Evil-Droid
Evil-Droid is a testing/demo framework for authorized Android security research and lab exercises. This build focuses on Kali-friendly setup, clearer diagnostics, and safer file handling.
This repository is a testing/demo project. Use only in controlled lab environments and with explicit authorization. It is not intended for real-world deployment or misuse.

Features:
- Kali-friendly service handling with systemctl fallback
- Dependency summary with install hints
- Optional logging for troubleshooting
- Safer temp workspace under a dedicated directory
- Public IP lookup fallback (curl/wget)
- Demo-build banners and maintainer info

Credits:
- Udaya Sri (https://github.com/UdayaSri0)
- Original author: Mascerano Bachir (dev-labs)
- Enhanced by: Tech Sky - Security Research Team

Requirements:
- OS: Linux (Kali recommended)
- Root access (for services and package installation)
- Tools: metasploit-framework, xterm, zenity, aapt, apktool, zipalign, apksigner, keytool (JDK), wget, curl, unzip

What each dependency is used for:
- metasploit-framework: Payload generation and handler management for lab testing.
- xterm: Opens separate terminal windows for long-running tasks.
- zenity: Provides GUI prompts and selections.
- aapt: Reads APK metadata and resources.
- apktool: Decompiles and rebuilds APKs for research workflows.
- zipalign: Aligns APK files for install compatibility.
- apksigner: Signs APKs for install verification.
- keytool (JDK): Manages debug keystore creation.
- wget/curl: Fetches remote content when needed.
- unzip: Extracts archives used by tools or assets.

Installation:
- Update your system:

```bash
sudo apt-get update
```

- Install core dependencies:

```bash
sudo apt-get install -y metasploit-framework xterm zenity apktool \
  android-sdk-platform-tools-common android-sdk-build-tools \
  default-jdk wget curl unzip
```

- Clone the repository:

```bash
# clone into a directory named Evil-Droid so the cd below matches
git clone https://github.com/UdayaSri0/Evil-Droid-master.git Evil-Droid
cd Evil-Droid
```

- Make the script executable:

```bash
chmod +x evil-droid
```

- Run (authorized lab use only):

```bash
sudo ./evil-droid
```

Usage:
- Launch the tool as root.
- Read and accept the disclaimer.
- Use the menu to choose the workflow you need for your authorized lab test.
- Follow the on-screen prompts. The tool validates inputs and reports errors clearly.
- Output files are placed in the `evilapk` directory by default.
Note: This project is for controlled testing only. Do not use on systems you do not own or have explicit permission to test.

Menu options:
1) APK MSF: Generates a standalone test APK payload for lab validation and controlled demonstrations.
2) BACKDOOR APK ORIGINAL (OLD): Legacy workflow that embeds a payload into an existing APK for research comparisons.
3) BACKDOOR APK ORIGINAL (NEW): Updated injection workflow using the newer decompile/build/sign flow.
4) BYPASS AV APK (ICON CHANGE): Demonstrates how changing app labels/icons affects presentation in a lab; not a guarantee of bypass.
5) START LISTENER: Starts the handler in Metasploit for authorized lab tests.
c) CLEAN: Removes generated artifacts and the temporary workspace.
q) QUIT: Exits the framework and stops services.
These descriptions are conceptual and intended for authorized lab use only.

Option details:
- APK MSF: Produces a standalone test APK. Inputs include payload type and local host/port values. Output is a single APK in `evilapk/`.
- BACKDOOR APK ORIGINAL (OLD): Uses the legacy embed flow on a selected APK. Useful for comparing older techniques to newer flows in a lab.
- BACKDOOR APK ORIGINAL (NEW): Uses the updated decompile and rebuild flow on a selected APK. Intended for research comparisons and controlled demos.
- BYPASS AV APK (ICON CHANGE): Changes label/icon presentation for UI testing in a lab. It does not guarantee bypass of security tools.
- START LISTENER: Launches the listener/handler to observe lab traffic in a controlled environment.
- CLEAN: Removes generated artifacts and temporary workspace files.

Limitations:
- Compatibility is not guaranteed and varies by Android version, patch level, vendor changes, security settings, and user interaction.
- Play Protect, device security policies, and AV/EDR tools can block or alter behavior.
- Network topology (NAT, firewall rules, VPNs) can impact connectivity.
- GUI steps require a desktop session (`zenity`, `xterm`).
- Always validate behavior in a controlled lab environment with devices you own or have explicit permission to test.

How it works (overview):
- Preflight checks for root, internet connectivity, and dependencies.
- Collects inputs (host, port, payload choice, APK name) via GUI prompts.
- Uses a dedicated workspace for temporary files and rebuild steps.
- Produces output artifacts in `evilapk/`, with optional cleanup.
- Optional logging captures high-level events for troubleshooting.
This list is descriptive only and does not provide operational steps.

Function reference:
- `checkinternet`: Verifies basic network connectivity.
- `install_package`: Installs a dependency with fallback packages.
- `dependency_summary`: Prints missing tools and install hints.
- `get_public_ip`: Attempts to resolve the public IP via available tools.
- `get_lhost`, `get_lport`: Collect local host/port values for lab configuration.
- `get_payload`, `get_payload1`: Collect a payload choice from the menu.
- `payload_name`: Captures the output APK name.
- `orig_apk`: Selects an existing APK file.
- `change_icon`: Selects a PNG icon for UI testing.
- `gen_payload`, `embed_payload`: Generate payload output files for lab testing.
- `apk_decomp`, `apk_comp`: Decompile/rebuild the payload workspace.
- `apk_decomp1`, `apk_comp1`: Decompile/rebuild the original APK workspace.
- `perms`, `hook_smalies`: Update manifest and injection points (lab research only).
- `flagg`, `flagg_original`: Perform obfuscation-related transformations for testing.
- `merge_name_ico`: Updates label/icon resources.
- `sign`: Signs and verifies the rebuilt APK.
- `listener`: Launches the handler in Metasploit.
- `clns`, `index_name`, `launcher`: Website cloning/launcher helpers for lab demos.
- `atkv`, `suite`: Menu flow helpers.
- `clean`: Removes generated files and temp workspace.
- `svc_action`, `apache_svc_start/stop`, `postgresql_start/stop`: Service management helpers.
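The preflight idea behind `dependency_summary` (report missing tools with install hints) written out as an added POSIX sh example. This is not the project's script; the tool-to-package mapping in `package_hint` is an assumption for Debian/Kali package names and may need adjusting elsewhere.

```shell
#!/bin/sh
# Added example (not Evil-Droid's own code): a preflight dependency check in the
# spirit of dependency_summary. The tool-to-package hints below are assumptions
# for Debian/Kali and are easy to adjust for another distribution.

# Map a tool name to an apt package hint (assumed mapping).
package_hint() {
  case "$1" in
    msfvenom|msfconsole)          echo "metasploit-framework" ;;
    aapt|apksigner|zipalign)      echo "android-sdk-build-tools" ;;
    apktool)                      echo "apktool" ;;
    keytool)                      echo "default-jdk" ;;
    xterm|zenity|wget|curl|unzip) echo "$1" ;;
    *)                            echo "(no hint for $1)" ;;
  esac
}

# Print the names of the tools from "$@" that are not on PATH, one per line.
missing_tools() {
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
  done
}

# Human-readable report: one line per tool, with an install hint for each
# missing one. Always returns 0; callers decide what to do with the result.
dependency_summary() {
  for tool in "$@"; do
    if command -v "$tool" >/dev/null 2>&1; then
      printf 'ok       %s\n' "$tool"
    else
      printf 'MISSING  %-10s install hint: sudo apt-get install -y %s\n' \
        "$tool" "$(package_hint "$tool")"
    fi
  done
}

# True when running as root; the script needs root for service and package steps.
is_root() {
  [ "$(id -u)" -eq 0 ]
}

# Report on the tools the README lists; succeed only if none are missing.
preflight() {
  tools="msfvenom msfconsole xterm zenity aapt apktool zipalign apksigner keytool wget curl unzip"
  is_root || echo "note: not running as root; service/package steps will fail" >&2
  # shellcheck disable=SC2086  # word splitting of $tools is intended
  dependency_summary $tools
  [ -z "$(missing_tools $tools)" ]
}
```

Call `preflight` from the shell to run the check; its exit status is non-zero when anything is missing, so it can gate the rest of a lab setup script.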

Logging:
Enable optional logging (writes to a local log file):

```bash
EVIL_DROID_LOG=1 ./evil-droid
```

What gets logged (high-level):
- Startup, dependency summary, and service start/stop events
- Selected LHOST, LPORT, payload, and output names
- Major build/sign steps and failures
Treat logs as sensitive lab data and store them securely.
Override log file location:

```bash
EVIL_DROID_LOG=1 EVIL_DROID_LOG_FILE=/tmp/evil-droid.log ./evil-droid
```

Override temporary workspace:

```bash
EVIL_DROID_WORKDIR=/tmp/evil-droid-tmp ./evil-droid
```

Files and directories:
- Output directory: `evilapk/`
- Temp workspace: `.evil-droid-tmp/` (overridable via `EVIL_DROID_WORKDIR`)
- Cleanup option removes generated artifacts and the temp workspace
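How the "safer temp workspace" and optional logging can be handled, as an added POSIX sh example that reads the same environment variables the README documents (`EVIL_DROID_WORKDIR`, `EVIL_DROID_LOG`, `EVIL_DROID_LOG_FILE`). This is not the project's code; the symlink refusal, the path sanity checks in cleanup, and the default log file name `evil-droid.log` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Evil-Droid's own code): workspace and log handling driven by
# the environment variables the README documents. The symlink and path checks are
# this example's additions; the default log name evil-droid.log is an assumption.

workdir_path() {
  printf '%s\n' "${EVIL_DROID_WORKDIR:-.evil-droid-tmp}"
}

# Create the temp workspace, private to the current user. A symlink at that path
# is refused: a later cleanup would otherwise follow it and delete its target.
prepare_workdir() {
  dir=$(workdir_path)
  if [ -L "$dir" ]; then
    printf 'refusing symlinked workspace: %s\n' "$dir" >&2
    return 1
  fi
  ( umask 077 && mkdir -p -- "$dir" ) || return 1   # umask scoped to the subshell
  chmod 700 -- "$dir" || return 1
  printf '%s\n' "$dir"
}

# Append a timestamped line to the log, but only when logging is switched on.
# Logged values (LHOST, payload names) are lab data; the file inherits umask.
log_event() {
  [ "${EVIL_DROID_LOG:-0}" = "1" ] || return 0
  file=${EVIL_DROID_LOG_FILE:-evil-droid.log}
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$file"
}

# CLEAN-style removal of the workspace only. Refuses empty, root, home or
# symlinked paths so a bad environment value cannot widen the rm -rf.
clean_workdir() {
  dir=$(workdir_path)
  case "$dir" in
    ""|/|"$HOME"|"$HOME"/) return 1 ;;
  esac
  [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
  rm -rf -- "$dir"
}
```

`prepare_workdir` prints the directory it created so a caller can capture it; `clean_workdir` returns 1 rather than deleting anything when the configured path looks wrong, which is the behaviour you want from a cleanup step that runs as root.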

Troubleshooting:
- "You must be root": run with `sudo`.
- "tool not found": install missing dependencies; the script prints install hints.
- "msfconsole/msfvenom not found": ensure `metasploit-framework` is installed.
- Java/apksigner errors: ensure `default-jdk` and `android-sdk-build-tools` are installed.
- GUI dialogs not showing: ensure `zenity` is installed and you are in a GUI session.
- Services fail to start: verify `apache2` and `postgresql` are installed and not blocked by policy.
- Output not created: ensure write permissions in the repo directory.
- Clean up stuck files: use the `CLEAN` option or delete the temp workspace.
FAQ:
- "Does this work on every Android version?": No. Behavior depends on OS version, patch level, vendor hardening, and security settings.
- "Is this safe for production devices?": No. Use only in authorized lab environments.

Lab checklist:
- Confirm written permission and scope before testing.
- Use isolated lab devices and networks (no production data).
- Document baseline device state before testing.
- Record results and observations for research reporting.
- Clean up artifacts and restore the lab environment after testing.

Support:
- Issues: use GitHub Issues for bugs and requests
- Maintainer: https://github.com/UdayaSri0
Remember: use this tool only for systems you own or have explicit permission to test.

