Android MCP Server — agentic threat model
The Android MCP Server presents an exceptionally high-risk profile due to its ability to execute arbitrary ADB commands, effectively granting an LLM full administrative control over connected physical or virtual Android devices.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
| --- | --- | --- |
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.60 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.30 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.80 | |
| Opacity & Reflexivity | 0.70 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from the listing" are general, caveated commentary where the public description did not pin that layer down.
Layer 1, Foundation Models (not certain from the listing): The underlying foundation model is not specified, but it is highly vulnerable to prompt injection attacks that could be translated directly into malicious ADB commands executed on the target device.
Layer 2, Data Operations (not certain from the listing): The agent ingests UI layout XMLs and screenshots from the device. This data could contain highly sensitive personally identifiable information (PII), credentials, or session tokens exposed on the screen.
Layer 3, Agent Frameworks: The framework exposes highly privileged tools including arbitrary ADB command execution, screenshot capture, and package management. Insecure tool integration here allows direct translation of untrusted model outputs into system-level OS commands.
Layer 4, Deployment and Infrastructure: The deployment environment requires access to an ADB daemon (often over TCP or USB). If the MCP server or the ADB port is exposed without strict network isolation, it allows remote attackers to compromise the host or connected Android devices.
Layer 5, Evaluation and Observability (not certain from the listing): There is no mention of built-in guardrails, command sanitization, or logging mechanisms to intercept, audit, or block destructive ADB commands (e.g., 'rm -rf' or installing malicious APKs).
Layer 6, Security and Compliance (not certain from the listing): The tool lacks explicit authentication, authorization, or policy enforcement boundaries, relying entirely on the security of the host running the MCP server to prevent unauthorized device access.
Layer 7, Agent Ecosystem: As an MCP server, this agent is designed to be called by other host clients or agents. A compromised orchestrator agent could abuse this tool to silently exfiltrate device data, install spyware, or brick the connected Android device.
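The guardrail gap noted at the tool and observability layers is the kind a wrapper can close before anything reaches adb: tokenise the model-supplied text, refuse shell metacharacters that could chain a second command behind an allowed one, refuse destructive tokens, admit only a read-only allowlist, and write an audit line for every decision. This is an added illustration, not code from the Android MCP Server project; the allow and deny lists are assumed policy choices.

```python
"""Policy gate for an MCP tool that wraps `adb` (added example; lists are assumed policy)."""
import re
import shlex
from dataclasses import dataclass

# Read-only adb invocations the tool may run without human approval (assumed allowlist).
ALLOWED_PREFIXES = (
    ("shell", "dumpsys"),
    ("shell", "getprop"),
    ("shell", "pm", "list", "packages"),
    ("shell", "uiautomator", "dump"),
    ("exec-out", "screencap"),
)
# Destructive or privilege-changing tokens never accepted from model output (assumed denylist).
DENIED_TOKENS = {"install", "uninstall", "reboot", "root", "remount", "sideload",
                 "rm", "su", "wipe", "dd", "mkfs", "setprop"}
# Shell metacharacters that could chain a second command onto an allowed one.
CHAINING = re.compile(r"[;&|`$<>]")

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(argv: list[str]) -> Decision:
    """Decide whether an already-tokenised adb argv (never a raw shell string) may run."""
    if not argv:
        return Decision(False, "empty command")
    if any(CHAINING.search(tok) for tok in argv):
        return Decision(False, "shell metacharacter in argument")
    if any(tok in DENIED_TOKENS for tok in argv):
        return Decision(False, f"denied token in argv: {argv}")
    if any(tuple(argv[:len(p)]) == p for p in ALLOWED_PREFIXES):
        return Decision(True, "matches read-only allowlist")
    return Decision(False, "not on allowlist")

AUDIT: list[str] = []  # in a real server this would go to a tamper-evident log, not a list

def gate(command: str) -> Decision:
    """Tokenise model-supplied text with shlex, evaluate it, and record an audit line."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes etc.
        decision = Decision(False, f"unparseable: {exc}")
    else:
        decision = evaluate(argv)
    AUDIT.append(f"{'ALLOW' if decision.allowed else 'DENY '} {command!r}: {decision.reason}")
    return decision
```

Pass the resulting argv to the adb subprocess as a list, never through a shell, so the gate's tokenisation is the one that actually runs.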
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).