For educational purposes only.
To do this, you'll need the Metasploit Framework (you can use Kali Linux as a workspace).
Basically, you create a backdoor APK file and send it to the device. The victim then opens and installs the file.
What happens next is that Metasploit starts a reverse handler along with a payload handler. It establishes the connection and launches Meterpreter. Meterpreter is a powerful tool with plenty of awesome functions. Let's check some of them right at the beginning.
As the command suggests, this will launch the shell on the target. If the victim uses a Linux-based system, like Android, and it's rooted, you can easily take full control over the device. Using commands like su, rm /system and others will brick the device right away.
This command returns a list of all available webcams on the target.
Takes a picture from the target and saves it to your disk (to your current workspace by default).
There are many more commands in Meterpreter, check HERE.
Back to hackz.
Next we execute msfpayload reverse_tcp with LHOST and finally create an APK file. When the APK file is created, we can send it to the victim or arrange it somewhere, spread it to the world and whatnot.
Then we do some more funky stuff and start the Meterpreter session.
By using the sessions command, we can view active sessions (victim x attacker).
Using the command sessions -i [number of session], we open the active session and start using the Meterpreter commands listed above. Pretty easy!
And here's a quick YouTube video I found. Check it out for more information. Happy hacking!