
Building Your Own Open-source Android Penetration Testing Platform

Amadeus Konopko

[email protected]

JP Mitri

[email protected]

Disclaimer

We are not responsible for anything you do with this information or these tools. This is intended for learning purposes.

About Us

Graduated from Seneca College in May 2017 from the informatics and security degree program

Toward the end of the program, focused heavily on Android mobile devices

Researched mobile vulnerabilities, exploits and phishing

Started working with Kali Linux and Metasploit, testing what was available to us …


Overview

• Android:

Growth, Attack Surface, Permissions and Malware

• Attacks:

Existing Tools, Attack Mediums & Platforms

• Starphish

• Demo


Android

Source: https://9to5google.files.wordpress.com/2015/10/android-versions.jpg?quality=82&strip=all&w=1024


Android Growth Spurt

Android phones since last year have risen to 86% market share

Emerging markets introduce new affordable phones driving the market share

Sources: http://www.nasdaq.com/article/the-evolution-of-smartphone-markets-where-growth-is-going-cm619105


Android Attack Surface

Sources: https://threatpost.com/how-google-shrank-the-android-attack-surface/127086/

https://source.android.com/images/android_framework_details.png

http://newandroidbook.com/AIvI-M-RL1.pdf

Application: Broadcast Receivers, Services, Content Providers, Activities

Baseband: Cellular Voice and Data, SMS and Radio Interface Layer (RIL)

WIFI: PHY, MAC, MLME


Android Permissions

Sources: https://arxiv.org/pdf/1708.03520.pdf

https://eskang.github.io/papers/android-fm15.pdf

Permissions-based Security Model

Intra-library Collusion (ILC)

Protection Level Downgrade


Android Malware

Sources: http://www.alwayson-network.com/wp-content/uploads/2016/08/android-malware.jpg


Android Malware

What is it?

Malicious code through app installation

Existing app downloading a malicious update

Botnets, Rootkits, SPAM, Identity Theft, Banking Trojans, DDOS, Ad-Click, FakeAV, Ransomware, Spyware...

Source: https://www.cl.cam.ac.uk/~drt24/papers/spsm-scoring.pdf

Attacker injecting malicious code


Android Malware

What does it do?

Installs code or modifies files to achieve privilege escalations and persistence

Malicious code runs on device

Targeted social engineering gets user to click or install

Takes control from a remote C2 server

Access SMS, Email, microphone, camera, storage anytime


Android Malware

Phishing

25,000 tools used for phishing and keylogging.

12 million credentials stolen via phishing

Source: https://security.googleblog.com/

https://www.getusecure.com/public/images/images/1502983087.jpg

Phishing poses the greatest threat to users next to keyloggers and third-party breaches


Domain / Certificate Abuse

15,270 SSL certs containing the word “PayPal”

14,766 were phishing sites

Source: https://www.thesslstore.com/blog/lets-encrypt-phishing/

Not preventing or taking responsibility


Android Remote Control

Source: https://www.hackread.com/wp-content/uploads/2017/04/pegasus-malware-android-google.jpg


Android Remote Control

Sources: https://forensics.spreitzenbarth.de/android-malware/

https://blog.lookout.com/sonicspy-spyware-threat-technical-research

Spyware, Malware and Metasploit

Steals users' text messages, emails, calls, photos, location and other data

Thousands of these apps on the Play Store

Metasploit makes it easier for an attacker to create and distribute custom malware


Attack Mediums

GSM

Bluetooth

USB

WIFI

NFC


Attack Mediums

Attacking GSM/Telephony

SMS/MMS/WAP

Signaling System No. 7 (SS7)

Source: https://encrypt-the-planet.com/fight-stingray-imsi-catchers-with-android-imsi-catcher-detector/

Stingray/Surveillance/IMSI Catcher


Attack Mediums

Attacking USB

USBSwitcher

ADB

Source: https://github.com/ud2/advisories/tree/master/android/samsung/nocve-2016-0004

http://bbqand0days.com/Pork-Explosion-Unleashed/

Pork Explosion


Attack Mediums

Wifi Attacks

KRACKs

Evil Twin AP & Captive Portal

Source: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

http://www.thesecurityblogger.com/phishing-for-facebook-logins-with-the-wifi-pineapple-mark-v-from-hak5-setup-guide/pineappledash2/

https://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-twin-wireless-access-point-eavesdrop-data-0147919/

https://www.krackattacks.com/

https://blog.exodusintel.com/2017/07/26/broadpwn/

Broadpwn


Attack Mediums

Bluetooth Attacks

BlueBorne

Bluejacking/Bluesnarfing/BlueBugging

Source: https://threatpost.com/wireless-blueborne-attacks-target-billions-of-bluetooth-devices/127921/

https://gcn.com/articles/2005/07/20/a-menu-of-bluetooth-attacks.aspx

http://www.digitalbulls.com/wp-content/uploads/2017/06/bluetooth-hack-01.jpg

DOS


Attack Mediums

NFC Attacks

Eavesdropping

Data Modification

Source: http://resources.infosecinstitute.com/near-field-communication-nfc-technology-vulnerabilities-and-principal-attack-schema/

https://www.intechopen.com/source/html/44973/media/image2.png

Relay Attack


Platforms

Source: https://pctechmag.com/wp-content/uploads/2013/02/opens.jpg


Open-Source Platforms & Tools

Established

Metasploit Framework

Smartphone Pen-Test Framework / Dagah

What we were in search of

Open-Source, Automation, Evasion, Availability and Scalability…

Source: https://www.metasploit.com/

https://thehackernews.com/2012/03/six-national-television-stations-of.html

Drozer


Starphish

Source: https://vignette.wikia.nocookie.net/angrybirds/images/6/65/Angry_Birds_Fight%21_-_Monster_Pigs_-_Seastar_Pig.png/revision/latest?cb=20151230031826


Starphish

What is it?

Open-Source platform that can create, modify, deploy and manage exploits and attacks for Android based devices.

It leverages the Metasploit framework for a fully featured Pen-Test suite

Can operate on multiple hardware platforms from SoC to Cloud


Starphish

Architecture

Kali Linux

Metasploit framework, payloads and rpcd

king-phisher

pymetasploit by allfro

ClockworkSMS

Source: https://kadk.dk/sites/default/files/styles/media/public/2013-14_lukaszwlodarczyk_membranestudy_cita_blog_0.jpg?itok=Ld-MNCNs&c=e639107c8fe2d0311850f61170264dc9


Starphish

Create

Using our Malware-Builder script

Pulls Metasploit payloads from Github

Implements simple anti-virus evasion

Source: https://i1.wp.com/securityaffairs.co/wordpress/wp-content/uploads/2017/01/FireCrypt-ransomware.png?resize=677%2C342

We use our own X.509 certificate to sign APKs


Starphish

Modify

The name of the malware to suit your campaign

The landing page

Phishing messages

Sources: http://www.eweek.com/imagesvr_ez/b2bezp/2016/08/290x195blueboxfakeid1_2.jpg?alias=article_hero


Starphish

Deploy

SMS, Email, WIFI, USB, QR Code, Social Media

Custom tailor the message to fit your campaign

Quickly deploy messages to many users at once


Starphish

Manage

Using a cloud-based C2 server or a local deployment

https://www.getusecure.com/public/images/images/1502983087.jpg


Demo

http://wallpapers.androlib.com/wallicons/wallpaper.big-wzD.cs.png