From 7173e02a6f29bd63f228460a38f1ee445e552eca Mon Sep 17 00:00:00 2001
From: viktor3002 <120377456+viktor3002@users.noreply.github.com>
Date: Sat, 10 Jan 2026 15:24:20 +0100
Subject: [PATCH] Check receiver names for IoCs (#721)
* receiver names are checked if a known malicious app id is a substring
* ruff syntax fixes
---------
Co-authored-by: Viktor
Co-authored-by: besendorf
---
.../modules/bugreport/dumpsys_receivers.py | 14 +++++++++++
src/mvt/common/indicators.py | 24 +++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/src/mvt/android/modules/bugreport/dumpsys_receivers.py b/src/mvt/android/modules/bugreport/dumpsys_receivers.py
index 591af2f..a16bc3b 100644
--- a/src/mvt/android/modules/bugreport/dumpsys_receivers.py
+++ b/src/mvt/android/modules/bugreport/dumpsys_receivers.py
@@ -34,6 +34,20 @@ class DumpsysReceivers(DumpsysReceiversArtifact, BugReportModule):
 self.results = results if results else {}
+ def check_indicators(self) -> None:
+ for result in self.results:
+ if self.indicators:
+ receiver_name = self.results[result][0]["receiver"]
+
+ # return IoC if the stix2 process name a substring of the receiver name
+ ioc = self.indicators.check_receiver_prefix(receiver_name)
+ if ioc:
+ self.results[result][0]["matched_indicator"] = ioc
+ self.detected.append(result)
+ continue
+
+
+
 def run(self) -> None:
 content = self._get_dumpstate_file()
 if not content:
diff --git a/src/mvt/common/indicators.py b/src/mvt/common/indicators.py
index e23a996..b8aa829 100644
--- a/src/mvt/common/indicators.py
+++ b/src/mvt/common/indicators.py
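Review bot: `check_indicators` only looks at entry `[0]` of each `self.results[result]`, so if a key holds more than one receiver dict (the list-of-dicts shape is inferred from the indexing, not shown here) every entry after the first is never compared against the indicators, and a first entry without a `receiver` key raises `KeyError` instead of being skipped. The `if self.indicators` test is re-evaluated on every key, the trailing `continue` is the last statement of the loop body and therefore dead, and the comment speaks of a "stix2 process name" while the helper it calls matches app IDs; the three blank lines left after the method are also more than the two the rest of the class uses around `run`. Whether `self.detected` should receive the key (`result`) or the matched dict is worth confirming against what the sibling modules append. I would hoist the guard, iterate every entry and keep one `detected` entry per key:
```python
    def check_indicators(self) -> None:
        if not self.indicators:
            return

        for result, receivers in self.results.items():
            for receiver in receivers:
                # An IoC matches when a known app ID is a substring of the receiver name.
                ioc = self.indicators.check_receiver_prefix(receiver.get("receiver"))
                if ioc:
                    receiver["matched_indicator"] = ioc
                    self.detected.append(result)
                    break
```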
@@ -768,6 +768,30 @@ class Indicators:
 return None
+
+ def check_receiver_prefix(self, receiver_name: str) -> Union[dict, None]:
+ """Check the provided receiver name against the list of indicators.
+ An IoC match is detected when a substring of the receiver matches the indicator
+ :param app_id: App ID to check against the list of indicators
+ :type app_id: str
+ :returns: Indicator details if matched, otherwise None
+
+ """
+ if not receiver_name:
+ return None
+
+ for ioc in self.get_iocs("app_ids"):
+ if ioc["value"].lower() in receiver_name.lower():
+ self.log.warning(
+ 'Found a known suspicious receiver with name "%s" '
+ 'matching indicators from "%s"',
+ receiver_name,
+ ioc["name"],
+ )
+ return ioc
+
+ return None
+
 def check_android_property_name(self, property_name: str) -> Optional[dict]:
 """Check the android property name against the list of indicators.
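Review bot: `check_receiver_prefix` is a substring test (`ioc["value"].lower() in receiver_name.lower()`), so an indicator whose value is empty matches every receiver (`"" in s` is true in Python) and a short value such as a bare vendor prefix flags every component that contains it, which turns an indicator-feed quality problem into false detections. I would skip blank values and invert the condition into a guard — `value = ioc["value"].lower()` / `if not value or value not in receiver_name.lower(): continue` — and, if receiver names are `package/component` as the name suggests (not shown here), anchor the comparison to the package part rather than the whole string; `receiver_name.lower()` can also be computed once before the loop. The method name promises a prefix match and the docstring documents a parameter that does not exist: replace the `:param app_id:`/`:type app_id:` lines with `:param receiver_name: Receiver name (including its package) to check against the app_ids indicators` and `:type receiver_name: str`, and state that a match means an indicator value is a substring of the receiver name. The return annotation could use `Optional[dict]` like the neighbouring `check_android_property_name` instead of `Union[dict, None]`.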