From f78332aa71a7d5f810fbf4c74144317580ae30b0 Mon Sep 17 00:00:00 2001
From: Nex
Date: Thu, 26 Aug 2021 14:51:56 +0200
Subject: [PATCH] Split receivers into a new package
---
 mvt/android/modules/adb/__init__.py | 4 +-
 mvt/android/modules/adb/dumpsys_packages.py | 54 ------------
 mvt/android/modules/adb/dumpsys_receivers.py | 87 ++++++++++++++++++++
 3 files changed, 90 insertions(+), 55 deletions(-)
 create mode 100644 mvt/android/modules/adb/dumpsys_receivers.py
diff --git a/mvt/android/modules/adb/__init__.py b/mvt/android/modules/adb/__init__.py
index e64fbc3..968ec14 100644
--- a/mvt/android/modules/adb/__init__.py
+++ b/mvt/android/modules/adb/__init__.py
@@ -12,7 +12,9 @@ from .processes import Processes
 from .rootbinaries import RootBinaries
 from .sms import SMS
 from .whatsapp import Whatsapp
+from .dumpsys_receivers import DumpsysReceivers
 ADB_MODULES = [ChromeHistory, SMS, Whatsapp, Processes, DumpsysBatterystats, DumpsysProcstats,
- DumpsysPackages, Packages, RootBinaries]
+ DumpsysPackages, DumpsysReceivers,
+ Packages, RootBinaries]
diff --git a/mvt/android/modules/adb/dumpsys_packages.py b/mvt/android/modules/adb/dumpsys_packages.py
index 6525dc8..8bd366a 100644
--- a/mvt/android/modules/adb/dumpsys_packages.py
+++ b/mvt/android/modules/adb/dumpsys_packages.py
@@ -10,9 +10,6 @@ from .base import AndroidExtraction
 log = logging.getLogger(__name__)
-EVENT_NEW_OUTGOING_SMS = "android.provider.Telephony.NEW_OUTGOING_SMS"
-EVENT_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
-EVENT_PHONE_STATE = "android.intent.action.PHONE_STATE"
 class DumpsysPackages(AndroidExtraction):
 """This module extracts details on installed packages."""
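Review bot: The new `from .dumpsys_receivers import DumpsysReceivers` line is appended after `.whatsapp`, while the imports visible in the hunk (`.processes`, `.rootbinaries`, `.sms`, `.whatsapp`) are kept in alphabetical order. Placing it next to the other `dumpsys_*` imports, which presumably sit above the hunk, keeps the block sorted and makes the next module addition unambiguous. The start of the import block is outside the hunk.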
@@ -23,61 +20,10 @@ class DumpsysPackages(AndroidExtraction):
 output_folder=output_folder, fast_mode=fast_mode, log=log, results=results)
-
- def _find_suspicious_packages(self, output):
- """Parse dumpsys packages output to find packages with active receivers
- that could be abusive.
- """
- activity = None
- for line in output.split("\n"):
- # Find activity block markers.
- if line.strip().startswith(EVENT_NEW_OUTGOING_SMS):
- activity = EVENT_NEW_OUTGOING_SMS
- continue
- elif line.strip().startswith(EVENT_SMS_RECEIVED):
- activity = EVENT_SMS_RECEIVED
- continue
- elif line.strip().startswith(EVENT_PHONE_STATE):
- activity = EVENT_PHONE_STATE
- continue
-
- # If we are not in an activity block yet, skip.
- if not activity:
- continue
-
- # If we are in a block but the line does not start with 8 spaces
- # it means the block ended a new one started, so we reset and
- # continue.
- if not line.startswith(" " * 8):
- activity = None
- continue
-
- # If we got this far, we are processing receivers for the
- # activities we are interested in.
- receiver = line.strip().split(" ")[1]
- if receiver.split("/")[0] == "com.google.android.gms":
- continue
-
- if activity == EVENT_NEW_OUTGOING_SMS:
- self.log.warning("Found a receiver to intercept outgoing SMS messages: \"%s\"",
- receiver)
- elif activity == EVENT_SMS_RECEIVED:
- self.log.warning("Found a receiver to intercept incoming SMS messages: \"%s\"",
- receiver)
- elif activity == EVENT_PHONE_STATE:
- self.log.warning("Found a receiver monitoring telephony state: \"%s\"",
- receiver)
-
- self.detected.append({
- "activity": activity,
- "receiver": receiver,
- })
-
 def run(self):
 self._adb_connect()
 output = self._adb_command("dumpsys package")
- self._find_suspicious_packages(output)
 if self.output_folder:
 packages_path = os.path.join(self.output_folder,
diff --git a/mvt/android/modules/adb/dumpsys_receivers.py b/mvt/android/modules/adb/dumpsys_receivers.py
new file mode 100644
index 0000000..8597a54
--- /dev/null
+++ b/mvt/android/modules/adb/dumpsys_receivers.py 
@@ -0,0 +1,87 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021 The MVT Project Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+# https://license.mvt.re/1.1/
+
+import logging
+import os
+
+from .base import AndroidExtraction
+
+log = logging.getLogger(__name__)
+
+ACTION_NEW_OUTGOING_SMS = "android.provider.Telephony.NEW_OUTGOING_SMS"
+ACTION_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
+ACTION_DATA_SMS_RECEIVED = "android.intent.action.DATA_SMS_RECEIVED"
+ACTION_PHONE_STATE = "android.intent.action.PHONE_STATE"
+
+class DumpsysReceivers(AndroidExtraction):
+ """This module extracts details on receivers for risky activities."""
+
+ def __init__(self, file_path=None, base_folder=None, output_folder=None,
+ serial=None, fast_mode=False, log=None, results=[]):
+ super().__init__(file_path=file_path, base_folder=base_folder,
+ output_folder=output_folder, fast_mode=fast_mode,
+ log=log, results=results)
+
+ def run(self):
+ self._adb_connect()
+
+ output = self._adb_command("dumpsys package")
+ if not output:
+ return
+
+ activity = None
+ for line in output.split("\n"):
+ # Find activity block markers.
+ if line.strip().startswith(ACTION_NEW_OUTGOING_SMS):
+ activity = ACTION_NEW_OUTGOING_SMS
+ continue
+ elif line.strip().startswith(ACTION_SMS_RECEIVED):
+ activity = ACTION_SMS_RECEIVED
+ continue
+ elif line.strip().startswith(ACTION_PHONE_STATE):
+ activity = ACTION_PHONE_STATE
+ continue
+ elif line.strip().startswith(ACTION_DATA_SMS_RECEIVED):
+ activity = ACTION_DATA_SMS_RECEIVED
+ continue
+
+ # If we are not in an activity block yet, skip.
+ if not activity:
+ continue
+
+ # If we are in a block but the line does not start with 8 spaces
+ # it means the block ended a new one started, so we reset and
+ # continue.
+ if not line.startswith(" " * 8):
+ activity = None
+ continue
+
+ # If we got this far, we are processing receivers for the
+ # activities we are interested in.
+ receiver = line.strip().split(" ")[1]
+ package_name = receiver.split("/")[0]
+ if package_name == "com.google.android.gms":
+ continue
+
+ if activity == ACTION_NEW_OUTGOING_SMS:
+ self.log.info("Found a receiver to intercept outgoing SMS messages: \"%s\"",
+ receiver)
+ elif activity == ACTION_SMS_RECEIVED:
+ self.log.info("Found a receiver to intercept incoming SMS messages: \"%s\"",
+ receiver)
+ elif activity == ACTION_DATA_SMS_RECEIVED:
+ self.log.info("Found a receiver to intercept incoming data SMS message: \"%s\"",
+ receiver)
+ elif activity == ACTION_PHONE_STATE:
+ self.log.info("Found a receiver monitoring telephony state: \"%s\"",
+ receiver)
+
+ self.results.append({
+ "activity": activity,
+ "package_name": package_name,
+ "receiver": receiver,
+ })
+
+ self._adb_disconnect()
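Review bot: The early `return` under `if not output:` in `run()` bypasses the `self._adb_disconnect()` at the end of the method, so an empty `dumpsys package` result leaves the connection opened by `self._adb_connect()` unreleased unless the base class cleans it up on its own. `line.strip().split(" ")[1]` raises IndexError on any block line with fewer than two space-separated tokens, which would abort the whole module mid-parse with the same leak rather than skip the row. A `try`/`finally` around the body plus a token-count guard covers both; the rewrite below leaves the marker and logging logic untouched. The `results=[]` default in `__init__` is a list shared across instances unless `AndroidExtraction` copies it, though the sibling modules use the same signature. Skipping `com.google.android.gms` also drops those receivers from `self.results`, not just from the log, so the saved output cannot show they were seen; appending the entry and only suppressing the log line would keep the artefact complete.
```python
    def run(self):
        self._adb_connect()
        try:
            output = self._adb_command("dumpsys package")
            if not output:
                return
            # … unchanged, one level deeper: activity = None, for-loop, block markers, 8-space check …
                parts = line.split()
                if len(parts) < 2:
                    # Row without a second token; skip it rather than abort the module.
                    continue
                receiver = parts[1]
                package_name = receiver.split("/")[0]
                # … unchanged: GMS filter, self.log.info calls, self.results.append …
        finally:
            self._adb_disconnect()
```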