Description
I wanted to start documenting some issues/enhancements for Android, as per slack convo.
The Android payload was amazing, but @timwr (and whoever else has been working on it) hasn't had time to keep it up to date. I haven't played around with it for a while either, but am using it now for a presentation to children.
Ideas
Compatibility
The payload seems to be losing newer compatibility while trying to maintain older compatibility. I have a ZTE Android 6.0.1 I use for demos, and all the payload stuff works great on there. A Samsung Galaxy A03s on Android 13 installs and some things work, but many give unexpected permissions errors (I believe part of #16208 is related). Maybe let a user pick which SDK version(s) they want to use. It could even be simple like 'pre Android 6' and 'post Android 6' kind of thing. I think the new Android permission model is actually better for what we want anyway since it won't list an entire screen of permissions, but pop them up as we call things that need them. Likely a better scenario.
Related Issues
- Lots of good info: android payload permissions not registered #16208
- About Android 14 Incompatibility Issue #19224
- App not installed as app isn't compatible with your phone #19203
- Android incompatible issue #18703
- Android meterpreter reverse tcp #18464
- (likely) after creating a simple payload for android it is not intaling in andrioid i dont know whats wronge I allowed instalation from unknow sources everthing is updated the payloads was installing before i used a tool called evil-droid and remove its apktool.jar file and replaced it with lastest one (i dont know) #19136
- (possibly) bypass Google Protection on Android #18529
- We need update in android/meterpreter/reverse_tcp #17433
- Android 14 to block old API versions #17620
- [Enhancement Request] - Modern Android Meterpreter Payload for SDK 23 and Above metasploit-payloads#695
- Android android/meterpreter/reverse_tcp webcam_snap and webcam_stream not working on Android 11+ metasploit-payloads#717
- Android Overhaul #19154
- apk payload does not support new android versions #16870
Persistence
Add persistence (on rooted at least)?
- Idea 1 ref2 on android 14 (bash script to init.d)
Related Issues
- Android Persistence Techniques Help #18502
- plzzz someone answer ;( how to auto connect android/metrerpreter/reverse_tcp even though the cellphone is off and then on again || and please find the solution for IP - Meterpreter session closed. Reason: Died #19164
- how do android/meterpreter/reverse_tcp auto connect to the session even after rebooting, so the target no longer needs to click on the payload app #19177
- Backdooring so Files (Android) #18382
- How to get permanent access after rebooting Android via payload or script #17954
- (somewhat) How to ( get | keep ) a session when the user connects to a VPN #18014
- How to keep android meterpreter shell script running in background after app is closed #16375
- How to get persistence on Android 11? #15529
Bugs
New Modules
- Check for new exploits; the last one for an app was one I did, but it was more a web server backdoor than anything. Probably some Chrome ones out there? Maybe? Can we get a priv esc?
Related Issues
- cve-2020-0041
- CVE-2023-48409
- A few more here: https://github.com/github/securitylab/tree/main/SecurityExploits/Android
- I started coding a new post module/payload feature to pop up a fake unlock screen if the user uses a PIN/passcode. Much easier to ask for the password than get a hash. I never finished it, mainly because I hate Java. (https://github.com/h00die/metasploit-framework/tree/android_password_prompt , rapid7/metasploit-payloads@master...h00die:metasploit-payloads:phish_android)
- cve-2023-45779
Enhancements
- Could we get a flag in msfvenom to change the name from MainActivity, and maybe set a custom icon?
- mic stream Android meterpreter (record mic ) (wlan geolocate error) metasploit-payloads#309
Etc
- Right now it seems like a lot of the instructions talk about signing your APK; maybe that could be built in or auto-chained?
Just throwing this out there as it seems like a neglected, but still often used, feature of Metasploit. Happy to hear some thoughts, but I don't know Java, and haven't messed around with Android phone hacking much.