Forum Thread: How to Embed a Payload into an Apk

I don't know much about embedding into APKs but this post is a good question to ask and well asked.

I do know about this tutorial though https://null-byte.wonderhowto.com/how-to/make-your-malicious-android-app-be-more-convincing-0163730/

Thanks for the link i'll have a look

the linkis about changing the app name and picture but i want it to be embedded into another app

thanks for the link though

Ok like I said I don't know much about this. Good luck!

Thank You

I am looking for this for weeks! Couldn't make any progress.

You can try to use SPF. You can backdoor a legit apk with this. At least it claims that it can do. I couldn't do it but there are lots of videos on youtube they actually did it.

https://github.com/georgiaw/Smartphone-Pentest-Framework

It looks like we can use our backdoored apk with metasploit. If you make it work. Let me know. I'm very interested.

I don't have much coding skills. However if you look into sourcecode of it maybe you get the process of compiling two apks.

hey @casperass
I saw your comment in the other post and i have been trying ever since.
it keeps failing with me because of errors in the code eg:
/app/androidmanifest.xml not found when the file existed but at:
/usr/bin/apktool/app/androidmanifest.xml
i also had to replace the apktool that it automatically installs

please tell me the errors you faced and ill try my best to help you out

guys apart from the smartphone penetration software is there any other methood

@casperass sorry to burst your bubble but the program is just too buggy for me to redo.

I haven't tried it with SMSHack app yet but I followed the same logic with our metasploit payload. I finally combined them but there are some problems as I said below.

@casperass try this link : http://insiderattack.blogspot.com.tr/2013/09/android-malware-injection-into-original_5.html

Tried it and looks like working.

this is an improvement
can you please walk me through the steps you took
thanks

Decompile our mateasploit apk and the original one using "apktool d" after that copy the permissions and the activity from our malicious apk to the target AndroidManifest.xml. It should look like this:

http://postimg.org/image/9ja4p1nbj/

After that copy the smail file(metasploit) into the target apk's com directory in smail.

The thing you have to be careful about is activity part on AndroidManifest.xml Copy it before the first activity and If you leave it as .MainActivity. It won't work because at the top of the xml it's pointing to target apk's com directory. So you need to change it like on the screenshot: "com.metasploit.stage.MainActivity"

Right after the installation if the victim press "run" nothing will happen but give us meterpreter session. And there will be two of them on the menu.

I made my research and because I'm using more than one "android.intent.category.LAUNCHER" it's extracting 2 icon on the menu. To fix it, we need to convert our mainactivity to "Service" which is kinda hard to do without coding skills.

It's explained here:

https://github.com/codepath/android_guides/wiki/Starting-Background-Services

I specially made an account to beg you to make a tutorial, am dying here trying

Please Bart!!

bart i would love it if you make tut
and no we havent been able to but were still making progress

It'd be so great BART. i'm looking forward to it!

I don't have the time for it guys, busy with school.

Bart, did you any progress?

ROOTBOSS, thanks for sharing with us. I tried the script, but it keeps throwing a bunch of errors, like this one
apk_backdoor.rb:149:in `<main>': undefined method `include?' for nil:NilClass (NoMethodError)

so please could you show us a detailed explanation of the steps you took to successfully backdoor your apk file? what extra packages did you install, if any? thanks

Yes sorry, I will post a better explanation with more detail, work hours are crazy. I did use Kali Linux and you need to have the latest version of apktool. 2.0.1 and aapt installed. Edit the script and on line #228 change to look like:`apktool b -o --aapt /usr/local/bin/aapt $(pwd)/#{injectedapk} $(pwd)/original`

So the script will find aapt to build the .apk
If you are still having problems, let me know.

thanks for helping me. the error i got before editing line 228 was this:

apkbackdoor.rb:92:in `initialize': No such file or directory @ rbsysopen - /tmp/d20151015-18744-1jv5bw9/payload/AndroidManifest.xml (Errno::ENOENT)

from apkbackdoor.rb:92:in `open'
from apkbackdoor.rb:92:in `fixmanifest'
from apkbackdoor.rb:236:in `<main>'

and after i edited line 228 i got this error:
* Generating msfvenom payload..
* Signing payload..
* Decompiling orignal APK..
* Decompiling payload APK..
* Locating onCreate() hook..
* Copying payload files..
apkbackdoor.rb:228:in `<main>': undefined local variable or method `injectedapk' for main:Object (NameError)

I have apktool 2.0.2 and i placed aapt in /usr/local/bin/
any clues?

Hey ROOTBOSS, from what I found there is a slight error in the line of code you said to change as there is no in {injectedapk}. The correct line is:

`apktool b -o --aapt /usr/local/bin/aapt $(pwd)/#{injectedapk} $(pwd)/original`

Now I tried the script myself however I was unable to find apknamebackdoor.apk so I assume an error occurred. Could you send a link to the apk you used to test this. Thanks Jadex

So any more corrections?