Framework for bug hunters to find Android vulnerabilities

Posted: March 20, 2012 in Penteration Testing, Vulnerabilities

A free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android. Use dynamic analysis on Android applications and devices for quicker security assessments. Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices. The easy extensions interface allows users to write custom modules and exploits for Mercury Replace custom applications and scripts that perform single tasks with a framework that provides many tools.

Mercury allows you to:

  • Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
  • Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
  • Find information on installed packages with optional search filters to allow for better control
  • Built-in commands that can check application attack vectors on installed applications
  • Tools to upload and download files between the Android device and computer without using ADB (this means it can be done over the internet as well!)
  • Create new modules to exploit your latest finding on Android, and playing with those that others have found.

This demonstration shows how you can find and exploit SQL injection in Android applications using Mercury.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s