Identifying Android Security Vulnerabilities with the Mercury Assessment Framework

In a recent post ( I mentioned the Mercury assessment framework which is a great tool for analyzing the security of Android devices. In this post which is intended to be the first of a series on using the Mercury framework, I’m taking a look at getting started with the framework. In future posts, I’ll show you how to use the tool to find vulnerabilities.

The Mercury framework consists of two main portions: an agent which is installed on the device which you are investigating and the Mercury client which is a Python application which runs on the machine you are running the tests from. You can run the agent on either a real device or on the Android virtual device (AVD) and the client on anything which supports Python (Windows / *nix / OS-X) For this post, I’m running the agent on an AVD and using Ubuntu to run the client, the instructions are equally valid if you are using Windows and / or a real Android device.


I’m assuming that you have already got the following set-up:

  • Android SDK installed
  • Android debug bridge (ADB) on the path
  • Python installed

The installation:

  1. Download Mercury from
  2. Unzip somewhere safe

On Windows, there is an installer so just run that. On Ubuntu, it is very slightly more complex. You need to do the following:

  1. Install the client: sudo easy_install ./mercury-2.0.0-py2.7.egg

At this point, I got an error indicating that python.h could not be located because the Python development files were not installed. Easily fixed by installing them (sudo apt-get install python-setuptools). Then I re-ran the installation.

Check the installation:

Once the installation is complete, check it by running the command mercury. You should see something like this:

The mercury client installed and ready to run

Install and configuring the agent on the target Android device:

Start the Mercury Agent

  1. From the directory into which Mercury was unzipped, run adb install agent.apk which will install the Mercury agent onto the Android device.
  2. Switch to the Android device and start the agent.
  3. When the agent starts: click the Embedded Server link at the bottom left of the screen.
  4. Check the box next to the text saying embedded server.
Mercury server running
Mercury server running

The server is now up and running waiting for us to send it a command. Just one final step to get the Android debug bridge to forward our commands: adb forward tcp:31415 tcp:31415

Start the Mercury client and connect to the agent:

Run mercury console connect you should get the prompt Mercury Console.
You are now ready to start exploring with Mercury.

Now,what can we do with it?

Running the command help returns:

Mercury commands
Mercury commands

The list command gives us a list of modules we can run so let’s try that:

Mercury modules
Mercury modules

I’ve cropped this image but as you can see, there are a lot of commands. It’s a little intimidating but check back for my next post where I’m going to show how to find an unprotected Content Provider. In the mean time, you can find out lot’s more about mobile security on Learning Tree’s new course on the topic: Mobile Application and Device Security: Hands-On

Mike Way

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.