Hacking Android Mobile using Meterpreter

Disclaimer: The below post is only for educational purpose and not for performing actual hacking.

Because of the security reasons I am not explaining how to do this over external network.

Hacking an android mobile devices is a very easy task.

I will today explain a very easy way which doesn’t require a lot of geeky knowledge but a little knowledge of the linux OS and an android user not that aware of the android security, which is almost more than 75% of the mobile phone user are.

Anyway Without further delay let’s start.

The complete hacking can be broken down into 3 simple steps as follows:

  1. Generating an evil android application.
  2. Installing that application into victim’s mobile phone.
  3. Waiting for him to run the application.

Step 1 : Payload (Evil android apk) generation

First of all for every step below we need a linux OS.

For generating the payload first we need to know our system IP.

Now let’s make our own evil apk.

Above command is used to create the evil apk to get the reverse shell on your attacker machine.

I will explain the above command:

msfvenom is the tool for payload generation, android/meterpreter/reverse_tcp is the type of reverse shell we are gonna create.

LHOST: Attacker IP.

LPORT: Port number on which attacker is going to listen the incoming reverse connection.

So, as can be seen from the above command the created payload is named as evil.apk

Our payload is generated.

Now, the main thing is how are you gonna install the application into any victim’s mobile.

  1. Host the application on a server and share the link to the victim and as they click the application is downloaded and installed.
  2. Otherwise smart hackers normally embed this malicious shell into a premium version of any application(Whatsapp, Youtube premium etc).

Now, We’re gonna set up our meterpreter listner to listen to the incoming reverse shell.

We will select the same android/meterpreter/reverse_tcp listener as the created payload(Evil.apk).

Now we need to set the host and the port as the payload.

LHOST is attacker’s IP.

LPORT is the port you want to listen to.

Well since being an ethical hacker I will not try to compromise any one, For educational purpose I am using my own android mobile and using the adb (Android debugging bridge) to install the apk using USB connected mobile.

Bingo the evil apk is installed.

As you can see below the app is installed and the icon name is shown as main activity, as I didn’t spend much creativity to change the name and logo since this is just for knowledge purpose and not an actual attack,

Now Let’s hack:

Go back to the msfconsole again, use the below commands and run.

Bingo Meterpreter session 1 is open.

We can use the help command to list down all the commands which we can execute.

Okay Let’s check our mobile is rooted or not:

Now, Let’s take shell.

Bingo we are inside the android shell now.

That’s all folks.

Security researcher, Blogger, Bug Bounty hunter