1
00:00:00,270 --> 00:00:08,580
In this video, I will show you how perpetrators inject payloads into legit applications, such as

2
00:00:08,580 --> 00:00:08,880
WhatsApp.

3
00:00:09,510 --> 00:00:10,290
They do that.

4
00:00:10,830 --> 00:00:18,310
And by using social engineering techniques, they get these apps up and running on end users' smartphones.

5
00:00:18,810 --> 00:00:20,790
Suppose now we are the bad people here.

6
00:00:20,820 --> 00:00:23,070
I'm using a different test box.

7
00:00:23,400 --> 00:00:25,090
It's Parrot, just for a change.

8
00:00:25,110 --> 00:00:30,620
You can do the same thing in Kali. So users will usually go to these websites,

9
00:00:30,690 --> 00:00:36,750
APKPure, APKMirror, et cetera, that you've seen earlier in the course, and they search for any application.

10
00:00:36,760 --> 00:00:40,470
I will search for WhatsApp here and press the button.

11
00:00:43,300 --> 00:00:48,910
Now go to the first result, WhatsApp Messenger, and download the APK.

12
00:00:50,050 --> 00:00:51,290
So let's close that now.

13
00:00:52,240 --> 00:00:57,370
I have already downloaded that and it's in Downloads.

14
00:00:57,700 --> 00:01:01,360
So this is the WhatsApp APK, supposedly the legit one.

15
00:01:01,870 --> 00:01:04,900
Now, I'll open that in a terminal.

16
00:01:06,420 --> 00:01:07,010
Where is it?

17
00:01:07,080 --> 00:01:07,720
It's here.

18
00:01:10,470 --> 00:01:12,270
So I'll open that in a terminal.

19
00:01:14,660 --> 00:01:20,760
And as you can see, I can see the application now. I'll go to superuser.

20
00:01:24,740 --> 00:01:35,120
By simply issuing one command, which is msfvenom, then -x, you have to specify the name

21
00:01:35,120 --> 00:01:36,110
of the application.

22
00:01:36,680 --> 00:01:42,110
Then provide the -p parameter for the payload, which is android/

23
00:01:45,120 --> 00:01:48,680
meterpreter/reverse_tcp.

24
00:01:49,190 --> 00:01:51,650
Then you specify the local host.
25
00:01:51,710 --> 00:01:53,030
I'll put just an IP now.

26
00:01:53,500 --> 00:01:54,560
And the local port.

27
00:01:55,250 --> 00:01:57,200
Again, any port for now.

28
00:01:57,830 --> 00:02:01,820
And the output is, for example, hacked.apk.

29
00:02:02,750 --> 00:02:08,960
Now msfvenom will try to reverse engineer the application: decode it,

30
00:02:09,130 --> 00:02:17,060
decompile it, inject the payload, change the manifest file by putting in, you know, dangerous, what they

31
00:02:17,060 --> 00:02:20,960
call, permissions, and then it will compile the code again.

32
00:02:21,290 --> 00:02:23,340
So we'll wait for that to finish.

33
00:02:23,360 --> 00:02:26,990
It'll take like a couple of minutes.

34
00:02:31,860 --> 00:02:37,920
As you can see, it's compiling the payload, locating hook points and adding the permissions to

35
00:02:37,920 --> 00:02:39,620
the AndroidManifest

36
00:02:40,080 --> 00:02:40,860
.xml file.

37
00:02:41,310 --> 00:02:43,650
And this is the output here.

38
00:02:44,600 --> 00:02:50,340
After that, the compilation and the insertion, or the injection, of the payload.

39
00:02:50,340 --> 00:02:51,180
So I'll stop that.

40
00:02:51,630 --> 00:02:52,620
I'll just show you.

41
00:02:52,650 --> 00:02:54,840
I'll go to this directory here.

42
00:02:57,550 --> 00:03:00,320
And list.

43
00:03:00,490 --> 00:03:07,060
So as you can see here, we have the original APK, which is the WhatsApp, and the payload APK. We have

44
00:03:07,060 --> 00:03:10,270
the original folder and the payload folder.

45
00:03:10,270 --> 00:03:14,780
So let's see the difference between the original manifest

46
00:03:16,840 --> 00:03:18,520
So I'll just leave it here.

47
00:03:19,780 --> 00:03:23,700
AndroidManifest.xml. To clarify my point,

48
00:03:23,740 --> 00:03:29,740
I have placed both AndroidManifest.xml files side by side.

49
00:03:30,100 --> 00:03:33,430
The legit one is on the right and the forged one is on the left.
50
00:03:33,880 --> 00:03:38,440
If you look closely, you will see that the content is totally different here.

51
00:03:38,440 --> 00:03:40,960
It's obviously generated by Metasploit.

52
00:03:41,380 --> 00:03:48,550
And if you look closely here and drill down, it looks like this is the legit one generated by WhatsApp.

53
00:03:49,030 --> 00:03:52,870
So this is how the perpetrators inject applications.

54
00:03:53,290 --> 00:03:59,620
They will compile the applications later on using Android Studio, for example, or even

55
00:03:59,620 --> 00:04:00,130
apktool.

56
00:04:00,760 --> 00:04:08,140
And in many cases, they then upload these APK files on many platforms that we have discussed

57
00:04:08,170 --> 00:04:09,820
earlier in this course.