Payload Idea - NFC App installed to Android phone

[Dave-ee Jones]

So I was recently looking into NFC and how cool it is to read/write to a tag to be able to use it to control your phone, clone a card (don't do dis - illegal) and other cool stuff and I thought about making a payload that installs an app on an Android (can use HID if you wanted to..) phone then runs the app in the background. What this app does is it waits to read an NFC tag which then executes a command. The command is stored on the NFC tag itself (so you install the app on the phone and come back later with your NFC tags to do all your fancy work).

Works, basically, (dare I say it..) like a 'Powershell agent'. You could make like 10 different tags that can do different things on the phone. You only have to brush the tags near the phone for the phone to execute the commands.

Commands could be:

- Send an SMS to yourself (phone number is stored on NFC tag so it won't be stored on the phone itself) with phone data
- Call someone (prank call but..you pranked the actual call itself)
- Open a webpage and download a file
- Download an app from the app store
- Add a contact (dunno why..)
- Execute a Linux command (requires rooted Android)
- Enable hotspot with specified password (you could use their data..more of an annoyance than anything else - would need rooted device to change the password)
- Enable Bluetooth/WiFi
- Change the volume of the device (shoot it up, make it silent..)
- Make it vibrate for the next 10 minutes (That would be hilarious)
- Make it start randomly ringing
- Add a huge number of alarms that go off every minute/hour
- Enable hotspot and start a server so that you could join it and remotely manage files/apps/settings (includes starting an ADB server...oooooooo..)

Possibilities are endless...

Just an idea. Installing the app from the Bash Bunny onto the device is the tricky part.

Edited May 25, 2017 by Dave-ee Jones