Msfvenom Payload in APK (Manual Embedding)
1. Generating Payload using MSFVenom
2. Decompiling Payload.apk
3. Decompiling Original Apk
4. Embedding Payload to Original APK
First, Copy Payload/smali/com/metasploit/stage/Payload.smali to Original/smali/com/metasploit/stage/Payload.smali
Then, open Original/AndroidManifest.xml and find <action android:name="android.intent.action.MAIN"/>. Then look at its parent <activity> tag and take a note at the <activity android:name="com.a.b.c.d">. Now, goto smali folder and then follow the activity name to find the d file i.e smali->com->a->b->c->d.
In the file d, find the line onCreate(Landroid/os/Bundle;)V and under that line, you will see invoke-super {p0, p1} ....
You have to enter the following line underneath this line : invoke-static {p0}, Lcom/metasploit/stage/Payload;->onCreate(Landroid/content/Context;)V or invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
Please note that the above is a single line of code. It is possible to confuse by using a different pathname than “com/Metasploit/stage/Payload” however if you do that you will have to modify all references to the path in all of the “smali” files that are contained in the “Payload” directory and change the directory name itself. This can be done manually but is prone to error.
Finally, copy the NON-DUPLICATE PERMISSIONS from Payload/AndroidManifest.xml and paste them to Original/AndroidManifest.xml.
5. Recompiling the Modded APK
The unsigned modified apk will be present in Original/dist folder.
6. Signing the APK
First, (ONE TIME ONLY), you have to generate a keystore using keytool which contains the keys. Remember the keystore password, alias and algorithm as they will be used in next steps
Now, you will use jarsigner to sign the apk
7. Optimizing the APK (ZipAlign)
Last updated