Exploring Android Platform - Mercury



The Heavy Metal That Poisoned  the Droid

Mercury is a framework for exploring the Android platform; to find vulnerabilities and share proof-of-concept exploits.




A number of published security assessment methodologies currently exist to support researchers reviewing the security of Android applications and devices. The majority of these methodologies include static analysis methods and require the use of custom scripts and tools to perform single tasks. The general process of assessing the security of Android applications typically involves the following steps:


 ºDownload the target application packages
 ºExtract the application manifests
 ºDecompile the application into readable source code or byte code representations
 ºAnalyse the application manifests and code
 ºWrite a custom application to test anomalies in the entry points of the applications
 ºExploring Android Platform: Mercury documentation


This general process often requires a separate approach for each step, many different tools and lots of time, especially when a large number of applications need to be assessed as part of a project. If the process can be  simplified and tools provided to automate the repetitive parts, it would enable a security researcher to assess applications and devices in a more consistent manner and ultimately perform more comprehensive assessments.  This could also be done in less time whilst providing more assurance. Mercury is a framework that solves this problem by providing interactive tools that allow for dynamic interactions  with the target applications running on a device. This dynamic interaction greatly benefits vulnerability hunters and auditors who are under time constraints. At the time of writing, there were no known frameworks for performing dynamic analysis on Android, making Mercury unique in its space.

This paper will lay the foundations for performing dynamic analysis and finding ways to automate some of the tasks that are needed when assessing the security of Android applications and devices. It will also delve into some  techniques that could be used by malicious applications with minimal permissions to steal information from devices.

Exploring Android Platform

Mercury allows you to assume the role of a low-privileged Android app, and to interact with both other apps and the system.

Use dynamic analysis on Android applications and devices for quicker security assessments
Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices
Write custom tests and exploits, using the easy extensions interface

Mercury allows you to:

1. Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
3. Find information on installed packages with optional search filters to allow for better control
4. Built-in commands that can check application attack vectors on installed applications
5. Transfer files between the Android device and your computer
6. Create new modules to exploit your latest finding on Android, and playing with those that others have found


Mercury does all of this over the network: it does not require ADB.