How To: Gain Complete Control of Any Android Phone with the AhMyth RAT

Gain Complete Control of Any Android Phone with the AhMyth RAT

There are more than 2 billion Android devices active each month, any of which can be hacked with the use of a remote administration tool, more commonly known as a RAT. AhMyth, one of these powerful tools, can help outsiders monitor a device's location, see SMS messages, take camera snapshots, and even record with the microphone without the user knowing.

Remote administration tools were first programs intended to provide technical support to remote computers by allowing an administrator to log in and control the device directly. However, hackers quickly saw the potential of these tools and started using them for more nefarious deeds. Today, advanced RATs are used to remotely access and control a wide variety of devices, but today we'll focus on one of the world's most popular — Android.

AhMyth is a new, up-and-coming, open-source Android RAT, currently in the beta stages of development, which uses a simple GUI interface. While Android RATs aren't a new thing, what makes this one stand out from the crowd is the simple and easy-to-understand graphical user interface. Additionally, AhMyth is multi-platform, available on Linux, Windows, and macOS.

The RAT consists of two parts. The first is a server-side application based on Electron framework, in our case, just our desktop or laptop, but this could be scaled up to some degree if needed. This acts as a control panel which we use to create and connect to the RAT. The second part is client side, which is the infected Android application we'll use as a backdoor.

Below you can see a quick video demonstration of AhMyth in action, courtesy of the AhMyth team.

Step 1: Download & Install AhMyth

There are two ways to download and install AhMyth. The first is to directly use the source code from GitHub. The second is to use the binaries they provide.

Method 1: From Source Code

If you chose to start with the source code, then you'll need to check that you have a few prerequisites installed.

  • Java — it's used to generate the APK backdoor.
  • Electron — it's used to start the desktop application.
  • Electron-builder and Electron-packer — they are used to build the binaries for macOS, Windows, and Linux.

Once you have those prerequisites, you're ready to proceed. First clone the code from GitHub with the following commands.

git clone https://github.com/AhMyth/AhMyth-Android-RAT.git

Then move to the AhMyth-Android-Rat directory with the following.

cd AhMyth-Android-RAT/AhMyth-Server

Once you're in, start AhMyth with the command below.

npm start

This program is still in beta development, and as such, it isn't as robust as it could be. Some users have gotten errors when attempting to start it. If you do, try again running it as root, as seen below.

sudo npm start --unsafe-perm

You'll know it's working when you see the GUI launch.

Method 2: From Binaries

The source code is one way to download it, but if you're lazy like me, there's a slightly easier way — use the binaries! It's particularly nice when you're working on a Windows computer and don't want to mess around with the command line. This shouldn't be a concern as most people will already have it, but do check that Java is updated on your computer.

Navigate to the AhMyth release page and download the release for your system. Currently, they only have Linux and Windows files uploaded.

Once you download the right file, open it up on your computer, and it should start installing. It will automatically open when it completes. After that, we should be ready to go!

Step 2: Build an APK

Now that we have the program up and running, it's time to build an Android application with a backdoor. At the top of the screen, select "APK Builder." The first thing to change is "Source IP." This needs to be the IP address of the computer you'll be sending and receiving commands from.

For testing purposes, I'll just be using my local Wi-Fi network. However, if you wanted it to work outside of the local network, you would need to port-forward your computer to the internet and use your public IP address.

AhMyth can build an APK two different ways. It can create a standalone APK or be used to infect another application in order to remain hidden on the target device. To do the latter, select the box beside "Bind With Another Apk" and then browse and select the APK you wish to use. Today I'll just be creating the default standalone APK, but if a malicious user were deploying this in the real, they would very likely be binding it with another APK.

Once you have all the settings selected you're ready to build the APK, just click on "Build."

You can navigate to to "C:\Users\UserName\AhMyth\Output" to find the built APK.

Step 3: Deploy the RAT

Now that you have a working APK, it's time to deploy it by downloading it on the target Android device. All of the standard attack methods apply — anything to get the user to download the APK. Social engineering tends to work best. For example, if you know the person, then recommend an app to them and infect it.

By far the most effective method is if you have physical access to the phone, it only takes a few seconds to download and hide it. If you chose this method, then an easy way to do it is by saving the APK to Google Drive and sending the phone a link. On most phones, the download should only take a second or two.

If the Android phone doesn't want to install it, they probably never enabled "Unknown sources" in their settings. Open up the Settings, then go to "Security" and check "Unknown sources." This is how apps that come from outside the Google Play Store can be installed.

Step 4: Start to Listen

In the top left of the AhMyth screen, select the "Victims" tab, then change the Port number to the one you are using. You can also leave it blank for the default. Next, click on "Listen." Once this is done, and the RAT is running properly on the victim, then it should appear here along with some basic info.

Step 5: Open the Lab

Now that you have a RAT up and running on the target device, you can start doing remote administration. Click on "Open The Lab" button, and a new pop-up window will appear. If you're familiar with other Android RATs like Cerberus, then you might be a little disappointed with how few features there are, but I would remind you that this is still only in the beta stages.

The features it does currently have are quite powerful. Let's take a look at a few of them. The "File Manager" is great because it lets you see everything on the device right down to the firmware. With this, you could potentially uncover all sorts of sensitive information, whether that be passwords and session cookies or compromising photos.

Another feature is the ability to record audio via "Mic." Since people take their phones with them everywhere they go, you, in effect, have a bug, or listening device, on them at all times.

Along the same lines as the last one, you also have a tracking function ("Location") so you can not only know what they said, but also where they said it. One note on this, however, is that it can be fooled by a simple GPS spoofer application. I used one on the victim device to take the screenshot below.

If you really like to sow chaos, then you'll love this next feature: the ability to not only read but also send "SMS" messages. A simple way to use this would be to hack someone's Facebook by resetting their password with an SMS text, then use the code that is sent. You can use your own imagination for all the things you can do by sending messages from the target's phone.

Now you may have noticed that I skipped over the "Camera" feature. I did that because I was unable to get it working on my device, which could just be a problem with the old Android I was using for testing. In principle, it's supposed to allow you to send commands to take pictures with the front or rear camera and have them sent back to you.

Protecting Yourself from Android RATs

There's not a whole lot you can do to protect yourself from RATs in general, but one thing you can do is not install Android apps that aren't from the Google Play Store. This doesn't mean that all the Google Play apps are safe, but they are much safer than some random app found online since Google does scan them for malware to the best of their abilities.

Installing from "Unknown sources" is disabled by default in Android, but if you allow this, you also greatly increase your risk as you will no longer get the security prompt. If you do ever have a legitimate reason to download an APK from outside Google Play, be sure to tap "Allow this installation only," otherwise you could accidentally permanently enable "Unknown sources."

Another way to protect yourself is to not take your phone to important meetings or anywhere you don't want people listening. Also, be careful who you let have your phone, as it only takes a few seconds to download one of these RATs. An example of this can be found in Mr. Robot, when Tyrell Wellick installed malware on an employee's Android phone in seconds.

One more probably obvious way to help prevent malicious software from installing on your Android device: keep it up to date. Install software updated when they come out, as Google and OEMs push on security fixes in almost every update, not just new features.

And last but not least, you can consider installing antivirus software on your Android device. This will not help you out all of the time, but it's better than nothing. You can find a good list of antivirus apps for Android over on Gadget Hacks.

Thanks for reading! If you have any questions, you can ask them here in the comments below or on Twitter @The_Hoid.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

Cover image via AhMyth/YouTube; Screenshots by Hoid/Null Byte

38 Comments

just a bit sad that it's not cli based

What is the prerequisite to being able to listen to the affected device?
Like must it be near me? Does it have a range limit?
Like does the affected phone has to be connected to the same network?

And usually how long does it take to successfully listen and connect to a victim?

Thank you

Right, so the way I did it the listener and infected device would have to be on the same network, but that was just because I didn't want to expose my laptop to the internet. If a public IP were used to build the APK then the affected device could be anywhere in the world, as long it's connected to the internet via WiFi or a cellular network.

As far as connection time goes I'm not sure the exact time, but we're talking milliseconds from when the APK is launched. It will take longer depending on how far the listener and victim are from each other and internet speeds.

Thanks for asking, I hope that answers your questions.

Try using noip.com....it gives you a unique ip address.... without actually exposing your real ip address.....you can check the tutorials online....

Thank you....
Happy hacking...

If they're connected to the internet, it should work. If you're using it on a device on your network, use your private ip. If not, use your public ip.

KLAVIATUR

Um wow, not trying to be rude but you have no idea what this tool is or what you are doing. Before you mess with anything like this at all it is quite obvious you need to learn basics first. For one thing, you just showed you really have no idea what a RAT is.

If you never shot a gun of any kind before, you don't start with a submachine gun...

I would really like to solidly learn the basics.

There are a few other tools very similar to this you may wish to checkout also. =)

I tested it out.
It is an easier method than in Metasploit.
Things i noticed:

  1. Embeding into another .apk file won't work for me. I treid 5 different apks
  2. It doesn't work on cellular network or when somone's connected to other wifi than attacker (I did port forwoarding)
  3. Camera view won't work for some devices.

That's really interesting, all of those should be working. I guess you can chalk it up to the fact AhMyth is still in beta. I'd encourage you to start a new issue on the GitHub page.

One of the reasons I like this RAT is because of that easy to use GUI interface but honestly Cerberus might be a better option for the people that don't want to deal with the AhMyth growing pains but still want that GUI type environment.

Does this work well on Win 10?
or is it better to use this on linux on a virtual?
thank you all,

Mr Nul

I personally used it on a Win 10 machine to write this tutorial, however, a number of people on the GitHub have been having issues with it. I'd say if you're an experienced Linux user then that may be a better option otherwise try it out on Windows and if you have issues use Linux.

thank you, but where did you get the win 10 iso for the virtual?

I would always recommend using some version of LINUX for any serious pentesting activity hands down.

I install the apk in my mobile phone to test it, but Ahmyth says Listening on port => 42474 and it doensn't do anything, what's probably wrong?

Make sure the AhMyth app on the device actually launched, you may have to find it in the apps and click on it. Otherwise, it sounds like a problem with the IP used when building the APK. Are you sure you used the IP address of the computer you're running AhMyth on?

I'm sure im using the correct ip, and yes the app is also running on the mobile, just click on the apk and it doesn't do anything so i think that's what it has to happen, could be the error because of the port?

I had the same issue. Kinda sucks I like the user interface.. it is easier to use in that regard.

Did you use an internal IP or external IP? Because an internal IP will not work outside your LAN. Not trying to treat you stupid, just a lot of people do not understand the difference. If you have further questions please ask. =)

I tried this last night. I got the Ahmyth app to open on Kali. Then I was able to build the apk, but when I set it to listen, it could not find the device. I tested with Meterperter and it worked fine. idk what is up.

App Building failed...
What to do...
Prefer app suit for this...

Do you have the latest version of Java downloaded?

check your installation path, mine not working because of a space in the path, after deleting the spaces on my directory name it works.

The app gets built fine, but after opening the app on the phone, it doesn't get detected on the GUI.
I'm using AhMyth on Windows 10.
Will anyone be able to help me out?

The most likely reason would be that the app and computer aren't listening on the same port/IP. Otherwise, you can get better help from the developer on GitHub.

NOT WORKING

Its not working on my PC, even on virtualbox with bridged network it cant find any device while listening and im using local network ip... Also using external IP and forwarding ports not helping, this "virus" sucks

First of all EXPLOIT not virus. Secondly are you using Winblows or LINUX? Anyone studying ethical hacking that is serious about it you will need to learn and use LINUX. Trying to do it with Winblows is what script kiddies do. Do yourself a favor and start learning LINUX, learn at least basic networking, and your life will get much easier I promise.

well forwaded tcp port . working properly deployed apk still cant listen to victim not public ip nor on private ip. it just say listening to port XXXX

m working on windows 8.1 pro
is there anything that this Apk wont work on android version >6.0.1 ???
please help

Is there any safety measures before hacking

Sappa Scean, um...yes. In fact if you even ask that question you need to start from the beginning, not jump right into here or you will very soon end up in prison. Illegal hacking can have state and federal ramifications. An actual hacker first learns how to hide his presence and how to cover his tracks. There are steps to take. True hacking also begins with research, social engineering, and information gathering long before you get to this stage. Please understand I am not trying to be rude or even talk down to you, I am trying to save you some huge mistakes...

Ethical hacking means you have permission of the company or individual before you begin and even then always get agreements in writing.

Great article/tutorial HOID ;-)

Now, i did some testing and now i'm wondering if it is possible to enter a DDNS/hostname instead of an IP address (mine often changes).

Also: the resulting payload/apk gave a 6/35 ratio on nodistribute and among the 6 warnings there are some very known AV companies/software.

Do you know of a free software solution to make the b'doored .apk more FUD?

Thanks.

Correction: To make it more undetectable or FUD (both scantime and runtime)

What is possibly wrong here.
I launched it typing "sudo ahmyth" so it's running as root.
Well, first thing which IP should I enter. I also tried noip.com, still, it will give an error.

This is the error I get when I do not bind it with any other apk. You can see I put my public IP and default port.

I tried binding with an apk, this is what I get.

Can anyone tell where I am going wrong, or what else should I do? Please Help

It is working fine, but only particular types of APK builds will work with this method I know as far as binding. As for failing with a singular build I am not sure what would be causing that at all...

That is one I would ask of the developer on GIT to be honest.

Step 1:

The apk is failing to build even though everything is right.

I have a big question.question of the era?? How does the onboot method work. In my case it do not work.app builds successfully but my victim does not appear even after rebooting the device.now please give us the solution . It would be better if you make a video

H0S7

It all works fine here. Metasploit is not difficult to use, unless you are uncomfortable using a CLI. As for injecting into an existing apk, it will work that way also. The apk has to be susceptable to work, able to accept the injection hook. Skulltech wrote a great article explaining this:

SKULLTECH Article Click HERE

I use nothing but commercially available oringinal APKs for my injections. If that does not work well for you a DOC or PDF is always a great choice.

testing on ubuntu 18.04

unable to signing the app...showing error that signing app failed

Share Your Thoughts

  • Hot
  • Latest