SECurity FUNdamentals

Building Your Own Open-source Android Penetration Testing Platform


Security Fundamentals (803) November 15, 2017 10:15 am - 11:15 am Feedback     

Bookmark and Share

Amadeus Konopko
Jean-Paul Mitri

Android has had a major growth spurt over the last few years and as a result the attack surface is expanding. Many tools for remotely controlling smartphones and obtaining the sensitive information that reside on them have been developed. At the same time, the penetration testing community hasn’t developed an established open source platform for facilitating dangerous attacks on a corporate network using compromised mobile devices.

Starphish is a PoC, open-source platform for building an Android command and control (C2) server, developing trojans that evade Anti-Virus (AV), and deploying trojans through USB, Wi-Fi, or a phishing campaign. For each campaign, the penetration tester can quickly modify the entire platform for specific needs. The Starphish is built upon the community accepted Metasploit framework and can run on a low powered computer or the Amazon cloud.

In this presentation, attendees will learn how to build their own Starphish to effectively utilize mobile attack vectors during an engagement. We will cover how to build your own persistent Android trojan and Android C2 server. Attendees will also learn about the Android permission model and the pitfalls of Android AV. We will also discuss any barriers encountered during the development of the Starphish. This talk is geared towards penetration testers and IT personnel. The platform will be released at the end of the talk.