Press Release

drozer - The new Android security testing tool

News

MWR InfoSecurity will release drozer at Black Hat Arsenal in Las Vegas, USA, on August 1st.

Companies using Android mobile devices can now safeguard their assets and IT infrastructure by using drozer, the new Android security testing framework, to run full security assessments.

Previously known as Mercury, drozer allows for dynamic analysis of applications running on Android devices. The tool now has a new set of features that include the ability to compromise Android devices through publicly available exploits. These features are designed to help an organisation understand how a technical vulnerability on a mobile device can become a real threat to their business.

“We added a number of aspects to drozer that weren’t included in Mercury, but the major new feature consists of a means of getting the application onto an Android device remotely. Traditionally, it had to be downloaded from the marketplace or installed using the developer features,” said Daniel Bradberry, Head of Security Tools Development at MWR InfoSecurity.

Tyrone Erasmus, Senior Security Consultant at MWR InfoSecurity, said: “It is a major step forward as previously, various remote Android exploits were scattered across the internet and in some cases were not very reliable. Taking up Mercury’s lead, drozer unifies these publicly available exploits into a single framework and improves the quality of the exploitation code and payloads available to the penetration
tester.”

He added: “This opens the opportunity of embracing company smartphones and other Android devices when performing a full security assessment of an organisation’s IT network, which is particularly important at times when companies are introducing BYOD (Bring Your Own Devices) strategies and taking up consumer devices for corporate use.”

Android developers and security researchers will now be able to exploit vulnerabilities in Android’s operating system and use them to install the application on the phone remotely, such as using a malicious document to deploy the app ‘without the user noticing it’.

For example, security consultants employed by an organisation can use drozer in a red team exercise, where they have an open scope to attack assets belonging to a company to test its digital infrastructure and security standards. The tool will now allow them to expand the attack surface to include mobile devices as a path of entry into a company’s network.

The team from MWR Labs, the company’s research arm, has successfully tested drozer and was able to gain access to personal information and pictures on Android devices, take screenshots and record from the microphone.

Tyrone Erasmus said: “By incorporating publicly available exploits into drozer, we enable businesses to simulate attacks against mobile devices in their network. For instance, by gaining access through a security breach in the user’s mobile web browser, we are able to install the tool on the device and use it to help them understand how their business and entire IT infrastructure could be exposed to an attacker.”

Daniel Bradberry added: “The development of drozer has been driven by substantial feedback from the community. Mercury had security assessment and post-exploitation neatly covered off but lacked the capability of being installed remotely on a device through exploitation. This is why we decided to add this new feature and change the name to drozer.”

Similar to Mercury, drozer provides support for any Android device running Android 2.1 and all later versions, covering 99% of the devices in the market. It is an open-source tool and will be available to download from the MWR Labs website – http://mwr.to/drozer – immediately after being presented at Black Hat USA.

Daniel Bradberry and Tyrone Erasmus will be tweeting useful hints and tips from @mwrdrozer.

 

 

Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.