Backdooring/patch APKs
n this laboratory, we are going to add a toast message on the target APK. This approach can be also used to backdoor the APK with something including the frida gadget.
1. apktool - decode and compile APK
The first task is the decoding of the target APK. We can do this using the tool: apktool.
First, we need to access the folder and we have installed the apktool.jar, in my case: C:\Tools\android.
Tip: First time, we can remove the -r option to decode all the resource and analyze the Android-Manifest.xml file.
2. Add the payload
After getting the source-code (smali), the frist step is to analyze the Android-Manifest.xml file to discover the laucher activity.
Let's opening the smali file: com.xxx.xxx.v2.ui.splashscreen.SplashscreenActivity.smali
After that, we need to find the "onCreate()" method (our target).
Here, we can add the code below, a toast message that will be presented when the activity starts.
3. Build the APK
After adding the target payload, we need to build the APK with the changes. Inside the created folder, we can seethe apktool.yml file. It is necessary to proceed. So, we need to execute the akptool build process from this path.
4. Create keystore with self-signed cert
The next step is to create a .keystore to sign the APK. For this, we will use the keytool.exe from JRE.
It's important to save some details, including the alias ("baws") and the typed password ("123456").
As observed, the .keystore file was created on the c:\tmp folder.
5. Sign the APK file
Here, you need to use the alias created when you created the keystore file (baws, in this case). The password was "123456".
6. Align the APK with zipalign
After sign an APK, if you got some erros such as "Failed to extract native libraries, res=-2]", probably you need to align the APK.
Before aligning it, you can try to install it:
Attention: You must use zipalign at one of two specific points in the app building process, depending on the app signing tool you use:
If you use apksigner, only run zipalign before signing the apk file. If you sign your APK using apksigner and make other changes to the APK, the signature will be invalidated.
If you use jarsigner, only run zipalign after signing the APK file.
As I used jarsigner, my last step is align the APK before installing it.
Now, it's time to test it
Of course, the APK was modified, you need to install it anyway.
When the installation process ends, it's prompted to send the app for a security scan. You should pick "DON'T SEND".
Last updated