Hello learners, in the first part of our Android payload guide we embedded an Android payload in a legitimate application. That application is, however, detected by Google Play Protect, as shown in the screenshot below.
In this guide we will obfuscate an Android payload with the aim of evading detection, using the Kali Linux tool ApkBleach. ApkBleach exists in two forms: a terminal-based tool, and a hosted website from which novices can obfuscate an Android payload without using the terminal. Using the tool, we will change the Android payload's name and app icon, then align and sign the application.
Pre-requisites
- Have Kali Linux.
- Have ability to use the terminal.
- Target. (Note: You should obtain consent from the target)
Make sure you obtain the consent of your target before carrying out any attack against them.
ApkBleach features
- Stealth option - This option lets you set the number of exploit sessions to be spawned.
- Icon injection - With this option you choose the icon that appears on the victim's device. You can also provide your own custom icon.
- Application renaming - With this option you can give the application any name you want.
- Signing the APK - Since msfvenom produces unsigned Android payload applications, ApkBleach uses jarsigner to sign the generated payloads.
- Permission editing - ApkBleach also allows line-by-line editing of the permissions. The tool walks through each permission and asks whether you want to keep or delete it.
Step 1: Installing ApkBleach
To install ApkBleach we need to clone the tool's official repository, move into the directory and run the installer as shown below.
```
┌──(toxic㉿kali)-[~/Desktop]
└─$ git clone https://github.com/graylagx2/ApkBleach.git
Cloning into 'ApkBleach'...
remote: Enumerating objects: 123, done.
remote: Counting objects: 100% (123/123), done.
remote: Compressing objects: 100% (104/104), done.
remote: Total 123 (delta 43), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (123/123), 617.30 KiB | 347.00 KiB/s, done.
Resolving deltas: 100% (43/43), done.

┌──(toxic㉿kali)-[~/Desktop]
└─$ cd ApkBleach

┌──(toxic㉿kali)-[~/Desktop/ApkBleach]
└─$ chmod +x install.sh

┌──(toxic㉿kali)-[~/Desktop/ApkBleach]
└─$ ./install.sh
Obtaining file:///home/toxic/Desktop/ApkBleach
Collecting argparse
  Using cached argparse-1.4.0-py2.py3-none-any.whl (23 kB)
Requirement already satisfied: colorama in /usr/lib/python3/dist-packages (from apkbleach==2.1) (0.4.4)
Requirement already satisfied: pillow in /usr/lib/python3/dist-packages (from apkbleach==2.1) (8.1.2)
Requirement already satisfied: pyfiglet==0.8.post1 in /usr/local/lib/python3.9/dist-packages (from apkbleach==2.1) (0.8.post1)
Requirement already satisfied: requests in /usr/local/lib/python3.9/dist-packages (from apkbleach==2.1) (2.27.1)
Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3/dist-packages (from requests->apkbleach==2.1) (2.10)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/lib/python3/dist-packages (from requests->apkbleach==2.1) (1.26.4)
Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python3/dist-packages (from requests->apkbleach==2.1) (2020.6.20)
Requirement already satisfied: charset-normalizer~=2.0.0 in /usr/local/lib/python3.9/dist-packages (from requests->apkbleach==2.1) (2.0.12)
Installing collected packages: argparse, apkbleach
  Running setup.py develop for apkbleach
Successfully installed apkbleach argparse-1.4.0
```
Step 2: Obfuscating android payload using ApkBleach
The first step is to generate the Android payload that we will obfuscate. We can generate the payload with Metasploit and then obfuscate it with ApkBleach. Before obfuscating an Android payload, we need to know some of the options ApkBleach accepts. Below is a summary of the basic options and their functions.
- -p | --payload <payload> - Sets the Android payload to be generated with msfvenom.
- -o | --output <output.apk> - Sets the name of the application that is created as well as the output file.
- -g | --generate - Generates an Android payload using the defaults.
- -n | --new-key - Generates a new debug key before signing the APK.
- -v | --verbose - Use this option when you do not want the output of the underlying commands masked.
- -d | --debug - Leaves the /tmp/payload files in place for review.
- -h | --help - Prints the help information.
For us to generate an android payload, we will use the below command.
After the bleached Android payload has been generated, we can send it to our targets using social engineering techniques so that the target downloads and installs the application on their Android device. We then gain a shell from which we can send commands to the target device remotely, install other Android payloads and fetch information from the device. The installation runs without raising any suspicious notification from Google Play Protect.
Step 3: Getting a reverse shell using the android payload
When using ApkBleach, you can add your own custom Android payloads and icons to their respective folders. They are useful when generating different payloads for different victims and scenarios. Using commonly known icons and names on your Android payload helps make the hack successful. Below is a screenshot of a session gained from a victim's Android phone using an ApkBleach Android payload. In our case, we used a reverse TCP payload to gain the session.
Conclusion
ApkBleach was developed specifically to obfuscate Android payloads generated by the Metasploit Framework so that they evade detection by anti-virus products. The obfuscation attempts to avoid detection using two main methods. The first addresses the strict screening of the compiled Android payload: by default, Metasploit generates an Android application littered with the keywords "payload" and "metasploit".
Replacing these keywords with random strings and randomizing file names is a good first step in obfuscating the typical Metasploit Android payload. The second method changes the way the payload is executed. The default payload generated by Metasploit runs as soon as the application is opened. ApkBleach instead uses the device's accelerometer activity to launch the Android payload: the ApkBleach payload waits for physical movement of the target device before the Android payload is executed. In addition to obfuscation, ApkBleach automates changing the Android payload's app name and icon.
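A defender-side triage check for the two artefacts this conclusion describes (the leftover Metasploit keywords in classes.dex and the sensor-based trigger), written as an added example that is not part of the original post or of the ApkBleach project. The APK samples, the `com/example/...` class paths and the sensor-API string heuristic are constructed assumptions.

```python
import io
import re
import zipfile

# Indicator strings named on this page: Metasploit's default APK leaves the words
# "metasploit" and "payload" inside classes.dex; ApkBleach replaces them.
KEYWORD_INDICATORS = (b"metasploit", b"payload")
# Assumed indicator for the accelerometer trigger described above: a DEX that
# references the Android sensor API (class paths are stored as strings in the DEX).
SENSOR_INDICATORS = (b"android/hardware/sensormanager",
                     b"android/hardware/sensoreventlistener")

def triage_apk(apk_bytes: bytes) -> dict:
    """Scan every classes*.dex inside an APK (a zip file) and score the hits."""
    report = {"dex_files": 0, "keyword_hits": {}, "sensor_hits": [], "risk": "low"}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            report["dex_files"] += 1
            data = zf.read(name).lower()  # case-insensitive byte scan
            for word in KEYWORD_INDICATORS:
                hits = data.count(word)
                if hits:
                    key = word.decode()
                    report["keyword_hits"][key] = report["keyword_hits"].get(key, 0) + hits
            for ref in SENSOR_INDICATORS:
                if ref in data and ref.decode() not in report["sensor_hits"]:
                    report["sensor_hits"].append(ref.decode())
    if "metasploit" in report["keyword_hits"]:
        report["risk"] = "high"    # stock msfvenom artefact, not bleached
    elif report["keyword_hits"] or report["sensor_hits"]:
        report["risk"] = "medium"  # worth a manual look; sensor use alone is common
    # "low" only means these strings are absent, which is exactly what the
    # obfuscation described on this page achieves. It is not a clean bill of health.
    return report

def make_sample_apk(dex_body: bytes) -> bytes:
    """Build a constructed, minimal APK-shaped zip holding a fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00" + dex_body)
    return buf.getvalue()

# Constructed samples: one resembling an unbleached msfvenom APK, one where the
# keywords are gone but a sensor listener remains (the trigger described above).
STOCK = make_sample_apk(b"Lcom/example/metasploit/stage/Payload;")
BLEACHED = make_sample_apk(b"Lcom/example/a1b2c3/Qx; Landroid/hardware/SensorEventListener;")
print(triage_apk(STOCK)["risk"], triage_apk(BLEACHED)["risk"])
```

The "low" outcome on the bleached sample is the point of the page's conclusion: string-based screening alone is not enough once the keywords are randomized, so behavioural signals and install-source controls matter more.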