Android devices, while unable to put their wireless cards into monitor mode, can still be used to sniff wireless traffic. they are just limited to traffic that goes through them. So to get data to pass through your android device other than its own data we need to have it act as a rogue access point. A rogue access point is an AP that you will control and have your “clients” or *cough”victims*cough* connect to. android 2.2 has this ability to act as a mobile hotspot built in, 2.1 and earlier version will need Wireless Tether for Root Users. I actually prefer the 3rd party app the Android’s built in ability as it offers many more features. And in case this was not obvious from the start, you will need root to preform anything in this article.
The trick to make clients connect to your rogue AP is how you name it, If you are at *bucks then naming it “*bucks free wifi” might be a good idea, however *bucks and many other WiFi hotspots go through “AT&T’s global WiFi network” which is named “att wifi”, so naming your SSID “att wifi” would be even better, because you will get new connections, and you may even be able to have some existing connections re-conect to you if your signal is stronger, and it probably will be because you will be near everybody else vs. their AP somewhere in the back room.
Capturing Packets the Easy Way
If you don’t want to mother messing around with any command lines then luckily there are some nice apps that can handle packet capturing for android. First I want to mention Packet Sniffer. Packet Sniffer is a very crude app (and is in desperate need of a GUI overhaul), but is does offer the ability to sniff bluetooth, however I had no luck getting it to work.
The program that I want to praise is Shark for root. Shark utilizes tcpdump to save .pcap files of the traffic going through the phone, and it works flawlessly. the author even wrote Shark Reader to view the .pcap files on android, however you will most likely want to view them on Wireshark on a desktop.
Capturing Packets the Fun Way
If you installed Debian using this article, or some other method then you can use many more Linux tools. Once you get the traffic you want going through your phone you can install and run any Debian app you want. I will cover two.
Dsniff
Install:
apt-get install dsniff
Running:
In the above screenshot you can see dsniff capturing my username (root) and password (secret) when I logged into my router at 192.168.1.1 (I changed my password since then)
Ettercap
Ettercap is quite a bit more advanced that dsniff, and I will not teach you how to use it in this guide, you can learn more here.
Install:
apt-get install ettercap
Start:
ettercap -C
The -C option starts it in the TUI mode. (Text user interface). Ettercap can do everything dnsiff can, plus more, it was built for man-in-the-middle attacks, much like the one we are doing here with android.
Conclusion
Now that more and more people are getting smart-phones, this type of attack is becoming easier to pull off. And with everybody’s wireless devices always looking to connect to the global “linksys” or “NETGEAR” this becomes very practical. Anything that goes unencrypted over the air-waves could potentially be seen by others, even the inconspicuous guy in the corner plating on his phone 
And in case this was not obvious form the start, DON’T BE AN IDIOT. This article was written for information purposes, anything stupid you may do with this information is your own doing not mine.
Update 1/04/2012:
Recently there has been an explosion of ARP mitm attack type programs for android (all require root) Some good ones are: