In the latest episode of the PenTest+ PT0-003 series, Professor Erica dives into mobile attack vectors—a critical domain in penetration testing. The video covers APK reverse engineering using tools like apktool and jadx, dynamic analysis with Frida and Drozer, side-loading malicious applications via ADB, and SIM swapping social engineering.
The discussion begins with static analysis of Android APK files, where testers decompile apps to inspect code and resources. Tools like apktool can decode resources, while jadx converts Dalvik bytecode to readable Java source. Dynamic analysis follows, using Frida for runtime manipulation and Drozer for inter-app communication testing.
Side-loading—installing apps outside official stores—remains a common attack vector. The video demonstrates using ADB (Android Debug Bridge) to push and install apps on a device, bypassing app store security. This technique is often combined with social engineering to trick users into granting permissions.
SIM swapping is another growing threat. Attackers social-engineer mobile carriers into transferring a victim's phone number to a SIM card they control. This enables account takeover by intercepting SMS-based two-factor authentication codes. Professor Erica emphasizes the need for multi-factor authentication beyond SMS and carrier-side security protocols.
The episode also covers setting up a mobile pen testing lab using rooted Android devices and emulators, and wraps up with a quiz to reinforce key concepts.
The episode references the Pegasus spyware deployment chain as a named real-world case. Mobile attacks remain a high-priority area for security professionals, especially as mobile devices become central to both personal and enterprise workflows.