Posted on 10 Comments

Hack Android with Mercury browser parseuri exploit

Good Evening Friends. Today we will drift a little bit from our system hacking and get into mobile hacking. Actually I thought of skipping this howto as it has been a long time since this exploit has been released and I thought developers of Mercury browser may have patched it but recently checked out that the vulnerable version( Mercury v3.2.3) of this Mercury browser is still available for download. So let us see today how to hack Android with Mercury Browser parseuri exploit. Start Metasploit and load the exploit as shown below. Set the required options ( i.e actually we need to set only one option, localhost )

Then type command “exploit” as shown below. A server will start at the localhost as shown below.

Now the only thing we need to do is make the Android users open the above url with Mercury browser. Once the android user opens the link, the exploit will run as shown below.

Now, on your localhost ( attacker machine ), open a browser and type  the android user’s IP address as shown below. We got the IP address in the above picture only. As shown below, you can access all the data of our victim.

Given below are the victim’s Whatsapp data.

That’s how we hack Android with the Mercury Browser parse URI exploit. See how to recover deleted messages from Android.

Follow Us

10 thoughts on “Hack Android with Mercury browser parseuri exploit

  1. After typing use auxiliary/server/andriod_mercury_pasueri
    It says it failed to load the module.
    Do u have a solution
    Thank you.

    1. Hey Real, update your metasploit framework by typing command “msfupdate” in the terminal.

  2. Do u need Linux to install

    1. Evillgoby, I didn’t get your question. If you are talking about mercury browser app, it is available in play store.

  3. after I type “exploit”


    Auxiliary failed: Rex: :BindFailed The address is already in use or unavailable: (
    call stack:

    What must be do?

    1. Try a different port like 8081 or 9000

  4. what should we know about victim’s Smart phone like IP address or how can we enforce victim to install Mercury Browser

    1. @MAK, there are no fixed steps to do this. Use your creativity.

  5. [-] Auxiliary failed: Rex::BindFailed The address is already in use or unavailable: (
    [-] Call stack:
    [-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/comm/local.rb:187:in `rescue in create_by_type’
    [-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/comm/local.rb:174:in `create_by_type’
    [-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/comm/local.rb:33:in `create’
    [-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket.rb:49:in `create_param’
    [-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/tcp_server.rb:39:in `create_param’
    [-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/rex-socket-0.1.23/lib/rex/socket/tcp_server.rb:29:in `create’
    [-] /usr/share/metasploit-framework/lib/rex/proto/http/server.rb:145:in `start’
    [-] /usr/share/metasploit-framework/lib/rex/service_manager.rb:81:in `start’
    [-] /usr/share/metasploit-framework/lib/rex/service_manager.rb:25:in `start’
    [-] /usr/share/metasploit-framework/lib/msf/core/exploit/http/server.rb:139:in `start_service’
    [-] /usr/share/metasploit-framework/lib/msf/core/exploit/socket_server.rb:40:in `exploit’
    [-] /usr/share/metasploit-framework/modules/auxiliary/server/android_mercury_parseuri.rb:151:in `run’
    [*] Auxiliary module execution completed


    i am your student in hackademy institute in 2015 batch you are my trainer

    1. Change the port and try again

Comments are closed.