mirror of
https://github.com/mvt-project/mvt.git
synced 2026-07-09 22:38:41 +02:00
V3 (#716)
* Run bugreport and backup modules during check-androidqf Adding support to automatically run ADB backup and bugreport modules automatically when running the check-androidqf command. This is a first step to deduplicate the code for Android modules. * Deduplicate modules which are run by the sub-commands. * Raise the proper NoAndroidQFBackup exception when a back-up isn't found * Remove check-adb command and update docs * Remove check-apk code and old dependencies * Major refactor to add structured alerting and typed indicators This commit makes a structural change to MVT by changing binary detected/not detected logic into a structured multi-level system of alerts. This gives far more power to extend MVT and manage alerts. This commit also begins the process of adding proper typing for key objects used in MVT including Indicators, IndicatorMatches, and ModuleResults. This will also be keep to programmatically using the output of MVT. * Fix up, remove ADB module base * Rework old detections tracking into stuctured alert levels * Quote STIX path in log line * Fix profile events log line * Close open archive (zip/tar) file handles * Fix root_binaries and mounts modules to use alertstore * Update tests to use alertstore instead of detected attribute * Fix alertstore method calls - use high() instead of warning() * Fix remaining test errors - Add log_latest() call in root_binaries to log each alert - Fix UnboundLocalError in cmd_check_androidqf by initializing bugreport variable - Remove incorrect backup.close() call since load_backup() returns bytes - Remove duplicate from_ab method in cmd_check_backup that was using old attributes * Log alerts on add * Remove slug from alertstore calls * update alerts.py * update alerts.py * move indicator_match to alert object * . * - Remove timeline_detected and route to alertstore * fix typing for mypy * Remove unused type imports * Fix check_receiver_prefix and check_android_property_name - check_receiver_prefix() used dict syntax (ioc["value"]) on Indicator dataclass objects from get_iocs(). Changed to ioc.value/ioc.name. - check_receiver_prefix() returned raw ioc instead of IndicatorMatch. Now returns IndicatorMatch with descriptive message. - Fixed return type annotations on both methods to Optional[IndicatorMatch]. - Removed unused Union import. * Fix residual self.detected usage in packages and dumpsys_receivers These modules still used self.detected.append() which no longer exists after the alertstore migration. Converted to alertstore calls: - packages.py: ROOT_PACKAGES detection → alertstore.high() - dumpsys_receivers.py: receiver IOC match → alertstore.critical() * Fix SMS module alertstore.high() call passing slug as message The first argument was self.get_slug() (module slug) instead of a human-readable message. The module is already auto-detected via AlertStore._get_calling_module(). Also removed redundant log_latest(). * Apply suggestions from code review Fix JSON serialization in `module.save_to_json` and fix argument order in iOS alertstore calls. Co-authored-by: tes <tesitura@users.noreply.github.com> * Remove unsupported ADB modules * Fail removed check-adb command * Fix alert serialization and logging * Close sqlite connections in iOS modules * Fix DEBUG messages not reaching handlers, save_to_json for dictionary results and TypeError on mixed event_time types in safary_history * add matched_indicator via alertstore instead of directly modifying json objects * Alert on battery daily uninstall and downgrade * Lower alert severity to medium for suspicious items * Switch version to 2026.4.28 CalVer --------- Co-authored-by: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org> Co-authored-by: tes <tesitura@users.noreply.github.com> Co-authored-by: Janik Besendorf <janik.besendorf@reporter-ohne-grenzen.de>
This commit is contained in:
@@ -22,4 +22,4 @@ class TestAndroidqfFilesAnalysis:
|
||||
run_module(m)
|
||||
assert len(m.results) == 3
|
||||
assert len(m.timeline) == 6
|
||||
assert len(m.detected) == 0
|
||||
assert len(m.alertstore.alerts) == 0
|
||||
|
||||
@@ -26,7 +26,7 @@ class TestAndroidqfGetpropAnalysis:
|
||||
assert m.results[0]["name"] == "dalvik.vm.appimageformat"
|
||||
assert m.results[0]["value"] == "lz4"
|
||||
assert len(m.timeline) == 0
|
||||
assert len(m.detected) == 0
|
||||
assert len(m.alertstore.alerts) == 0
|
||||
|
||||
def test_getprop_parsing_zip(self):
|
||||
fpath = get_artifact("androidqf.zip")
|
||||
@@ -38,7 +38,7 @@ class TestAndroidqfGetpropAnalysis:
|
||||
assert m.results[0]["name"] == "dalvik.vm.appimageformat"
|
||||
assert m.results[0]["value"] == "lz4"
|
||||
assert len(m.timeline) == 0
|
||||
assert len(m.detected) == 0
|
||||
assert len(m.alertstore.alerts) == 0
|
||||
|
||||
def test_androidqf_getprop_detection(self, indicator_file):
|
||||
data_path = get_android_androidqf()
|
||||
@@ -52,5 +52,5 @@ class TestAndroidqfGetpropAnalysis:
|
||||
m.indicators = ind
|
||||
run_module(m)
|
||||
assert len(m.results) == 10
|
||||
assert len(m.detected) == 1
|
||||
assert m.detected[0]["name"] == "dalvik.vm.heapmaxfree"
|
||||
assert len(m.alertstore.alerts) == 1
|
||||
assert m.alertstore.alerts[0].event["name"] == "dalvik.vm.heapmaxfree"
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
import logging
|
||||
from pathlib import Path
|
||||
|
||||
from mvt.common.indicators import Indicator, IndicatorMatch
|
||||
from mvt.common.module import run_module
|
||||
|
||||
from ..utils import get_android_androidqf, list_files
|
||||
@@ -72,6 +73,38 @@ class TestAndroidqfMountsArtifact:
|
||||
(("by-name/data" in s or "/data" in s) and "rw" in s) for s in concatenated
|
||||
), f"No data-like tokens (data + rw) found in parsed results: {concatenated}"
|
||||
|
||||
def test_mount_ioc_alert_uses_indicator(self):
|
||||
from mvt.android.artifacts.mounts import Mounts as MountsArtifact
|
||||
|
||||
indicator = Indicator(
|
||||
value="/system",
|
||||
type="file_path",
|
||||
name="TestMalware",
|
||||
stix2_file_name="indicators.stix2",
|
||||
)
|
||||
m = MountsArtifact()
|
||||
m.indicators = type(
|
||||
"MountIndicators",
|
||||
(),
|
||||
{
|
||||
"check_file_path": lambda self, path: IndicatorMatch(
|
||||
ioc=indicator, message="matched file path"
|
||||
)
|
||||
if path == "/system"
|
||||
else None
|
||||
},
|
||||
)()
|
||||
|
||||
m.parse("/dev/block/by-name/system on /system type ext4 (rw,seclabel)")
|
||||
m.check_indicators()
|
||||
|
||||
indicator_alerts = [
|
||||
alert for alert in m.alertstore.alerts if alert.matched_indicator
|
||||
]
|
||||
assert len(indicator_alerts) == 1
|
||||
assert indicator_alerts[0].matched_indicator == indicator
|
||||
assert indicator_alerts[0].message == "matched file path"
|
||||
|
||||
|
||||
class TestAndroidqfMountsModule:
|
||||
def test_androidqf_module_no_mounts_file(self):
|
||||
@@ -94,4 +127,6 @@ class TestAndroidqfMountsModule:
|
||||
assert len(m.results) == 0, (
|
||||
f"Expected no results when mounts.json is absent, got: {m.results}"
|
||||
)
|
||||
assert len(m.detected) == 0, f"Expected no detections, got: {m.detected}"
|
||||
assert len(m.alertstore.alerts) == 0, (
|
||||
f"Expected no detections, got: {m.alertstore.alerts}"
|
||||
)
|
||||
|
||||
@@ -47,38 +47,35 @@ class TestAndroidqfPackages:
|
||||
def test_non_appstore_warnings(self, caplog, module):
|
||||
run_module(module)
|
||||
|
||||
assert len(module.detected) == 4
|
||||
assert len(module.alertstore.alerts) == 5
|
||||
|
||||
# Not a super test to be searching logs for this but heuristic detections not yet formalised
|
||||
assert (
|
||||
'Found a non-system package installed via adb or another method: "com.whatsapp"'
|
||||
in caplog.text
|
||||
)
|
||||
adb_message = "Found a non-system package installed via adb or another method:"
|
||||
whatsapp_detected = [
|
||||
pkg for pkg in module.detected if pkg["name"] == "com.whatsapp"
|
||||
alert
|
||||
for alert in module.alertstore.alerts
|
||||
if alert.event["name"] == "com.whatsapp"
|
||||
]
|
||||
assert len(whatsapp_detected) == 1
|
||||
assert adb_message in whatsapp_detected[0].message
|
||||
|
||||
assert (
|
||||
'Found a package installed via a browser (installer="com.google.android.packageinstaller"): '
|
||||
'"app.revanced.manager.flutter"' in caplog.text
|
||||
)
|
||||
browser_message = 'Found a package installed via a browser (installer="com.google.android.packageinstaller"): '
|
||||
revanced_detected = [
|
||||
pkg
|
||||
for pkg in module.detected
|
||||
if pkg["name"] == "app.revanced.manager.flutter"
|
||||
alert
|
||||
for alert in module.alertstore.alerts
|
||||
if alert.event["name"] == "app.revanced.manager.flutter"
|
||||
]
|
||||
assert len(revanced_detected) == 1
|
||||
assert browser_message in revanced_detected[0].message
|
||||
|
||||
assert (
|
||||
'Found a package installed via a third party store (installer="org.fdroid.fdroid"): "org.nuclearfog.apollo"'
|
||||
in caplog.text
|
||||
)
|
||||
# We do not currently flag a third party store as a detection, we only flag the app in the logs.
|
||||
third_party_message = 'Found a package installed via a third party store (installer="org.fdroid.fdroid")'
|
||||
appollo_detected = [
|
||||
pkg for pkg in module.detected if pkg["name"] == "org.nuclearfog.apollo"
|
||||
alert
|
||||
for alert in module.alertstore.alerts
|
||||
if alert.event["name"] == "org.nuclearfog.apollo"
|
||||
]
|
||||
assert len(appollo_detected) == 0
|
||||
assert len(appollo_detected) == 1
|
||||
assert third_party_message in appollo_detected[0].message
|
||||
|
||||
def test_packages_ioc_package_names(self, module, indicators_factory):
|
||||
module.indicators = indicators_factory(app_ids=["com.malware.blah"])
|
||||
@@ -86,13 +83,13 @@ class TestAndroidqfPackages:
|
||||
run_module(module)
|
||||
|
||||
possible_detected_app = [
|
||||
pkg for pkg in module.detected if pkg["name"] == "com.malware.blah"
|
||||
alert
|
||||
for alert in module.alertstore.alerts
|
||||
if alert.event["name"] == "com.malware.blah"
|
||||
]
|
||||
assert len(possible_detected_app) == 1
|
||||
assert possible_detected_app[0]["name"] == "com.malware.blah"
|
||||
assert (
|
||||
possible_detected_app[0]["matched_indicator"]["value"] == "com.malware.blah"
|
||||
)
|
||||
assert possible_detected_app[0].event["name"] == "com.malware.blah"
|
||||
assert possible_detected_app[0].matched_indicator.value == "com.malware.blah"
|
||||
|
||||
def test_packages_ioc_sha256(self, module, indicators_factory):
|
||||
module.indicators = indicators_factory(
|
||||
@@ -104,12 +101,14 @@ class TestAndroidqfPackages:
|
||||
run_module(module)
|
||||
|
||||
possible_detected_app = [
|
||||
pkg for pkg in module.detected if pkg["name"] == "com.malware.muahaha"
|
||||
alert
|
||||
for alert in module.alertstore.alerts
|
||||
if alert.event["name"] == "com.malware.muahaha"
|
||||
]
|
||||
assert len(possible_detected_app) == 1
|
||||
assert possible_detected_app[0]["name"] == "com.malware.muahaha"
|
||||
assert possible_detected_app[0].event["name"] == "com.malware.muahaha"
|
||||
assert (
|
||||
possible_detected_app[0]["matched_indicator"]["value"]
|
||||
possible_detected_app[0].matched_indicator.value
|
||||
== "31037a27af59d4914906c01ad14a318eee2f3e31d48da8954dca62a99174e3fa"
|
||||
)
|
||||
|
||||
@@ -123,11 +122,13 @@ class TestAndroidqfPackages:
|
||||
run_module(module)
|
||||
|
||||
possible_detected_app = [
|
||||
pkg for pkg in module.detected if pkg["name"] == "com.malware.muahaha"
|
||||
alert
|
||||
for alert in module.alertstore.alerts
|
||||
if alert.event["name"] == "com.malware.muahaha"
|
||||
]
|
||||
assert len(possible_detected_app) == 1
|
||||
assert possible_detected_app[0]["name"] == "com.malware.muahaha"
|
||||
assert possible_detected_app[0].event["name"] == "com.malware.muahaha"
|
||||
assert (
|
||||
possible_detected_app[0]["matched_indicator"]["value"]
|
||||
possible_detected_app[0].matched_indicator.value
|
||||
== "c7e56178748be1441370416d4c10e34817ea0c961eb636c8e9d98e0fd79bf730"
|
||||
)
|
||||
|
||||
@@ -22,4 +22,4 @@ class TestAndroidqfProcessesAnalysis:
|
||||
run_module(m)
|
||||
assert len(m.results) == 15
|
||||
assert len(m.timeline) == 0
|
||||
assert len(m.detected) == 0
|
||||
assert len(m.alertstore.alerts) == 0
|
||||
|
||||
@@ -42,7 +42,7 @@ class TestAndroidqfRootBinaries:
|
||||
|
||||
# Should find 4 root binaries from the test file
|
||||
assert len(module.results) == 4
|
||||
assert len(module.detected) == 4
|
||||
assert len(module.alertstore.alerts) == 4
|
||||
|
||||
# Check that all results are detected as indicators
|
||||
binary_paths = [result["path"] for result in module.results]
|
||||
@@ -113,4 +113,4 @@ class TestAndroidqfRootBinaries:
|
||||
run_module(m)
|
||||
|
||||
assert len(m.results) == 0
|
||||
assert len(m.detected) == 0
|
||||
assert len(m.alertstore.alerts) == 0
|
||||
|
||||
@@ -21,4 +21,4 @@ class TestSettingsModule:
|
||||
run_module(m)
|
||||
assert len(m.results) == 1
|
||||
assert "random" in m.results.keys()
|
||||
assert len(m.detected) == 0
|
||||
assert len(m.alertstore.alerts) == 0
|
||||
|
||||
@@ -25,7 +25,7 @@ class TestAndroidqfSMSAnalysis:
|
||||
run_module(m)
|
||||
assert len(m.results) == 2
|
||||
assert len(m.timeline) == 0
|
||||
assert len(m.detected) == 0
|
||||
assert len(m.alertstore.alerts) == 0
|
||||
|
||||
def test_androidqf_sms_encrypted_password_valid(self):
|
||||
data_path = os.path.join(get_artifact_folder(), "androidqf_encrypted")
|
||||
|
||||
@@ -0,0 +1,36 @@
|
||||
# Mobile Verification Toolkit (MVT)
|
||||
# Copyright (c) 2021-2023 The MVT Authors.
|
||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||
# https://license.mvt.re/1.1/
|
||||
|
||||
import logging
|
||||
|
||||
from mvt.common.indicators import Indicators
|
||||
from mvt.common.module import run_module
|
||||
from mvt.ios.modules.mixed.tcc import TCC
|
||||
|
||||
from ..utils import get_ios_backup_folder
|
||||
|
||||
|
||||
class TestTCCModule:
|
||||
def test_tcc(self):
|
||||
m = TCC(target_path=get_ios_backup_folder())
|
||||
run_module(m)
|
||||
assert len(m.results) == 11
|
||||
assert len(m.timeline) == 11
|
||||
assert len(m.alertstore.alerts) == 0
|
||||
assert m.results[0]["service"] == "kTCCServiceUbiquity"
|
||||
assert m.results[0]["client"] == "com.apple.Preferences"
|
||||
assert m.results[0]["auth_value"] == "allowed"
|
||||
|
||||
def test_tcc_detection(self, indicator_file):
|
||||
m = TCC(target_path=get_ios_backup_folder())
|
||||
ind = Indicators(log=logging.getLogger())
|
||||
ind.parse_stix2(indicator_file)
|
||||
m.indicators = ind
|
||||
run_module(m)
|
||||
assert len(m.results) == 11
|
||||
assert len(m.timeline) == 11
|
||||
assert len(m.alertstore.alerts) == 1
|
||||
assert m.alertstore.alerts[0].event["service"] == "kTCCServiceLiverpool"
|
||||
assert m.alertstore.alerts[0].event["client"] == "Launch"
|
||||
Reference in New Issue
Block a user