Android Security Assessment Framework: drozer

ID N0WHERE:22454
Type n0where
Reporter N0where
Modified 2017-01-21T05:06:27


Android Security Assessment Framework

drozer (formerly Mercury ) is the leading security testing framework for Android.

drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).

drozer is open source software, maintained by MWR InfoSecurity

Android Security Assessment Framework: drozer

drozer is designed to allow new functionality to be added through stand-alone modules. If you want to build new checks, exploits or tools you should start with a module. If what you want to do is simply not possible through the module interface, you may need to extend the core.

The source code for drozer is distributed in a number of GitHub projects. Projects that you would encounter when developing for the assessment side of drozer are the following:

  • drozer : contains the Console and Server;
  • drozer-agent : contains the Android Agent
  • drozer-modules : the central drozer module repository where new modules can be added and made accessible to all other users
  • drozer-common : contains components that are shared between the Agent and Console.

drozer is a distributed system. It has two key components:

  • the Agent : a lightweight Android app, that runs on the device or emulator being used for testing; and
  • the Console : a command-line interface, running on your PC, which allows you to interact with the Dalvik VM through the Agent.

Since Version 2.0, drozer supports Infrastructure Mode, in which the Agent establishes a connection outwards to traverse firewalls and NAT. This allows more realistic attack scenarios to be created. This mode requires a Server:

  • the Server : provides a central point where consoles and agents can rendezvous, and routes sessions between them.

These components use the drozer Protocol to exchange data.

Design Principles

The drozer Agent is designed to represent an arbitrary, unprivileged application running on the Android device and, as such, only requests a single permission: the INTERNET permission. This permission is required because the agent needs to open socket connections to interact with the console or server.

drozer tries to avoid dependencies on external tools, such as ADB and AAPT , because these will only work with the device connected via USB.

drozer functionality should be implemented as modules, that make use of the reflection and class loading functionality of the agent to execute their tests. This allows the system to be extended, without requiring the Agent to be updated too frequently.

Android Security Assessment Framework: drozer Wiki

Faster Android Security Assessments

drozer helps to reduce the time taken for Android security assessments by automating the tedious and time-consuming.

  • Discover and interact with the attack surface exposed by Android apps.
  • Execute dynamic Java-code on a device, to avoid the need to compile and install small test scripts.

Test against Real Android Devices

drozer runs both in Android emulators and on real devices. It does not require USB debugging or other development features to be enabled; so you can perform assessments on devices in their production state to get better results.

Automate and Extend

drozer can be easily extended with additional modules to find, test and exploit other weaknesses; this, combined with scripting possibilities, helps you to automate regression testing for security issues.

Test your Exposure to Public Exploits

drozer provides point-and-go implementations of many public Android exploits. You can use these to identify vulnerable devices in your organisation, and to understand the risk that these pose.


git clone
cd drozer
python build
python install


Installing the Agent

Drozer can be installed using Android Debug Bridge (adb).

$ adb install drozer.apk

Starting a Session

You should now have the drozer Console installed on your PC, and the Agent running on your test device. Now, you need to connect the two and you’re ready to start exploring.

We will use the server embedded in the drozer Agent to do this.

If using the Android emulator, you need to set up a suitable port forward so that your PC can connect to a TCP socket opened by the Agent inside the emulator, or on the device. By default, drozer uses port 31415:

$ adb forward tcp:31415 tcp:31415

Now, launch the Agent, select the “Embedded Server” option and tap “Enable” to start the server. You should see a notification that the server has started.

Then, on your PC, connect using the drozer Console:

$ drozer console connect

If using a real device, the IP address of the device on the network must be specified:

$ drozer console connect --server

You should be presented with a drozer command prompt:

selecting f75640f67144d9a3 (unknown sdk 4.1.1)  

The prompt confirms the Android ID of the device you have connected to, along with the manufacturer, model and Android software version.

You are now ready to start exploring the device.

Command Reference

Command | Description
run | Executes a drozer module
list | Show a list of all drozer modules that can be executed in the current session. This hides modules that you do not have suitable permissions to run.
shell | Start an interactive Linux shell on the device, in the context of the Agent process.
cd | Mounts a particular namespace as the root of session, to avoid having to repeatedly type the full name of a module.
clean | Remove temporary files stored by drozer on the Android device.
contributors | Displays a list of people who have contributed to the drozer framework and modules in use on your system.
echo | Print text to the console.
exit | Terminate the drozer session.
help | Display help about a particular command or module.
load | Load a file containing drozer commands, and execute them in sequence.
module | Find and install additional drozer modules from the Internet.
permissions | Display a list of the permissions granted to the drozer Agent.
set | Store a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer.
unset | Remove a named variable that drozer passes to any Linux shells that it spawns.

Android Security Assessment Framework: drozer download