Make your own malicious WhatsApp

My last post showed how to create a backdoor for Android systems, but to be more convincing when deploying a trojan onto someone’s mobile, we’ll need to customize the malicious application. For instance, it would be a good idea to change the app name to WhatsApp Messenger, Facebook or some other social network, as well as customize permissions and change the default app icon to something more convincing.

Step 1: The first step is to make the malicious mobile application with the MSFvenom tool from Kali Linux where we set the IP address and port of the C&C server.

Making the Malicious Apk
Step 2: Once the malicious application has been created, we have to decompile the application to get important files, which are going to be modified to make the application more convincing.

Decompiling the Malicious Apk
Step 3: It’s time to modify the AndroidManifest.xml file to customize permissions and avoid warnings during installation, as well as to change the highlighted line to add icons.

Modifying App Permissions in the AndroidManifest.xml file
We can also edit the strings.xml file in the “values” folder, which is inside the “res” folder, to change the application name to something more convincing. For instance, WhatsApp Messenger Plus.

Modifying the App Name in the strings.xml file
If we want to customize application icons as well, we’ll have to make three new folders in the “res” folder and copy the icon PNG files into them.
  • We should have a 72x72 pixel file called icon.png in the drawable-hdpi-v4 folder.
  • We should have a 36x36 pixel file called icon.png in the drawable-ldpi-v4 folder.
  • We should have a 48x48 pixel file called icon.png in the drawable-mdpi-v4 folder.

Modifying App Icons in the res folder
It’s easy to resize images on the net. There are many services to do this. For instance,

Step 4: The next step is to compile the custom application with the apktool command to make a new application with all our custom features. Once executed, we’ll see the new application in the “dist” folder.

Compiling the Malicious App
Step 5: We're almost done. Android systems don’t allow installing unsigned applications, so we have to sign the application manually with jarsigner and our keystore.

Signing the Malicious Apk
Step 6: We are ready to deploy the custom application to someone’s mobile. As you can see, it’s simple and easy, and we just need social engineering to achieve our aim.

Fake WhatsApp Messenger Plus
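
The renamed label and the self-made signing key described above are exactly what a defender can check for: the app claims a well-known name, but its package name and signing certificate are not the publisher's. The following is an added example, not code from the original post; the record fields, the sample inventory and the signer digests are constructed placeholders, and the data is assumed to come from something like an MDM inventory export.

```python
import re
import unicodedata

# Allowlist of genuine apps. The package names are the publishers' real ones;
# the signer digests are constructed placeholders, to be replaced with the
# certificate SHA-256 taken from a copy installed from the official store.
GENUINE = {
    "whatsapp": {"package": "com.whatsapp", "signer_sha256": "AA" * 32},
    "facebook": {"package": "com.facebook.katana", "signer_sha256": "BB" * 32},
}
PLAY_STORE = "com.android.vending"  # installer package of Google Play


def fold(label):
    """Fold compatibility forms, lower-case, keep only a-z0-9 ('Whats-App' matches)."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore")
    return re.sub(r"[^a-z0-9]", "", ascii_only.decode().lower())


def review(app):
    """Return reasons a record looks like a repackaged impersonation ([] = none)."""
    reasons = []
    label = fold(app["label"])
    for brand, genuine in GENUINE.items():
        if brand not in label:
            continue
        if app["package"] != genuine["package"]:
            reasons.append(f"label imitates {brand} but package is {app['package']}")
        elif app["signer_sha256"].upper() != genuine["signer_sha256"]:
            reasons.append(f"{brand} package signed with an unexpected certificate")
        if app.get("installer") != PLAY_STORE:
            reasons.append(f"{brand}-branded app was not installed from Google Play")
    return reasons


# Constructed inventory records (hypothetical field names, e.g. from an MDM export).
INVENTORY = [
    {"label": "WhatsApp Messenger", "package": "com.whatsapp",
     "signer_sha256": "aa" * 32, "installer": PLAY_STORE},
    {"label": "WhatsApp Messenger Plus", "package": "com.example.updater",
     "signer_sha256": "CC" * 32, "installer": None},
    {"label": "Calculator", "package": "com.example.calc",
     "signer_sha256": "DD" * 32, "installer": None},
]

if __name__ == "__main__":
    for app in INVENTORY:
        print(app["package"], review(app) or "ok")
```

The signer check only fires when the package name matches, because a repackaged app signed with a different key cannot update or replace the genuine package and so normally ships under another name.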

Once the malicious application is installed on an Android system, we’ll have to start the listener with the multi/handler exploit from Metasploit, which will be our C&C system to control Android devices. My last post (step 3) shows how to start the listener.

I’m not responsible for any illegal activity performed by the reader because this is for educational purposes only.

Regards my friends and be a good guy!