In this guide, we will use the L3MON Android remote administration tool to hack an Android mobile remotely by installing malware on the victim Android device. Over the years, Android malware has evolved from simple to complex types. This malware is built with complex functions that give attackers more control of the victim's device and remote access to its information. Moreover, the malware can also be installed on the victim's device remotely, and it operates in stealth mode to avoid detection by antivirus programs.
Prerequisites
- Have a PC with a Windows or Linux operating system installed. (If you intend to continuously monitor multiple devices, using a server is recommended)
- Java Runtime Environment 8.
- Have Node.js installed.
- Have a victim android device to monitor.
L3mon remote android management tool
L3mon is a remote management tool that generates an Android payload without using the command line. While using the l3mon tool, we generate the payload using the tool's web panel. Some of the features of the payload generated using the l3mon tool include:
- GPS information.
- Microphone recording.
- Contacts on the victim’s device.
- Viewing SMS.
- Sending SMS.
- Viewing call logs.
- Viewing installed apps.
- Viewing stub permissions.
- Live clipboard logging.
- Live notification logging.
- Viewing Wi-Fi networks. (Wi-Fi SSID of previously connected networks)
- File explorer.
- View downloaded files.
- Commands queuing.
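From a defender's side, the feature list above maps to a recognizable set of Android permissions, and an app that holds most of them together with network access deserves a manual review. The following is an added example, not code from the original guide or from the L3MON project: the capability-to-permission mapping, the threshold of five and the sample package names are assumptions made for illustration, and the sample input is constructed in the style of `adb shell dumpsys package <name>` output.

```python
import re

# Capability -> Android permission that gates it. The mapping is this example's
# assumption, derived from the feature list above, not from L3MON's manifest.
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms_read": {"android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
}
PKG = re.compile(r"^\s*Package \[([\w.]+)\]", re.M)
GRANTED = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true", re.M)

def triage(dumps, threshold=5):
    """Return (package, capabilities) for network-capable apps at or above threshold."""
    findings = []
    for dump in dumps:
        match = PKG.search(dump)
        perms = set(GRANTED.findall(dump))  # granted=false lines are ignored
        caps = sorted(c for c, needed in CAPABILITIES.items() if needed & perms)
        if "android.permission.INTERNET" in perms and len(caps) >= threshold:
            findings.append((match.group(1) if match else "<unknown>", caps))
    return findings

# Constructed sample input; both package names are hypothetical.
SAMPLE_DUMPS = [
    """Packages:
  Package [com.example.notes] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
""",
    """Packages:
  Package [com.example.flashlight] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
""" + "".join(f"      android.permission.{p}: granted=true, flags=[ USER_SET ]\n" for p in (
        "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "READ_CONTACTS", "READ_SMS",
        "SEND_SMS", "READ_CALL_LOG")),
]
if __name__ == "__main__":
    print(triage(SAMPLE_DUMPS))
```

A hit is a prompt for manual review, not proof of compromise: legitimate messaging and backup apps can hold the same permissions.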
Install L3MON tool
To install the l3mon tool, we first need to install the required dependencies to make sure we don’t face errors as we try to launch the tool and generate a malicious android APK to be installed on the target device.
Install Java OpenJDK
We first need to make sure we have installed the Java Runtime Environment. To install it, we download the installer file from the Oracle downloads page. The downloads page offers various files, from which we pick the specific runtime environment for our operating system. We can also install the Java Runtime Environment from the terminal using the command:
sudo apt-get install openjdk-8-jre
Install pm2
Lastly, we need to install pm2 which is used to keep L3mon running. To install pm2 we run the command.
npm install pm2 -g
Install L3mon
Having installed the required dependencies, we now are ready to install and use the l3mon tool. We will download the tool’s file from the official GitHub repository either by manually downloading or via the command line using the command.
git clone https://github.com/D3VL/L3MON.git
After the download is complete we navigate to the tool’s file to install the NodeJS required dependencies.
cd L3MON/server
We then install dependencies using the command.
npm install
Configure admin password
The last step of installing l3mon is editing the admin password. We open the maindb.json file and add our password in the below-indicated position.
Running l3mon remote android management suite
To launch l3mon, we can use one of the two available commands after we navigate into the server directory within the l3mon tool’s file.
cd L3MON/server
We run 'pm2 start index.js' to start the script, or 'pm2 startup' if we want l3mon to run on startup, as shown in the image below.
We can now access and use l3mon via the web browser using the address 127.0.0.1:22533. We will be required to provide the login credentials to log in as shown in the image below.
By providing the correct login details we are able to access the home page of the panel, from where we can see the connected apps. From the top of the page, we can navigate to the app builder to generate a malicious Android application as shown in the image below.
Generating malicious payload
On the image shown below, we can see we only require an IP address and a port number to be able to create the apk. If your target is on the same network as you, you are supposed to use your local IP address and in a case where you want to access the target device over the internet, you will use your public IP address.
After providing the required information you just click build, sit back and wait for l3mon to complete generating the application. Once done an option to download the application will appear.
Installing the malicious application on the target device
There is no specific way to install the malicious application on the target device. You can refer to our social engineering techniques guide to lure the victim to install the application and use the APK obfuscation technique we discussed earlier to avoid detection by antivirus programs on the target device. The success of this step depends on how well you know your target and the technique you will be using to lure the victim to install the application.
Accessing information and managing the victim's device
At this stage, you have already installed your application on the target device. You can now access the victim's device remotely and issue commands to control the device, provided that you are on the same network as the victim or the victim is connected to the internet. Below is an image which shows connected devices on l3mon's administration page.
On the image, we can see that l3mon has two categories of devices, those that are currently online and those that are offline at the time. When we click the manage button we are able to access various types of information on the victim device and even be able to issue commands remotely as shown in the images below.
Available devices information
We can view when the device was first connected and when it was last connected.
GPS information
We can view the device's GPS information and the GPS log of previous locations, and we can set the time intervals at which to check the device's location.
Access Microphone
Using the microphone option we can remotely record and listen to what is happening around the victim device.
Access Contacts
Viewing the saved contacts.
Call logs
Accessing the call logs available on the target device.
Clipboard log
Viewing the contents copied to the clipboard.
Access SMS Manager
Using the SMS manager we can view messages received and sent by the victim device. We can also send SMS from the l3mon administration panel.
Access Installed applications
Checking the installed applications.
Allowed permissions
Viewing the allowed permissions.
Conclusion
Android remote monitoring tools are expensive, especially where we monitor more than one device. A lot of resources are used to make sure the monitoring system is running and performing as expected. The L3mon Android management suite, being open source, cuts down the cost of monitoring these devices as it is available for free. The tool requires minimal resources to operate, making monitoring exercises affordable to individuals and organizations in need of such services. It is however a dangerous tool when used by attackers in their mass monitoring campaigns. As we use l3mon, we should ensure we are not breaking the laws of the government under which we live.
ok so how can we check to see if we have such a program installed on our phones ..
in other words prevent this .
can I access the device without any physical touch on victims device
Why does the Java version still display “Incorrect Java version installed. Openjdk version” 20.0.1 “20 after switching to 1.8.0. Please use Java 1.8.0 ”
cmd:
C:\Users\Administrator>java -version
java version "1.8.0_371"
Java(TM) SE Runtime Environment (build 1.8.0_371-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.371-b11, mixed mode)
C:\Users\Administrator>javac -version
javac 1.8.0_371
Hello,
Did I translate it correctly? I’m trying to build the APK, but it seems I’m getting many errors. Do you know why? Is it because the client is outdated, or is it just me? Can you help me with this, please?
https://user-images.githubusercontent.com/78589683/238977407-6f46cf7c-00f9-4515-8b14-d505514551c6.png
I wanted to ask: I use lemon in Linux on cloud, will a public IP help me to get the connection between the victim and me, when they are away in any part of the world?
hello , i’ve done all already but my device tab is empty
i’ve tested the app using nc and msfconsole , it’s okay
Don’t know where the problem is .
thanks
Thanks for this tutorial, but where can we find the L3MON source code now that the git repository has been deleted ?
Hi,
You can check the L3MON-MOD from its GitHub repository (https://github.com/Basudev1/L3MON-MOD.git). But you have to build or edit the payload using apk editor or Android Studio, the client is here (https://github.com/Basudev1/L3MON-Mod-Client)
thanks a lot !
hey, can you provide a lil more detail on how? can we now access it? like i have cloned both repositories, and when i open my browser, the app builder button does not work, what should i do
Once we done with exploit data from victims phone….
1. Is that installed apk can still running in background ????? Is it possible to make that app never die or uninstallable??????
2. After closing the terminal and the L3MON web page where we get victims data showed ……how to access again the same victim’s phone data….like never disconnect with victims phone?????
Once the app is installed on the target phone, it will automatically disappear it cannot be seen on the apps’ menu.
L3mon will always resume the connections it had made earlier with the victim’s device as long as the app is still running on the victim’s device. If you are planning to use l3mon for a long time, it is advisable you run the “pm2 startup” command to ensure l3mon will always run when you power on your computer.
Thank you so much for your reply, I appreciate that…..but what about once we close the terminal or that L3MON web page …..how can we regain access to that same device which we access earlier…
Yes, the connection is persistent. Once you run L3MON the connection will resume as long as the target has not uninstalled the application.
any video tutorial on this or telegram channel
acha