Monitoring Android file system with fsmon

Monitoring Android file system with fsmon

mhLeave a comment

Loading

fsmon is a FileSystem Monitor utility created by by Sergi Àlvarez at Nowsecure can run on Linux, Android, iOS, FireFox OS, and OS X. It retrieves file system events from a specific directory and displays them in a colorful format or in JSON. You can filter the events happening from a specific program name directory or process ID (PID).

Benefits

The primary benefit of fsmon is its ability to provide real-time monitoring of file system changes. This can be particularly useful in a variety of scenarios, such as:

  • Security analysis: By monitoring filesystem events, you can detect potential security vulnerabilities, such as insecure storage.
  • Malware analysis: Identify altered files, dropped payloads, created and removed files.

Quick benefits are summarized in the video below.

Usage

Using fsmon is possible by connecting a computer via ADB to non-rooted or rooted Android device and executing the binary. The result of file monitoring is then conveniently displayed on the computer’s screen. However, it can be run even without computer, by running it via any terminal application, such as Termux directly on the smartphone to monitor file system while on the go. I will show you few examples in the following sections. You can download compiled fsmon from GitHub or compile it yourself.

Non rooted Android

You can monitor file changes on external and shared storage using command:

fsmon /storage/emulated/0/

Figure 1. Monitor file system changes on non-rooted Android via ADB debugging

Using Termux app, you can in the background monitor file system directly on Android.

Figure 2. Monitor file system changes on non-rooted Android itself using Termux app

You can also monitor Android Wear file system on your smartwatches.

Figure 3. Monitor file changes on non-rooted Android smartwatch

Rooted Android

With superuser rights, is file system monitoring is more useful since it allows to scan file changes for each app installed on device. This could be helpful for bug bounty hunters to identify access files by the app for insecure storage.

Malware researchers could identify dropped payloads, and files created or deleted by malware using

fsmon /data/data/com.as.youtube.downloader/ | egrep "\.dex|\.apk|\.jar|\.so"

Figure 4. Monitor file changes for specific directory on rooted Android

Alternatives

Benefit of fmon is that it can run on non-rooted Android system with real-time monitoring, however with obvious system defined limitations. The same result could be achieved using Frida toolkit, but only on rooted devices. If you are interested only in loaded binaries by specific Android app, it might be enough to just display process information, however you will lack information when each of loaded files were loaded and what operation was when executed, such as create, write, read or delete. Here is an example of a command to list loaded files by the process:

adb shell "su -c 'cat /proc/<PID>/maps | grep <package_name>'"

Figure 5. Display loaded binaries by specific process on rooted Android

Conclusion

fsmon is a powerful tool for anyone interested in Android security. Its ability to monitor file system events in real-time can provide valuable insights into the workings of an application and help identify potential security vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *