Abstract

Social engineering techniques are often viewed negatively due to their association with deceptive practices. However, these techniques can also be utilized ethically, as many cybersecurity professionals do, particularly when evaluating vulnerabilities and testing security defenses. This paper presents EDC (Ethical Data Collector), an Android application that utilizes social engineering techniques to discreetly collect valuable data from an Android device for ethical purposes. EDC employs deception through a simulated (fake) UI to engage the target for a period, while secretly collecting data such as device information, active phone number, and images in the background, then sending them to a designated server via the internet. The researcher argues that EDC could help identify inexperienced cybercriminals or extortionists without complex efforts or significant cost, provided that its capabilities are judiciously utilized and subject to proper controls and oversight. EDC's development methodology emphasizes understanding the target's personality, predilections, and preferences to tailor the app experience as required for attracting the target to install and run the application. The paper describes the core functions and workflows for collecting and sending data. Permissions handling is also addressed, as it is critical for enabling EDC to collect the required information. Testing on Android emulators demonstrated that EDC's APK file size is 4 MB, and that the data collection and transmission processes functioned as intended across various Android versions. The minimum SDK version required to run EDC is level 16. The total estimated time to complete the fake UI process (cumulative user engagement time) is 57-60 seconds, where each activity takes 8 seconds based on the adopted development approach.
