AndroidMobile device penetration testing is one of the new capabilities released in Core Impact Pro 2014 R2. When it comes to BYOD, resistance is futile. Whether or not your organization has implemented a formal policy around it, employees are using mobile devices at work. Showing them how easily a bad habit or careless decision around mobile connectivity can lead to a major breach is critical to keeping them -- and your critical assets -- safe. That’s why, on top of our existing mobile functionality, we’ve added a Java-based Android agent to the latest version of Core Impact Pro. This agent can be introduced into the target device via:

  • A phishing attack. A URL will be sent to the target victim, and if they click and install, an agent will be deployed.
  • An innocuous-looking vulnerable application. If they open and use it, an agent will be deployed.

Once the agent is deployed, you will have the ability to:

  • Access the command shell
  • Manage the contact information (address book) on the device
  • Make phone calls and send SMS messages from the phone
  • Capture recently sent and received SMS messages
  • Upload or download files to/from the device
  • Access calls log info
  • Access the current location of the device, if available
  • Capture the phone number of the device
  • Capture device info (OS version, device manufacturer, etc.)


Also worth noting -- when used in conjunction with the Wi-Fi Fake/Karma Access Point functionality, users with Android applications vulnerable to the WebView addJavascriptInterface() vulnerability are highly susceptible to man-in-the-middle attacks. Impact will modify device traffic joined to the Fake AP in real-time and can easily install an Android agent on those vulnerable devices. After you’ve successfully carried out your attacks, you can use the results to inform policy decisions or simply hand off your findings to IT. Engage in a little hand-to-hand combat with BOYD’ers, and eliminate a whole lot of opportunities for attackers.