Unleashing the Power of AVDs: Rooting and Installing Xposed Framework for Enhanced Penetration Testing

Seyyed Hojjat Sajjadinia
Sep 1, 2023


In the realm of penetration testing, having a reliable and versatile testing environment is crucial. Android Virtual Devices (AVDs) have proven to be an invaluable tool for simulating real-world scenarios and identifying vulnerabilities within Android applications. However, to truly harness the power of AVDs for penetration testing, one must go beyond their default capabilities.

This is where rooting an AVD and installing Xposed Framework can make a significant impact. By rooting an AVD, testers gain elevated privileges, allowing them to access and manipulate system files that are typically off-limits. Combined with Xposed Framework, a powerful open-source platform for advanced customization and module installation, penetration testers can unlock a whole new level of control and flexibility within their virtual testing environment.

In this Medium story, I will explore the step-by-step process of rooting an AVD and installing Xposed Framework specifically for penetration testing purposes.

Install an AVD from Android Studio. I used the x86 version with Android 8.0. Be careful, as Android 8.0 is the last version supported by the Xposed Framework. To do this, open Android Studio and click on ‘More Actions,’ then select ‘Virtual Device Manager’.

Virtual Device Manager in Android Studio

Then click on ‘Create Device’ and select any of the devices you want. I used ‘Pixel 6 Pro’ without ‘Play Store’ support.

Select Hardware Step

In the ‘System Image’ step, select the Android version and architecture. I used Android 8.0 — x86. Then wait for the System Image to complete its download process.

System Image Step
Download Process

When the downloading process is finished, in the ‘Verify Configuration’ step, you can change the name of your AVD, as well as adjust the memory and storage settings. Once you are done, press ‘Finish’.

Now that you have your own AVD and are ready to start the rooting process, please check that ADB is installed on your system before proceeding.

RootAVD can root AVDs. Clone RootAVD from its repository and run the command below. Please ensure that you have added ANDROID_HOME and $SDK_PATH$\system-images to your path. This command lists all the AVDs installed under the ‘$SDK_PATH$\system-images’ path.

# Windows
> .\rootAVD.bat ListAllAVDs

# Linux
$ ./rootAVD.sh ListAllAVDs

Then, run the command that points to the ramdisk.img of your desired AVD. In my case, I executed the following command:

# Windows
> .\rootAVD.bat system-images\android-26\google_apis\x86\ramdisk.img

# Linux
$ ./rootAVD.sh system-images/android-26/google_apis/x86/ramdisk.img

When the command finishes, the AVD will shut down automatically. Then, start the AVD again. In your apps, you should see ‘Magisk’. Tap on it, press OK on the dialog, and wait for ‘Magisk’ to be installed.

As a result, you now have a rooted AVD. I utilized ‘Rootbeer Sample’ to verify root access on my AVD.

Let’s install Xposed Framework on the AVD. At the time this story was written, the servers of the Xposed Framework were down, so you have to download the required files from my Github repository. Download the Xposed Installer APK file and the Framework file that match your AVD’s Android version and architecture. In my case, I downloaded the ‘xposed-v90-sdk26-x86-beta3.zip’ file.

Install Xposed Installer on your AVD via Drag and Drop or by using the ADB command as shown below:

> adb install Xposed_Installer_3.1.5.apk

When you open Xposed Installer, it reports ‘Xposed Framework is not installed’, so we need to install the framework itself. Extract the downloaded Xposed Framework zip and then push its ‘system’ directory to any path on your AVD.

> adb push system /storage/emulated/0/Download

Additionally, push the ‘flash-script.sh’ file to the AVD. Please note that ‘flash-script.sh’ and ‘system’ must be placed together.

> adb push .\META-INF\com\google\android\flash-script.sh /storage/emulated/0/Download

Then power off the AVD and run the following command to start the AVD with a writable system:

> $SDK_PATH$\emulator\emulator.exe -avd "$AVD_NAME$" -writable-system

Get shell access to your AVD and run the following commands (if the shell reports ‘Permission denied’ for the script because /storage is mounted noexec, run it as ‘sh flash-script.sh’ instead):

> adb shell
generic_x86:/ $ su
generic_x86:/ # cd /storage/emulated/0/Download
generic_x86:/storage/emulated/0/Download # mount -o rw,remount /system
generic_x86:/storage/emulated/0/Download # ./flash-script.sh
generic_x86:/storage/emulated/0/Download # reboot

From now on, you should run the following command to start your AVD. This command starts the AVD with a writable system, which helps Xposed Framework to execute properly.

> $SDK_PATH$\emulator\emulator.exe -avd "$AVD_NAME$" -writable-system

Now you have a rooted AVD with Xposed installed. Enjoy :)
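As an added example (not part of the original post or of rootAVD/Xposed), the POSIX shell script below checks the outcome of the procedure above: it parses the output of `id` for uid 0, derives the framework zip name the post used from the AVD's SDK level and ABI, and, when adb is available, confirms that XposedBridge.jar landed in /system/framework. The adb property names and the XposedBridge.jar path are assumptions about the device, not something the post states.

```shell
#!/bin/sh
# Added example: post-install checks for a rooted AVD with Xposed.
# The pure helpers below work on captured output; verify_avd runs live adb calls.

# Return 0 if the output of `id` shows uid 0 (root), else 1.
is_root_id() {
  case "$1" in
    "uid=0("*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the framework zip name for an SDK level and ABI, following the
# v90-beta3 naming the post used (e.g. xposed-v90-sdk26-x86-beta3.zip).
xposed_zip_name() {
  printf 'xposed-v90-sdk%s-%s-beta3.zip\n' "$1" "$2"
}

# Return 0 when the AVD's SDK level matches the one the downloaded zip targets.
sdk_matches() {
  [ "$1" = "$2" ]
}

# Live checks against a running AVD (assumes adb on PATH and Magisk's su).
verify_avd() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found; skipping live checks"; return 2; }
  id_out=$(adb shell su -c id 2>/dev/null | tr -d '\r')
  is_root_id "$id_out" || { echo "not rooted: $id_out"; return 1; }
  sdk=$(adb shell getprop ro.build.version.sdk | tr -d '\r')
  abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
  echo "root OK (sdk=$sdk abi=$abi); expected framework zip: $(xposed_zip_name "$sdk" "$abi")"
  # XposedBridge.jar is the framework component placed under /system/framework.
  if adb shell '[ -f /system/framework/XposedBridge.jar ]'; then
    echo "Xposed framework present"
  else
    echo "Xposed framework missing"
    return 1
  fi
}

# Run the live checks only when explicitly requested: ./check_avd.sh --live
if [ "${1:-}" = "--live" ]; then
  verify_avd
fi
```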
