From ddb89931398f1f15b76306ba3c38f626c4ec5af4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Donncha=20=C3=93=20Cearbhaill?= Date: Fri, 10 Apr 2026 20:40:22 +0200 Subject: [PATCH] Fix residual self.detected usage in packages and dumpsys_receivers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These modules still used self.detected.append() which no longer exists after the alertstore migration. Converted to alertstore calls: - packages.py: ROOT_PACKAGES detection → alertstore.high() - dumpsys_receivers.py: receiver IOC match → alertstore.critical() --- src/mvt/android/modules/adb/packages.py | 8 ++++---- .../android/modules/bugreport/dumpsys_receivers.py | 13 +++++++++---- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/src/mvt/android/modules/adb/packages.py b/src/mvt/android/modules/adb/packages.py index 74e3afc..1c95b2b 100644 --- a/src/mvt/android/modules/adb/packages.py +++ b/src/mvt/android/modules/adb/packages.py @@ -73,11 +73,11 @@ class Packages(AndroidExtraction): def check_indicators(self) -> None: for result in self.results: if result["package_name"] in ROOT_PACKAGES: - self.log.warning( - 'Found an installed package related to rooting/jailbreaking: "%s"', - result["package_name"], + self.alertstore.high( + f'Found an installed package related to rooting/jailbreaking: "{result["package_name"]}"', + "", + result, ) - self.detected.append(result) continue if result["package_name"] in SECURITY_PACKAGES and result["disabled"]: diff --git a/src/mvt/android/modules/bugreport/dumpsys_receivers.py b/src/mvt/android/modules/bugreport/dumpsys_receivers.py index 2b4be91..3c36591 100644 --- a/src/mvt/android/modules/bugreport/dumpsys_receivers.py +++ b/src/mvt/android/modules/bugreport/dumpsys_receivers.py 
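Review bot: The bare `""` passed as the second positional argument of the new `self.alertstore.high(...)` call gives no hint of what that slot is, and the same opaque literal is repeated in the dumpsys_receivers hunk, so the next conversion can easily put an argument in the wrong position; if the alertstore API takes keywords, spelling it as `self.alertstore.high(message, detail="", result=result)` (or whatever the parameter is actually named) or adding a short `# no additional detail for this alert` comment would make the call self-describing. The `self.log.warning(...)` line is removed together with `self.detected.append`, which assumes `alertstore.high` itself emits a log line at warning level or above — worth confirming, since the rooting-package finding was previously always printed to the console. `check_indicators` continues past the hunk: the `SECURITY_PACKAGES` branch that starts on the last context line is the obvious place for another residual `self.detected`, and because this commit is already a follow-up for stragglers, a repository-wide guard such as a test asserting that no module source under `src/mvt` contains `self.detected` would stop the pattern from coming back.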
@@ -41,10 +41,15 @@ class DumpsysReceivers(DumpsysReceiversArtifact, BugReportModule): receiver_name = self.results[result][0]["receiver"] # return IoC if the stix2 process name a substring of the receiver name - ioc = self.indicators.check_receiver_prefix(receiver_name) - if ioc: - self.results[result][0]["matched_indicator"] = ioc - self.detected.append(result) + ioc_match = self.indicators.check_receiver_prefix(receiver_name) + if ioc_match: + self.results[result][0]["matched_indicator"] = ioc_match.ioc + self.alertstore.critical( + ioc_match.message, + "", + self.results[result][0], + matched_indicator=ioc_match.ioc, + ) continue