Mercury The Android Assessment framework v2.2.0 in the wild

Mercury is a security assessment framework for the Android platform. It allows you to dynamically interact with the Inter-Process Communication (IPC) endpoints exported by an application installed on a device.

Mercury provides similar functionality to a number of static analysis tools, such as aapt, but offers far more flexibility by allowing you to interact with these endpoints from the context of an unprivileged application running on the same device.

The Android sandbox is designed to restrict the access of an unprivileged application to other applications and the underlying device, without requesting appropriate permissions. Once you’ve had a look with Mercury, you will be surprised at how much access you actually have.

Mercury was also a part of  the latest Blackhat Arsenal 2013 Session in Amsterdam, where the awesome team has demoed neat features and few tricks pentesters can leverage to bypass restrictions and exploit vulnerabilities on Android Smartphones.

Mercury allows you to:

  1. Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
  2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
  3. Find information on installed packages with optional search filters to allow for better control
  4. Built-in commands that can check application attack vectors on installed applications
  5. Tools to upload and download files between the Android device and computer without using ADB (this means it can be done over the internet as well!)
  6. Create new modules to exploit your latest finding on Android, and playing with those that others have found

Here is the latest changelog information as embedded with Mercury package

– Connections between Consoles and Agents can be encrypted with SSL.
– The Agent can require a password to be provided to establish a session.
– New Mercury modules can be downloaded and installed from the Internet, and
the local file system.
– Significant performance improvements to the Agent.

In addition, the following Github Issues have been closed:

Agent:

#   2 High CPU usage when polling for messages in Session.java.
#   1 High CPU usage on active connection in Server/Client.java.

Console:

#  50 Error when printing ContentProvider Path Permissions.
#  49 app.provider.delete does not work.
#  48 Python 2.x xrange/range optimization.
#  47 Some apps can crash scanner.provider.* modules.
#  44 Running app.package.manifest without specifying a package results in a
Null Pointer Exception.
#  43 Bug in app.provider.query.
#  34 Five, new 3rd Party ‘pilfer’ Modules.

The new console is compatible with the old agent, and vice-versa. However, this
configuration does not support SSL or password-on-connect.

Download

 

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"
Strengthening Security: ToolsWatch Welcomes Dr. Magda Lilia Chelly and Vivek Ramachandran to Black Hat Arsenal’s Board of Review

Strengthening Security: ToolsWatch Welcomes Dr. Magda Lilia Chelly and Vivek Ramachandran to Black Hat Arsenal’s Board of Review

GISEC Armory Edition 1 Dubai 2024 – Call For Tools is Open

GISEC Armory Edition 1 Dubai 2024 – Call For Tools is Open

Black Hat Arsenal 2024 Next Stop Singapore !

Black Hat Arsenal 2024 Next Stop Singapore !

ToolsWatch introducing Armory at Gisec 2024 in Dubai: A New Arena for Cybersecurity Open Source Tools Announced

ToolsWatch introducing Armory at Gisec 2024 in Dubai: A New Arena for Cybersecurity Open Source Tools Announced

Unveiling the Awesome Lineup for Black Hat MEA Arsenal 2023 in Riyadh, KSA

Unveiling the Awesome Lineup for Black Hat MEA Arsenal 2023 in Riyadh, KSA

Announcing the First Black Hat / ToolsWatch SecTor Toronto 2023 Arsenal Tools and Their Impact on the Community

Announcing the First Black Hat / ToolsWatch SecTor Toronto 2023 Arsenal Tools and Their Impact on the Community