Android App Hacking Setup (Genymotion, Kali, Hyper-V) + FridaLabs

So far, I've used my physical device for Android app testing, but I always found it inconvenient for training. With a new Kali setup, it was a good time to create a virtual Android testing lab. In this post I will describe how I set up my lab and started learning frida.

I use:

  • Genymotion version 3.7.1 (License for Personal Use) on Windows
  • Hyper-V on Windows 11
  • Kali version 2024.1
  • Frida version 16.3.3 on Kali
  • and other (Burp, adb, jadx, objection, ...)
Note that this is a setup on my private PC; I don't use it for professional purposes.

Android app hacking setup

Graphical representation of the android hacking setup

For Kali on Hyper-V setup see this page.
Let's start with Genymotion. I use this solution for Android virtualization because:
  1. It has a license for Personal use with enough functionalities.
  2. Competitors have some stories about being untrustworthy.
Of course Android Studio has to be taken into account when creating labs. For this setup, I recommend this blogpost: Modern Android Penetration Testing Lab Environment.

Download the .exe file from the official website: Download Genymotion
Since my Windows already has Hyper-V enabled, which is a prerequisite for QEMU hypervisor, I chose QEMU instead of VirtualBox which I would have to install just for this purpose.
QEMU virtualization can't be set from the GUI, so before creating any device we need to run gmtool, which is available in the default installation directory: C:\Program Files\Genymobile\Genymotion\.

gmtool documentation

./gmtool config --hypervisor qemu
gmtool command


Next, create one or a few devices. The process is very simple and there are no special settings. You will notice a proxy option in the device/Genymotion settings, but those are not the settings you are looking for if you want to set up a Burp proxy. We will configure the proxy directly in Android.

View on the Android virtual device

In the window name you can see an IP address and port. In my case - probably in every case with QEMU - it's 127.0.0.1:6555. This is the address where the device's ADB (Android Debug Bridge) is listening. Generally in every online instruction there is an actual internal IP, but here it's localhost. Excuse me, what??
ADB configuration was the sole reason for writing this blogpost. It took me a few hours to figure it out, but it's only a few steps. Let's see.

ADB configuration

Step 1. Open Kali and install adb.
sudo apt install adb
The command "adb devices" should show an empty list. There is no physical connection, but Kali and Android can see each other through... the Hyper-V Default Switch network. Yes, and no port forwarding needs to be configured. Apparently Genymotion's ADB listens on *:6555, not only on localhost, and it favors the QEMU hypervisor. I'm not sure what it would look like if Kali had been installed not on Hyper-V but in VMware, for example.

Step 2. Check Windows IP address.
In the command line type "ipconfig" and copy the address described as Default Switch:

ipconfig command

Note that this address is only temporary and it will change with every Windows reboot.

Step 3. Connect adb to the device using Windows IP address and port 6555.
adb connect 172.22.176.1:6555
Verify with "adb devices" and "adb shell" that you can interact with the device. Wait, it's offline?

adb shell command

Before I give you the answer, I want you to know that I've tried port forwarding, nmap enumeration, switching networks, proxying, device reinstallation, all possible configurations on Genymotion and gmtool, killing adb processes on Windows, wireless debugging... ha-ha...

Step 4. Restart USB debugging.
"Have you tried turning it off and on again?" 🙆
Go to the device's Settings -> System -> Developer options -> Debugging and restart USB Debugging.

USB debugging view in the Android device

After this operation, go back to Kali and type:
adb disconnect
adb connect <IP>:6555
adb devices
The device should be online.
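
Steps 2 to 4 as a script, added here as an example and not taken from the original post. It assumes Kali's default gateway on the Default Switch is the Windows host address, so the IP that changes on every reboot does not have to be copied by hand; the file name and function names are hypothetical.

```shell
#!/bin/sh
# Added example: reconnect Kali's adb to the Genymotion (QEMU) device over the
# Hyper-V Default Switch. Usage: sh adb-reconnect.sh run [windows-ip]
ADB_PORT=6555   # port shown in the Genymotion window title in the post

# Assumption: Kali's default gateway is the Windows host's Default Switch
# address. Reads `ip -4 route show default` output on stdin.
default_gateway() {
    awk '$1 == "default" { print $3; exit }'
}

# Reads `adb devices` output on stdin and prints the state column for one
# serial ("device", "offline", "unauthorized"), or "absent" if it is not listed.
device_state() {
    awk -v s="$1" '$1 == s { print $2; found = 1; exit }
                   END { if (!found) print "absent" }'
}

# Step 4 of the post: drop the stale connection, connect again, report state.
reconnect() {
    adb disconnect >/dev/null 2>&1
    adb connect "$1" >/dev/null 2>&1
    adb devices | device_state "$1"
}

main() {
    host="${1:-$(ip -4 route show default | default_gateway)}"
    [ -n "$host" ] || { echo "cannot determine the Windows host IP" >&2; return 2; }
    serial="$host:$ADB_PORT"
    state="$(reconnect "$serial")"
    if [ "$state" = "offline" ]; then
        echo "$serial is offline: restart USB debugging on the device, then press Enter" >&2
        read -r _reply
        state="$(reconnect "$serial")"
    fi
    echo "$serial: $state"
    [ "$state" = "device" ]
}

# Nothing runs unless asked, so the functions can also be sourced and reused.
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```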

Burp connection

As mentioned earlier, Kali and Android can see each other in the network without any special settings. Set the Burp proxy to listen on all interfaces and copy Kali's IP address from the output of the "ifconfig" command. Then you can install Burp's certificate on the system level.
All the steps are described in this PortSwigger documentation.



Frida Labs

Frida-Labs by AD2001 was the first CTF I did on the above setup and I had no issues with the apps. For the 0x5 challenge the author even stated that there was an error on a virtual Android device (while it worked on his physical device), but I did not encounter that and the script worked well on the first try.
I chose to try out this particular CTF because my familiarity with this tool was shameful.
The author states the following prerequisites for the labs:
  • Basics of Reverse Engineering using jadx.
  • Should have the capability to understand Java code.
  • Capability to write small JavaScript snippets.
  • Familiarity with adb.
  • Rooted device.
In my opinion the list is pretty accurate in order to finish the challenges with the possibility of focusing only on how to write and use frida scripts. Of course it's possible to catch up with some topics along the way - this CTF would be a good opportunity to check out, for example, jadx or adb.
Moreover, the solutions written by the author provide detailed explanations of the tasks, so there is no need to search for writeups. The solution to the first challenge (0x1) additionally describes the process of setting up frida on the mobile device and the Kali machine.
Besides frida, the following tools are needed:
  • apktool file
  • jadx installed by apt
  • Ghidra/IDA installed on Windows
  • some notepad where you can write your Java code
For additional context and alternate solutions, I found this writeup by sal:

I hope this post was helpful, thanks for reading!
