diff --git a/src/mvt/android/modules/adb/packages.py b/src/mvt/android/modules/adb/packages.py
index 74e3afc..1c95b2b 100644
--- a/src/mvt/android/modules/adb/packages.py
+++ b/src/mvt/android/modules/adb/packages.py
@@ -73,11 +73,11 @@ class Packages(AndroidExtraction):
     def check_indicators(self) -> None:
         for result in self.results:
             if result["package_name"] in ROOT_PACKAGES:
-                self.log.warning(
-                    'Found an installed package related to rooting/jailbreaking: "%s"',
-                    result["package_name"],
+                self.alertstore.high(
+                    f'Found an installed package related to rooting/jailbreaking: "{result["package_name"]}"',
+                    "",
+                    result,
                 )
-                self.detected.append(result)
                 continue
 
             if result["package_name"] in SECURITY_PACKAGES and result["disabled"]:
diff --git a/src/mvt/android/modules/bugreport/dumpsys_receivers.py b/src/mvt/android/modules/bugreport/dumpsys_receivers.py
index 2b4be91..3c36591 100644
--- a/src/mvt/android/modules/bugreport/dumpsys_receivers.py
+++ b/src/mvt/android/modules/bugreport/dumpsys_receivers.py
@@ -41,10 +41,15 @@ class DumpsysReceivers(DumpsysReceiversArtifact, BugReportModule):
             receiver_name = self.results[result][0]["receiver"]
 
             # return IoC if the stix2 process name a substring of the receiver name
-            ioc = self.indicators.check_receiver_prefix(receiver_name)
-            if ioc:
-                self.results[result][0]["matched_indicator"] = ioc
-                self.detected.append(result)
+            ioc_match = self.indicators.check_receiver_prefix(receiver_name)
+            if ioc_match:
+                self.results[result][0]["matched_indicator"] = ioc_match.ioc
+                self.alertstore.critical(
+                    ioc_match.message,
+                    "",
+                    self.results[result][0],
+                    matched_indicator=ioc_match.ioc,
+                )
             continue
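Review bot: The ROOT_PACKAGES branch drops `self.detected.append(result)` in favour of `self.alertstore.high(...)`, but the SECURITY_PACKAGES branch that begins on the hunk's last line is not shown as migrated; if it still appends to `self.detected`, the module now reports detections through two different channels and any consumer of `self.detected` will see only part of the findings — please confirm the rest of `check_indicators` (which ends outside this hunk) was converted the same way. The bare second positional argument `""` tells a reader nothing about what that slot means; passing it by keyword (the alertstore signature is not visible here) or adding a short comment such as `# no extra detail for this heuristic match` would make the call self-describing. The new f-string line is also well over the usual line-length limit; splitting the message into a local such as `msg = f'Found an installed package related to rooting/jailbreaking: "{result["package_name"]}"'` before the call keeps the formatter happy without changing behaviour.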