Tools no image

Published on April 26th, 2013 | by NJ Ouchn


Mercury The Android Assessment framework v2.2.0 in the wild

Mercury is a security assessment framework for the Android platform. It allows you to dynamically interact with the Inter-Process Communication (IPC) endpoints exported by an application installed on a device.

Mercury provides similar functionality to a number of static analysis tools, such as aapt, but offers far more flexibility by allowing you to interact with these endpoints from the context of an unprivileged application running on the same device.

The Android sandbox is designed to restrict the access of an unprivileged application to other applications and the underlying device, without requesting appropriate permissions. Once you’ve had a look with Mercury, you will be surprised at how much access you actually have.

Mercury was also a part of  the latest Blackhat Arsenal 2013 Session in Amsterdam, where the awesome team has demoed neat features and few tricks pentesters can leverage to bypass restrictions and exploit vulnerabilities on Android Smartphones.

Mercury allows you to:

  1. Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
  2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
  3. Find information on installed packages with optional search filters to allow for better control
  4. Built-in commands that can check application attack vectors on installed applications
  5. Tools to upload and download files between the Android device and computer without using ADB (this means it can be done over the internet as well!)
  6. Create new modules to exploit your latest finding on Android, and playing with those that others have found

Here is the latest changelog information as embedded with Mercury package

– Connections between Consoles and Agents can be encrypted with SSL.
– The Agent can require a password to be provided to establish a session.
– New Mercury modules can be downloaded and installed from the Internet, and
the local file system.
– Significant performance improvements to the Agent.

In addition, the following Github Issues have been closed:


#   2 High CPU usage when polling for messages in
#   1 High CPU usage on active connection in Server/


#  50 Error when printing ContentProvider Path Permissions.
#  49 app.provider.delete does not work.
#  48 Python 2.x xrange/range optimization.
#  47 Some apps can crash scanner.provider.* modules.
#  44 Running app.package.manifest without specifying a package results in a
Null Pointer Exception.
#  43 Bug in app.provider.query.
#  34 Five, new 3rd Party ‘pilfer’ Modules.

The new console is compatible with the old agent, and vice-versa. However, this
configuration does not support SSL or password-on-connect.



Tags: , ,

About the Author

“Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses”

One Response to Mercury The Android Assessment framework v2.2.0 in the wild

  1. The Mercury Framework is a featured tool in my SANS Institute SEC575: Mobile Device Security and Ethical Hacking course. Students use Mercury in hands-on lab exercises to evaluate several custom Android applications, bypassing security restrictions and accessing data outside of the application sandbox. As an instructor, it’s awesome to see the wide-eyed students realizing the extent of permission vulnerabilities on the Android platform, and how simple developer mistakes can expose sensitive data on the platform.

    Many thanks to the MWR team for an awesome toolkit!


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top ↑