RoboDroid: Introducing human-like behaviors in next-generation Cyber Ranges

thelicato
5 min read · Apr 15, 2023

Mobile devices have become ubiquitous in today’s world. People use smartphones for almost every aspect of their lives, including banking, shopping, and communication. As a result, mobile devices are now a primary target for cybercriminals.

However, the security of mobile devices is often overlooked in cybersecurity training and testing environments. This can leave organizations vulnerable to attacks that exploit the weaknesses of mobile devices. Therefore, it is important to introduce mobile components in next-generation cyber-ranges to adapt to the current world that is more and more smartphone-addicted.

The goal of RoboDroid is to provide a simple way to introduce mobile components in Cyber Range environments. Its main objective is to provide users with an easy-to-use platform that allows them to simulate human-like behaviors and actions on mobile devices.

⚡Goal

RoboDroid leverages Frida technology to run behaviors that are specific to applications, while using ADB for all other operations. This powerful combination enables users to create workflows of preset behaviors that can simulate a mobile user's actions.

One example of a workflow that can be used in a cyber range environment involves simulating a mobile user receiving a phishing email, clicking on the link contained in the email, and subsequently downloading malware.

The following picture summarizes it:

The workflow can be broken down into the following steps:

  1. The user receives a phishing email containing a link that appears legitimate.
  2. The user clicks on the link, which redirects them to a malicious website.
  3. The website prompts the user to download an app, which they do.
  4. The app is installed on the user’s device and begins executing malicious code.
  5. The malware gains access to sensitive data on the device, such as passwords, credit card information, and other personal details.

By creating and running workflows like this, users can simulate realistic cyber attack scenarios and test their defenses against a wide range of threats. This helps to ensure that systems and networks are well-protected against potential vulnerabilities, and that users are prepared to respond effectively in the event of an attack.

📱How it works

The pre-defined behaviors for specific apps are provided by a custom Frida Agent called RoboDroid Library.

RoboDroid communicates with the Frida Agent via messages, providing efficient interaction. When RoboDroid begins a specific behavior, it awaits a message from the Frida Agent. The message is of either FAILURE or COMPLETED type.

If the message type is FAILURE, RoboDroid restarts the current behavior to ensure successful completion. If the message type is COMPLETED, the current step is marked as finished, and RoboDroid moves to the next step.

Furthermore, a message of type COMPLETED can also contain outputs that can be used in subsequent steps. This ensures that the tool can optimize its behavior to achieve accurate simulation of human-like actions on mobile devices.

By providing this robust communication process, RoboDroid ensures the seamless integration of the Frida Agent into its toolset, and facilitates the creation of complex workflows for the simulation of mobile devices in a Cyber Range environment.
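The message loop described above, as an added example that is not RoboDroid's own code. The `Step` structure, the message dictionary layout, the restart cap and the stand-in agent are assumptions made for illustration; only the FAILURE/COMPLETED types and the behavior names come from the article.

```python
from dataclasses import dataclass, field

FAILURE, COMPLETED = "FAILURE", "COMPLETED"  # message types named in the article

@dataclass
class Step:
    behavior: str                                      # behavior id from the library
    inputs: dict = field(default_factory=dict)         # static inputs
    from_outputs: dict = field(default_factory=dict)   # input -> (step index, output key)

def run_workflow(steps, agent, max_restarts=3):
    """Run steps in order: restart on FAILURE, advance on COMPLETED."""
    outputs, log = [], []
    for step in steps:
        inputs = dict(step.inputs)
        for name, (src, key) in step.from_outputs.items():
            inputs[name] = outputs[src][key]           # feed an earlier step's output
        for attempt in range(1, max_restarts + 2):
            msg = agent(step.behavior, inputs)         # blocks until the agent replies
            log.append((step.behavior, attempt, msg["type"]))
            if msg["type"] == COMPLETED:
                outputs.append(msg.get("outputs", {}))
                break
            if msg["type"] != FAILURE:
                raise ValueError(f"unexpected message type {msg['type']!r}")
        else:  # restart cap is an assumption; the article only says "restarts"
            raise RuntimeError(f"{step.behavior}: still failing after {max_restarts} restarts")
    return outputs, log

def make_fake_agent():
    """Constructed stand-in for the Frida agent; the mail step fails once."""
    seen = {"mail": 0}
    def agent(behavior, inputs):
        if behavior == "k9-mail-refresh-and-get-link":
            seen["mail"] += 1
            if seen["mail"] == 1:
                return {"type": FAILURE}
            return {"type": COMPLETED, "outputs": {"link": "http://range.example/update"}}
        if behavior == "firefox-android-open-and-download":
            return {"type": COMPLETED, "outputs": {"downloaded": inputs["url"]}}
        return {"type": FAILURE}
    return agent

WORKFLOW = [  # step order mirrors the phishing scenario described in the article
    Step("k9-mail-refresh-and-get-link"),
    Step("firefox-android-open-and-download", from_outputs={"url": (0, "link")}),
]
```

Calling `run_workflow(WORKFLOW, make_fake_agent())` returns the per-step outputs and a log of every attempt, so the restart of the mail step and the hand-off of its link to the Firefox step are both visible.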

To use RoboDroid, you must write a config file that specifies which behaviors to execute, their inputs, and the order of the steps. The following picture summarizes it:

📚 Current Behaviors

This section describes the behaviors currently available in the RoboDroid Library at the time of writing. More behaviors will be added in the future to further enrich the user experience.

Currently all the available behaviors are created using open-source applications since it could be painful to use closed-source applications.

  • firefox-android-open-and-download: This behavior automatically performs the download of a given resource based on an input URL using the Firefox Android app.
  • k9-mail-refresh-and-get-link: This behavior automatically waits for new emails in the K9 Mail app, opens the last one and returns the first link found in the email. This is a common attack vector, as cybercriminals often use phishing emails to trick users into clicking on malicious links.
  • k9-mail-account-setup: This behavior automatically performs the setup of an email account on the K9 Mail Android app.

Users are encouraged to create their own scripts using the Frida framework and add them to the library through a Pull Request.

🔌How to Install and Run

You can easily install it by running:

pipx install robodroid

We suggest using pipx instead of pip because, in future Python versions, package installation with pip will be removed outside virtual environments.

RoboDroid has built-in support for automatic behaviors download (and soon auto-update) from the RoboDroid Library repository, so you don’t need to manually download or install it.

To run it you just need to type robodroid in your shell.

🚀Demo

There is also a YouTube video that shows a working example of a workflow that can be used in a Cyber Range to simulate a realistic human behavior towards a phishing email:

🕵🏼Conclusion

  • Have you ever heard of Cyber Ranges? Did you know that they are important for improving your organization’s cybersecurity posture?
  • Have you considered the possibility of a mobile device being a potential entry point for a cyber attack? Do you have a strategy in place to detect and defend against these threats?

This tool provides a specific feature for adding mobile components to next-generation Cyber Ranges, and given the current situation it is a necessary step to take in addressing cybersecurity issues.

If you have any ideas on how to make it better, don’t be afraid to leave a comment or (even better) make a Pull Request!

If you just liked the tool, please leave a star on GitHub!

GitHub Links
