Mercury is a security assessment framework for the Android platform. It allows you to dynamically interact with the Inter-Process Communication (IPC) endpoints exported by an application installed on a device.
Mercury provides similar functionality to a number of static analysis tools, such as aapt, but offers far more flexibility by allowing you to interact with these endpoints from the context of an unprivileged application running on the same device.
The Android sandbox is designed to restrict the access of an unprivileged application to other applications and the underlying device, without requesting appropriate permissions. Once you’ve had a look with Mercury, you will be surprised at how much access you actually have.
Mercury was also a part of the latest Blackhat Arsenal 2013 Session in Amsterdam, where the awesome team has demoed neat features and few tricks pentesters can leverage to bypass restrictions and exploit vulnerabilities on Android Smartphones.
Mercury allows you to:
- Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
- Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
- Find information on installed packages with optional search filters to allow for better control
- Built-in commands that can check application attack vectors on installed applications
- Tools to upload and download files between the Android device and computer without using ADB (this means it can be done over the internet as well!)
- Create new modules to exploit your latest finding on Android, and playing with those that others have found
Here is the latest changelog information as embedded with Mercury package
- Connections between Consoles and Agents can be encrypted with SSL.
- The Agent can require a password to be provided to establish a session.
- New Mercury modules can be downloaded and installed from the Internet, and
the local file system.
- Significant performance improvements to the Agent.
In addition, the following Github Issues have been closed:
Agent:
# 2 High CPU usage when polling for messages in Session.java.
# 1 High CPU usage on active connection in Server/Client.java.
Console:
# 50 Error when printing ContentProvider Path Permissions.
# 49 app.provider.delete does not work.
# 48 Python 2.x xrange/range optimization.
# 47 Some apps can crash scanner.provider.* modules.
# 44 Running app.package.manifest without specifying a package results in a
Null Pointer Exception.
# 43 Bug in app.provider.query.
# 34 Five, new 3rd Party ‘pilfer’ Modules.
The new console is compatible with the old agent, and vice-versa. However, this
configuration does not support SSL or password-on-connect.