From af8c56675b24bd456a0773390ba09f7dde64400e Mon Sep 17 00:00:00 2001
From: Janik Besendorf
Date: Fri, 7 Nov 2025 16:42:09 +0100
Subject: [PATCH] Fix root_binaries and mounts modules to use alertstore

---
 src/mvt/android/artifacts/mounts.py | 38 +++++++++++++------
 .../modules/androidqf/root_binaries.py | 14 +++---
 2 files changed, 34 insertions(+), 18 deletions(-)

diff --git a/src/mvt/android/artifacts/mounts.py b/src/mvt/android/artifacts/mounts.py
index 6e7b0b6..7483cf5 100644
--- a/src/mvt/android/artifacts/mounts.py
+++ b/src/mvt/android/artifacts/mounts.py
@@ -133,13 +133,18 @@ class Mounts(AndroidArtifact):
             if mount["is_system_partition"] and mount["is_read_write"]:
                 system_rw_mounts.append(mount)
                 if mount_point == "/system":
-                    self.log.warning(
-                        "Root detected /system partition is mounted as read-write (rw). "
+                    self.alertstore.warning(
+                        self.get_slug(),
+                        "Root detected /system partition is mounted as read-write (rw)",
+                        "",
+                        mount,
                     )
                 else:
-                    self.log.warning(
-                        "System partition %s is mounted as read-write (rw). This may indicate system modifications.",
-                        mount_point,
+                    self.alertstore.warning(
+                        self.get_slug(),
+                        f"System partition {mount_point} is mounted as read-write (rw). This may indicate system modifications.",
+                        "",
+                        mount,
                     )
 
             # Check for other suspicious mount options
@@ -151,10 +156,11 @@ class Mounts(AndroidArtifact):
             ):
                 continue
             suspicious_mounts.append(mount)
-            self.log.warning(
-                "Suspicious mount options found for %s: %s",
-                mount_point,
-                ", ".join(suspicious_opts),
+            self.alertstore.warning(
+                self.get_slug(),
+                f"Suspicious mount options found for {mount_point}: {', '.join(suspicious_opts)}",
+                "",
+                mount,
             )
 
         # Log interesting mount information
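Review bot: Every new `self.alertstore.warning(...)` call in this hunk and the next passes a bare `""` as its third positional argument, which tells a reader nothing about what that slot carries; pass it by its keyword name (or omit it if that parameter has a default) so the call documents itself. The same pattern recurs in the two later hunks of this patch. The `/system` branch also drops the trailing `". "` of the old message, which looks like the leftover of a string concatenation that was never completed, so the new single-string message is the right shape. The enclosing loop starts before this hunk.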
@@ -177,10 +183,20 @@ class Mounts(AndroidArtifact):
             ioc = self.indicators.check_file_path(mount.get("mount_point", ""))
             if ioc:
                 mount["matched_indicator"] = ioc
-                self.detected.append(mount)
+                self.alertstore.critical(
+                    self.get_slug(),
+                    f"Mount point matches indicator: {mount.get('mount_point', '')}",
+                    "",
+                    mount,
+                )
 
             # Check device paths for indicators
             ioc = self.indicators.check_file_path(mount.get("device", ""))
             if ioc:
                 mount["matched_indicator"] = ioc
-                self.detected.append(mount)
+                self.alertstore.critical(
+                    self.get_slug(),
+                    f"Device path matches indicator: {mount.get('device', '')}",
+                    "",
+                    mount,
+                )
diff --git a/src/mvt/android/modules/androidqf/root_binaries.py b/src/mvt/android/modules/androidqf/root_binaries.py
index c5df729..762f4cb 100644
--- a/src/mvt/android/modules/androidqf/root_binaries.py
+++ b/src/mvt/android/modules/androidqf/root_binaries.py
@@ -46,17 +46,17 @@ class RootBinaries(AndroidQFModule):
 
         # All found root binaries are considered indicators of rooting
         for result in self.results:
-            self.log.warning(
-                'Found root binary "%s" at path "%s"',
-                result["binary_name"],
-                result["path"],
+            self.alertstore.warning(
+                self.get_slug(),
+                f'Found root binary "{result["binary_name"]}" at path "{result["path"]}"',
+                "",
+                result,
             )
-            self.detected.append(result)
 
-        if self.detected:
+        if self.results:
             self.log.warning(
                 "Device shows signs of rooting with %d root binaries found",
-                len(self.detected),
+                len(self.results),
             )
 
     def run(self) -> None:
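Review bot: A mount whose mount point and device path both match an indicator has `mount["matched_indicator"]` overwritten by the second check after the first `self.alertstore.critical(...)` has already been handed the same `mount` dict, so if the alertstore keeps a reference rather than a copy the first alert ends up carrying the device indicator, and the mount is reported twice. Passing a snapshot such as `dict(mount)` to each alert, or collecting both matches before alerting once, would keep each alert's payload consistent with its message. Both `self.detected.append(mount)` lines are removed here (and `self.detected.append(result)` in the root_binaries hunk) with nothing in the hunk repopulating `self.detected`; if any caller outside this hunk still consults it to decide whether the module produced detections, that path now sees nothing. The enclosing method starts before this hunk.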
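Review bot: The per-binary findings now go to the alertstore while the summary under `if self.results:` still goes through `self.log.warning`, so the method writes to two sinks with no comment saying why; if the split is intentional, a one-line note such as `# Summary count is log-only; individual findings are recorded in the alertstore above` would stop the next reader from "fixing" it. The f-string also interpolates `result["binary_name"]` and `result["path"]`, values read from the device, straight into the alert message; the old %-style call did the same, so this is not new, but the message is now a stored finding rather than a log line, which is worth keeping in mind if the alertstore output is rendered anywhere. The enclosing method starts before this hunk.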