EvilZone

Set up a normal back door using nc set to start on boot, if nc is detected by the av then think about writing a PE file but remember the most simple option is most likely to work. As for stealing credentials you can either use a keylogger or you could even go old school and change the host file to add a fake login pages for banks (phishing) or inject JavaScript into web requests which silently reads the value of the the password field and creates a hidden image element to send it back to a server you control (remember you can also steal credentials through hidden fields if auto complete is enabled and you change the action value of the form to your script) the list of possibilities is endless!

You can do this right from your android phone.
check out the app zANTI [size=78%]https://www.zimperium.com/zanti-mobile-penetration-testing[/size]
with it you can inject javascript for drive-by-downloads or replace downloaded files
content with your own. Both methods would allow you to get your malicious app
onto their phone. You can set up your own AP either with your laptop or with a phone
and then use ARP spoofing to inject the javascript or malicious file.


[fazed]