android device hacking tricks and countermeasuresthe android’s webcam, decrypting the whatsapp...
TRANSCRIPT
Android Device Hacking Tricks and
Countermeasures
Khulood Al Zaabi College of Technological Innovation
Zayed University
Abu Dhabi, UAE
Abstract -- Cybercrimes have increased against Android
devices due to the increased usage of Instant Messaging,
Global Positioning Systems (GPS) and Webcam
Applications which are built into the Android device,
resulting in invasion of the victim’s privacy. The
existing studies demonstrate how to utilize the
vulnerabilities of the Android device; however, none
have proposed a comprehensive study highlighting the
hacking tricks and their countermeasures. This study
demonstrates how to discover and fully control the
Android device using existing tools. Furthermore, it
proposes a novel GPS Tracking Application. The
purpose of this research is twofold: 1. To demonstrate
how to disclose the victim’s sensitive information after
performing diverse hacking tricks; and 2. To implement
countermeasures for each Android hacking trick. The
author believe that such a scenario is needed for
implementing awareness among Android device users.
Also, it shows Android and Instant Messaging
Application developers to mitigate existing
vulnerabilities, thereby enhancing security levels.
Keywords----Android Hacking; GPS Hacking; WhatsApp
Hacking; Android Hacking Tricks; Android Hacking
Tools; Countermeasures
I. INTRODUCTION
In the Post-PC era, the use of small, portable
tablets and Smartphones has skyrocketed. They have
become the preferred choice for communication,
performing online banking transactions, taking and
uploading photos and videos, sending messages via
Instant Messaging Applications (i.e. WhatsApp),
pinpointing locations using the Global Positioning
System (GPS), and more. The number of Smartphone
users has reached around 7 billion worldwide.
Currently, the Android Operating System has gained
significant popularity over the Apple device since
being released into the mobile industry in 2008 [1, 2,
3]. The Smartphone is popular due to significant
improvements in its functionality, and because it has
the capacity to store a considerable amount of the
user’s sensitive data [2, 4]. However, the Smartphone
has also become more susceptible to cybercrimes that
violate the victim’s confidentiality, integrity, and
availability [1, 5, 6]. As stated by the Norton Report
in 2013 [5], 38 percent of Smartphone users are being
targeted by criminal activities. The scope of this
paper is to concentrate on the Android hacking tricks
and
countermeasures. In other words, the research paper
focuses on how criminals utilize the Android’s built-
in vulnerabilities, and showcases how they overtake
the victim’s phone by using diverse hacking
strategies in order to violate their victim’s personal
information. The remainder of this paper is organized
as follows: Section II presents the “Background and
Related Work” where I review the previous literature
regarding hacking tricks for Android devices. In
section III, I talk about the “Problem and
Motivation”. Section IV illustrates the “Proposed
Approach” and the tools and techniques used. This is
then followed by an overview of my “Experimental
Results” in section V, and the results are discussed in
the section titled “Experimental Discussion”. In
section VII, I conclude my research and propose
“Future Work”.
II. BACKGROUND AND RELATED
WORK
The domain of Android hacking is an ever-
evolving area at both the individual and business
level due to the unique characteristics, features, and
flexibilty of this device. In the following sections, the
research paper will introduce: 1. The Android device
platform; 2. An overview of the WhatsApp Instant
Messaging Application, and 3. The Global
Positioning System.
A. Android Device Platform
The Open Handset Alliance (OHA) developed an
open-market Operating System which strives to
“accelerate innovations in mobiles and offers
consumers a richer, less expensive, and better mobile
experience” [7]. Gartner Inc. stated that the Android
device embraced 25.5% of the world’s Smartphone
sales. According to the IDC Q2 2014 report [8], the
Android device occupied 85% of the market as seen
in Fig. 1. However, sophisticated criminal offenders
have become familiar with the Android device’s
built-in vulnerabilities and loopholes [1, 9].
Cybercriminals have made millions of dollars by
deceiving Android users by requesting them to
download malicious third-party Applications [5]. The
unverified Applications subsequently grant the
attacker full access to the victim’s sensitive data [5,
8].
Fig. 1. Distribution of mobile operating system in Q2 2014,
according to IDC. Source (media.kaspersky, 2014)
B. Overview of WhatsApp Instant Messaging
Application
In September 2015, the popularity of the
WhatsApp messaging application reached 900
million users worldwide as shown in Fig. 2 [10, 11,
12, 13]. WhatsApp is a free proprietary cross-
platform messaging application which is installed on
a client's Smartphone and is not operable without the
Internet. The user can then subscribe to the
WhatsApp service to send text messages, share
images, videos, locations and more with other
WhatsApp users [10, 13, 14, 15]. In late January
2015, Koum [10] announced on his Facebook page
that:
“Our web client is simply an extension of your
phone: the web browser mirrors conversations and
messages from your mobile device—this means all of
your messages still live on your phone”
Koum's announcement was about the release the
WhatsApp PC desktop version called “WhatsApp
Web” [10, 12, 13]. This version supports all desktop
browsers except for the Microsoft Internet Explorer
and was activated to work with Google Android,
Windows Phones, Nokia, iPhones, and BlackBerry
devices [10, 12, 14]. Due to the increase in the
numbers of WhatsApp Web users, now reaching 200
million, cyber-attacks are also on the rise, thus
compromising the personal data stored on the these
devices [11, 12].
Fig. 2. Number of monthly active WhatsApp users worldwide (in
millions). Source (statista, 2015)
C. Global Positioning System (GPS)
The Global Positioning System was developed by
the U.S Department of Defense (DoD) in 1995, using
24 satellites. This system is capable of operating with
civil, commercial, and military users around the
globe [16]. The Android GPS is part of the Google
Play Services, which tracks and pinpoints the exact
location of the users [17]. GPS users can utilize both
the built-in GPS and Network Location Provider
(NLP). The GPS is more accurate than the NLP;
however, it is only capable of being operated
outdoors. Moreover, the GPS takes a long time to
forward the requested location. On the other hand,
the NLP consumes less battery power than the GPS
and can be operated indoors and outdoors. However,
identifying the user's location is complicated because
the longitude and latitude becomes different every
time the user moves to a new place.
This section presents a comprehensive review of
the plethora of related research studies that cover
Android device hacking techniques. More
specifically, it focuses on the hacking of Android
Applications, Android Messaging Application such
as WhatsApp, Global Positioning Systems on
Android devices, describing the various types of
attacks and the countermeasures. Whether or not the
Application is running, Wu and Li [18] succeeded in
hacking the Android Application by proposing two
methods: static and dynamic methods. In the static
method, they modified the Application’s dex and
APK files, while in the dynamic method, they
modified the execute byte code. Moreover, they
concluded their research by discussing how to detect
and protect the Android Application against these
types of attacks [18].
Abura’ed et al. [19] discussed three exploitable
vulnerabilities: 1. Overriding the default behaviors of
buttons; 2. Access permissions, and 3. The lack of
identity indicators used to perform phishing attacks
using a Trojan. They succeeded in imposing a
significant threat without the victim’s knowledge,
and without degrading the victim’s machine
performance. In addition, they recommended
enhancing the Android’s security against these types
of attacks by monitoring the machine’s running
process, implementing the SSL certificate for each
trusted Application, and keeping the identity
indicator such as the watermark [19]. Erich and Cliff
[20] conducted a novel denial-of-convenience attack
against Android and iPhone devices for non-technical
users. The researchers exploited the Smartphone’s
connectivity management protocol by configuring a
fake Wi-Fi access point, and forcing their victims to
connect via the non-valid access point. This was done
with the purpose of disabling the Internet connection
availability of their victims. At the end of their
research, they proposed a novel Internet access
validation protocol as a defense against this type of
attack. The proposed solution used cellular networks
in order to send a secret key phrase to the Internet’s
validation server [20].
Furthermore, Yubo et al. [21] presented their
research on how to deploy a malware against a
Smartphone device such as the Android system. This
was accomplished by manipulating the Short
Message System (SMS) protocol and using the Short
Message Type (RS MT) as an attack vector. Next,
they attempted to forward this message to the
victim’s device by using a Software Defined Radio
(SDR). The authors achieved their goal after proving
that the device’s antivirus software was not able to
detect the injected attack [21]. Additionally, Nguyen
et al. [22] achieved their goal in stealthily discovering
the target’s location without the victim’s consent, by
developing an unauthorized Location Inference
(UnLocIn) approach. This approach was possible
with the insensitive Wi-Fi permission, as it bypassed
the malware detection technique. The researchers
examined 51 free Apps on Google Play, and
succeeded in inferring the target’s location with a 50-
meter accuracy range. This paper also discussed how
to counter the proposed UnLocIn attack [22]. While
[23] described the most common social engineering
attack techniques on knowledgeable workers,
Krombholz et al. presented comprehensive
terminology that assisted them in classifying the
social engineering attacks in terms of four
parameters. These parameters include the attack
channel, the attack operator, various kinds of social
engineering and realistic attack scenarios. Moreover,
this research included the most advanced attack
vectors within the common communication channels
and computer-supported collaboration, such as
Mobile Messaging Applications (i.e. WhatsApp). In
addition, the researchers supported their research by
describing countermeasures against this type of
attack [23]. In this paper, Krombholz et. al.
demonstrated the Cross-site scripting attack
(XSS)techniques used against the Android's
WebView, whereas, Bhavani [24] utilized the Web
Application vulnerabilities to exploit the victim’s
WebView, by launching a malicious code through the
HttpClient APIs. The researcher concluded that this
type of attack can result in disclosing the victim’s
sensitive information (i.e. phone contacts), session
hijacking, and stealing the cashed cookies in order to
impersonate the victim [24].
This paper complements the existing research by
conducting various types of hacking tricks against
Android devices. However, the previous work did not
demonstrate a comprehensive hacking phase such as
the one conducted in this research. The author of this
paper performed social engineering tricks to discover
the victim’s current geolocation (GPS hacking).
Moreover, the researcher intended to gain full control
of the victim’s Android device, such as overtaking
the Android’s Webcam, decrypting the WhatsApp
Instant Messaging, and more. Furthermore, the author
was able to discover all of the active devices which
were connected to the same attacker’s network using
the zANIT. Lastly, the researcher presented
countermeasures for each trick in order for the
victims to become savvy in safeguarding themselves
and also, protecting their private information from
being exposed to attackers.
III. PROBLEM AND MOTIVATION
As reported by the Google Investor website [9],
over 350,000 devices are being activated daily as of
February 2011. This is because of the Android’s
Smartphone features which enable communication
between individuals and businesses with a high level
of information management. However, the developer
of the Android device offers it in the open-market
model with limited controls. As a result, the Android
Operating System and its Applications have become
susceptible to critical security threats by sophisticated
criminals who spy on users and violate their privacy
via the Internet [1]. Kaspersky Lab’s security [8]
illustrates various types of attack statistics against
Android users in May 2012 (Fig. 3). Their study
stated that the number of Android attacks and the
targeted users grew dramatically during the period
between August 2013 and July 2014 [8].
Fig. 3. Detections by Kaspersky Lab’s security of cyber-attacks on
Android. Source (media.kaspersky, 2014)
The recently released WhatsApp Desktop version
not only attracts users, but also attracts
cybercriminals. It allows them to launch a series of
attacks such as spreading malicious messages for the
purpose of infecting the user's phone device and
invading their privacy for monetary benefits [25].
This is one of the reasons why the authors employed
hacking techniques against WhatsApp and the
Android device’s GPS. According to Ralf-Philipp
Weimann, a researcher at the University of
Luxembourg [26], the GPS is a critical Android
device vulnerability. The issue begins when the
Android device asks the victim to pinpoint their
approximate location on the cellular network. These
messages are then sent to an unsecured Internet link,
which encourages the attacker to trick the Android
device into exchanging the location message with
them, instead of the cellular network. As a result, the
attacker is able to track the victim’s location, and
also, to send a malicious code directly onto the
victim’s device processor. This is done with the
purpose of remotely controlling the victim’s
Smartphone [26]. The goal of the present research
was to identify these vulnerabilities, exploit them,
and implement countermeasures.
IV. PROPOSED APPROACH
To conduct the experimental scenarios, the author
configured a Laptop with the required mobile
hacking tools, as well as two Samsung Galaxy S3
devices. The "Rooted" Android device acted as an
attacker to exploit the victim’s device, while the other
one was used as the victim's device featuring various
types of vulnerabilities for exploitation purposes. The
devices were used for the purpose of performing
diverse types of Android hacking tricks by using
different tools and hacking techniques. By using the
Android Studio, NetBeans IDE, and PHP
respectively, the author proposed various types of
Android hacking tricks against the victim’s device.
GPS Tracking was the first trick used to identify the
current victim’s geolocation. Moreover, all of the
discovered live devices were connected to the same
network as the attacker using the zANTI Application,
as well as the victim’s built-in Webcam, decrypting
WhatsApp and the Kali Linux NetHuntertool (i.e.
Metasploitable Framework). The author’s intention in
this research was to alert WhatsApp users, as the App
plays a significant role in tracking their geolocation
and disclosing their privacy, especially after the
author’s success in exploring WhatsApp
vulnerabilities when overtaking the Android device.
The main thrust of this research was threefold: 1. To
discover the victim’s active device and its associated
features using the zANTI discovery tool; 2. To track
the victim’s geolocation, device ID, and Timestamp
using the GPS Tracking Application; and 3. To take
control of the victim’s Android device using Kali
Linux and its associated Applications (i.e.
Metasploit). In the following sections, the paper
presents the requirements and the installation
instructions for all of the hacking tricks conducted.
A. Network Map Discovery
The attacker browsed their Android device using
Starbucks' Wi-Fi public network for the purpose of
hunting their victim. The zANTI penetration testing
tool assisted them in achieving their goal. Therefore,
in order to install the zANTI, the attacker rooted her
Android device by installing the “KingRoot”
software, Kingroot.apk file from Play Store. The
rooted device was verified by installing the “Root
Checker Basic” as illustrated in Fig. 4.
Fig. 4. Root Checker Basic Software
Then the attacker downloaded the zANTI.APK file
from Zimperium Mobile Security, and installed it on
their Android device, allowing her to discover all of
the connected devices such as Laptops and mobile
devices. Fig. 5 illustrates the zANTIL software
interface, including all of the active devices that were
connected to the same network as the attacker. In
this scenario, the attacker started probing this
Android device with an IP address of “192.168.x.x”
and connected via “port 0”. All logs and Nmap scan
outputs were displayed for the targeted Android
devices. The attacker could then perform advanced
scans against her target, by specifying the scan types
from the “Operative Actions” option, then connecting
to the remote ports to exploit the open ports and
discovering vulnerabilities. This was conducted using
diverse types of attacks such as the Man-in-the-
Middle attack. In addition, it could also check and
crack weak passwords, as well as verify the target’s
“ShellShock” and “SSL Poodle” vulnerabilities.
Moreover, the attacker could perform “Smart
Scanning” which enabled her to automatically check
for vulnerabilities. In this scenario, the attacker
intended to perform an “Intense Scan”, which is also
known as an “Intrusive Scan” against the targeted
device. This type of attack permits the attacker to
detect versions and scripts of the Operating System.
Fig. 5. zANTI Software Interface
B. GPS Tracking
In this section, the attacker intended to track her
victim’s current geolocation with their permission, by
designing two different Applications. These are the
Android App “app-release.apk” (Android Application
Package File), using the Android Studio, and the
Desktop App “GPS_Tracker.jar", which is designed
using the NetBeans IDE. The Android App has three
classes: the GPS.java, the Launcher.java, and the
PostTask.java. The GPS.java is a type of Android
service and it implements the LocationListener which
is triggered when the GPS location is changed. In
addition, the “toString()” method is used to obtain the
location, based on the last updated time. Lastly, the
.java represents the launcher activity in the Android
java, and has a layout called “activity_launcher.xml”,
which consists of a label and a button. Therefore,
whenever the user clicks on the “Get GPS Position”
button, the launcher activity retrieves the current
geolocation from the GPS.java and displays it on that
label. Furthermore, the third class PostTask.java is
used to get the geolocation from the launcher.java,
and posts it onto the attacker’s Webserver. Fig. 6
illustrates the AndroidManifest.xml file.
Fig. 6. AndroidManifest.xml file
The second App, which is a desktop has one class
“Launcher.java”, which is linked with two functions:
the clearTable() and the refreshTable(). The
“ClearTable” function is used to connect to the server
and clears the database files which have old logs. The
“RefeshTable” function is used to connect to the
Webserver to search for and retrieve old records.
Moreover, this App has a JTable which encompasses
four columns: the Serial Number, the Device’s ID,
the GPS’ location (latitude and longitude), and the
Timestamp (in GMT). Normally, for the purpose of
Tracking Applications, the attacker creates two
scripts and one text file to be available on her
Webserver which are “gps.php”, “clear.php”, and
“gps.txt” respectively. The gps.php script is used to
receive data from the Android App and these records
are saved onto the “GPS.txt” file, while, the
“clear.php” script is used to delete all entries from the
gps.txt file located on the attacker’s Webserver. The
malicious user performed social engineering
techniques to send the “app-release.apk” file onto her
victim’s Android device. After downloading the
received .apk file and accepting the displayed
permissions, the victim installed the “My GPS
Finder” on their Android device’s App interface, as
illustrated in Fig. 7. Later, and whenever the victim
used the “GPS_TRACKER APP” to check the GPS
details, the App secretly sent details such as the
Android device’s ID, the current geolocation
(latitude and longitude), and Timestamp in GMT
time-zone, and recorded them onto the Webserver of
the hacker. Therefore, the victim’s sensitive
information was monitored and displayed onto the
attacker’s Desktop App which was linked with the
Webserver.
Fig. 7. My GPS Finder App Permission
C. Overtake Android Device
In this study, the attacker intended to take control
of the victim’s Android device, in particular the
Android’s Webcam and decrypting the WhatsApp
using the Kali Linux NetHunter which was installed
on the attacker's Android device. The Metasploit
Framework exists on the Kali Linux NetHunter,
which is a computer security project used for both
penetration testing and executing the exploit code
against the targeted machine. So, in order to install
the Kali Linux NetHunter onto the Android device
(i.e. Samsung) in chroot mode, the malicious users
need to install the following three Applications from
the Android’s Play Store:
Busy Box: which provides the user with
several UNIX tools in a single executable file;
Linux Deploy: an open-sourced software used
for easy installation of the Operating System
and GNU/Linux on the user’s Android device,
and
VNC Client, or VNC Viewer: is a remote
access and control software which is
compatible with Windows, Mac, UNIX and
Linux machine agents, or a centralized server
is required.
The next step was to install these Applications
onto the attacker’s Android device. As mentioned
earlier, the Busy Box should be installed first to grant
the attacker a Root user. Moreover, the attacker
should ensure that she has a good Internet connection
and she needs to keep the installation options as the
default. However, she should modify the distribution
by choosing “Kali Linux”. Then, the installation
process should run until it is completed in order to
move to the next step, which is clicking on the
“Start” button to run the container. Now, the VNC
Viewer Applications will be used to connect to the
container when entering these values such as
ADDRESS (i.e. localhost), NAME (i.e. Kali), and
PASSWORD. After setting these values, the
“Connect” button should be pressed to display the
Kali Linux interface and therefore, start the Webcam
snapping without the victim’s knowledge. The
attacker is now able to launch her attack by creating a
backdoor (.apk), typing the attacker's IP address
(LHOST) and attacker’s port number (LPORT)
respectively; msfvenom –p
android/meterpreter/reverse_tcp;
LHOST=<xxx.xxx.xx.xx>LPORT<xxxx> R >
/root/<filename.apk. Then, the Metasploit console
will be loaded to install a listener by setting up a
reverse payload, and the listener begins by typing the
“Exploit” command as the following: msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
setLHOSTxxx.xxx.xx.xx
setLPORTxxxx
exploit
After that, the attacker performed social
engineering against her victim with the purpose of
convincing them to download the fake.apk file by
enabling the “Unknown sources: Allow the
installation of non-Market Apps” option as shown in
Fig. 8.
Fig. 8. Download .apk File onto the Victim’s Android Device
When the victim opened the fake.apk file and
downloaded it onto their device, the meterpreter
prompt popped-up. The intention was to hack the
victim's Webcam, so that the attacker could take
control of it by typing “webcam_list” to list all of the
victim’s front and back Webcams. The next step was
to take a photo without the victim's knowledge using
the “webcam_snap” 1command. Moreover, the
attacker performed various activities when she
successfully took control of the victim’s Android
device. These include discovering the Android’s
system information, disclosing the victim’s contacts
list, dumping the victim’s SMS messages, and
1By default, the webcam_snap command was used to take a photo using the first (Back) camera
sending SMS messages from the attacker's device
onto the one of the victim’s contacts list.
Furthermore, the malicious user intended to disclose
and decrypt the victim’s WhatsApp database by
employing the following files: the
“msgstore.db.crypt8” and the key which is used to
decrypt the encrypted database using commands.
Lastly, the researcher installed the “Windows
WhatsApp Viewer App” for the WhatsApp Database
decryption purposes. The first step was to insert the
“msgstore.db.crypt8” and the key files, generate the
“msgstore.decrypted” file, and view this file as
illustrated in Fig. 9.
Fig. 9. WhatsApp Viewer
V. EXPERIMENTAL RESULT
The author conducted various types of hacking
tricks against the victim’s Android device as was
mentioned in the previous section. The first hacking
trick was performed using scanning from Starbucks’
public network. This was done with the purpose of
discovering all active Android devices connected to
the same network of the attacker using the zANTI
penetration testing toolkit. Fig. 10 illustrates the
Nmap Scan Output of the zANTI. The victim’s
device (IP address) was detected, which
corresponded with all of the open/filtered and closed
ports that were associated with its service for both
protocols, UDP and TCP. This output displays the
existence of the vulnerable ports which were utilized
to launch an attack against the targeted device.
Moreover, the attacker received the following
message after OS fingerprinting for the targeted
device: “Too many fingerprints match this host to
give specific OS details”. Furthermore, the zANTI
network discovery tool obtained a lot of information:
traceroute results such as the number of hops (1
HOP), Round Trip Time (RTT: 13.18ms), the
targeted IP address (192.168.x.x), the number of
active hosts (1 host up), and all scanned ports were
closed.
For the second round of hacking tricks, the attacker
gained the current geolocation; latitude and
longitude, the device’s ID, and the Timestamp values
by performing GPS Tracking. These values varied in
accordance with the victim’s current geolocation, and
changed from minute-to-minute whenever the victims
attempted to check their GPS using the customized
Application called “My GPS Finder”.
Fig. 10. Nmap Scan Output of the zANTI
Fig. 11 illustrates the victim’s current geolocation
at Timestamp Thursday 10 10:30:51 GMT +05:30
2016, with a latitude value of “24.7531393” and a
longitude value of “78.8387845” while using the
“My GPS Finder” App.
Fig. 11. Victim’s Current Geolocation at Timestamp Thursday 10
10:30:51 GMT +05:30 2016
Moreover, the attacker was able to monitor her
victim’s current geolocation as illustrated in Fig. 12.
The “GPS Tracker Interface” Desktop App, displayed
four different latitude, longitude, device ID and
Timestamp values for three different locations and
Timestamps. Furthermore, the attacker continued her
malicious activities by taking control of the victim’s
Android device, more specifically, the Android’s
Webcam and by decrypting the victim’s WhatsApp
database.
Fig. 12. GPS Tracker Interface App
The attacker succeeded in taking control of the
Android’s Webcam and taking a photo using the back
camera of their victim’s Android device without their
knowledge. They saved the Webcam shot on this
path: /root/JHOJRDTz.jpeg. Table 1 illustrates the
victim’s sensitive information which was found on
the Android device after taking control of it.
Table 1. Outputs generated after Overtaking Victim’s Android
Device Command Output
sysinfo Computer : localhost
OS : Android 4.4.4 - Linux 3.4.0-2656 armv7l)
Meterpreter : java/android
dump_contacts [*] Fetching 6 contacts into list [*] Contacts list saved to:
contacts_dump_20160315121308.txt
dump_sms [*] Fetching 36 sms messages
[*] SMS messages saved to: sms_dump_20160315121421.txt
webcam_snap -
1 2
Webcam shot saved to:
/root/YPAxqHMj.jpeg
record_mic 5 Audio saved to: /root/EyYFewpa.wav
send_sms -d
+97150xxxxxx
x -t "Hi Khulood."
[+] SMS sent - Transmission successful
Furthermore, the decrypted WhatsApp database
was disclosed by the malicious user as shown in Fig.
13. The WhatsApp Viewer App detected sensitive
information about one of the victim’s WhatsApp
contact list. These include the phone number starting
with the country code, last message Timestamp, and
a WhatsApp chat between the attacker’s victim and
the victim’s WhatsApp contact list.
Fig. 13. msgstore.decrypted.db (WhatsApp Viewer)
VI. EXPERIMENTAL DISCUSSION
The attacker succeeded in discovering all live
devices with their open TCP or UDP ports associated
with the services running on the targeted device. The
scanning process is the second phase after
reconnaissance, which involves discovering all of the
target’s active IP addresses, open ports, and finding
vulnerabilities related to the device’s OS, and more.
An attacker commented that the zANTI pen-testing
tool was powerful while using it for Android hacking.
However, the “Too many fingerprints match this host
to give specific OS details” message appeared while
performing an intense scan (advanced scan) against
the target’s Android device. This message appeared
when there were no open ports responding to the
network traffic. As a result, the zANTI was not able
to perform an OS detection. Moreover, it relies on the
type of scan being used. In addition, the attacker
came to realize that the scan type used during the
experiment was not the best type if his intention was
to footprint the target device’s OS. However, the
current hacker was neither able to perform the Man-
in-the-Middle attack against her target’s device, nor
to crack the victim’s Android device as they received
a message that “cracking 192.168.x.x service
<Protocol> [http-get /], finished, no results”. In
addition, the attacker discovered that the target’s
device was not vulnerable to the ShellShock and SSL
Poodle vulnerabilities.
Currently, GPS Tracking is considered to be one of
the most crucial hacking tricks that threatens
Smartphone users around the globe. As discovered in
this study, it is capable of revealing the victim’s vital
information such as the device's ID and geolocation.
It can therefore assist the attacker to visit the victim’s
geolocation and perform advanced hacking
techniques such as social engineering, which can
result in stealing money from the attacker's victims.
The paper’s author was able to track the current
geolocation of the targeted Android device, and
disclose their device's ID for every Timestamp when
the victims used the phishing GPS App. Besides that,
the malicious Android App developer achieved her
goals by designing and linking the fake GPS App
onto her Webserver, and therefore, monitored and
displayed it onto her Desktop Interface as shown in
Fig. 12. This technique and the customized GPS App
updates the attacker regarding her victim’s
geolocation, records them onto the log files in
chronological order, and utilizes these records for
future cybercrime activities. Also, social engineering
plays a main role in performing GPS hacking.
Currently, an attacker can switch on/off the victim’s
GPS or even the Internet using the .apk file which
can be forwarded onto their victim via social
engineering tricks. In the case of this research, GPS
Tracking was performed with the victim’s permission
to specify the current geolocation specifications.
Also, the Android Studio tool assists the malicious
user in creating fake .apk files to track her victims.
Therefore, users should be aware of this type of
hacking trick. However, the GPS has advantages,
despite its risks. From the perspective of forensic
examiners, law enforcement agencies and parental
supervision, a GPS is beneficial in many ways. It can
assist them to detect crimes, reveal threats to the
parents’ children, or to monitor their children’s
movement. It can also be used to protect children
from pornography-related types of crime, by
preventing their children from sharing their location
to meet with others, for example.
Taking control of the victim’s Android device
played a significant role in this study. Using the
Metasploit which is a pen-test tool used by both pen-
tester and attacker simultaneously, the attacker was
able to fully control the victim’s device without their
knowledge. This trick is dangerous, as the attacker is
able to disclose the victim’s privacy such as dumping
the contacts list, WhatsApp list and conversations in
plain-text, Webcam snap and more. Furthermore, this
tool can launch malicious codes which are generated
by the same tool (fake.apk file), to then overtake the
victim’s device, either by being connected on the
same network (LAN), or a different network (WAN).
In this study, the malicious user snapped the victim’s
photo and saved it onto her website to be utilized
later for black mail, which is also called extortion
mail. This type of cybercrime has become
increasingly common nowadays. Table 1 illustrates
the researcher’s finding after controlling the Android
device and revealing crucial information about that
device, such as the Operating System installed on the
targeted device. By knowing the device’s OS, the
attacker can footprint the devices’ vulnerabilities by
performing Search Engine techniques to seek updated
vulnerabilities and their patches. This is conducted in
order to attempt to design a sophisticated exploitation
against the vulnerabilities of the security controls,
and therefore, continue her hacking activities.
Moreover, the device's OS assists the attacker in
creating fake patches for these OS, and she then
upload them onto the Android’s Play Store, which
results in a hacking activity. Furthermore, the paper’s
author succeeded in disclosing 6 of the victim’s
contacts lists and 36 of the victim’s SMS messages,
and then saved them onto her website. In addition,
the researcher was able to send SMS messages from
metasploit onto the victim’s contact list. This hacking
trick is widely used, not only to track more victims,
but also to impersonate a victim. She commit her
crimes using the victim’s device, which is also called
“Daisy Chaining”. This is done to hide her identity,
and therefore counter law enforcement agencies by
misleading and delaying their investigation process.
Furthermore, this trick is currently appearing in
cyberwar committed against countries in order to
deceive their enemies after taking over one of their
soldier’s phone devices. This trick is beneficial for
law enforcement agencies, especially if they would
like to discover the identity of the real criminal. Not
only that, but WhatsApp is also considered a crucial
cyber-attack platform at the present time to determine
the victim’s location. In this study, the researcher was
successful in dumping and decrypting the victim’s
WhatsApp database, including the victim’s contact
list of phone numbers with country codes, the
messages’ content, and the last message Timestamp.
The researcher implemented the following
countermeasures for each type of Android hacking
tricks for the purpose of mitigating or eliminating the
risks generated from the Android’s hacking tricks,
and thereby safeguarding the victims:
Avoid social engineering, by not loaning or
borrowing other Android phones, as this can
allow criminals to scan the WhatsApp QR code
(WhatsApp Web);
Avoid opening any suspicious links;
Use the relevant GPS radio jamming or phone
frequencies to counter satellite Tracking devices;
Avoid accepting any received .APK fake files;
Avoid sharing locations via WhatsApp;
Check the third party’s authenticity before
downloading its Applications;
Protect the Android device from being tricked by
SMS Trojans by implementing controls;
Pen-test the Android device using zANTI;
Be very cautious while browsing an Android
rooted device as it will have Superuser
privileges;
Avoid connecting the Android device to public
Wi-Fi connections and,
Make sure to disable this option: “Install Apps
from unknown sources”
VII. CONCLUSION
Overall, my research identifies the most critical
vulnerabilities within the Android device and/or with
its associated third party Applications such as
WhatsApp and GPS, which are currently considered
to be crucial cybercrime platforms within cyberwar. All users are advised to be wary while using their
Android device. They should co-operate with both
Android device companies and third party
Applications (i.e. WhatsApp) in identifying any
noticeable and critical vulnerabilities. These should
then be reported in order to mitigate any loopholes
before they are exploited by a potential attacker.
Furthermore, the Android device developer must
enhance the device's security levels to protect their
customers and avoid losing their trust. Also, Android
users should be wary of GPS Tracking by learning
about social engineering tricks that can prevent
attackers from accessing their GPS Tracking.
Moreover, zANTI may assist the security analyst in
thwarting the malicious users, by identifying and
alerting them to the device's vulnerabilities, and also,
may simultaneously assist the hacker in exploiting
the vulnerabilities of the victim’s device. The
recommended future research is to conduct reverse
engineering to regenerate a new .APK file with a
legitimate interface, so that it can be then uploaded
onto the App Store, to better analyze the
vulnerabilities of prospective victims worldwide.
Furthermore, it would be able to create an .apk file to
track the victim’s location. In other words, to switch
the GPS on whenever the attacker chooses.
Moreover, the paper’s author would like to conduct a
Stagefright attack code against vulnerable Android
device through text or MMS, for the purpose of trick
investigating other exploitable vulnerabilities with
Android devices.
REFERENCES
[1] Gupta, A. (2014, March). Learning Pentesting for Android
Devices (1st ed.).
[2] Packtpub. (2015). Practical Mobile Forensics. Retrieved March 06, 2016, from
https://www.packtpub.com/packtlib/book/ApplicationDevelopme
nt/9781783288311/pref05 [3] Casey, E., 2011, Digital evidence and computer crime:
Forensic science, computers, and the internet, Academic press
[4] Bommisetty, S., Tamma, R., & Mahalik, H. (2014, July). Practical Mobile Forensics (1st ed.). Birmingham, UK: Packt
Publishing.
[5] Ballano, M. (2014, August 11). Mobile Attacks: Cybercriminals' New Cash Cow. Retrieved March 06, 2016, from
http://www.symantec.com/connect/blogs/mobile-attacks-
cybercriminals-new-cash-cow [6] Chell, D., Erasmus, T., Colley, S., & Whitehouse, O. (2015).
The Mobile Application Hacker's Handbook.
[7] Lessard, J., & Kessler, G. (2010, September). Android Forensics: Simplifying Cell Phone Examinations. In Small Scale
Digital Device Forensics Journal, vol. 4, no. 1. [8] Kaspersky. (2014, October). Mobile Cyber Threats.
Retrieved March 06, 2016, from
http://media.kaspersky.com/pdf/Kaspersky-Lab-KSN-Report-
mobile-cyberthreats-web.pdf
[9] Hoog, A. (2011). Android Forensics Investigation, Analysis and Mobile Security for Google Android.
[10] Wikipedia. (2015). WhatsApp. Retrieved March 06, 2016, from https://en.wikipedia.org/wiki/WhatsApp
[11] Buchanan, I. (2015, September 9). 200 million Whatsapp
users open to attack. Retrieved March 06, 2016, from http://geekpower.co.uk/2015/09/200-million-whatsapp-users-
open-to-attack/
[12] Global Positioning System. (2007, January 11). Countermeasures against GPS trackers. Retrieved March 06,
2016, from
https://globalpositioningsystem.wordpress.com/2007/06/11/countermeasures-against-gps-trackers/
[13] Statista. (2015). Number of monthly active WhatsApp users
worldwide from April 2013 to September 2015 (in millions). Retrieved March 06, 2016, from
http://www.statista.com/statistics/260819/number-of-monthly-
active-whatsapp-users/ [14] TechAdvisor. (2011, September 12). WhatsApp Android app
review. Retrieved March 06, 2016, from
http://www.pcadvisor.co.uk/review/android-tablet-apps/whatsapp-android-app-review-3302802/
[15] The FORGE. (2015). Whatsapp: Overview. Retrieved March
06, 2016, from https://theforgecoc.wordpress.com/whatsapp-overview/
[16] Wikipedia. (2015). Global Positioning System.
Retrieved March 06, 2016, from https://en.wikipedia.org/wiki/Global_Positioning_System
[17] Developers. (2015). Location Strategies. Retrieved March
06, 2016, from http://developer.android.com/guide/topics/location/strategies.html
[18] Wu, X., & Li, X. (2013, October). Hack android application
and defense. In Computer Science and Network Technology (ICCSNT), 2013 3rd International Conference on (pp. 676-680).
IEEE.
[19] Abura’ed, N., Otrok, H., Mizouni, R., & Bentahar, J. (2014, November). Mobile Phishing Attack for Android Platform. In
Innovations in Information Technology (INNOVATIONS), 2014 10th International Conference on (pp. 18-23). IEEE.
[20] Zou, C., & Dondyk, E. (2013, January). Denial of
convenience attack to smartphones using a fake Wi-Fi access point. In Consumer Communications and Networking
Conference (CCNC), 2013 on (pp. 164-170). IEEE.
[21] Yubo, S., Zhiwei, Z., & Yunfeng, X. (2014, November). Using Short Message Service (SMS) to deploy Android exploits.
In Cyberspace Technology (CCT 2014), International Conference
on (pp. 1-5). IEEE. [22] Nguyen, L., Tian, Y., Cho, S., Kwak, W., Parab, S., Kim, Y.,
Tague, P., & Zhang, J. (2013, June). UnLocIn: Unauthorized
location inference on smartphones without being caught. Privacy and Security in Mobile Systems (PRISMS), 2013 International
Conference on (pp. 1-8). IEEE.
[23] Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2013). Social Engineering Attacks on the Knowledge Worker. In
Proceedings of the 6th International Conference on Security of
Information and Networks, 2013 on (pp. 28-35). ACM. [24] Bhavani, A B. (2013, April). Cross-site Scripting Attacks on
Android WebView. International Journal of Computer Science and
Network (IJCSN), Vol. 2, Issue 2, April 2013, ISSN: 2277-542 [25] Assolini, F. (2015, February 2). WhatsApp for Web in the
sight of cybercriminals. Retrieved March 06, 2016, from
https://securelist.com/blog/research/68631/whatsapp-for-web-in-the-sight-of-cybercriminals/
[26] Andrici, M. (2012, July 31). A-GPS vulnerability could let
hackers track your location, take over your phone. Retrieved March 06, 2016, from
http://www.androidauthority.com/a-gps-vulnerability-could-let-
hackers-track-your-location-take-over-your-phone-104532/