Red Teaming and Malware Analysis
Backdooring/patch APKs

Last updated 3 years ago

In this laboratory, we are going to add a toast message to the target APK. The same approach can be used to backdoor an APK with something else, such as the Frida gadget.

1. apktool - decode and compile APK

The first task is decoding the target APK. We can do this with apktool.

First, we need to go to the folder where apktool.jar is installed, in my case C:\Tools\android.

Tip: the first time, remove the -r option so that all resources are decoded and the AndroidManifest.xml file can be analyzed.

cd C:\Tools\android
PS C:\Tools\android> java -jar .\apktool.jar decode -r 'C:\tmp\xxxx_2.7.3.apk'
I: Using Apktool 2.5.0 on xxxx_2.7.3.apk
I: Copying raw resources...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory
PS C:\Tools\android>

2. Add the payload

After getting the source code (smali), the first step is to analyze the AndroidManifest.xml file to discover the launcher activity.

Let's open the smali file: com.xxx.xxx.v2.ui.splashscreen.SplashscreenActivity.smali

Then we need to find the "onCreate()" method (our target).

Here we add the code below: a toast message that will be shown when the activity starts.

# Insert after the existing invoke-super {...}->onCreate(...)V call, and make sure the
# method's .locals count covers v0 and v1 and that neither register is still in use here.
const/4 v0, 0x1                            # Toast.LENGTH_LONG
const-string v1, "Backdoored like a baws"  # message text
invoke-static {p0, v1, v0}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v0                      # the Toast instance (p0 is the Activity, used as Context)
invoke-virtual {v0}, Landroid/widget/Toast;->show()V

3. Build the APK

After adding the payload, we need to rebuild the APK with the changes. Inside the decoded folder there is an apktool.yml file, which the build requires, so we run the apktool build process from that path.

(run from the root of the decoded APK folder)
java -jar ..\apktool.jar build -o c:\tmp\backdoored.apk

I: Using Apktool 2.5.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether sources has changed...
I: Smaling smali_classes2 folder into classes2.dex...
I: Checking whether resources has changed...
I: Copying raw resources...
I: Copying libs... (/lib)
I: Copying libs... (/kotlin)
I: Copying libs... (/META-INF/services)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...

4. Create keystore with self-signed cert

The next step is to create a .keystore to sign the APK. For this, we will use keytool.exe from the JRE.

It's important to save some details, including the alias ("baws") and the password you type ("123456").

cd C:\Program Files\Java\jre1.8.0_251\bin
keytool.exe -genkey -v -keystore c:\tmp\.keystore -keyalg RSA -keysize 2040 -validity 365 -alias baws

(...)
Generating 2,040 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
        for: CN=123, OU=123, O=123, L=123, ST=123, C=123
[Storing c:\tmp\.keystore]

As shown, the .keystore file was created in the c:\tmp folder.

5. Sign the APK file

Here, you need to use the alias chosen when you created the keystore file (baws, in this case). The password was "123456".

cd C:\Program Files\AdoptOpenJDK\jdk-11.0.11.9-hotspot\bin
jarsigner.exe -sigalg SHA1withRSA -digestalg SHA1 c:\tmp\backdoored.apk baws -keystore C:\tmp\.keystore

(...)
Enter Passphrase for keystore:
jar signed.

Warning:
The signer's certificate is self-signed.

6. Align the APK with zipalign

After signing an APK, if you get an error such as "Failed to extract native libraries, res=-2]", you probably need to align the APK.

Before aligning it, you can try to install it:

.\adb.exe install C:\tmp\backdored.apk
Performing Streamed Install
adb: failed to install C:\tmp\backdored.apk: Failure [INSTALL_FAILED_INVALID_APK: Failed to extract native libraries, res=-2]

Attention: you must use zipalign at one of two specific points in the build process, depending on the signing tool you use:

  • If you use apksigner, only run zipalign before signing the APK file. If you sign your APK with apksigner and then make other changes to the APK, the signature will be invalidated.

  • If you use jarsigner, only run zipalign after signing the APK file.

Since I used jarsigner, my last step is to align the APK before installing it.

zipalign -p -f -v 4 backdored.apk backdored-aligned.apk
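To see what zipalign actually checks and changes in this step, here is an added, stdlib-only Python example (not code from the page or from the Android tools): it reports misaligned stored entries the way `zipalign -c -p 4` does and pads them using the extra-field trick zipalign itself relies on. The sample archive is constructed and only imitates the layout of a rebuilt APK; the 4096-byte rule for .so entries is assumed to mirror the -p flag.

```python
import io
import struct
import zipfile

LOCAL_HDR = "<IHHHHHIIIHH"        # ZIP local file header layout, 30 bytes
HDR_LEN = struct.calcsize(LOCAL_HDR)

def required_alignment(name, align=4):
    # zipalign -p page-aligns uncompressed .so files so the loader can mmap them in place
    return 4096 if name.endswith(".so") else align

def check_alignment(apk_bytes, align=4):
    """Like `zipalign -c -p 4`: list (name, data_offset, required) for each misaligned STORED entry."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            f = struct.unpack(LOCAL_HDR, apk_bytes[off:off + HDR_LEN])
            if f[0] != 0x04034B50 or f[3] != zipfile.ZIP_STORED:   # compressed entries are never aligned
                continue
            data_off = off + HDR_LEN + f[9] + f[10]   # name/extra lengths of the LOCAL header, not the central dir
            need = required_alignment(info.filename, align)
            if data_off % need:
                bad.append((info.filename, data_off, need))
    return bad

def align_apk(apk_bytes, align=4):
    """Rewrite the archive so every STORED payload starts on its boundary by padding the local
    header's extra field (zipalign's technique; 0xD935 is the padding id apksigner/zipalign use)."""
    src, out = zipfile.ZipFile(io.BytesIO(apk_bytes)), io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            new = zipfile.ZipInfo(info.filename, info.date_time)
            new.compress_type, new.external_attr = info.compress_type, info.external_attr
            if info.compress_type == zipfile.ZIP_STORED:
                need = required_alignment(info.filename, align)
                pad = -(dst.fp.tell() + HDR_LEN + len(info.filename.encode())) % need
                pad += need if 0 < pad < 4 else 0     # an extra field needs a 4-byte id/length header
                if pad: new.extra = struct.pack("<HH", 0xD935, pad - 4) + b"\0" * (pad - 4)
            dst.writestr(new, src.read(info.filename))   # bytes move, so any earlier v2 signature is now invalid
    return out.getvalue()

def build_sample_apk():
    """Constructed stand-in for an apktool-rebuilt APK (not a real app), written with no padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("assets/config.txt"), b"x" * 13, zipfile.ZIP_STORED)
        zf.writestr(zipfile.ZipInfo("lib/arm64-v8a/libnative.so"), b"\x7fELF" + b"\0" * 100, zipfile.ZIP_STORED)
        zf.writestr(zipfile.ZipInfo("AndroidManifest.xml"), b"<manifest/>", zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Running check_alignment on the sample shows the stored asset at offset 47 and the .so at offset 116, which is the kind of layout that triggers the "Failed to extract native libraries" error above; after align_apk the .so payload starts exactly at byte 4096.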

Now it's time to test it:

.\adb.exe install C:\tmp\backdored-aligned.apk

Of course, since the APK was modified, you need to confirm that you want to install it anyway.

When the installation process ends, you are prompted to send the app for a security scan. You should pick "DON'T SEND".

We got it!

Gotcha!

Resources

  • Frida's Gadget Injection on Android: No Root, 2 Methods (Alexander Fadeev's Blog)
  • Releases · frida/frida (GitHub)
  • Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps.
  • zipalign | Android Developers
  • Mobexler - Mobile Application Penetration Testing Platform