This repository documents an Open Ended Lab (OEL) focused on remote hacking of Android devices using custom-built payloads and ethical hacking frameworks. The lab demonstrates how Android exploitation can be performed without relying on inbuilt payloads, emphasizing payload creation, hosting, delivery, and remote control in a controlled testing environment.
⚠️ Disclaimer:
This project is strictly for educational and ethical hacking purposes only. All experiments were conducted on emulators or test devices with proper authorization. Unauthorized exploitation of real devices is illegal and unethical.
To create and deploy custom Android payloads capable of exploiting Android devices remotely without using default inbuilt payloads, and to analyze post-exploitation capabilities using ethical hacking tools.
- Kali Linux (Virtual Machine)
- Apache2 Web Server
- Android Studio Emulator
- Ngrok
- AhMyth Android RAT
- AndroRAT
- Veil Framework
- Test Android Devices (Emulator & Physical Device)
- Identify the IP address of the Kali Linux virtual machine.
- Update system repositories and install required tools.
- Install and enable Apache2 to host malicious APK payloads.
- Configure Veil Framework for payload obfuscation and evasion.
- Create and boot an Android emulator (Android 8.0) using Android Studio.
- Required libraries and dependencies were installed to support AhMyth and AndroRAT.
- Python virtual environments were used where required to avoid system conflicts.
AhMyth Android RAT is a GUI-based Android exploitation framework that allows:
- APK payload generation
- Remote access and control
- File system access
- Live victim monitoring
- Configured AhMyth with ngrok TCP tunnel IP and port to make the payload globally accessible.
- Generated a custom APK payload using AhMyth’s APK builder.
- Embedded the payload into a legitimate-looking Android application (e.g., game APK).
- Hosted the generated APK on the Apache2 web server.
- Configured permissions to allow external downloads.
- Used social engineering techniques to lure the victim into installing the APK.
- Victim device successfully connected back to the attacker.
- Device information and file history were accessed.
- Multiple victims (emulator and physical Android device) were detected and controlled.
- Successful exploitation confirmed on Android 8 and Android 9 devices.
AndroRAT is a CLI-based Android Remote Administration Tool used for ethical hacking and research.
- Downloaded AndroRAT from GitHub.
- Created a Python virtual environment to run the framework.
- Installed required Python dependencies.
- Built a malicious APK (
helloworld.apk) configured with attacker IP and port.
- Hosted the APK on Apache2.
- Delivered the payload to the victim device using social engineering.
- Ensured correct IP and port configuration (local listener, not ngrok forwarding port).
- Remote session successfully established.
- Attacker gained control over victim device.
- Demonstrated command execution and monitoring features.
To evade detection by antivirus and security mechanisms through payload obfuscation and encryption.
- Installed and launched the Veil framework.
- Selected evasion mode to generate encrypted payloads.
- Integrated Veil-generated payloads into the Android exploitation workflow.
- Custom payload creation significantly improves stealth and effectiveness.
- Ngrok is essential for bypassing NAT and enabling global reachability.
- Hosting payloads via Apache2 simulates real-world attack delivery methods.
- Emulators and physical devices respond differently to exploits.
- Encryption and obfuscation are critical for bypassing security controls.
This Open Ended Lab successfully demonstrated remote Android exploitation using custom payloads, covering the full attack lifecycle:
- Payload creation
- Hosting and delivery
- Victim compromise
- Post-exploitation control
By using tools like AhMyth, AndroRAT, and Veil, the lab highlights how Android devices can be compromised through social engineering and malicious applications. The exercise reinforces the importance of mobile security awareness, application verification, and defensive controls.
This repository is intended solely for academic, research, and defensive security training purposes. Any misuse of the techniques demonstrated here is strictly prohibited and may result in legal consequences.