Companies using Android mobile devices can now safeguard their assets and IT infrastructure
A new security testing tool for Android that should make the operating system safe for BYOD strategies is set to be launched at the beginning of August.
Companies using Android mobile devices can now safeguard their assets and IT infrastructure by using drozer, the new Android security testing framework from MWR InfoSecurity, to run full security assessments.
Previously known as Mercury, drozer allows for dynamic analysis of applications running on Android devices. The tool now has a new set of features that include the ability to compromise Android devices through publicly available exploits. These features are designed to help an organisation understand how a technical vulnerability on a mobile device can become a real threat to their business.
Android developers and security researchers will now be able to exploit vulnerabilities in Android's operating system and use them to install the application on the phone remotely, such as using a malicious document to deploy the app 'without the user noticing it'.
For example, security consultants employed by an organisation can use drozer in a red team exercise, where they have an open scope to attack assets belonging to a company to test its digital infrastructure and security standards. The tool will now allow them to expand the attack surface to include mobile devices as a path of entry into a company's network.
Tyrone Erasmus, senior security consultant at MWR InfoSecurity, said: 'It is a major step forward as previously, various remote Android exploits were scattered across the internet and in some cases were not very reliable. Taking up Mercury's lead, drozer unifies these publicly available exploits into a single framework and improves the quality of the exploitation code and payloads available to the penetration tester.'
He added: 'This opens the opportunity of embracing company smartphones and other Android devices when performing a full security assessment of an organisation's IT network, which is particularly important at times when companies are introducing BYOD strategies and taking up consumer devices for corporate use.'
The team from MWR Labs, the company's research arm, has successfully tested drozer and was able to gain access to personal information and pictures on Android devices, take screenshots and record from the microphone.
Erasmus said: 'By incorporating publicly available exploits into drozer, we enable businesses to simulate attacks against mobile devices in their network. For instance, by gaining access through a security breach in the user's mobile web browser, we are able to install the tool on the device and use it to help them understand how their business and entire IT infrastructure could be exposed to an attacker.'
MWR InfoSecurity will release drozer at Black Hat Arsenal in Las Vegas, USA, on 1 August. Similar to Mercury, drozer provides support for any Android device running Android 2.1 and all later versions, covering 99% of the devices in the market. It is an open source tool and will be available to download from the MWR Labs website.
