L3MON - Hack Android Mobile Remotely [Step-by-Step]

In this guide, we will use the l3mon Android remote administration tool to hack an Android mobile remotely by installing malware on the victim's Android device. Over the years, Android malware has evolved from simple to complex types. Modern malware is built with complex functions that give attackers more control over the victim's device and remote access to its information. Moreover, the malware can also be installed on the victim's device remotely, and it operates in stealth mode to avoid detection by antivirus programs.

Prerequisites

  1. Have a PC with the Windows or Linux operating system installed. (If you intend to continuously monitor multiple devices, using a server is recommended.)
  2. Java Runtime Environment 8.
  3. Have Node.js installed.
  4. Have a victim android device to monitor.

DISCLAIMER:

This guide has been made for educational purposes only. Always make sure you obtain the consent of the parties involved before launching any attack against them.


L3mon remote android management tool

L3mon is a remote management tool that generates an android payload without using the command line. While using the l3mon tool, we generate the payload using the tool’s web panel. Some of the features of the payload generated using the l3mon tool include:

  • GPS information.
  • Microphone recording.
  • Contacts on the victim’s device.
  • Viewing SMS.
  • Sending SMS.
  • Viewing call logs.
  • Viewing installed apps.
  • Viewing stub permissions.
  • Live clipboard logging.
  • Live notification logging.
  • Viewing Wi-Fi networks. (Wi-Fi SSID of previously connected networks)
  • File explorer.
  • View downloaded files.
  • Commands queuing.
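
Seen from the defender's side, most of the capabilities listed above require an app to request specific Android permissions, so an app inventory can be screened for that combination. The following is an added example, not code from the original page or from the L3MON project: the capability-to-permission mapping, the input format (modelled on `aapt dump permissions` style output) and the package names are assumptions constructed for illustration.

```python
import re

# Assumed mapping (not from the L3MON source): listed capability -> Android permission.
CAPABILITY_PERMISSIONS = {
    "GPS information": "android.permission.ACCESS_FINE_LOCATION",
    "Microphone recording": "android.permission.RECORD_AUDIO",
    "Contacts": "android.permission.READ_CONTACTS",
    "Viewing SMS": "android.permission.READ_SMS",
    "Sending SMS": "android.permission.SEND_SMS",
    "Viewing call logs": "android.permission.READ_CALL_LOG",
}

# Accepts "uses-permission: name='X'" and the older "uses-permission: X" form.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)")

def parse_permission_dump(text):
    """Return {package: set(permissions)} from concatenated permission dumps."""
    packages, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := PKG_RE.match(line):
            current = packages.setdefault(m.group(1), set())
        elif current is not None and (m := PERM_RE.match(line)):
            current.add(m.group(1))
    return packages

def flag_surveillance_capable(packages, threshold=5):
    """Return {package: [capabilities]} for apps covering >= threshold capabilities."""
    findings = {}
    for pkg, perms in packages.items():
        hits = [cap for cap, perm in CAPABILITY_PERMISSIONS.items() if perm in perms]
        if len(hits) >= threshold:
            findings[pkg] = hits
    return findings

# Constructed sample input: two made-up packages, not real apps.
SAMPLE_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
package: com.example.systemupdate
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: android.permission.READ_CALL_LOG
"""

if __name__ == "__main__":
    print(flag_surveillance_capable(parse_permission_dump(SAMPLE_DUMP)))
```

A flagged package is a lead for manual review, not a verdict: legitimate messaging or backup apps can request a similar set.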

 

Install L3MON tool

To install the l3mon tool, we first need to install the required dependencies to make sure we don’t face errors as we try to launch the tool and generate a malicious android APK to be installed on the target device.

 

Install Java OpenJDK

We first need to make sure we have installed the Java Runtime Environment. To install, we will download the installer file from the Oracle downloads page. On the downloads page, we have various files from where we download the specific runtime environment we need with respect to our operating system. We can also use the terminal to install the Java Runtime Environment using the command.

sudo apt-get install openjdk-8-jre

NOTE:

L3mon recommends using Java 1.8 to avoid running into errors while generating an android APK file.

 

Install pm2

Lastly, we need to install pm2 which is used to keep L3mon running. To install pm2 we run the command.

npm install pm2 -g


Install L3mon

Having installed the required dependencies, we are now ready to install and use the l3mon tool. We will download the tool’s files from the official GitHub repository, either manually or via the command line using the command.

git clone https://github.com/D3VL/L3MON.git


After the download is complete, we navigate to the tool’s server directory to install the required NodeJS dependencies.

cd L3MON/server

We then install dependencies using the command.

npm install

 

Configure admin password

The last step of installing l3mon is editing the admin password. We open the maindb.json file and add our password in the below-indicated position.

NOTE:

L3mon requires us to enter the admin password as an md5 hash. You can use one of the many md5 hash generators found online to generate the hash for the password we intend to use.

Running l3mon remote android management suite

To launch l3mon, we can use one of the two available commands after we navigate into the server directory within the l3mon tool’s directory.

cd L3MON/server

We run ‘pm2 start index.js’ to start the script, or ‘pm2 startup’ if we want l3mon to run on startup, as shown in the image below.


We can now access and use l3mon via the web browser using the address 127.0.0.1:22533. We will be required to provide the login credentials to log in, as shown in the image below.


By providing the correct login details, we are able to access the home page of the panel, from where we can see the connected apps, and at the top we can navigate to the app builder to generate a malicious android application, as shown in the image below.


Generating malicious payload

In the image shown below, we can see that we only require an IP address and a port number to create the apk. If your target is on the same network as you, you are supposed to use your local IP address, and in a case where you want to access the target device over the internet, you will use your public IP address.

After providing the required information, you just click build, sit back and wait for l3mon to finish generating the application. Once done, an option to download the application will appear.


Installing the malicious application on the target device

There is no specific way to install the malicious application on the target device. You can refer to our social engineering techniques guide to lure the victim to install the application and use the APK obfuscation technique we discussed earlier to avoid detection by antivirus programs on the target device. The success of this step depends on how well you know your target and the technique you will be using to lure the victim to install the application.

 

Accessing information and managing the victim’s device

At this stage, you have already installed your application on the target device. You can now access the victim’s device remotely and issue commands to control the device, provided that you are on the same network as the victim or the victim is connected to the internet. Below is an image which shows connected devices on l3mon’s administration page.


In the image, we can see that l3mon has two categories of devices: those that are currently online and those that are offline at the time. When we click the manage button, we can access various types of information on the victim device and even issue commands remotely, as shown in the images below.

Available devices information

We can view when the device was first connected and when it was last connected.


GPS information

We can view the device's GPS information and the GPS log of previous locations, and we can set the time intervals at which to check the device’s location.


Access Microphone

Using the microphone option, we can remotely record and listen to what is happening around the victim device.


Access Contacts

Viewing the saved contacts.


Call logs

Accessing the call logs available on the target device.


Clipboard log

Viewing the contents copied to the clipboard.


Access SMS Manager

Using the SMS manager, we can view messages received and sent by the victim device. We can also send SMS from the l3mon administration panel.


Access Installed applications

Checking the installed applications.


Allowed permissions

Viewing the allowed permissions.


Conclusion

Android remote monitoring tools are expensive, especially where we monitor more than one device. A lot of resources are used to make sure the monitoring system is running and performing as expected. The L3mon android management suite, being open source, cuts down the cost of monitoring these devices as it is available for free. The tool requires minimal resources to operate, making monitoring exercises affordable to individuals and organizations in need of such services. It is, however, a dangerous tool when used by attackers in their mass monitoring campaigns. As we use l3mon, we should ensure we are not breaking the laws of the jurisdiction we are in.

 


4 thoughts on “L3MON - Hack Android Mobile Remotely [Step-by-Step]”

  1. Once we are done with exploiting data from the victim's phone…
    1. Can that installed apk still run in the background? Is it possible to make that app never die or uninstallable?
    2. After closing the terminal and the L3MON web page where the victim's data is shown… how do we access the same victim’s phone data again, like never disconnecting from the victim's phone?

    • Once the app is installed on the target phone, it will automatically disappear; it cannot be seen on the apps’ menu.
      L3mon will always resume the connections it had made earlier with the victim’s device as long as the app is still running on the victim’s device. If you are planning to use l3mon for a long time, it is advisable you run the “pm2 startup” command to ensure l3mon will always run when you power on your computer.

      • Thank you so much for your reply, I appreciate that… but what about once we close the terminal or that L3MON web page… how can we regain access to that same device which we accessed earlier?

        • Yes, the connection is persistent. Once you run L3MON the connection will resume as long as the target has not uninstalled the application.
