Skip to Main Content
October 13, 2022

Set Up an Android Hacking Lab for $0

Written by Kurt Muhl

With the ever-increasing demand for mobile technology, it seems like there is an app to do just about anything you can think of, right on your cell phone. From banking to mobile gaming and even controlling the RGB lights installed in your home office, everything is interconnected now. With the rise of this functionality also comes the responsibility of ensuring that these apps are safe to use. When it comes to learning about mobile security, setting up a lab is a great first step. The intent of this writeup is to provide the building blocks to getting a lab set up and starting the process of learning how to assess a mobile application.


1    Emulator Setup

An Android emulator is the core of this setup. Since Android is an open-source technology, it costs nothing to set up. Within Android Studio, it is possible to set up multiple devices with a variety of operating systems that can be used for testing purposes.

To get started, launch Android Studio and select New Project.

Figure 1 - Android Studio New Project

Choose No Activity and click next—this is just to get a project started to run an emulator,and any code generated will not actually be used. On the next page, give the project a name and click Finish.

Figure 2 - Phone and Tablet Template with No Activity
Figure 3 - New Project Details

Once the project is created, in the top center of Android Studio, there should be a dropdown menu that says No Devices. Within this menu, open the Device Manager and select Create device.

Figure 4 - Device Manager

The options used for this device are:

  • Category – Phone
  •  Pixel 5

Click Next

  • System Image ‘S’ (this may need to be downloaded)

Click Next

  • Choose a name for the virtual device
  • Make sure that the startup orientation is “Portrait”

Click Finish

Figure 5 - Android Virtual Device (AVD) Configuration

Back in Device Manager, a new device with the name Pixel 5 API 31 should be there. Click Play to start the emulator. The emulator will start as a window at the bottom of the Device Manager. Click and drag the Emulator header to have the device in its own window.

Figure 6 - New Interactive AVD

One nice benefit of using an AVD is that super user permissions should be enabled by default. This allows for full access to the operating system without having to explicitly root the device. Connectivity can quickly be verified by using Android Debug Bridge (ADB), which is part of the Platform-Tools. In a terminal, run adb devices to see a list of devices that are accessible.

Figure 7 - Emulator Accessible by ADB

Super user access can be verified by dropping into a shell and running whoami. Similar to a traditional Linux system, su can be used to elevate privileges.

Figure 8 - Confirming Root Access

Another useful feature of Android Studio is the Device File Manager. This allows direct access to the files and folders of the AVD and can be useful when needing to quickly move files to or from the device during testing.

Figure 9 - Accessing AVD Files Through Android Studio

2    Sideloading an APK

As a consultant, there are generally two (2) ways an application is provided for testing: a client provides the APK, or the app is downloaded from the Google Play Store.

When the APK is provided, ADB can be used to install the app. The command adb install dvba.apk can be used to sideload the app onto the device.

Figure 10 - Successful Install With ADB
Figure 11 - Application Inside the Emulator

Once the app is installed, clicking on it should load the login page. It is worth noting that apps with adequate root detection in place may close out and not allow access to the functionality; this would require a root detection bypass.

Figure 12 - Vulnerable Banking App Successfully Running

3    Extracting an APK

For situations where the application is downloaded from the Google Play store, it can be beneficial to pull the APK off of the device so that it can be extracted for static code analysis. Within the host terminal, the command adb shell pm list packages can be used to list all installed packages on the device. The list provided can sometimes be quite lengthy, and ideally, the package name is consistent with the name of the app being tested.

Figure 13 - Vulnerable Banking App Package Name

Grep can be paired with the list function to narrow down the possible package names.

Figure 14 - Grep Showing Fewer Package Names

With the package name, the path function can be used to list the location of the APK on the device. From the host terminal, ADB’s pull functionality can be used to download that file to the local system.

$ adb shell pm path
$ adb pull /data/app/~~pWHFJ-giZ4urm-3QK2Ngrg==/ ./Desktop
Figure 15 - APK File Path and Download

4    Frida Setup

Frida is one of the tools that will enable runtime analysis and manipulation of the application. The first step is to get the Frida-server running on the AVD. Be sure to grab the correct file based on the AVD’s architecture. From the host terminal, adb shell getprop ro.product.cpu.abi will show the device’s architecture.

Figure 16 - AVD Architecture

The device that was set up is x86_64. Going to the Frida’s release repository on Github, the file that needs to be downloaded will be named similarly to ‘frida-server-x.x.x.x-android-x86_64.xz'. At the time of writing of this article, the current version is 15.2.2.

Figure 17 - Search for Frida-server Matching Architecture

Once downloaded, the archive can be extracted, uploaded, and run on the AVD. Walking through each step of the process, start by using ADB from the host terminal to push the Frida-server executable to the phone’s /data/local/tmp directory.

$ adb push Desktop/frida-server-15.2.2-android-x86_64 /data/local/tmp/frida-server

ADB shell can then be used to modify the file permissions of the Frida-server to allow it to run.

$ adb shell "chmod 755 /data/local/tmp/frida-server"

Finally, ADB shell can be used to elevate to root access, navigate to the tmp directory, and run the server.

$ adb shell
[emulator]$ su
[emulator]$ cd /data/local/tmp
[emulator]$ ./frida-server &
Figure 18 - Commands to Upload and Run Frida-server

In a new terminal, the Frida client needs to be installed that matches the server version that was just run—in this case, version 15.2.2. It is worth noting that updates to Python libraries can break Frida functionality. Installing the Frida client within a Python virtual environment can reduce the chance of accidentally breaking things in the future. The client can be installed using pip3 install frida==15.2.2 and pip3 install frida-tools. Frida-tools is a set of command line tools that can be useful for interacting with the Android operating system, such as listing or killing system processes. Once the client has been successfully installed, view the running processes on the AVD using frida-ps -U -a. Note that the vulnerable banking app is listed within the running processes, including its process ID (PID), name, and identifier.

Figure 19 - Frida and Tools Install
Figure 20 - Frida Version and Process List

The next step is to verify that the vulnerable banking app can be hooked by Frida using the command frida -U DamnVulnerableBank. With the process officially hooked, Java functions can be run against the app to begin looking for vulnerabilities.

Figure 21 - Process Hooked With Frida

For those that may be a bit rusty with their Java skills, like myself, Objection can ease some of that burden. Objection is a tool that is built on top of Frida and has a lot of pre-built Frida scripts.

5    Objection Setup

Objection can be installed using pip3 install objection. The vulnerable banking app can be hooked using objection --gadget explore. A good place to start analyzing the app is running env to list some details about the environment. For this application, some path locations are provided, and it might be interesting to see what is stored when the application is in use.

Figure 22 - Hooked Process and Environment Information

At this point, a virtual Android device has been set up with root access. An application has successfully been sideloaded for testing, and the process can be hooked using Frida and Objection to start analyzing the application. The next steps are to take some time to start using the target application, identifying security checks that may be in place, and hacking the functionality. In the next post, we will take a look at how to use some of the most common tools in Objection to assess an Android application.