The following article will briefly show how you could end up with your Trojanized mobile device when downloading applications of dubious origin or not paying attention to the permissions they request.
For the demonstration that can be seen in the video below, I use the renowned Metasploit framework that allows you to easily create an .apk application with a Meterpreter module adapted for Android.
In this way, once this special application is run on the device, it is possible to remotely control it and perform various actions such as taking pictures with the camera, accessing all photos and videos, activating the microphone to listen to the ambient sound, viewing all text messages, calls made and much more.
The commands necessary to generate the test environment in Metasploit are the following:
In an actual attack, an application with functions similar to those in this demonstration would be used, the installation could be carried out by having physical access to the device or by means of some social engineering technique.
In the latter case, the permissions requested during the installation would be the minimum necessary to avoid suspicion.
For this reason, it is important to avoid downloading applications of dubious origin and pay attention to the permissions they request during installation. The safest way to download applications is to do it from Google Play, although not all Apps should be fully trusted.
The use of an antivirus is recommended, but it should be borne in mind that they are not 100% effective and it will not be difficult for an attacker to evade them. In this sense, I recommend you see this conference of the DragonJAR Security Conference 2016 where the basic operation of antivirus on Android is explained and how the .apk generated by Metasploit could be camouflaged.