Mobile Hacker's banner

Mobile Hacker

@androidmalware2 • 59,946 subscribers

Mobile Offensive Security 🔴 #redteam Android Reverse Engineering | malware analysis

Shorts

BLE spam but for adult toys Using Flipper Zero or nRF Connect app, it is possible to send Bluetooth LE advertisement packets (without being paired) to adult toys in vicinity and make them all vibrate. It is also possible to start Denial of Pleasure by continuously broadcasting the stop packet by 🆆 🅷 🅸 🅳 -𝙒𝙚 𝙃𝙖𝙘𝙠 𝙄𝙣 𝘿𝙞𝙨𝙜𝙪𝙞𝙨𝙚

Sensitive content

BLE spam but for adult toys Using Flipper Zero or nRF Connect app, it is possible to send Bluetooth LE advertisement packets (without being paired) to adult toys in vicinity and make them all vibrate. It is also possible to start Denial of Pleasure by continuously broadcasting the stop packet by 🆆 🅷 🅸 🅳 -𝙒𝙚 𝙃𝙖𝙘𝙠 𝙄𝙣 𝘿𝙞𝙨𝙜𝙪𝙞𝙨𝙚

7,718,976 Aufrufe

0-days exploited by #Predator spyware were delivered via man-in-the-middle (MITM) attack and 0-click vulnerability against #iOS and #Android In the video below, I demonstrated how an attacker - using just smartphone - can trigger DNS spoofing attack to redirect device on the same wi-fi network to attacker controlled website. Such domain could deliver phishing or 0-day as in the case of Predator's browser exploit

0-days exploited by #Predator spyware were delivered via man-in-the-middle (MITM) attack and 0-click vulnerability against #iOS and #Android In the video below, I demonstrated how an attacker - using just smartphone - can trigger DNS spoofing attack to redirect device on the same wi-fi network to attacker controlled website. Such domain could deliver phishing or 0-day as in the case of Predator's browser exploit

435,795 Aufrufe

Include computers into #Bluetooth mesh network for Bitchat app ✅️ More devices = more nodes ✅️ Wider communication range by Kağan IŞILDAK

Include computers into #Bluetooth mesh network for Bitchat app ✅️ More devices = more nodes ✅️ Wider communication range by Kağan IŞILDAK

64,489 Aufrufe

Nice camouflage. This malware is hard to get rid of. Keeps changing its name and icon impersonating apps already installed on the device

Nice camouflage. This malware is hard to get rid of. Keeps changing its name and icon impersonating apps already installed on the device

140,519 Aufrufe

EvilLoader: Yesterday was published PoC for unpatched vulnerability affecting Telegram for Android The exploit has been sold on underground forum since January 2025 ✅Don't install external players if requested by received corrupted video file on Telegram

EvilLoader: Yesterday was published PoC for unpatched vulnerability affecting Telegram for Android The exploit has been sold on underground forum since January 2025 ✅Don't install external players if requested by received corrupted video file on Telegram

58,182 Aufrufe

Scanning Wi-Fi networks using desktop Kali Linux running on rooted Android This is a huge difference between the wifi networks discovered using an internal wifi chipset (wlan0) and an external wifi adapter (wlan1) #nethunter

Scanning Wi-Fi networks using desktop Kali Linux running on rooted Android This is a huge difference between the wifi networks discovered using an internal wifi chipset (wlan0) and an external wifi adapter (wlan1) #nethunter

62,525 Aufrufe

Smartphones constantly tell nearby devices which WiFi networks you've connected to and want to reconnect automatically. This information is visible for anyone, and anyone can, based on that, create such rogue Wi-fi Access Point to target specific devices. #karma #karmaattack

Smartphones constantly tell nearby devices which WiFi networks you've connected to and want to reconnect automatically. This information is visible for anyone, and anyone can, based on that, create such rogue Wi-fi Access Point to target specific devices. #karma #karmaattack

53,956 Aufrufe

Did you know you can monitor Bluetooth and BLE traffic in real-time with #Wireshark on a customized Android device? This helps you understand device-to-host communication and spot potential security issues (I've already found one in one of my device)

Did you know you can monitor Bluetooth and BLE traffic in real-time with #Wireshark on a customized Android device? This helps you understand device-to-host communication and spot potential security issues (I've already found one in one of my device)

37,738 Aufrufe

Finally, some Karma for Cheap Yellow Display 👏 I think it's time to update my old blog

Finally, some Karma for Cheap Yellow Display 👏 I think it's time to update my old blog

33,035 Aufrufe

Rooting Android: Exploiting Your GPU On Smartphone (CVE-2024-23380) by Eugene Rodionov PoC exploit is not available for download. [slides] #BlackHat

Rooting Android: Exploiting Your GPU On Smartphone (CVE-2024-23380) by Eugene Rodionov PoC exploit is not available for download. [slides] #BlackHat

28,402 Aufrufe

Videos

Anya Rossi

sweetdream.ai

SweetDream.ai•Sponsored•Livecam

Watch Anya Live

Anya is streaming live right now! Join her private show and enjoy exclusive content.

Exclusive private shows

1.2k viewers online

Private Show

Join now for exclusive access

Free preview available • Premium content

uConsole arrived - and I've been having way too much fun with it already

uConsole arrived - and I've been having way too much fun with it already

155,991 Aufrufe • vor 5 Monaten

A similar tool - Lockphish - is available on GitHub. It is convincing, and a user in a hurry can be easily tricked Lockphish is a tool for phishing the lock screen, designed to grab Windows credentials, Android PIN, and iPhone Passcode using a https link

A similar tool - Lockphish - is available on GitHub. It is convincing, and a user in a hurry can be easily tricked Lockphish is a tool for phishing the lock screen, designed to grab Windows credentials, Android PIN, and iPhone Passcode using a https link

629,638 Aufrufe • vor 2 Jahren

How to install #OpenClaw on Android and control it via WhatsApp using automated script #Termux

How to install #OpenClaw on Android and control it via WhatsApp using automated script #Termux

108,610 Aufrufe • vor 3 Monaten

Public WiFi: Quick demo for 2 devices on the same network 1. SSLstrip + DNS change leads to user input interception for HTTPS with HSTS bypass 2. DNS spoofing redirects user to attacker controlled website More in upcoming "NetHunter Hacker XIII: Overall guide to MITM framework"

Public WiFi: Quick demo for 2 devices on the same network 1. SSLstrip + DNS change leads to user input interception for HTTPS with HSTS bypass 2. DNS spoofing redirects user to attacker controlled website More in upcoming "NetHunter Hacker XIII: Overall guide to MITM framework"

534,341 Aufrufe • vor 2 Jahren

uConsole - Ultimate Portable Computer #uConsole is a modular, handheld Linux device designed for makers, developers, and tech enthusiasts who love flexibility and power on the go. Whether you’re coding, hacking, or building IoT projects

uConsole - Ultimate Portable Computer #uConsole is a modular, handheld Linux device designed for makers, developers, and tech enthusiasts who love flexibility and power on the go. Whether you’re coding, hacking, or building IoT projects

92,086 Aufrufe • vor 5 Monaten

uConsole Review: A Portable Linux Cyberdeck I have tested #uConsole since December - build, OS installs, expansion boards, and a reproducible use case

uConsole Review: A Portable Linux Cyberdeck I have tested #uConsole since December - build, OS installs, expansion boards, and a reproducible use case

42,239 Aufrufe • vor 2 Monaten

How to spoof #iOS devices with Bluetooth pairing messages using Android #DoS

How to spoof #iOS devices with Bluetooth pairing messages using Android #DoS

433,907 Aufrufe • vor 2 Jahren

Chat without internet via Bluetooth using #Bitchat app

Chat without internet via Bluetooth using #Bitchat app

149,184 Aufrufe • vor 10 Monaten

Is your wifi network well protected? 👉 In 3 minutes, I discovered 175 access points with 79 connected devices using just a smartphone #nethunter

Sensitive content

This media may contain sensitive content.

Is your wifi network well protected? 👉 In 3 minutes, I discovered 175 access points with 79 connected devices using just a smartphone #nethunter

227,305 Aufrufe • vor 1 Jahr

Bruteforcing PIN protection of popular app using $3 ATTINY85 #Arduino Testing all possible PIN combinations (10,000) would take less than 1,5 hours without getting account locked. It is possible coz, PIN is limited only to 4 digits, without biometrics authentication #rubberducky

Bruteforcing PIN protection of popular app using $3 ATTINY85 #Arduino Testing all possible PIN combinations (10,000) would take less than 1,5 hours without getting account locked. It is possible coz, PIN is limited only to 4 digits, without biometrics authentication #rubberducky

355,982 Aufrufe • vor 2 Jahren

Get external IP address of the user during #Telegram call. Now it works well and returns public instead of local IP

Get external IP address of the user during #Telegram call. Now it works well and returns public instead of local IP

239,097 Aufrufe • vor 2 Jahren

Guessing app's PIN using Flipper Zero as #BadUSB This "App Locker" app protects access to user selected apps - in this case, Instagram - using PIN code. It is possible to guess it with unlimited attempts, because the app developers haven't implemented brute-force protection and even timeout after few incorrect entered passwords. The app only allows to set 4 digit PIN. This allows us to try 10,000 PINs with unlimited attempts. After every try is 0.5 second delay. Because of that, it would take us 84 minutes to rotate through all the PIN combinations. ✅If you decide to use such an app lock protector, make sure not to use easy to guess and common passwords. If you are a developer, I advise you to implement a brute-force protection that includes timeout. #FlipperZero #Android #bruteforce

Guessing app's PIN using Flipper Zero as #BadUSB This "App Locker" app protects access to user selected apps - in this case, Instagram - using PIN code. It is possible to guess it with unlimited attempts, because the app developers haven't implemented brute-force protection and even timeout after few incorrect entered passwords. The app only allows to set 4 digit PIN. This allows us to try 10,000 PINs with unlimited attempts. After every try is 0.5 second delay. Because of that, it would take us 84 minutes to rotate through all the PIN combinations. ✅If you decide to use such an app lock protector, make sure not to use easy to guess and common passwords. If you are a developer, I advise you to implement a brute-force protection that includes timeout. #FlipperZero #Android #bruteforce

220,922 Aufrufe • vor 2 Jahren

Get the IP address of the user during #Telegram call to obtain geolocation of ISP It might have some bugs since on Android, it returns only local, not external IP

Get the IP address of the user during #Telegram call to obtain geolocation of ISP It might have some bugs since on Android, it returns only local, not external IP

219,366 Aufrufe • vor 2 Jahren

Can your phone be tracked without installing any malicious app? Yes. In my post I'll show how a simple link can reveal your smartphone’s location, demonstrate what a targeted user sees, how easy it is to set it up and how to prevent it

Can your phone be tracked without installing any malicious app? Yes. In my post I'll show how a simple link can reveal your smartphone’s location, demonstrate what a targeted user sees, how easy it is to set it up and how to prevent it

92,839 Aufrufe • vor 11 Monaten

Your Android can do way more than you imagine…unlock its real power. Share this with your iPhone friends so they know what they’re missing

Your Android can do way more than you imagine…unlock its real power. Share this with your iPhone friends so they know what they’re missing

34,226 Aufrufe • vor 3 Monaten

How to build portable hacking lab and control it with a smartphone

How to build portable hacking lab and control it with a smartphone

113,800 Aufrufe • vor 1 Jahr

Click farm with auto IG chat This is an #Instagram automatic fan machine. It appears to be programmed to chat with people on IG using "AI" and auto-clicks. It could be used as automated romance scam that lead to fake investments, often referred to as pig-butchering

Click farm with auto IG chat This is an #Instagram automatic fan machine. It appears to be programmed to chat with people on IG using "AI" and auto-clicks. It could be used as automated romance scam that lead to fake investments, often referred to as pig-butchering

120,648 Aufrufe • vor 1 Jahr

Bluetooth LE spam attack is now ported to dedicated Android app to push notifications for Android and Windows For Android, is can advertise over 170 devices

Bluetooth LE spam attack is now ported to dedicated Android app to push notifications for Android and Windows For Android, is can advertise over 170 devices

169,759 Aufrufe • vor 2 Jahren

Exfiltrate #WhatsApp chat, or internal data of any Android app, running on Android 12 or 13 by exploiting CVE-2024-0044 vulnerability

Exfiltrate #WhatsApp chat, or internal data of any Android app, running on Android 12 or 13 by exploiting CVE-2024-0044 vulnerability

135,250 Aufrufe • vor 1 Jahr

New Pixnapping Attack: allows any Android app without permissions to leak info displayed by other apps exploiting Android APIs and a hardware side channel (CVE-2025-48561) Pixnapping is not fixed and probably affects all Androids. PoC: Not available yet. Steal 2FA codes 👇

New Pixnapping Attack: allows any Android app without permissions to leak info displayed by other apps exploiting Android APIs and a hardware side channel (CVE-2025-48561) Pixnapping is not fixed and probably affects all Androids. PoC: Not available yet. Steal 2FA codes 👇

54,963 Aufrufe • vor 7 Monaten