Using implants for hacking phones

edited February 2017 in RFID/NFC
(Edit: Updated title for accuracy)

Hello all,
First post here, and I don't use forums much. (usually strictly a lurker/troll/etc.)

tl;dr: I was able to hack a phone with my NFC implant and another phone.

I was reading a bit into this thread, and it got me thinking: What about the opposite? How could I use my shiny new NFC implant for hacking?

So here goes.

A rough outline of the use-case of using NFC for hacking:

First was the implant which is common enough of a conversation.
(I'm using xNTi from dangerousthings)

Attacker uses a special Linux distro ported to an Android phone to generate a malicious APK file for Android in one click.
(This file listens to a specified IP address for connection/commands.)

Attacker sets the connection IP address to listening server, where Attacker would have an interpreter listening for inbound connections.

Attacker uploads the file to some web server, possibly self owned webserver or a free webhosting service.

Attacker copies the malicious APK direct link over to the implanted tag and sets off to have fun.

Exploitation is now as easy as asking someone to use their phone to make a call and hitting the chip to initiate a download. Install, and give the phone back*. (Payload running silently in the background.)

(There are many factors dictating success here, like the funny look they'll give you when you're rubbing your phone on your hand, and the phone's security implementations like the newer Samsung Knox**, which will recognize and quarantine the malicious code. I haven't come across an NFC compatible phone that has any sort of security on the tech.)

Once installed, the server and the infected device establish a link and from there, the attacker can wreak some serious havoc.
(dump texts, call logs, pics, whatever (*delete the downloaded APK file and clear the URL from history))

*If the attacker has some deft hands, the attacker may be able to delete the APK and clear the URL before giving the phone back without raising suspicion.
** The newer Samsung Knox will detect the generic payloads if you do not craft them all crafty like :P

I've tested this on a few phones and it works great!

If you have questions, ideas, etc. let me know, I'm all about freedom of information and I will tell you whatever I know.

(Moving forward, I'm trying to create some shellcode that is small enough to be written to the chip for an ultra-small single-tap payload.
If anyone knows of people fuzzing NFC for vulnerabilities, please let me know, or let them know I'm looking for them.)
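As an added illustration (not code from the original post or any of the replies), here is a small Python decoder for the kind of NDEF URI record the post describes writing to the tag. It expands the standard URI prefix code and flags links whose path ends in .apk, so a reader app or an investigator can see what a tap would open before anything is fetched. The sample record and its host name are constructed placeholders.

```python
from urllib.parse import urlparse

# NFC Forum URI Record Type Definition: the first payload byte is an
# identifier code that abbreviates a common URI prefix.
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}


def parse_short_ndef_record(record: bytes):
    """Parse one short NDEF record (SR=1, no ID field): returns (type, payload)."""
    flags = record[0]
    if not flags & 0x10:      # SR bit clear: 4-byte payload length, not handled here
        raise ValueError("only short records are handled")
    if flags & 0x08:          # IL bit set: an ID length field follows, not handled here
        raise ValueError("records with an ID field are not handled")
    type_len, payload_len = record[1], record[2]
    rtype = record[3:3 + type_len].decode("ascii")
    payload = record[3 + type_len:3 + type_len + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated record")
    return rtype, payload


def decode_uri_payload(payload: bytes) -> str:
    """Expand a URI record payload: prefix code byte followed by UTF-8 text."""
    if not payload:
        raise ValueError("empty URI payload")
    code, rest = payload[0], payload[1:]
    if code not in URI_PREFIXES:
        raise ValueError(f"unknown URI identifier code 0x{code:02x}")
    return URI_PREFIXES[code] + rest.decode("utf-8")


def assess_tag_uri(record: bytes) -> dict:
    """Decode the tag's URL and flag it if tapping would fetch an APK."""
    rtype, payload = parse_short_ndef_record(record)
    if rtype != "U":
        return {"type": rtype, "url": None, "apk_download": False}
    url = decode_uri_payload(payload)
    is_apk = urlparse(url).path.lower().endswith(".apk")
    return {"type": rtype, "url": url, "apk_download": is_apk}


# Constructed sample (placeholder host): header 0xD1 = MB|ME|SR|TNF=well-known,
# type "U", payload = 0x03 ("http://") + "example.invalid/app.apk".
SAMPLE_URI = b"example.invalid/app.apk"
SAMPLE_RECORD = bytes([0xD1, 0x01, len(SAMPLE_URI) + 1, ord("U"), 0x03]) + SAMPLE_URI
```

Calling `assess_tag_uri(SAMPLE_RECORD)` returns the expanded URL with `apk_download` set, which is the signal a tag-inspection tool would surface before the browser is handed the link.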


  • Real neat, not sure how useful it would be unless you are a spy. I just have one question, why? Welcome to the forum by the way.
  • Question: what are the advantages of this over hacking with just the phone (assuming that it is possible)? I have no idea about computer hacking, so just curious.
  • edited February 2017
    @actii Thanks!

    Edit: Apparently I can't answer both questions at once haha

    The reason would be that I'm super into cybersecurity and finding loopholes in systems. The advantage of this approach is that it cuts out a lot of time where you might bring up red flags in the victim. Imagine asking to use a phone and typing away on their keyboard, they'll probably want to see what you're doing. This also requires you to remember the url (which would be easier if you use a shortening service like tinyurl).

    Using the chip with the link on it circumvents a lot of potentially awkward interaction.
  • edited February 2017
    @IvoTheSquire I'm probably doing this wrong but it doesn't seem to be letting me reply directly to you.

    If you were only using the other phone, you could pull off the same procedure; however, it would require much more pretexting and technical prowess and has a greater chance of failure. (Maybe you could break their Bluetooth PIN, since nobody I've seen changes that.)

    An example of social engineering for exploitation:
    *see stranger on street*
    "Hey, I just got a call from my mom, she's in the hospital but my phone died before I got the room number, can I use your phone to call?"
    *victim hands over phone*
    /activate chip
    *Hold phone to head while loading webpage, maybe pretend to talk*
    *Tap install and swipe away notification*
    "Thank you so much!"

    Before the implant, you would have to develop some sort of pretext in order for the person to let you start hacking away and be ok with it.

    The reason phones are such a target is because most people don't update them very frequently which leaves bugs like Stagefright available for use.

    Stagefright can infect other phones via text message.

    You can send texts from the phone once it's exploited to all contacts, and send from those phones once they're exploited.
  • would you be able to provide the apk you used?
  • What distro did you use and what did you use to develop the payload? (unless you made it yourself).
  • Just google 'Android RAT', there are a couple.
    There are simpler payloads (just googled and there's 'android/meterpreter/reverse_tcp' for example), but if you don't know Meterpreter then a RAT (Remote Administration Tool) is probably what you want.
  • I'll admit that it sounds neat and I've thought and researched extensively about various "hacking" [read: "malicious hacking to control someone else's device" as the word 'hacking' actually just means to do something in an untraditional or unintended manner] methods and exploits.

    That said, personally, I don't care who the average guy walking down the street is calling or texting, nor do I care for access to personal data. Hypothetically, bank account or other payment information could be nice, but unless you steal $1000 from 1000 people, that's really not the most useful thing in the world. It takes time, and is not as simple as the crime dramas on TV make it seem. Not always, anyways.

    I'd be more interested in packet sniffing tech, as well as anything else password or encryption breaking. I imagine, one could have a small wifi enabled computer implanted, walk into some corporate office building, hang out in the public lobby/reception area, while said implant is attempting to crack the network password via a brute force attack or just via packet sniffing. Hypothetically though, can't picture a circumstance where you couldn't just do that with your phone sitting in your pocket. Unless, maybe it's the CIA. Or other place where you have to go through a body scanner of some sort just when you enter the building.

    I guess my thought is just that the NFC method really doesn't help much except that you won't have to type in a web address. No other part is automated.

    That said, I do like the work. It's a great idea, it just seems to have very limited application in my opinion.

    As a side note, how much good do any of those RATs you'd use do on a non-rooted device?
  • @Jupiter You wouldn't necessarily have to use the chip for anything other than a catalyst for the full effect.

    So if you had an SSH session configuration on your implant (or waiting in a package), and used that to open a tunnel to a device that's on the network 8 hrs per day, theoretically you could use that as an entry point for whatever you would like (including packet captures).

    With a pre-built package and some home(office)work you could easily gain root access depending on the version of Android through rudimentary exploits.

    The idea wouldn't necessarily be to perform a 'one and done' type exploit but to take some steps out and create a more streamlined approach after some social engineering.

  • @Lelouch you could use a live version of Kali Linux to start

  • @Umutof for an example you could use the meterpreter option to generate an apk, you'd have to create it with the correct IP and port settings for your specific setup

  • @S0lll0s there are also things like Veil Evasion to get around AV programs if you happen to use the meterpreter options
