Check receiver names for IoCs (#721)

* receiver names are checked if a known malicious app id is a substring * ruff syntax fixes --------- Co-authored-by: Viktor <vik@tor.me> Co-authored-by: besendorf <janik@besendorf.org>
2026-02-12 16:42:45 +00:00 · 2026-01-10 15:24:20 +01:00
parent 8f34902bed
commit 7173e02a6f
2 changed files with 38 additions and 0 deletions
--- a/src/mvt/android/modules/bugreport/dumpsys_receivers.py
+++ b/src/mvt/android/modules/bugreport/dumpsys_receivers.py
@@ -34,6 +34,20 @@ class DumpsysReceivers(DumpsysReceiversArtifact, BugReportModule):

        self.results = results if results else {}

+    def check_indicators(self) -> None:
+        for result in self.results:
+            if self.indicators:
+                receiver_name = self.results[result][0]["receiver"]
+
+                # return IoC if the stix2 process name a substring of the receiver name
+                ioc = self.indicators.check_receiver_prefix(receiver_name)
+                if ioc:
+                    self.results[result][0]["matched_indicator"] = ioc
+                    self.detected.append(result)
+                    continue
+
+
+
    def run(self) -> None:
        content = self._get_dumpstate_file()
        if not content:
--- a/src/mvt/common/indicators.py
+++ b/src/mvt/common/indicators.py
@@ -768,6 +768,30 @@ class Indicators:

        return None

+
+    def check_receiver_prefix(self, receiver_name: str) -> Union[dict, None]:
+        """Check the provided receiver name against the list of indicators.
+        An IoC match is detected when a substring of the receiver matches the indicator
+        :param app_id: App ID to check against the list of indicators
+        :type app_id: str
+        :returns: Indicator details if matched, otherwise None
+
+        """
+        if not receiver_name:
+            return None
+
+        for ioc in self.get_iocs("app_ids"):
+            if ioc["value"].lower() in receiver_name.lower():
+                self.log.warning(
+                    'Found a known suspicious receiver with name "%s" '
+                    'matching indicators from "%s"',
+                    receiver_name,
+                    ioc["name"],
+                )
+                return ioc
+
+        return None
+
    def check_android_property_name(self, property_name: str) -> Optional[dict]:
        """Check the android property name against the list of indicators.