Building Your Own Open-source Android Penetration Testing Platform
Amadeus Konopko
JP Mitri
Disclaimer
We are not responsible for anything you do with this information or these tools. This is intended for learning purposes.
About Us
Graduated from Seneca College in May 2017 from the Informatics and Security degree program
Toward the end of the program, focused heavily on Android mobile devices
Researched mobile vulnerabilities, exploits and phishing
Started working with Kali Linux and Metasploit, testing what was available to us …
Overview
• Android: Growth, Attack Surface, Permissions and Malware
• Attacks: Existing Tools, Attack Mediums & Platforms
• Starphish
• Demo
Android
Source: https://9to5google.files.wordpress.com/2015/10/android-versions.jpg?quality=82&strip=all&w=1024
Android Growth Spurt
Android phones have risen to 86% market share since last year
Emerging markets introduce new affordable phones, driving the market share
Source: http://www.nasdaq.com/article/the-evolution-of-smartphone-markets-where-growth-is-going-cm619105
Android Attack Surface
Application: Broadcast Receivers, Services, Content Providers, Activities
Baseband: Cellular Voice and Data, SMS and Radio Interface Layer (RIL)
Wi-Fi: PHY, MAC, MLME
Sources: https://threatpost.com/how-google-shrank-the-android-attack-surface/127086/
https://source.android.com/images/android_framework_details.png
http://newandroidbook.com/AIvI-M-RL1.pdf
Android Permissions
Permissions-based Security Model
Intra-library Collusion (ILC)
Protection Level Downgrade
Sources: https://arxiv.org/pdf/1708.03520.pdf
https://eskang.github.io/papers/android-fm15.pdf
Android Malware
Sources: http://www.alwayson-network.com/wp-content/uploads/2016/08/android-malware.jpg
Android Malware
What is it?
Malicious code delivered through app installation
An existing app downloading a malicious update
An attacker injecting malicious code
Botnets, Rootkits, SPAM, Identity Theft, Banking Trojans, DDoS, Ad-Click, FakeAV, Ransomware, Spyware...
Source: https://www.cl.cam.ac.uk/~drt24/papers/spsm-scoring.pdf
Android Malware
What does it do?
Installs code or modifies files to achieve privilege escalation and persistence
Malicious code runs on the device
Targeted social engineering gets the user to click or install
Takes control from a remote C2 server
Accesses SMS, email, microphone, camera and storage at any time
Android Malware
Phishing
25,000 tools used for phishing and keylogging
12 million credentials stolen via phishing
Phishing poses the greatest threat to users, next to keyloggers and third-party breaches
Sources: https://security.googleblog.com/
https://www.getusecure.com/public/images/images/1502983087.jpg
Domain / Certificate Abuse
15,270 SSL certs containing the word “PayPal”
14,766 of those were phishing sites
The issuing CA (Let's Encrypt) is neither preventing this nor taking responsibility for it
Source: https://www.thesslstore.com/blog/lets-encrypt-phishing/
Android Remote Control
Source: https://www.hackread.com/wp-content/uploads/2017/04/pegasus-malware-android-google.jpg
Android Remote Control
Spyware, Malware and Metasploit
Steals users' text messages, emails, calls, photos, location and other data
Thousands of these apps are on the Play Store
Metasploit makes it easier for an attacker to create and distribute custom malware
Sources: https://forensics.spreitzenbarth.de/android-malware/
https://blog.lookout.com/sonicspy-spyware-threat-technical-research
Attack Mediums
Attacking GSM/Telephony
SMS/MMS/WAP
Signaling System No. 7 (SS7)
Stingray/Surveillance/IMSI Catcher
Source: https://encrypt-the-planet.com/fight-stingray-imsi-catchers-with-android-imsi-catcher-detector/
Attack Mediums
Attacking USB
USBSwitcher
ADB
Pork Explosion
Sources: https://github.com/ud2/advisories/tree/master/android/samsung/nocve-2016-0004
http://bbqand0days.com/Pork-Explosion-Unleashed/
Attack Mediums
Wi-Fi Attacks
KRACKs
Evil Twin AP & Captive Portal
Broadpwn
Sources: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
http://www.thesecurityblogger.com/phishing-for-facebook-logins-with-the-wifi-pineapple-mark-v-from-hak5-setup-guide/pineappledash2/
https://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-twin-wireless-access-point-eavesdrop-data-0147919/
https://www.krackattacks.com/
https://blog.exodusintel.com/2017/07/26/broadpwn/
Attack Mediums
Bluetooth Attacks
BlueBorne
Bluejacking/Bluesnarfing/BlueBugging
DoS
Sources: https://threatpost.com/wireless-blueborne-attacks-target-billions-of-bluetooth-devices/127921/
https://gcn.com/articles/2005/07/20/a-menu-of-bluetooth-attacks.aspx
http://www.digitalbulls.com/wp-content/uploads/2017/06/bluetooth-hack-01.jpg
Attack Mediums
NFC Attacks
Eavesdropping
Data Modification
Relay Attack
Sources: http://resources.infosecinstitute.com/near-field-communication-nfc-technology-vulnerabilities-and-principal-attack-schema/
https://www.intechopen.com/source/html/44973/media/image2.png
Open-Source Platforms & Tools
Established
Metasploit Framework
Smartphone Pen-Test Framework / Dagah
Drozer
What we were in search of
Open-Source, Automation, Evasion, Availability and Scalability…
Sources: https://www.metasploit.com/
https://thehackernews.com/2012/03/six-national-television-stations-of.html
Starphish
Source: https://vignette.wikia.nocookie.net/angrybirds/images/6/65/Angry_Birds_Fight%21_-_Monster_Pigs_-_Seastar_Pig.png/revision/latest?cb=20151230031826
Starphish
What is it?
An open-source platform that can create, modify, deploy and manage exploits and attacks for Android-based devices.
It leverages the Metasploit Framework for a fully featured pen-test suite.
It can operate on multiple hardware platforms, from SoC to cloud.
Starphish
Architecture
Kali Linux
Metasploit framework, payloads and rpcd
king-phisher
pymetasploit by allfro
ClockworkSMS
Source: https://kadk.dk/sites/default/files/styles/media/public/2013-14_lukaszwlodarczyk_membranestudy_cita_blog_0.jpg?itok=Ld-MNCNs&c=e639107c8fe2d0311850f61170264dc9
Starphish
Create
Using our Malware-Builder script
Pulls Metasploit payloads from GitHub
Implements simple anti-virus evasion
We use our own X.509 certificate to sign APKs
Source: https://i1.wp.com/securityaffairs.co/wordpress/wp-content/uploads/2017/01/FireCrypt-ransomware.png?resize=677%2C342
Starphish
Modify
The name of the malware to suit your campaign
The landing page
Phishing messages
Source: http://www.eweek.com/imagesvr_ez/b2bezp/2016/08/290x195blueboxfakeid1_2.jpg?alias=article_hero
Starphish
Deploy
SMS, Email, Wi-Fi, USB, QR Code, Social Media
Tailor the message to fit your campaign
Quickly deploy messages to many users at once
Starphish
Manage
Using a cloud-based C2 server or a local deployment
Source: https://www.getusecure.com/public/images/images/1502983087.jpg