- In this video I'm gonna show you how I can remotely
control an Android phone. If you install software
(upbeat music) or I use a special cable, an O.MG cable, to get that phone to download
and install software, I can remotely control the phone. I can read your SMSs. I can send SMSs from the
phone to another phone which I'll demonstrate. May this video be a warning
to both you and your family why you shouldn't download
untrusted software and run untrusted software on devices such as your phone or your laptop. (upbeat music) Before we get started,
I wanna make it clear that this video is for
educational purposes only and to make you aware
(soft music) of the potential
vulnerabilities in a device such as an Android phone. It's really important that you don't download untrusted software onto your devices because it can have
devastating consequences. Don't just trust any
software and download it. Also be aware that just because it'll
looks like a standard cable doesn't mean that it is a standard cable. I'm gonna show you in this video how a cable that looks
like a standard USB cable or an iPhone cable can be a malicious cable
and not what it looks like. Okay, let's get started with the video. Even though these two
cables may look the same, one of them is an O.MG cable that allows me to send
keystrokes to a phone. It acts like a normal cable
but has a lot of power. Here I've got a Samsung S22. I'm not gonna touch the phone. I'm running software in the cloud and notice what I can do. I can send a message from
the cloud to this phone to get that phone to send
a message to this phone. So what I'll do here is
use the command send_sms and let's call this Fake
SMS and press Enter. I'll go to Messages and as you can see, the Fake SMS was received by this phone. Let's try it again. This is a test SMS from
Android, press Enter. Once again, I'm connecting
to a server in the cloud. It's sending a message to this phone. I'm remotely controlling this phone which is then sending a
message via SMS to my iPhone because I've been able to
install malicious software on the Android device. I find it amazing that Android allows you to download and install
this kind of software. Let's hope they lock
Android down a lot more so that this type of
thing is not possible. Please note, in this example, it's showing up as
MainActivity on the phone. In a previous video, I showed
you how I could log keystrokes on a Windows 11 computer when software was downloaded
and run on a Windows 11 laptop. Use the link below to see that video. Now you can do many things here. As an example, if I type sysinfo, you can see that this phone
is running Android 12. If I go to Settings on the phone, you can see that the version
being used here is Android 12. I can read SMSs remotely. So if I use the command dump_sms, those messages are saved
to this file on the server and I could use the command cat, and I can read those SMS messages. I sent an SMS saying,
"Extremely important message. Do not share with anyone," "Very confidential message,
do not show anyone." Here is a one-time password from Three which is the cell phone
provider in this example. Here is my number which
we'll hide for this video so that I don't get a whole
bunch of spam messages. As you can see, messages
were received by this phone. I could send a message back
saying Hello from iPhone. So send those messages back to the phone, you can see here "Hello from iPhone". So on my server once again,
I could dump those SMSs. I'll read that file on the
server, cat Control + V. Here are the messages,
"Hello." "From iPhone." Here you can see the message, "This is a test SMS from
Android." "Fake SMS." Let's call the phone, I'll kill the call. Let's dump the call log. What I'm gonna do here is
use the command dump_calllog. Here's the file that's created. And I'll cat that information and you can see this call
was missed by the phone. Okay, but how do you get
the software on the phone? Now there are various ways to do this, you could use a phishing website. So you could trick the
user to going to a website and then downloading the
software and installing it. But they have to agree to install software that hasn't been verified, so you've gotta really do
some social engineering to get the user to install the software. What were gonna do in this demonstration is use an O.MG cable. If you haven't seen these before, these are made by Hak5. Well O.MG is actually the creator but he sells these cables with Hak5. This is a standard lightning cable, but here is a O.MG cable. So you probably can't see the difference between those two cables. One is an O.MG cable,
one is a standard cable. Very difficult to see the difference. They are essentially the same. They act like normal cables
but have a AP inside them that you can connect to using Wi-Fi. They can send keystrokes to
a device such as a phone. If I plug this in to a
phone, as an example, I could charge that phone normally, acts like a normal cable. But what it allows me to do is
send keystrokes to the phone to get to the phone to do something. So as an example, I could plug
this cable in to that phone. I'll just leave it here unconnected just to make the point that
I'm not gonna touch the cable. What I can do is connect to
an access point in the cable. So from my computer, I'm gonna
connect to the O.MG cable that's running an access point. And what I'm gonna do is
connect to an IP address, 192.168.4.1. I've covered some of
the O.MG functionality in separate videos. Have a look at this video as an example where I send keystrokes to the phone to get it to take a
photo or do other things but what I'm gonna do here is I'm gonna load a
pre-configured payload. I've created this payload. You can find this payload on GitHub, use the link below. It may or may not work
for your particular phone. In this example, this
payload has been created for a Samsung S22 phone. You may need to adjust
especially the timers. What were basically doing is sending keystrokes to the device and then there's delays
between the keystrokes. I've made them fairly large so that it doesn't go
too quickly on the video. But also if you make them too quick, it can break your script, so you may have to play
around with the timers to get this to work. What we basically doing
is getting the device to download a malicious
APK file from a server. The server is running on linode who I wanna thank for
sponsoring this video. You can use the link below
to get $100 60-day credit so that you can try this for yourself. I've already got the server running. Here it is, so Metasploit
Ubuntu APK server, and you'll notice that's
the IP address listed in the string that's
gonna be sent to the phone to download the malicious APK. What we are using here is
Metasploit and MSFvenom to create a malicious APK file which is then downloaded to the phone. Gets the phone to connect to my server, and then I can type various commands which I've demonstrated. So I've got Metasploit running
and I'll simply type run to run the software. I'll start my Python server, my Python HTTP server
is listing on port 8000. I've got my payload running, it's listing on port quadruple
four under this IP address. In the script running on the O.MG cable, that's the IP address
that we're gonna point to, port 8000, because of the Python server. We're gonna download the O.MG APK file. Okay, so let's see if it actually works. I'm not gonna touch the cable,
I'll move this keyboard away. All I'm gonna do is click run. Payload is running on the O.MG cable. It opens up a web browser, there you go. Connects to the server.
It downloads the APK file. I've once again put long
delays in the script to make sure that this works and to make sure that it
doesn't go too quickly. Installs the file. Were told that it's
blocked by Play Protect but we're gonna send keystrokes
to tell it to run it anyway and install it and then open up the file. It then allows that app to access everything
on the phone basically. And there you go, script has completed. We can see that a connection
was made to the server. Now we can type various commands. I can type ifconfig. That gives me the IP
address of the device. There's wlan0, there's the
IP address of the device. Now if the session breaks
just type run to run it again. The software should automatically connect. If it doesn't just run it manually again. So let's type sysinfo, we can see that this
is an Android 12 phone. Let's dump the SMSs again, so we'll use the command dump_sms. We're told that the SMSs
are dumped to that file. So ls on the server, it's to l. The file is this one. So cat that file. You can see that there
was an outgoing message called "This is a fake SMS." You can see that I topped up this phone so I put 10 pounds on it. You can see that I sent, "This is a very confidential message," "This is a test message." We could dump the call log, so calllog. That's the name of the file. So I'll cat that. And you can see various calls
were made to this phone. Okay, but we can also send
SMSs from the phone once again. So another test sms from metasploit. And there you go. Another TEST sms from metasploit. Just to make the point,
let's say last message. Now remember, I'm sending it
from a host on the internet. It's sending a message to that phone. That phone is then
sending SMS to this phone. "Last message". We shouldn't be able to do
this on an Android phone. It shouldn't accept
applications such as this. Default behavior should be to block all these types of applications. Do not download software from the internet that you don't trust. Don't just download an APK
and run it on your phone. Because someone could do stuff like this where they can read the
messages on your phone. They can do things on your phone that they shouldn't be able to do. I have attached a PDF
document below this video that shows you how to set this up. You need a O.MG cable. And then in this document I'll show you how to set up a server. I'll show you how to download
the Metasploit framework. I show you how to create
the malicious payload, so the OMG APK file. I then show you the
commands to set this up. You also need to set up a web server. If you enjoyed this video,
(upbeat music) please like it. Please consider subscribing
to my YouTube channel and clicking on the bell
to get notifications. I wanna wish you all the very best. (upbeat music)
Summary: YouTuber shows how easy it is to monitor and control an android phone. The government probably does this all the time.
Whoever said it only had to only be the government?
Cyber criminals exist too brotha.