Hackers can hack your phone (2023)
- In this articale I will show you how I can remotely control an Android telephone. Assuming you introduce programming (playful music) or I utilize an extraordinary link, an O.MG link, to get that telephone to download and introduce programming, I can remotely control the telephone. I can peruse your SMSs. I can send SMSs from the telephone to another telephone which I'll illustrate. May this articale be an admonition to both you and your family why you shouldn't download untrusted programming and run untrusted programming on gadgets like your telephone or your PC. (peppy music) Before we begin, I want to clarify that this articale is for instructive purposes just and to make you mindful (delicate music) of the likely weaknesses in a gadget, for example, an Android telephone. You should don't download untrusted programming onto your gadgets since it can have decimating outcomes. Have zero faith in any product and download it. Additionally know that since it'll seems as though a standard link doesn't imply that it is a standard link. I will show you in this articale how a link that seems to be a standard USB link or an iPhone link can be a vindictive link and not what it resembles. Alright, how about we get everything rolling with the articale. Despite the fact that these two links might appear to be identical, one of them is an O.MG link that permits me to send keystrokes to a telephone. It behaves like a typical link yet has a ton of force. Here I have a Samsung S22. I won't contact the telephone. I'm running programming in the cloud and notice what I can do. I can communicate something specific from the cloud to this telephone to get that telephone to make an impression on this telephone. So what I'll do here is utilize the order send_sms and we should call this Phony SMS and press Enter. I'll go to Messages and as may be obvious, the Phony SMS was gotten by this telephone. We should attempt it once more. This is a test SMS from Android, press Enter. Yet again i'm associating with a server in the cloud. It's making an impression on this telephone. I'm somewhat controlling this telephone which is then communicating something specific by means of SMS to my iPhone in light of the fact that I've had the option to introduce pernicious programming on the Android gadget. I find it astonishing that Android permits you to download and introduce this sort of programming. Hopefully they secure Android much more with the goal that this sort of thing is beyond the realm of possibilities. If it's not too much trouble, note, in this model, it's appearing as MainActivity on the telephone. at the point when programming was downloaded and run on a Windows 11 PC. Utilize the connection underneath to see that articale. Presently you can do numerous things here. For instance, assuming I type sysinfo, you can see that this telephone is running Android 12. Assuming I go to Settings on the telephone, you can see that the variant being utilized here is Android 12. I can peruse SMSs from a distance. So assuming I utilize the order dump_sms, those messages are saved to this document on the server and I could utilize the order feline, and I can peruse those SMS messages. I sent a SMS saying, "Critical message. Try not to impart to anybody," "Extremely classified message, don't show anybody." Here is a one-time secret key from Three which is the PDA supplier in this model. Here is my number which we'll stow away for this articale with the goal that I don't get an entire pack of spam messages. As may be obvious, messages were gotten by this telephone. I could communicate something specific back expressing Hi from iPhone. So send those messages back to the telephone, you can see here "Hi from iPhone". So on my server by and by, I could dump those SMSs. I'll peruse that document on the server, feline Control + V. Here are the messages, "Hi." "From iPhone." Here you can see the message, "This is a test SMS from Android." "Counterfeit SMS." We should call the telephone, I'll kill the call. How about we dump the call log. What I will do here is utilize the order dump_calllog. Here is the record that is made. Also, I'll feline that data and you can see this call was missed by the telephone. OK, yet how would you get the product on the telephone? Presently there are different ways of doing this, you could utilize a phishing site. So you could deceive the client to going to a site and afterward downloading the product and introducing it. However, they need to consent to introduce programming that hasn't been checked, so you've have to truly do a social designing to get the client to introduce the product. What planned to do in this exhibit is utilize an O.MG link. In the event that you haven't seen these previously, these are made by Hak5. Well O.MG is really the maker however he sells these links with Hak5. This is a standard lightning link, yet here is an O.MG link. So you presumably can't see the contrast between those two links. One is an O.MG link, one is a standard link. Undeniably challenging to see the distinction. They are basically something similar. They behave like ordinary links yet have an AP inside them that you can interface with utilizing Wi-Fi. They can send keystrokes to a gadget like a telephone. In the event that I plug this in to a telephone, for instance, I could charge that telephone ordinarily, behaves like an ordinary link. In any case, what it permits me to do is send keystrokes to the telephone to answer the telephone to follow through with something. So for instance, I could connect this link to that telephone. I'll simply leave it here detached just to mention that I won't contact the link. What I can do is associate with a passageway in the link. So from my PC, I will associate with the O.MG link that is running a passageway. Also, what I will do is associate with an IP address, 192.168.4.1. I've covered a portion of the O.MG usefulness in discrete articales. Examine this articale as an illustration where I send keystrokes to the telephone to inspire it to snap a picture or do different things yet what I will do here is I will stack a pre-designed payload. I've made this payload. You can track down this payload on GitHub, utilize the connection underneath. It could conceivably work for your specific telephone. In this model, this payload has been made for a Samsung S22 telephone. You might have to change particularly the clocks. What were fundamentally doing is sending keystrokes to the gadget and afterward there's defers between the keystrokes. I've made them genuinely huge so it doesn't go excessively fast on the articale. Yet additionally assuming you make them excessively fast, it can break your content, so you might need to mess with the clocks to get this to work. What we essentially doing is getting the gadget to download a malignant APK record from a server. The server is running on linode it is right here, so Metasploit Ubuntu APK server, and you'll see that is the IP address recorded in the string that will be shipped off the telephone to download the noxious APK. What we are utilizing here is Metasploit and MSFvenom to make a malevolent APK record which is then downloaded to the telephone. Gets the telephone to associate with my server, and afterward I can type different orders which I've illustrated. So I have Metasploit running and I'll basically type rush to run the product. I'll begin my Python server, my Python HTTP server is posting on port 8000. I have my payload running, it's posting on port fourfold four under this IP address. In the content running on the O.MG link, that is the IP address that we will highlight, port 8000, as a result of the Python server. We will download the O.MG APK record. Alright, so how about we check whether it really works. I won't contact the link, I'll move this console away. All I will do is click run. Payload is running on the O.MG link. It opens up an internet browser, that's it. Associates with the server. It downloads the APK record. Yet again i've placed long defers in the content to ensure that this works and to ensure that it doesn't go excessively fast. Introduces the document. Were informed that it's obstructed by Play Safeguard yet we will send keystrokes to advise it to run it in any case and introduce it and afterward open up the document. It then, at that point, permits that application to fundamentally get to everything on the telephone. Furthermore, there you go, script has finished. We can see that an association was made to the server. Presently we can type different orders. I can type ifconfig. That gives me the IP address of the gadget. There's wlan0, there's the IP address of the gadget. Presently in the event that the meeting breaks simply type rush to run it once more. The product ought to naturally interface. On the off chance that it doesn't simply run it physically once more. So how about we type sysinfo, we can see that this is an Android 12 telephone. We should dump the SMSs once more, so we'll utilize the order dump_sms. We're informed that the SMSs are unloaded to that document. So ls on the server, it's to l. The record is this one. So feline that record. You can see that there was an active message called "This is a phony SMS." You can see that I beat up this telephone so I put 10 pounds on it. You can see that I sent, "This is an extremely classified message," "This is a test message." We could dump the call log, so calllog. That is the name of the document. So I'll feline that. Also, you can see different calls were made to this telephone. OK, yet we can likewise send SMSs from the telephone by and by. So one more test sms from metasploit. Also, there you have it. One more TEST sms from metasploit. Just to come to the meaningful conclusion, suppose last message. Presently recollect that, I'm sending it from a host on the web. It's making an impression on that telephone. That telephone is then sending SMS to this telephone. "Last message". We ought not be ready to do this on an Android telephone. It shouldn't acknowledge applications like this. Default conduct ought to be to obstruct this multitude of sorts of utilizations. Try not to download programming from the web that you don't confide in. Try not to simply download an APK and run it on your telephone. Since somebody could do stuff like this where they can peruse the messages on your telephone. They can get things done on your telephone that they ought not be ready to do. I have connected a PDF record beneath this articale that tells you the best way to set this up. You really want an O.MG link. And afterward in this record I'll tell you the best way to set up a server. I'll tell you the best way to download the Metasploit system. I tell you the best way to make the vindictive payload, so the OMG APK record. I then, at that point, show you the orders to set this up. You likewise need to set up a web server.
