Getting Stared At Android Hacking Part 1: Environment Setup

Hello folks, today we’ll be discussing Android security from a Red Team perspective. Android, an open-source operating system based on the Linux kernel, started in 2003 under Android Inc., a company later acquired by Google in 2005. Originally intended as a smartphone operating system by 2004, Android has now become the most widely used OS globally. According to Business of Apps, Android is operational in over 190 countries with more than one billion active users. By 2023, the Google Play Store hosted over 2.6 million apps, leading to 113 billion downloads. With such a vast user base, Android security has become a critical area of focus.

Google reported a 50% increase in zero-day exploits in 2023 compared to the previous year, identifying 97 vulnerabilities—48 related to espionage actors and 49 attributed to financially motivated hackers. This surge in vulnerabilities highlights the need for deeper security insights, especially for Red Teamers. Android is based on an ARM Linux kernel, responsible for core functions like memory management and hardware-driver interaction. Its kernel also implements critical security mechanisms such as the permission system, integral to Android’s sandboxing model, which isolates apps from each other for enhanced security.

Android’s ecosystem includes native libraries written in C or C++, providing low-level functionality across various system components. Initially, Android app development relied heavily on Java, but in recent years, Kotlin has become the preferred language. Both languages remain interoperable, allowing developers to write apps using either.

The Hardware Abstraction Layer (HAL) provides a vital security boundary by enabling the operating system to interface with hardware components (e.g., cameras, sensors) without direct driver access. Meanwhile, the Android Runtime (ART), which replaced the older Dalvik VM, enhances performance and security by converting bytecode into native machine code using Ahead-of-Time (AOT) compilation.

Finally, the Application Framework delivers essential APIs for developers, offering structured access to Android’s core features. Components like the Activity Manager (app lifecycle management), Content Providers (data sharing), and the Resource Manager (handling UI layouts) streamline app development. Critical system services like the Location Manager and Notification Manager ensure efficient resource handling while maintaining modularity and security.

With this architecture in mind, Android’s security landscape presents both challenges and opportunities for those involved in vulnerability research and Red Team activities.

Figure 1 Android system architecture

Running Android as a Virtual Machine

VMware has made its Workstation Desktop Hypervisor products free for non-commercial personal use. These tools, widely used for creating virtual environments on Windows, Linux, and macOS, are essential for learning, testing software, and understanding virtualization.

VMware has announced changes to their product lineup following their integration with Broadcom, aiming to continue providing value to their community and customers. The free versions allow individuals to explore virtualization without cost, while commercial users can leverage them for development, testing, and vSphere integration.

Figure 2 VMware provide option for personal use.

Creating Android VM

While it’s not typically necessary to install Android on a physical computer, there are instances where running Android on a virtual machine (VM) can be useful, such as for app development and testing. We’ll setup the android on VMware, enable android debug bridge ADB with root access, then install Burp Suite certificates to intercept and manipulate the requests coming from the machine.

There are many aliases for ruining android like Android-x86 project or Bliss OS but for simplicity we’ll create Android x86 image on VMware.

• After installing VMware, go to File and select New Virtual Machine.

• A setup wizard will appear, select Typical then click Next.

• From chooses, select Linux and version of Other Linux 3.x kernel.

• Write a name to the VM, then locate where its files will be saved.

• Specify maximum disk capacity. Here we’ve two options either to store the virtual disk on a single file which recommended only if you’ve GPT portions on your disk. Or to split the virtual disk on multiple files in case you’re planning to take a backup or transfer your virtual disks anytime

• The configuration summary will appears to you, click Customize Harware ...

kernel /android-9.0-r2/kernel nomodeset xforcevesa root=/dev/ram0 androidboot.selinux=permissive SRC=/android-9.0-r2

• Go to CD/DVD (IDE) and chose the folder where you’ve the android .iso file, close the wizard and start the machine.

• When the machine start select Installation.

• Click C to begin with partitions creation.

• After finishing setup the partitions confirm the usage of GPT.

• Use ext4 as a filesystem.

• Confirm the formation of the partition.

• Confirm the installation of GRUP bootloader.
  

• Install /system directory as read and write.
  

• The VM will reload, select the boot form Android Pi 9.0 R2, then click e to edit the booting command and change quiet to nomodeset xforcevesa then click b to boot from it.

• Android is filly here! so let’s download some essentials apps.

• Click start button to begin with android interface.

• After a while the VirtWifi will appears and you can access the internet to enter a Google account to install apps.

• Set up the date and time, choose a username, and log in using your Gmail account, adjusting Google services settings if necessary. Once you’ve completed all the steps in the Android setup wizard, you’ll be taken to the main Android interface.

Edit GRUB Configuration

Previously, we modified the GRUB configuration to boot the Android VM in VMware, but those changes were not saved after a reboot. To make the changes permanent, we need to edit the GRUB configuration file.

1. Open the Console: After booting into Android, press Alt+F1 to open the console.
2. Create a Directory: Run the following command to create a directory for mounting the virtual disk:

   mkdir /mnt/sda

3. Mount the Virtual Disk: Use this command to mount the virtual disk to the created directory:

   mount /dev/block/sda1 /mnt/sda

4. Edit the GRUB Configuration: Open the GRUB bootloader menu file using the vi text editor:

   vi /mnt/sda/grub/menu.lst

5. Modify the Boot Option: Edit the first boot option by replacing quiet with nomodeset xforcevesa, so it looks like this:

   kernel /android-9.0-r2/kernel nomodeset xforcevesa root=/dev/ram0 androidboot.selinux=permissive SRC=/android-9.0-r2

6. Save and Exit: Press Esc, then type :wq to save the changes and exit the editor.

Your changes will now be permanent after rebooting the Android VM.

Install Wireless ADB

On Android 11 and above

• Go to Settings > About Phone.
• Tap Build Number repeatedly until you see a message saying, “You are now a developer!”.
  

• Go back to Settings > Developer Options and enable USB Debugging.
  

On Android 4.4.1 and above

• Make sure that your VM is connected as Bridge from Edit Virtual Machine Settins
  

• Go to Play Store and search for Wireless ADB

• Enable the wireless ADB then note down the IP and the port of the VM.
  

• Install SDK platform tools and Google android driver, then use ADB binary to connect to the machine as root

shell adb connect 192.168.0.112:5555 adb devices

Add Burp Suite Certificate

• Enable the Burp Suite to intercept the HTTP traffic generated by your Android device, you need to configure a proxy listener and bind it to an open port.

1. In Burp, open the Settings dialog.
2. Go to Tools > Proxy.
3. Under Proxy Listeners, click Add.
4. On the Binding tab, set Bind to port to any available port.
5. Set Bind to address to All interfaces.
6. Click OK and confirm your entries when prompted.

Configuration on the machine

1. On your machine , go to the network and internet settings.
2. Open the network details for the Wi-Fi network that you want to use for testing.
3. Enter edit mode.
4. In the advanced settings, choose the option to configure a proxy manually.
5. Set the Proxy hostname to the IP address of the machine you’re using to run Burp.
6. Set the Proxy port to the port you assigned to the new proxy listener you configured in Burp, see Configure a dedicated proxy listener in Burp
7. Save your changes and then connect to the Wi-Fi network. Your device’s web traffic is now proxied through Burp.

Mobexler Installation

Now we’ve completed configuring the android machine. It’s playing the role of real victims, let’s configure the attacker machine. We’ll be using the Mobexler OS that’s a powerful and versatile mobile security testing framework designed to help penetration testers and security researchers perform comprehensive assessments of mobile applications. It offers a wide range of tools and features tailored for both Android and iOS platforms.

Key capabilities of Mobexler include:

1. Static Analysis: Tools to analyze APK files, decompile code, and inspect application binaries for vulnerabilities.
2. Dynamic Analysis: Features to monitor and interact with running applications in real-time, allowing for dynamic testing and debugging.
3. Network Analysis: Capabilities to intercept and analyze network traffic, which is crucial for identifying vulnerabilities related to data transmission.
4. Forensics: Tools for extracting and analyzing data from mobile devices, useful for post-compromise analysis.
5. Exploitation: Modules for exploiting known vulnerabilities and testing the effectiveness of security controls.
6. Reporting: Features to generate detailed reports of findings, which can be used for documentation and remediation efforts.

Let’s start to make our machine ready for hacking:

• From File menu on VMware chose Open, then select the OVF file of the Mobexler

• It’ll be imported all what you’ve to do is to run the machine.

In today’s session, we’ve delved into Android security from a Red Team perspective, understanding both Android’s extensive architecture and the security mechanisms within. With over one billion active users globally, Android’s popularity makes it a prime target for vulnerabilities and exploitation. However, its layered architecture—complete with a sandboxing model, permission systems, and the Android Runtime (ART)—adds substantial security measures to protect users. Setting up an Android VM, configuring Wireless ADB, adding Burp Suite for network interception, and using Mobexler enhances our toolkit for rigorous security testing.

For Red Teamers, these tools are invaluable for identifying and addressing weaknesses before they can be exploited by malicious actors. By continuously adapting to new security developments, we can improve our defense strategies, making Android a safer OS for everyone.