Companies using Android mobile devices can now safeguard their assets and IT infrastructure by using drozer, the new Android security testing framework, to run full security assessments.
Previously known as Mercury, drozer allows for dynamic analysis of applications running on Android devices. The tool now has a new set of features that include the ability to compromise Android devices through publicly available exploits. These features are designed to help an organisation understand how a technical vulnerability on a mobile device can become a real threat to their business.
“We added a number of aspects to drozer that weren’t included in Mercury, but the major new feature consists of a means of getting the application onto an Android device remotely. Traditionally, it had to be downloaded from the marketplace or installed using the developer features,” said Daniel Bradberry, Head of Security Tools Development at MWR InfoSecurity.
Tyrone Erasmus, Senior Security Consultant at MWR InfoSecurity, said: “It is a major step forward as previously, various remote Android exploits were scattered across the internet and in some cases were not very reliable. Taking up Mercury’s lead, drozer unifies these publicly available exploits into a single framework and improves the quality of the exploitation code and payloads available to the penetration
He added: “This opens the opportunity of embracing company smartphones and other Android devices when performing a full security assessment of an organisation’s IT network, which is particularly important at times when companies are introducing BYOD (Bring Your Own Devices) strategies and taking up consumer devices for corporate use.”
Android developers and security researchers will now be able to exploit vulnerabilities in Android’s operating system and use them to install the application on the phone remotely, for example by using a malicious document to deploy the app ‘without the user noticing it’.
For example, security consultants employed by an organisation can use drozer in a red team exercise, where they have an open scope to attack assets belonging to a company to test its digital infrastructure and security standards. The tool will now allow them to expand the attack surface to include mobile devices as a path of entry into a company’s network.
The team from MWR Labs, the company’s research arm, has successfully tested drozer and was able to gain access to personal information and pictures on Android devices, take screenshots and record from the microphone.
Tyrone Erasmus said: “By incorporating publicly available exploits into drozer, we enable businesses to simulate attacks against mobile devices in their network. For instance, by gaining access through a security breach in the user’s mobile web browser, we are able to install the tool on the device and use it to help them understand how their business and entire IT infrastructure could be exposed to an attacker.”
Daniel Bradberry added: “The development of drozer has been driven by substantial feedback from the community. Mercury had security assessment and post-exploitation neatly covered off but lacked the capability of being installed remotely on a device through exploitation. This is why we decided to add this new feature and change the name to drozer.”
Similar to Mercury, drozer provides support for any Android device running Android 2.1 and all later versions, covering 99% of the devices in the market. It is an open-source tool and will be available to download from the MWR Labs website – http://mwr.to/drozer – immediately after being presented at Black Hat USA.
Daniel Bradberry and Tyrone Erasmus will be tweeting useful hints and tips from @mwrdrozer.