Turning an Android Phone into a Hacker’s Tool
An ordinary Android mobile phone can become a formidable weapon in the hands of a hacker, both on its own and with the use of several additional devices. But hardware alone is not enough for complete success: in order to breathe life into a hacker smartphone, you need to take care of the software. We will talk about him today.
This article is a continuation of the series of posts on practical hacking and attacks using improvised devices that you can build at home. In these materials, we reveal simple ways to gain unauthorized access to protected information and show how to protect it from such attacks.
BadUSB
Modern Android devices have rich USB emulation support out of the box. For example, when connected to a computer, the phone usually asks how it can be determined – how network device, removable disk or otherwise. All this is emulation through the so-called USB gadgets. You can explore for yourself which gadgets are already implemented in your current kernel using the USB Gadget Tool mobile app (net.tjado.usbgadget). Among them, there is probably gadget support for all possible BadUSB attacks.
From the phone, you can easily imitate the keyboard and execute arbitrary commands using automatic input – this attack was described in the article “Very bad flash drive. Let’s analyze the BadUSB attack in detail. We need the USB hid function. keyboard , and with the following simple commands, an attacker can enable hidden keyboard emulation features in the phone:
badusb/hid/start.sh
#!/bin/bash if ! grep -q configfs /proc/mounts ; then sudo mount -t configfs none / sys/ kernel/ config ; fi cat < < EE | sudo bash cd / sys/ kernel/ config/ usb_gadget/ g1/ mkdir -p functions/ hid. keyboard cd functions/hid. keyboard/ echo 1 > protocol echo 1 > subclass echo 8 > report_length echo -ne ‘ \ \ x05 \ \ x01 \ \ x09 \ \ x06 \ \ xa1 \ \ x01 \ \ x05 \ \ x07 \ \ x19 \ \ xe0 \ \ x29\\xe7\\x15\\x00\\x25\\x01\\x75\\x01\\x95\\x08\\x81\\x02\\x95\\x01\\x75\\x08\\x81\ \x03\\x95\\x05\\x75\\x01\\x05\\x0
EE
echo 0 > os_desc/ use echo 1 > idVendor echo 0 > bcdDevice echo 0 > bcdUSB echo 0 > bDeviceClass echo 0 > bDeviceSubClass echo 0 > bDeviceProtocol echo 0 > bConfigurationValue ln -s functions/hid. keyboard configs/ c. 1/ hid. keyboard echo 1 > os_desc/ use echo 0xcdab > idVendor echo 0x1234 > idProduct echo 0x0100 > bcdDevice echo 0x00 > bcdUSB echo 0 > bDeviceClass echo 0 > bDeviceSubClass echo 0 > bDeviceProtocol echo 0 > bConfigurationValue ln -s functions/hid. keyboard configs/ c. 1/ hid. keyboard
The above commands enable the phone to emulate a keyboard and execute arbitrary commands. This attack vector is one of the most dangerous and widespread.
To protect against such attacks, it is important to remember that physical access to the device is a serious threat. It is necessary to ensure that the device is protected from unauthorized access, and also to use the latest security updates.