Lab: Hacking an Android Device with MSFvenom [Updated 2020]

Learn penetration testing

Build your real-world pentesting skills through 34 hands-on labs. This skills course covers

⇒ Web app hacking
⇒ Hacking with Android
⇒ Ethical hacking

Start your free trial


In this lab, we are going to learn how you can hack an android mobile device using MSFvenom and the Metasploit framework. We will use MSFvenom for generating the payload, save it as an .apk file and set up a listener to the Metasploit framework. Once the user/victim downloads and install the malicious .apk, an attacker can easily get back the session on Metasploit. To accomplish this, an attacker needs to do some social engineering to install the .apk on the victim’s mobile device.

We will demonstrate this by using the following tools

  • Kali Linux
  • Android device/emulator
  • Zipalign
  • VMware or VirtualBox (virtual environment)

Once the following setup is confirmed without error, then we are ready.

NOTE: This lab is for education purposes only. The author and/or Infosec are not responsible for any illegal activity performed by the user. Kindly type commands instead of copy/paste in order to replicate the lab.


In this lab, we are using Kali Linux and an Android device to perform mobile penetration testing. Kali Linux is one of the Debian-based operating systems with several tools aimed at various information security tasks such as penetration testing, forensics and reverse engineering. Kali Linux is one of the most-used operating systems for penetration testing.

Android Emulator is used as an Android device on which penetration testing tasks can be performed (if you don’t have an actual Android device).

Virtual machines Needed: Kali Linux and Android Emulator VM

The walkthrough

Step 1: Starting Kali Linux

  • From your VM, start Kali Linux and log in with root/toor (user ID/password)
  • Open a terminal prompt and make an exploit for the (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Jatin Jain. Read the original post at: