L3MON - Hack Android Mobile Remotely [Step-by-Step]

In this guide, we will be using the l3mon android remote administration tool to hack an android mobile remotely by installing a malware on the victim android device. Over the years, android malware has evolved from simple to complex types. These malwares are being built having complex functions within them which allow attackers to have more control of the victim's device and access information remotely. Moreover, the malware can also be installed on the victim's device remotely and they operate in stealth mode to avoid detection by antivirus programs.

Prerequisites

Have a PC with Windows or Linux operating system improved. (If you intend to continuously monitor multiple devices, using a server is recommended)
Java Runtime Environment 8.
Have NodeJs installed.
Have a victim android device to monitor.

DISCLAIMER:

This guide has been made for education purposes only. Always make sure you obtain the consent of the parties involved before launching any attack against them.

L3mon remote android management tool

L3mon is a remote management tool that generates an android payload without using the command line. While using the l3mon tool, we generate the payload using the tool’s web panel. Some of the features of the payload generated using the l3mon tool include;

GPS information.
Microphone recording.
Contacts on the victim’s device.
Viewing SMS.
Sending SMS.
Viewing call logs.
Viewing installed apps.
Viewing stub permissions.
Live clipboard logging.
Live notification logging.
Viewing Wi-Fi networks. (Wi-Fi SSID of previously connected networks)
File explorer.
View downloaded files.
Commands queuing.

ALSO READ: SMTP Enumeration Tutorial [100% Working]

Install L3MON tool

To install the l3mon tool, we first need to install the required dependencies to make sure we don’t face errors as we try to launch the tool and generate a malicious android APK to be installed on the target device.

Install Java OpenJDK

We first need to make sure we have installed the Java Runtime Environment. To install, we will download the installer file from the Oracle downloads page. On the downloads page, we have various files from where we download the specific runtime environment we need with respect to our operating system. We can also use the terminal to install the Java Runtime Environment using the command.

sudo apt-get install openjdk-8-jre

NOTE:

L3mon recommends using Java 1.8 to avoid running into errors while generating an android APK file.

Install pm2

Lastly, we need to install pm2 which is used to keep L3mon running. To install pm2 we run the command.

npm install pm2 –g

Install L3mon

Having installed the required dependencies, we now are ready to install and use the l3mon tool. We will download the tool’s file from the official GitHub repository either by manually downloading or via the command line using the command.

git clone https://github.com/D3VL/L3MON.git

After the download is complete we navigate to the tool’s file to install the NodeJS required dependencies.

cd L3MON/server

We then install dependencies using the command.

npm install

Configure admin password

The last step of installing l3mon is editing the admin password. We open the maindb.json file and add our password in the below-indicated position.

NOTE:

L3mon require us to enter the admin password as an md5 hash. You can use one of the many md5 hash generators found online to generate the hash for the password we intend to use.

Running l3mon remote android management suite

To launch l3mon, we can use one of the two available commands after we navigate into the server directory within the l3mon tool’s file.

cd L3MON/server

‘pm2 start index.js’ to start the script or ‘pm2 startup’ if we want to be running l3mon on startup as shown in the image below.

ALSO READ: Perform a Local File Inclusion Attack [100% Working]

We can now be able to access and use l3mon via the web browser using the address 127.0.0.1:22533. We will be required to provide the login credentials to log in as shown in the image below.

By providing the correct login details we are able to access the home page of the panel form where we can see the connected apps and on the top, we can navigate to the app builder to generate a malicious android application as shown on the image below.

Generating malicious payload

On the image shown below, we can see we only require an IP address and a port number to be able to create the apk. If your target is on the same network as you, you are supposed to use your local IP address and in a case where you want to access the target device over the internet, you will use your public IP address.

After providing the required information you just click build, sit back and wait for l3mon to complete generating the application. Once done an option to download the application will appear.

Installing the malicious application on the target device

There is no specific way to install the malicious application on the target device. You can refer to our social engineering techniques guide to lure the victim to install the application and use the APK obfuscation technique we discussed earlier to avoid detection by antivirus programs on the target device. The success of this step depends on how well you know your target and the technique you will be using to lure the victim to install the application.

Accessing information and managing the victim’s device

At this stage, you have already installed your application on the target device. You can now be able to access the victim’s device remotely and you can issues commands to control the device provided that you are on the same network as the victim or the victim is connected to the internet. Below is an image which shows connected devices on the l3mon’s administration page.

ALSO READ: 5 DNS Enumeration Tools with Best Practices & Examples

On the image, we can see that l3mon has two categories of devices, those that are currently online and those that are offline at the time. When we click the manage button we are able to access various types of information on the victim device and even be able to issue commands remotely as shown in the images below.

Available devices information

We can be able to view when the device was first connected and when it was last connected.

GPS information

We can be able to view the device's GPS information, and the GPS log of previous locations and we can set the time intervals to check the device’s location.

Access Microphone

Using the microphone option we can remotely record and listen to what is happening around where the victim device is at.

Access Contacts

Viewing the saved contacts.

Call logs

Accessing the call logs available on the target device.

Clipboard log

Viewing the contents copied on the clipboard

Access SMS Manager

Using SMS manager we can view messages received and sent by the victim device. We can also be able to send SMS from the l3mon administration panel.

Access Installed applications

Checking the installed applications.

Allowed permissions

Viewing the allowed permissions.

Conclusion

Android remote monitoring tools are expensive, especially where we monitor more than one device. A lot of resources are used to make sure the monitoring system is running and performing as expected. L3mon android management suite being open source cuts down the cost of monitoring these devices as it is available for free. The tool requires minimal resources to operate making monitoring exercises affordable to individuals and organizations in need of such services. It is however a dangerous tool when used by the attackers in their mass monitoring campaigns. As we use l3mon we should ensure we are not breaking the laws set by the government under which we are.

ALSO READ: Top 5 Fuzzing Tools for Web Application Pentesting