In this guide, we will be using the l3mon android remote administration tool to hack an android mobile remotely by installing malware on the victim's android device. Over the years, android malware has evolved from simple to complex types. It is now built with complex functions that give attackers more control of the victim's device and remote access to its information. Moreover, the malware can also be installed on the victim's device remotely, and it operates in stealth mode to avoid detection by antivirus programs.
Prerequisites
- Have a PC with a Windows or Linux operating system installed. (If you intend to continuously monitor multiple devices, using a server is recommended)
- Java Runtime Environment 8.
- Have NodeJs installed.
- Have a victim android device to monitor.
L3mon remote android management tool
L3mon is a remote management tool that generates an android payload without using the command line. With l3mon, we generate the payload from the tool’s web panel. Some of the features of the payload generated using the l3mon tool include:
- GPS information.
- Microphone recording.
- Contacts on the victim’s device.
- Viewing SMS.
- Sending SMS.
- Viewing call logs.
- Viewing installed apps.
- Viewing stub permissions.
- Live clipboard logging.
- Live notification logging.
- Viewing Wi-Fi networks. (Wi-Fi SSID of previously connected networks)
- File explorer.
- View downloaded files.
- Commands queuing.
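For defenders, the feature list above translates into a recognizable permission footprint. The following is an added example, not code from L3MON or from this guide: it parses text shaped like `adb shell dumpsys package` output and flags apps whose granted permissions cover several of the listed capabilities. The capability-to-permission mapping, the threshold of 5 and the sample package names are assumptions made for illustration.

```python
import re

P = "android.permission."
# Assumed feature-to-permission mapping; not taken from the tool's manifest.
CAPABILITY_PERMS = {
    "gps": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "microphone": {P + "RECORD_AUDIO"},
    "contacts": {P + "READ_CONTACTS"},
    "view_sms": {P + "READ_SMS"},
    "send_sms": {P + "SEND_SMS"},
    "call_logs": {P + "READ_CALL_LOG"},
    "wifi": {P + "ACCESS_WIFI_STATE"},
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=true")

def granted_permissions(dumpsys_text):
    """Map each package to the permissions reported as granted=true."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg, grant = PKG_RE.match(line), GRANT_RE.match(line)
        if pkg:
            current = result.setdefault(pkg.group(1), set())
        elif grant and current is not None:
            current.add(grant.group(1))
    return result

def triage(dumpsys_text, threshold=5):
    """Return (package, capabilities) for apps covering >= threshold features."""
    flagged = []
    for pkg, perms in granted_permissions(dumpsys_text).items():
        caps = sorted(c for c, need in CAPABILITY_PERMS.items() if perms & need)
        if len(caps) >= threshold:
            flagged.append((pkg, caps))
    return sorted(flagged, key=lambda item: -len(item[1]))

# Constructed sample shaped like `adb shell dumpsys package` output.
SAMPLE = """\
Package [com.example.weather] (1a2b3c):
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.RECORD_AUDIO: granted=false
Package [com.example.sysupdate] (4d5e6f):
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.RECORD_AUDIO: granted=true
    android.permission.READ_CONTACTS: granted=true
    android.permission.READ_SMS: granted=true
    android.permission.SEND_SMS: granted=true
    android.permission.READ_CALL_LOG: granted=true
"""
```

Calling `triage(SAMPLE)` returns only the constructed `com.example.sysupdate` entry; a hit is a prompt to review the app, since legitimate apps can also hold several of these permissions.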
Install L3MON tool
To install the l3mon tool, we first need to install the required dependencies to make sure we don’t face errors as we try to launch the tool and generate a malicious android APK to be installed on the target device.
Install Java OpenJDK
We first need to make sure we have installed the Java Runtime Environment. To install, we will download the installer file from the Oracle downloads page. On the downloads page, we have various files from where we download the specific runtime environment we need with respect to our operating system. We can also use the terminal to install the Java Runtime Environment using the command.
sudo apt-get install openjdk-8-jre
Install pm2
Lastly, we need to install pm2 which is used to keep L3mon running. To install pm2 we run the command.
npm install pm2 -g
Install L3mon
Having installed the required dependencies, we now are ready to install and use the l3mon tool. We will download the tool’s file from the official GitHub repository either by manually downloading or via the command line using the command.
git clone https://github.com/D3VL/L3MON.git
After the download is complete we navigate to the tool’s file to install the NodeJS required dependencies.
cd L3MON/server
We then install dependencies using the command.
npm install
Configure admin password
The last step of installing l3mon is editing the admin password. We open the maindb.json file and add our password in the below-indicated position.
Running l3mon remote android management suite
To launch l3mon, we can use one of the two available commands after we navigate into the server directory within the l3mon tool’s file.
cd L3MON/server
We run 'pm2 start index.js' to start the script, or 'pm2 startup' if we want l3mon to run on startup, as shown in the image below.
We can now access and use l3mon via the web browser at the address 127.0.0.1:22533. We will be required to provide the login credentials, as shown in the image below.
By providing the correct login details, we are able to access the home page of the panel, from where we can see the connected apps. At the top, we can navigate to the app builder to generate a malicious android application, as shown in the image below.
Generating malicious payload
On the image shown below, we can see we only require an IP address and a port number to be able to create the apk. If your target is on the same network as you, you are supposed to use your local IP address and in a case where you want to access the target device over the internet, you will use your public IP address.
After providing the required information you just click build, sit back and wait for l3mon to complete generating the application. Once done an option to download the application will appear.
Installing the malicious application on the target device
There is no specific way to install the malicious application on the target device. You can refer to our social engineering techniques guide to lure the victim to install the application and use the APK obfuscation technique we discussed earlier to avoid detection by antivirus programs on the target device. The success of this step depends on how well you know your target and the technique you will be using to lure the victim to install the application.
Accessing information and managing the victim’s device
At this stage, you have already installed your application on the target device. You can now access the victim’s device remotely and issue commands to control the device, provided that you are on the same network as the victim or the victim is connected to the internet. Below is an image which shows connected devices on l3mon’s administration page.
On the image, we can see that l3mon has two categories of devices: those that are currently online and those that are offline at the time. When we click the manage button, we are able to access various types of information on the victim device and even issue commands remotely, as shown in the images below.
Available devices information
We can view when the device was first connected and when it was last connected.
GPS information
We can view the device's GPS information and the GPS log of previous locations, and we can set the time intervals to check the device’s location.
Access Microphone
Using the microphone option, we can remotely record and listen to what is happening around the victim device.
Access Contacts
Viewing the saved contacts.
Call logs
Accessing the call logs available on the target device.
Clipboard log
Viewing the contents copied to the clipboard.
Access SMS Manager
Using the SMS manager, we can view messages received and sent by the victim device. We can also send SMS from the l3mon administration panel.
Access Installed applications
Checking the installed applications.
Allowed permissions
Viewing the allowed permissions.
Conclusion
Android remote monitoring tools are expensive, especially where we monitor more than one device. A lot of resources are used to make sure the monitoring system is running and performing as expected. The L3mon android management suite, being open source, cuts down the cost of monitoring these devices as it is available for free. The tool requires minimal resources to operate, making monitoring exercises affordable to individuals and organizations in need of such services. It is, however, a dangerous tool when used by attackers in their mass monitoring campaigns. As we use l3mon, we should ensure we are not breaking the laws set by the government under which we are.