Made by darkwall
Evil-Droid is a powerful Android penetration testing framework designed for security researchers and ethical hackers. This tool allows you to create malicious APK payloads, backdoor existing Android applications, and establish remote connections to target devices.
This tool is for educational and authorized security testing purposes only.
- Use it only on systems you own or have explicit permission to test
- The author is NOT responsible for any misuse or damage caused by this tool
- Unauthorized access to computer systems is illegal
- Use at your own risk and responsibility
- APK MSF Payload Generation: Create standalone malicious APK files using Metasploit payloads
- APK Backdooring: Inject Metasploit payloads into legitimate Android applications
- AV Bypass Techniques: Obfuscate payload code and customize icons to evade antivirus detection
- Multiple Payload Options: Support for various Metasploit Android payloads (TCP, HTTP, HTTPS)
- Attack Vector: Clone websites and embed APK downloads for social engineering attacks
- Multi-Handler Listener: Integrated Metasploit listener for handling connections
- APK Signing: Automatic APK signing and verification
- Permission Injection: Automatically adds necessary Android permissions
- OS: Kali Linux / Debian-based Linux distributions
- Root Access: Required for running the framework
- Internet Connection: Required for initial setup
The framework will automatically check and install the following dependencies:
- Metasploit Framework - Payload generation and handling
- Xterm - Terminal emulator for spawning processes
- Zenity - GUI dialog boxes
- AAPT - Android Asset Packaging Tool
- Apktool - APK decompilation and recompilation
- Zipalign - APK optimization
- Apksigner - APK signing
- Keytool - Java keystore management
- Wget - File downloading
- Curl - HTTP requests
- Unzip - Archive extraction
- Apache2 - Web server for attack vectors
- PostgreSQL - Database for Metasploit
- Clone the repository:
    git clone <repository-url>
    cd Evil-Droid
- Make the script executable:
    chmod +x evil-droid
- Download apktool.jar (required):
    wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar -O tools/apktool.jar
  Note: The apktool.jar file is not included in the repository due to its size. You must download it manually before running the framework.
- Run the framework with root privileges:
    sudo ./evil-droid
  The framework will automatically check for dependencies and install any missing packages.
- APK MSF - Generate a standalone malicious APK
- BACKDOOR APK ORIGINAL (OLD) - Backdoor using MSFVenom's -x option
- BACKDOOR APK ORIGINAL (NEW) - Advanced backdooring with Smali injection
- BYPASS AV APK - Create payload with AV evasion techniques
- START LISTENER - Launch Metasploit multi-handler
- CLEAN - Remove generated files and cleanup
- QUIT - Exit the framework
1. Select option [1] APK MSF
2. Set LHOST (your IP address)
3. Set LPORT (listening port, e.g., 4444)
4. Choose payload name
5. Select payload type (e.g., android/meterpreter/reverse_tcp)
6. APK will be generated in evilapk/ directory

1. Select option [3] BACKDOOR APK ORIGINAL (NEW)
2. Set LHOST and LPORT
3. Choose output APK name
4. Select payload type
5. Browse and select original APK file
6. Backdoored APK will be created in evilapk/ directory

1. Select option [5] START LISTENER
2. Set LHOST and LPORT (must match APK configuration)
3. Select payload type (must match APK payload)
4. Metasploit handler will start automatically

Evil-Droid/
├── evil-droid # Main framework script
├── evilapk/ # Output directory for generated APKs
├── icons/ # Custom icons for APK customization
├── testapks/ # Sample APKs for testing
└── tools/ # Required tools (apktool.jar)
The framework supports multiple Metasploit Android payloads:
- android/shell/reverse_tcp
- android/shell/reverse_http
- android/shell/reverse_https
- android/meterpreter/reverse_tcp
- android/meterpreter/reverse_http
- android/meterpreter/reverse_https
- android/meterpreter_reverse_tcp
- android/meterpreter_reverse_http
- android/meterpreter_reverse_https
- Smali Code Obfuscation: Randomizes package names and class names
- Icon Customization: Replace default payload icon with legitimate app icons
- String Obfuscation: Replaces common Metasploit strings
- Permission Management: Smart permission injection to avoid suspicion
The attack vector feature allows you to:
- Clone a legitimate website
- Embed your malicious APK as a download
- Host the cloned site on your Apache server
- Social engineer targets to download the APK
- Ensure all dependencies are properly installed
- Try updating apktool: Select option to update framework
- Check that the original APK is not corrupted
- Verify LHOST is accessible from target device
- Check firewall settings
- Ensure LHOST and LPORT match in both APK and listener
- Framework automatically generates debug keystore
- Ensure Java is properly installed
- Check file permissions in ~/.android directory
- Generated APKs can be installed only if installation from "Unknown Sources" is enabled on the Android device
- Target device needs internet connectivity for reverse connections
- HTTPS payloads require valid SSL handling on target
- Persistence is achieved through BOOT_COMPLETED receiver
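
A defender's triage check for the permission injection and BOOT_COMPLETED persistence noted above, as an added example that is not part of Evil-Droid: it compares the decoded AndroidManifest.xml of a suspect APK against the vendor's original and reports what was added. Both manifests, the package name and the receiver name are constructed samples.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def permissions(root):
    """Permission names requested by a decoded manifest."""
    return {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}

def boot_receivers(root):
    """Receivers whose intent filter lists BOOT_COMPLETED."""
    found = set()
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            found.add(receiver.get(NAME, "<unnamed>"))
    return found

def triage(original_xml, suspect_xml):
    """Report what the suspect manifest adds over the vendor original."""
    orig, susp = ET.fromstring(original_xml), ET.fromstring(suspect_xml)
    return {
        "added_permissions": sorted(permissions(susp) - permissions(orig)),
        "added_boot_receivers": sorted(boot_receivers(susp) - boot_receivers(orig)),
    }

# Constructed sample: manifest of the vendor's original build.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed sample: the same app after repackaging with extra components.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name="com.example.notes.qzx.Bkw">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, values in triage(ORIGINAL, SUSPECT).items():
        print(key, values)
```

The manifest inside an APK is stored in a binary format, so decode both APKs first and pass the text of each AndroidManifest.xml to `triage`.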
- Original Framework: Mascerano Bachir (Dev-labs)
- Enhanced Version: TBCN - BLACK HAT TEAM
- Modified by: darkwall
This tool is provided for educational purposes. Users are responsible for complying with all applicable laws and regulations.
For issues, questions, or contributions, please refer to the project repository.
Remember: Always obtain proper authorization before testing any system. Unauthorized access is illegal and unethical.