From cdbaad94cce9e22585415828432915314d578daa Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 09:43:23 +0100 Subject: [PATCH 01/13] Add new iOS versions and build numbers (#722) Co-authored-by: DonnchaC --- src/mvt/ios/data/ios_versions.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/mvt/ios/data/ios_versions.json b/src/mvt/ios/data/ios_versions.json index e606084..1ceccf6 100644 --- a/src/mvt/ios/data/ios_versions.json +++ b/src/mvt/ios/data/ios_versions.json @@ -1160,6 +1160,10 @@ "version": "18.7.2", "build": "22H124" }, + { + "version": "18.7.3", + "build": "22H217" + }, { "version": "26", "build": "23A341" @@ -1171,5 +1175,9 @@ { "version": "26.1", "build": "23B85" + }, + { + "version": "26.2", + "build": "23C55" } ] \ No newline at end of file From d7e058af43da5c68ab8f73d1b2d39cab4867d047 Mon Sep 17 00:00:00 2001 From: r-tx <138887278+r-tx@users.noreply.github.com> Date: Mon, 15 Dec 2025 08:48:11 +0000 Subject: [PATCH 02/13] add missing iPhone 16 and 17 models (#717) Co-authored-by: r-tx --- src/mvt/ios/data/ios_models.json | 36 ++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/src/mvt/ios/data/ios_models.json b/src/mvt/ios/data/ios_models.json index 8ceeeba..2503a4e 100644 --- a/src/mvt/ios/data/ios_models.json +++ b/src/mvt/ios/data/ios_models.json 
@@ -194,5 +194,41 @@ { "identifier": "iPhone16,2", "description": "iPhone 15 Pro Max" + }, + { + "identifier": "iPhone17,1", + "description": "iPhone 16 Pro" + }, + { + "identifier": "iPhone17,2", + "description": "iPhone 16 Pro Max" + }, + { + "identifier": "iPhone17,3", + "description": "iPhone 16" + }, + { + "identifier": "iPhone17,4", + "description": "iPhone 16 Plus" + }, + { + "identifier": "iPhone17,5", + "description": "iPhone 16e" + }, + { + "identifier": "iPhone18,1", + "description": "iPhone 17 Pro" + }, + { + "identifier": "iPhone18,2", + "description": "iPhone 17 Pro Max" + }, + { + "identifier": "iPhone18,3", + "description": "iPhone 17" + }, + { + "identifier": "iPhone18,4", + "description": "iPhone Air" } ] From 5c3b92aeee774e0e8285276d7cc9cba2f26ddf48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Dec 2025 19:28:36 +0100 Subject: [PATCH 03/13] Bump pydantic from 2.11.7 to 2.12.3 (#708) Bumps [pydantic](https://github.com/pydantic/pydantic) from 2.11.7 to 2.12.3. - [Release notes](https://github.com/pydantic/pydantic/releases) - [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md) - [Commits](https://github.com/pydantic/pydantic/compare/v2.11.7...v2.12.3) --- updated-dependencies: - dependency-name: pydantic dependency-version: 2.12.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index c23f83e..1e5d5b6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -31,7 +31,7 @@ dependencies = [ "PyYAML>=6.0.2", "pyahocorasick==2.2.0", "betterproto==1.2.5", - "pydantic==2.11.7", + "pydantic==2.12.3", "pydantic-settings==2.10.1", "NSKeyedUnArchiver==1.5.2", "python-dateutil==2.9.0.post0", From dd3d665beaebdf672ea5518f528d565c2f848798 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Dec 2025 12:42:20 +0100 Subject: [PATCH 04/13] Bump requests from 2.32.4 to 2.32.5 (#684) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [requests](https://github.com/psf/requests) from 2.32.4 to 2.32.5. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.32.4...v2.32.5) --- updated-dependencies: - dependency-name: requests dependency-version: 2.32.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Donncha Ó Cearbhaill --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 1e5d5b6..63718be 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -20,7 +20,7 @@ dependencies = [ "click==8.2.1", "rich==14.1.0", "tld==0.13.1", - "requests==2.32.4", + "requests==2.32.5", "simplejson==3.20.1", "packaging==25.0", "appdirs==1.4.4", From 5a1166c416acb4d810f45372b4db17d2c4338683 Mon Sep 17 00:00:00 2001 From: besendorf Date: Fri, 19 Dec 2025 12:44:43 +0100 Subject: [PATCH 05/13] Deprecate check-adb and recommend AndroidQF (#723) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Donncha Ó Cearbhaill --- docs/android/adb.md | 14 ++++++++++++++ src/mvt/android/cli.py | 37 +++++++++++++++++++++---------------- src/mvt/common/help.py | 2 +- 3 files changed, 36 insertions(+), 17 deletions(-) diff --git a/docs/android/adb.md b/docs/android/adb.md index d5c0660..fd3d3ef 100644 --- a/docs/android/adb.md +++ b/docs/android/adb.md 
@@ -16,6 +16,12 @@ Now you can try launching MVT with: mvt-android check-adb --output /path/to/results ``` +!!! warning + The `check-adb` command is deprecated and will be removed in a future release. + Whenever possible, prefer acquiring device data using the AndroidQF project (https://github.com/mvt-project/androidqf/) and then analyze those acquisitions with MVT. + + Running `mvt-android check-adb` will also emit a runtime deprecation warning advising you to migrate to AndroidQF. + If you have previously started an adb daemon MVT will alert you and require you to kill it with `adb kill-server` and relaunch the command. !!! warning @@ -37,6 +43,14 @@ mvt-android check-adb --serial 192.168.1.20:5555 --output /path/to/results Where `192.168.1.20` is the correct IP address of your device. +!!! warning + The `check-adb` workflow shown above is deprecated. If you can acquire an AndroidQF acquisition from the device (recommended), use the AndroidQF project to create that acquisition: https://github.com/mvt-project/androidqf/ + + AndroidQF acquisitions provide a more stable, reproducible analysis surface and are the preferred workflow going forward. + ## MVT modules requiring root privileges +!!! warning + Deprecated: many `mvt-android check-adb` workflows are deprecated and will be removed in a future release. Whenever possible, prefer acquiring an AndroidQF acquisition using the AndroidQF project (https://github.com/mvt-project/androidqf/). + Of the currently available `mvt-android check-adb` modules a handful require root privileges to function correctly. This is because certain files, such as browser history and SMS messages databases are not accessible with user privileges through adb. These modules are to be considered OPTIONALLY available in case the device was already jailbroken. **Do NOT jailbreak your own device unless you are sure of what you are doing!** Jailbreaking your phone exposes it to considerable security risks! 
diff --git a/src/mvt/android/cli.py b/src/mvt/android/cli.py index ae225d9..b30d2e5 100644 --- a/src/mvt/android/cli.py +++ b/src/mvt/android/cli.py @@ -9,30 +9,30 @@ import click from mvt.common.cmd_check_iocs import CmdCheckIOCS from mvt.common.help import ( - HELP_MSG_VERSION, - HELP_MSG_OUTPUT, - HELP_MSG_SERIAL, - HELP_MSG_DOWNLOAD_APKS, - HELP_MSG_DOWNLOAD_ALL_APKS, - HELP_MSG_VIRUS_TOTAL, + HELP_MSG_ANDROID_BACKUP_PASSWORD, HELP_MSG_APK_OUTPUT, HELP_MSG_APKS_FROM_FILE, - HELP_MSG_VERBOSE, HELP_MSG_CHECK_ADB, - HELP_MSG_IOC, + HELP_MSG_CHECK_ANDROID_BACKUP, + HELP_MSG_CHECK_ANDROIDQF, + HELP_MSG_CHECK_BUGREPORT, + HELP_MSG_CHECK_IOCS, + HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK, + HELP_MSG_DISABLE_UPDATE_CHECK, + HELP_MSG_DOWNLOAD_ALL_APKS, + HELP_MSG_DOWNLOAD_APKS, HELP_MSG_FAST, + HELP_MSG_HASHES, + HELP_MSG_IOC, HELP_MSG_LIST_MODULES, HELP_MSG_MODULE, HELP_MSG_NONINTERACTIVE, - HELP_MSG_ANDROID_BACKUP_PASSWORD, - HELP_MSG_CHECK_BUGREPORT, - HELP_MSG_CHECK_ANDROID_BACKUP, - HELP_MSG_CHECK_ANDROIDQF, - HELP_MSG_HASHES, - HELP_MSG_CHECK_IOCS, + HELP_MSG_OUTPUT, + HELP_MSG_SERIAL, HELP_MSG_STIX2, - HELP_MSG_DISABLE_UPDATE_CHECK, - HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK, + HELP_MSG_VERBOSE, + HELP_MSG_VERSION, + HELP_MSG_VIRUS_TOTAL, ) from mvt.common.logo import logo from mvt.common.updates import IndicatorsUpdates @@ -201,6 +201,11 @@ def check_adb( cmd.list_modules() return + log.warning( + "DEPRECATION: The 'check-adb' command is deprecated and may be removed in a future release. " + "Prefer acquiring device data using the AndroidQF project (https://github.com/mvt-project/androidqf/) and analyzing that acquisition with MVT." + ) + log.info("Checking Android device over debug bridge") cmd.run() diff --git a/src/mvt/common/help.py b/src/mvt/common/help.py index 9695e57..c90004e 100644 --- a/src/mvt/common/help.py +++ b/src/mvt/common/help.py 
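Review bot: The runtime message in the new `log.warning` call says check-adb "may be removed in a future release", while the `docs/android/adb.md` warnings added in the same commit say it "will be removed"; pick one wording so users get a consistent signal, e.g. `"DEPRECATION: The 'check-adb' command is deprecated and will be removed in a future release. "`. The two implicitly concatenated strings also produce one very long log line; a second `log.warning` for the AndroidQF pointer would read better in terminal output. The enclosing `check_adb` function starts outside the hunk.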
@@ -47,7 +47,7 @@ HELP_MSG_APKS_FROM_FILE = ( "Instead of acquiring APKs from a phone, load an existing packages.json file for " "lookups (mainly for debug purposes)" ) -HELP_MSG_CHECK_ADB = "Check an Android device over ADB" +HELP_MSG_CHECK_ADB = "Deprecated: Check an Android device over ADB. Prefer using the external AndroidQF project (https://github.com/mvt-project/androidqf) to acquire AndroidQF images for analysis." HELP_MSG_CHECK_BUGREPORT = "Check an Android Bug Report" HELP_MSG_CHECK_ANDROID_BACKUP = "Check an Android Backup" HELP_MSG_CHECK_ANDROIDQF = "Check data collected with AndroidQF" From afab222f933db0c5234b9285d00a5b2f9f1fc58d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Donncha=20=C3=93=20Cearbhaill?= Date: Fri, 19 Dec 2025 12:54:29 +0100 Subject: [PATCH 06/13] Run CI tests against Python3.14 too (#724) Resolves #707 --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 37ac7f2..786518a 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -12,7 +12,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: ['3.10', '3.11', '3.12', '3.13'] + python-version: ['3.10', '3.11', '3.12', '3.13', '3.14'] steps: - uses: actions/checkout@v4 From c3dc3d96d56e494cbc490dbc5a73eaab810b8d28 Mon Sep 17 00:00:00 2001 
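Review bot: The new `HELP_MSG_CHECK_ADB` value is a single very long string literal, whereas the neighbouring `HELP_MSG_APKS_FROM_FILE` directly above splits its text across implicitly concatenated lines inside parentheses; following that layout keeps the file consistent. The URL here (`.../androidqf`) also differs from the one used in cli.py and the docs in this same commit (`.../androidqf/`), which is harmless but worth unifying. A terser line such as `"Deprecated: check an Android device over ADB (prefer acquisitions made with AndroidQF)"` would also match the style of the other HELP_MSG_* entries, with the URL left to the docs.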
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Dec 2025 13:09:59 +0100 Subject: [PATCH 07/13] Bump cryptography from 45.0.6 to 46.0.3 (#709) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.6 to 46.0.3. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/45.0.6...46.0.3) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Donncha Ó Cearbhaill --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 63718be..998a7bb 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -27,7 +27,7 @@ dependencies = [ "iOSbackup==0.9.925", "adb-shell[usb]==0.4.4", "libusb1==3.3.1", - "cryptography==45.0.6", + "cryptography==46.0.3", "PyYAML>=6.0.2", "pyahocorasick==2.2.0", "betterproto==1.2.5", From 4bfad1f87dac021b566051554a13eb5bb1ed0b78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Donncha=20=C3=93=20Cearbhaill?= Date: Fri, 19 Dec 2025 13:12:23 +0100 Subject: [PATCH 08/13] Fix outdated security contact point (#725) --- SECURITY.md | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 3df1543..f32109a 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,4 +2,61 @@ Thank you for your interest in reporting security issues and vulnerabilities! Security research is of utmost importance and we take all reports seriously. If you discover an issue please report it to us right away! -Please DO NOT file a public issue, instead send your report privately to *nex [at] nex [dot] sx*. You can also write PGP-encrypted emails to [this key](https://keybase.io/nex/pgp_keys.asc?fingerprint=05216f3b86848a303c2fe37dd166f1667359d880). +Please DO NOT file a public issue, instead send your report privately to the MVT maintainers at Amnesty International via `security [at] amnesty [dot] tech`. + +You can also write PGP-encrypted emails to key `CFBF9698DCA8EB2A80F48ADEA035A030FA04ED13`. The corresponding PGP public key is lited below. + +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGlFPwsBEADQ+d7SeHrFPYv3wPOjWs2oMpp0DPdfIyGbg+iYWOC36FegZhKY ++WeK96GqJWt8wD6kwFUVwQI795WZrjSd1q4a7wR+kj/h7xlRB6ZfVICA6O5DOOm6 +GNMvqy7ESm8g1XZDpb2u1BXmSS9X8f6rjB0e86kYsF1mB5/2USTM63jgDs0GGTkZ +Q1z4Mq4gYyqH32b3gvXkbb68LeQmONUIM3cgmec9q8/pNc1l7fcoLWhOVADRj17Q +plisa/EUf/SYqdtk9w7EHGggNenKNwVM235mkPcMqmE72bTpjT6XCxvZY3ByG5yi +7L+tHJU45ZuXtt62EvX03azxThVfSmH/WbRk8lH8+CW8XMmiWZphG4ydPWqgVKCB +2UOXm+6CQnKA+7Dt1AeK2t5ciATrv9LvwgSxk5WKc3288XFLA6eGMrTdQygYlLjJ ++42RSdK/7fCt/qk4q13oUw8ZTVcCia98uZFi704XuuYTH6NrntIB7j/0oucIS4Y9 +cTWNO5LBerez4v8VI4YHcYESPeIWGFkXhvJzo0VMg1zidBLtiPoGF2JKZGwaK7/p +yY1xALskLp4H+5OY4eB1kf8kl4vGsEK8xA/NNzOiapVmwBXpvVvmXIQJE2k+olNf +sAuyB8+aO1Ws7tFYt3D+olC7iaprOdK7uA4GCgmYYhq6QQPg+cxfczgHfwARAQAB +tD1TZWN1cml0eSBMYWIgYXQgQW1uZXN0eSBJbnRlcm5hdGlvbmFsIDxzZWN1cml0 +eUBhbW5lc3R5LnRlY2g+iQJRBBMBCAA7FiEEz7+WmNyo6yqA9IreoDWgMPoE7RMF +AmlFPwsCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQoDWgMPoE7RNr +2w//a88uP90uSN6lgeIwKsHr1ri27QIBbzCV6hLN/gZBFR2uaiOn/xfFDbnR0Cjo +5nMCJCT1k4nrPbMTlfmWLCD+YKELBzVqWlw4J2SOg3nznPl2JrL8QBKjwts0sF+h +QbRWDsT54wBZnl6ZJJ79eLShNTokBbKnQ7071dMrENr5e2P2sClQXyiIc51ga4FM 
+fHyhsx+GsrdiZNd2AH8912ljW1GuEi3epTO7KMZprmr37mjpZSUToiV59Yhl1Gbo +2pixkYJqi62DG02/gTpCjq9NH3cEMxcxjh4E7yCA8ggLG6+IN6woIvPIdOsnQ+Yj +d3H4rMNBjPSKoL+bdHILkCnp5HokcbVjNY3QAyOAF4qWhk4GtgpTshwxUmb4Tbay +tWLJC2bzjuUBxLkGzMVFfU3B96sVS4Fi0sBaEMBtHskl2f45X8LJhSq//Lw/2L/8 +34uP/RxDSn+DPvj/yqMpekdCcmeFSTX1A19xkPcc0rVhMRde4VL338R86vzh0gMI +1LySDAhXZyVWzrQ5s3n6N3EvCaHCn3qu7ieyFJifCSR7gZqevCEznMQRVpkMTzUt +rk13Z6NOOb4IlTW7HFoY3omJG8Z5jV4kMIE7n6nb0qpNYQiG+YvjenQ3VrMoISyh +lpS2De8+oOtwrxBVX3+qKWvQqzufeE3416kw2Z+5mxH7bx25Ag0EaUU/CwEQALyZ +b+kwLN1yHObTm2yDBEn5HbCT3H1GremvPNmbAaTnfrjUngoKa8MuWWzbX5ptgmZR +UpYY/ylOYcgGydz58vUNrPlhIZT9UhmiifPgZLEXyd0uFpr/NsbRajHMkK10iEZf +h5bHNobiB7pGCu4Uj9e1cMiIZ4yEaYeyXYUoNHf6ISP39mJhHy6ov5yIpm9q0wzm +tGUQPupxGXmEZlOPr3lxqXQ3Ekdv6cWDY5r/oOq71QJ/HUQ13QUuGFIbhnMbT8zd +zaS6f/v772YKsWPc4NNUhtlf25VnQ4FuUtjCe3p6iYP4OVD8gJm0GvXyvyTuiQbL +CSk/378JiNT7nZzYXxrWchMwvEoMIU55+/UaBc50HI5xvDQ858CX7PYGiimcdsO1 +EkQzhVxRfjlILfWrC2lgt+H5qhTn4Fah250Xe1PnLjXGHVUQnY/f3MFeiWQgf92b +02+MfvOeC5OKttP1z5lcx6RFWCIa1E/u8Nj7YrH9hk0ZBRAnBaeAncDFY8dfX2zX +VMoc0dV16gM7RrZ6i7D3CG3eLLkQlX0jbW9dzTuG/3f098EWB1p8vOfS/RbNCBRX +jqGiqacL/aFF3Ci3nQ4O5tSv1XipbgrUhvXnwm9pxrLPS/45iaO59WN4RRGWLLQ7 +LHmeBxoa9avv0SdBYUL+eBxY46GXb/j5VLzHYhSnABEBAAGJAjYEGAEIACAWIQTP +v5aY3KjrKoD0it6gNaAw+gTtEwUCaUU/CwIbDAAKCRCgNaAw+gTtEyvsEACnyFFD +alOZTrrJTXNnUejuiExLh+qTO3T91p5bte597jpwCZnYGwkxEfffsqqhlY6ftEOf +d5tNWE5isai4v8XCbplWomz4KBpepxcn2b+9o5dSyr1vohEFuCJziZDsta1J2DX5 +IE9U48kTgLDfdIBhuOyHNRkvXRHP2OVLCaiw4d9q+hlrraR8pehHt2BJSxh+QZoe +n0iHvIZCBIUA45zLEGmXFpNTGeEf2dKPp3xOkAXOhAMPptE0V1itkF3R7kEW4aFO +SZo8L3C1aWSz/gQ4/vvW5t1IJxirNMUgTMQFvqEkAwX3fm6GCxlgRSvTTRXdcrS8 +6qyFdH1nkCNsavPahN3N2RGGIlWtODEMTO1Hjy0kZtTYdW+JH9sendliCoJES+yN +DjM125SgdAgrqlSYm/g8n9knWpxZv1QM6jU/sVz1J+l6/ixugL2i+CAL2d6uv4tT +QmXnu7Ei4/2kHBUu3Lf59MNgmLHm6F7AhOWErszSeoJKsp+3yA1oTT/npz67sRzY +VVyxz4NBIollna59a1lz0RhlWzNKqNB27jhylyM4ltdzHB7r4VMAVJyttozmIIOC +35ucYxl5BHLuapaRSaYHdUId1LOccYyaOOFF/PSyCu9dKzXk7zEz2HNcIboWSkAE 
+8ZDExMYM4WVpVCOj+frdsaBvzItHacRWuijtkw== +=JAXX +-----END PGP PUBLIC KEY BLOCK----- +``` From a2c9e0c6cfc32e62a44ea5d38c547103b60e5f11 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Dec 2025 13:14:39 +0100 Subject: [PATCH 09/13] Bump simplejson from 3.20.1 to 3.20.2 (#699) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [simplejson](https://github.com/simplejson/simplejson) from 3.20.1 to 3.20.2. - [Release notes](https://github.com/simplejson/simplejson/releases) - [Changelog](https://github.com/simplejson/simplejson/blob/master/CHANGES.txt) - [Commits](https://github.com/simplejson/simplejson/compare/v3.20.1...v3.20.2) --- updated-dependencies: - dependency-name: simplejson dependency-version: 3.20.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Donncha Ó Cearbhaill --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 998a7bb..856fe85 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -21,7 +21,7 @@ dependencies = [ "rich==14.1.0", "tld==0.13.1", "requests==2.32.5", - "simplejson==3.20.1", + "simplejson==3.20.2", "packaging==25.0", "appdirs==1.4.4", "iOSbackup==0.9.925", From b183ca33b5aad54db64fa71b131b1a682ecacd67 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Dec 2025 13:17:12 +0100 Subject: [PATCH 10/13] Bump click from 8.2.1 to 8.3.0 (#696) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [click](https://github.com/pallets/click) from 8.2.1 to 8.3.0. - [Release notes](https://github.com/pallets/click/releases) - [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/click/compare/8.2.1...8.3.0) --- updated-dependencies: - dependency-name: click dependency-version: 8.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Donncha Ó Cearbhaill --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 856fe85..abf5e9b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -17,7 +17,7 @@ classifiers = [ "Programming Language :: Python", ] dependencies = [ - "click==8.2.1", + "click==8.3.0", "rich==14.1.0", "tld==0.13.1", "requests==2.32.5", From 939bec82ff8490c7dc6ea405206b384b482a0462 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Donncha=20=C3=93=20Cearbhaill?= Date: Fri, 19 Dec 2025 13:43:20 +0100 Subject: [PATCH 11/13] Fix Makefile and PyProtject config for current Ruff (#726) --- Makefile | 7 +------ pyproject.toml | 6 +++--- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index 16bde09..53b9b5c 100644 --- a/Makefile +++ b/Makefile @@ -1,14 +1,9 @@ PWD = $(shell pwd) -autofix: - ruff format . - ruff check --fix . - check: ruff mypy ruff: - ruff format --check . - ruff check -q . + ruff check . mypy: mypy diff --git a/pyproject.toml b/pyproject.toml index abf5e9b..6f1a126 100644 --- a/pyproject.toml +++ b/pyproject.toml 
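Review bot: The `ruff` target loses the `ruff format --check .` step and the `autofix` target is removed, so `make check` no longer verifies formatting and there is no make entry point for applying fixes any more; the commit title ("Fix ... for current Ruff") does not say that dropping format enforcement is intended. If it is, a one-line comment in the Makefile such as `# formatting is no longer enforced; run 'ruff format .' manually` would record that decision; otherwise keeping `ruff format --check .` next to `ruff check .` preserves the previous guarantee.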
@@ -80,7 +80,7 @@ packages = "src" addopts = "-ra -q --cov=mvt --cov-report html --junitxml=pytest.xml --cov-report=term-missing:skip-covered" testpaths = ["tests"] -[tool.ruff.lint] +[tool.ruff] select = ["C90", "E", "F", "W"] # flake8 default set ignore = [ "E501", # don't enforce line length violations @@ -95,10 +95,10 @@ ignore = [ # "E203", # whitespace-before-punctuation ] -[tool.ruff.lint.per-file-ignores] +[tool.ruff.per-file-ignores] "__init__.py" = ["F401"] # unused-import -[tool.ruff.lint.mccabe] +[tool.ruff.mccabe] max-complexity = 10 [tool.setuptools] From 8f34902bedd8ec3dd6924480f2fa375f32241a50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Donncha=20=C3=93=20Cearbhaill?= Date: Fri, 19 Dec 2025 13:48:15 +0100 Subject: [PATCH 12/13] Bump version for release v2.7.0 (#727) --- src/mvt/common/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mvt/common/version.py b/src/mvt/common/version.py index 4f16aec..7d659ab 100644 --- a/src/mvt/common/version.py +++ b/src/mvt/common/version.py @@ -3,4 +3,4 @@ # Use of this software is governed by the MVT License 1.1 that can be found at # https://license.mvt.re/1.1/ -MVT_VERSION = "2.6.1" +MVT_VERSION = "2.7.0" From 7173e02a6f29bd63f228460a38f1ee445e552eca Mon Sep 17 00:00:00 2001 From: viktor3002 <120377456+viktor3002@users.noreply.github.com> Date: Sat, 10 Jan 2026 15:24:20 +0100 Subject: [PATCH 13/13] Check receiver names for IoCs (#721) * receiver names are checked if a known malicious app id is a substring * ruff syntax fixes --------- Co-authored-by: Viktor Co-authored-by: besendorf --- .../modules/bugreport/dumpsys_receivers.py | 14 +++++++++++ src/mvt/common/indicators.py | 24 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/src/mvt/android/modules/bugreport/dumpsys_receivers.py b/src/mvt/android/modules/bugreport/dumpsys_receivers.py index 591af2f..a16bc3b 100644 --- a/src/mvt/android/modules/bugreport/dumpsys_receivers.py 
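Review bot: Moving `select`/`ignore` from `[tool.ruff.lint]` to `[tool.ruff]` (and likewise `per-file-ignores` and `mccabe` in the second hunk at line 95) goes in the opposite direction from current Ruff: since Ruff 0.2 the lint options live under `[tool.ruff.lint]`, `[tool.ruff.lint.per-file-ignores]` and `[tool.ruff.lint.mccabe]`, and the top-level spellings are the deprecated form that Ruff reports with a warning. Unless the project pins a Ruff older than 0.2 (not visible here), the previous section names were already correct and both hunks should be reverted. If an older Ruff really is pinned, a comment such as `# top-level ruff lint keys are required by the pinned ruff < 0.2` next to the table would stop the next person from flipping it back.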
+++ b/src/mvt/android/modules/bugreport/dumpsys_receivers.py @@ -34,6 +34,20 @@ class DumpsysReceivers(DumpsysReceiversArtifact, BugReportModule): self.results = results if results else {} + def check_indicators(self) -> None: + for result in self.results: + if self.indicators: + receiver_name = self.results[result][0]["receiver"] + + # return IoC if the stix2 process name a substring of the receiver name + ioc = self.indicators.check_receiver_prefix(receiver_name) + if ioc: + self.results[result][0]["matched_indicator"] = ioc + self.detected.append(result) + continue + + + def run(self) -> None: content = self._get_dumpstate_file() if not content: diff --git a/src/mvt/common/indicators.py b/src/mvt/common/indicators.py index e23a996..b8aa829 100644 --- a/src/mvt/common/indicators.py +++ b/src/mvt/common/indicators.py @@ -768,6 +768,30 @@ class Indicators: return None + + def check_receiver_prefix(self, receiver_name: str) -> Union[dict, None]: + """Check the provided receiver name against the list of indicators. + An IoC match is detected when a substring of the receiver matches the indicator + :param app_id: App ID to check against the list of indicators + :type app_id: str + :returns: Indicator details if matched, otherwise None + + """ + if not receiver_name: + return None + + for ioc in self.get_iocs("app_ids"): + if ioc["value"].lower() in receiver_name.lower(): + self.log.warning( + 'Found a known suspicious receiver with name "%s" ' + 'matching indicators from "%s"', + receiver_name, + ioc["name"], + ) + return ioc + + return None + def check_android_property_name(self, property_name: str) -> Optional[dict]: """Check the android property name against the list of indicators.
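Review bot: `check_indicators` only inspects `self.results[result][0]`, i.e. the first receiver registered for each intent, so any further receivers in the same list are never checked, and an empty list would raise IndexError; iterate over every entry instead. The `if self.indicators:` test is loop-invariant and reads better as a guard at the top, and the trailing `continue` on the last statement of the loop body is a no-op. The module inherits from `DumpsysReceiversArtifact` (class header outside the hunk); if that base class already defines `check_indicators`, this method silently replaces whatever checks it performs, so either call `super().check_indicators()` first or confirm the override is intended. The comment `# return IoC if the stix2 process name a substring of the receiver name` should read `# flag the receiver when a known app-id indicator is a substring of its name`.
```python
    def check_indicators(self) -> None:
        if not self.indicators:
            return

        for intent, receivers in self.results.items():
            matched = False
            for receiver in receivers:
                # flag the receiver when a known app-id indicator is a substring of its name
                ioc = self.indicators.check_receiver_prefix(receiver["receiver"])
                if ioc:
                    receiver["matched_indicator"] = ioc
                    matched = True
            if matched:
                self.detected.append(intent)
```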
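Review bot: The docstring of the new `check_receiver_prefix` documents a parameter named `app_id` while the signature takes `receiver_name`, so the `:param`/`:type` lines should read `:param receiver_name: Receiver name, as reported by dumpsys, to check against the list of indicators` and `:type receiver_name: str`. The name says "prefix" but the body does an unanchored substring test (`ioc["value"].lower() in receiver_name.lower()`), which means an indicator that is a package id also matches any longer package id containing it; if receiver names take the `package/component` form (not verifiable from this hunk), comparing the part before `/` with the indicator exactly, or at least anchoring with `receiver_name.lower().startswith(ioc["value"].lower() + "/")`, would cut those false positives, and the method name should match whichever rule is kept. The return annotation uses `Union[dict, None]` whereas the adjacent `check_android_property_name` uses `Optional[dict]`; keep one form, and confirm `Union` is actually imported in this module since that is not visible here.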