Bump click from 8.3.0 to 8.3.1

Bumps [click](https://github.com/pallets/click) from 8.3.0 to 8.3.1.
- [Release notes](https://github.com/pallets/click/releases)
- [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/click/compare/8.3.0...8.3.1)

---
updated-dependencies:
- dependency-name: click
  dependency-version: 8.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/tests.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ['3.10', '3.11', '3.12', '3.13']
+        python-version: ['3.10', '3.11', '3.12', '3.13', '3.14']
 
     steps:
       - uses: actions/checkout@v4

Makefile

@@ -1,14 +1,9 @@
 PWD = $(shell pwd)
 
-autofix:
-	ruff format .
-	ruff check --fix .
-
 check: ruff mypy
 
 ruff:
-	ruff format --check .
-	ruff check -q .
+	ruff check .
 
 mypy:
 	mypy

SECURITY.md

@@ -2,4 +2,61 @@
 
 Thank you for your interest in reporting security issues and vulnerabilities! Security research is of utmost importance and we take all reports seriously. If you discover an issue please report it to us right away!
 
-Please DO NOT file a public issue, instead send your report privately to *nex [at] nex [dot] sx*. You can also write PGP-encrypted emails to [this key](https://keybase.io/nex/pgp_keys.asc?fingerprint=05216f3b86848a303c2fe37dd166f1667359d880).
+Please DO NOT file a public issue, instead send your report privately to the MVT maintainers at Amnesty International via `security [at] amnesty [dot] tech`.
+
+You can also write PGP-encrypted emails to key `CFBF9698DCA8EB2A80F48ADEA035A030FA04ED13`. The corresponding PGP public key is lited below.
+
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGlFPwsBEADQ+d7SeHrFPYv3wPOjWs2oMpp0DPdfIyGbg+iYWOC36FegZhKY
++WeK96GqJWt8wD6kwFUVwQI795WZrjSd1q4a7wR+kj/h7xlRB6ZfVICA6O5DOOm6
+GNMvqy7ESm8g1XZDpb2u1BXmSS9X8f6rjB0e86kYsF1mB5/2USTM63jgDs0GGTkZ
+Q1z4Mq4gYyqH32b3gvXkbb68LeQmONUIM3cgmec9q8/pNc1l7fcoLWhOVADRj17Q
+plisa/EUf/SYqdtk9w7EHGggNenKNwVM235mkPcMqmE72bTpjT6XCxvZY3ByG5yi
+7L+tHJU45ZuXtt62EvX03azxThVfSmH/WbRk8lH8+CW8XMmiWZphG4ydPWqgVKCB
+2UOXm+6CQnKA+7Dt1AeK2t5ciATrv9LvwgSxk5WKc3288XFLA6eGMrTdQygYlLjJ
++42RSdK/7fCt/qk4q13oUw8ZTVcCia98uZFi704XuuYTH6NrntIB7j/0oucIS4Y9
+cTWNO5LBerez4v8VI4YHcYESPeIWGFkXhvJzo0VMg1zidBLtiPoGF2JKZGwaK7/p
+yY1xALskLp4H+5OY4eB1kf8kl4vGsEK8xA/NNzOiapVmwBXpvVvmXIQJE2k+olNf
+sAuyB8+aO1Ws7tFYt3D+olC7iaprOdK7uA4GCgmYYhq6QQPg+cxfczgHfwARAQAB
+tD1TZWN1cml0eSBMYWIgYXQgQW1uZXN0eSBJbnRlcm5hdGlvbmFsIDxzZWN1cml0
+eUBhbW5lc3R5LnRlY2g+iQJRBBMBCAA7FiEEz7+WmNyo6yqA9IreoDWgMPoE7RMF
+AmlFPwsCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQoDWgMPoE7RNr
+2w//a88uP90uSN6lgeIwKsHr1ri27QIBbzCV6hLN/gZBFR2uaiOn/xfFDbnR0Cjo
+5nMCJCT1k4nrPbMTlfmWLCD+YKELBzVqWlw4J2SOg3nznPl2JrL8QBKjwts0sF+h
+QbRWDsT54wBZnl6ZJJ79eLShNTokBbKnQ7071dMrENr5e2P2sClQXyiIc51ga4FM
+fHyhsx+GsrdiZNd2AH8912ljW1GuEi3epTO7KMZprmr37mjpZSUToiV59Yhl1Gbo
+2pixkYJqi62DG02/gTpCjq9NH3cEMxcxjh4E7yCA8ggLG6+IN6woIvPIdOsnQ+Yj
+d3H4rMNBjPSKoL+bdHILkCnp5HokcbVjNY3QAyOAF4qWhk4GtgpTshwxUmb4Tbay
+tWLJC2bzjuUBxLkGzMVFfU3B96sVS4Fi0sBaEMBtHskl2f45X8LJhSq//Lw/2L/8
+34uP/RxDSn+DPvj/yqMpekdCcmeFSTX1A19xkPcc0rVhMRde4VL338R86vzh0gMI
+1LySDAhXZyVWzrQ5s3n6N3EvCaHCn3qu7ieyFJifCSR7gZqevCEznMQRVpkMTzUt
+rk13Z6NOOb4IlTW7HFoY3omJG8Z5jV4kMIE7n6nb0qpNYQiG+YvjenQ3VrMoISyh
+lpS2De8+oOtwrxBVX3+qKWvQqzufeE3416kw2Z+5mxH7bx25Ag0EaUU/CwEQALyZ
+b+kwLN1yHObTm2yDBEn5HbCT3H1GremvPNmbAaTnfrjUngoKa8MuWWzbX5ptgmZR
+UpYY/ylOYcgGydz58vUNrPlhIZT9UhmiifPgZLEXyd0uFpr/NsbRajHMkK10iEZf
+h5bHNobiB7pGCu4Uj9e1cMiIZ4yEaYeyXYUoNHf6ISP39mJhHy6ov5yIpm9q0wzm
+tGUQPupxGXmEZlOPr3lxqXQ3Ekdv6cWDY5r/oOq71QJ/HUQ13QUuGFIbhnMbT8zd
+zaS6f/v772YKsWPc4NNUhtlf25VnQ4FuUtjCe3p6iYP4OVD8gJm0GvXyvyTuiQbL
+CSk/378JiNT7nZzYXxrWchMwvEoMIU55+/UaBc50HI5xvDQ858CX7PYGiimcdsO1
+EkQzhVxRfjlILfWrC2lgt+H5qhTn4Fah250Xe1PnLjXGHVUQnY/f3MFeiWQgf92b
+02+MfvOeC5OKttP1z5lcx6RFWCIa1E/u8Nj7YrH9hk0ZBRAnBaeAncDFY8dfX2zX
+VMoc0dV16gM7RrZ6i7D3CG3eLLkQlX0jbW9dzTuG/3f098EWB1p8vOfS/RbNCBRX
+jqGiqacL/aFF3Ci3nQ4O5tSv1XipbgrUhvXnwm9pxrLPS/45iaO59WN4RRGWLLQ7
+LHmeBxoa9avv0SdBYUL+eBxY46GXb/j5VLzHYhSnABEBAAGJAjYEGAEIACAWIQTP
+v5aY3KjrKoD0it6gNaAw+gTtEwUCaUU/CwIbDAAKCRCgNaAw+gTtEyvsEACnyFFD
+alOZTrrJTXNnUejuiExLh+qTO3T91p5bte597jpwCZnYGwkxEfffsqqhlY6ftEOf
+d5tNWE5isai4v8XCbplWomz4KBpepxcn2b+9o5dSyr1vohEFuCJziZDsta1J2DX5
+IE9U48kTgLDfdIBhuOyHNRkvXRHP2OVLCaiw4d9q+hlrraR8pehHt2BJSxh+QZoe
+n0iHvIZCBIUA45zLEGmXFpNTGeEf2dKPp3xOkAXOhAMPptE0V1itkF3R7kEW4aFO
+SZo8L3C1aWSz/gQ4/vvW5t1IJxirNMUgTMQFvqEkAwX3fm6GCxlgRSvTTRXdcrS8
+6qyFdH1nkCNsavPahN3N2RGGIlWtODEMTO1Hjy0kZtTYdW+JH9sendliCoJES+yN
+DjM125SgdAgrqlSYm/g8n9knWpxZv1QM6jU/sVz1J+l6/ixugL2i+CAL2d6uv4tT
+QmXnu7Ei4/2kHBUu3Lf59MNgmLHm6F7AhOWErszSeoJKsp+3yA1oTT/npz67sRzY
+VVyxz4NBIollna59a1lz0RhlWzNKqNB27jhylyM4ltdzHB7r4VMAVJyttozmIIOC
+35ucYxl5BHLuapaRSaYHdUId1LOccYyaOOFF/PSyCu9dKzXk7zEz2HNcIboWSkAE
+8ZDExMYM4WVpVCOj+frdsaBvzItHacRWuijtkw==
+=JAXX
+-----END PGP PUBLIC KEY BLOCK-----
+```

docs/android/adb.md

@@ -16,6 +16,12 @@ Now you can try launching MVT with:
 mvt-android check-adb --output /path/to/results
 ```
 
+!!! warning
+    The `check-adb` command is deprecated and will be removed in a future release.
+    Whenever possible, prefer acquiring device data using the AndroidQF project (https://github.com/mvt-project/androidqf/) and then analyze those acquisitions with MVT.
+
+    Running `mvt-android check-adb` will also emit a runtime deprecation warning advising you to migrate to AndroidQF.
+
 If you have previously started an adb daemon MVT will alert you and require you to kill it with `adb kill-server` and relaunch the command.
 
 !!! warning
@@ -37,6 +43,14 @@ mvt-android check-adb --serial 192.168.1.20:5555 --output /path/to/results
 
 Where `192.168.1.20` is the correct IP address of your device.
 
+!!! warning
+    The `check-adb` workflow shown above is deprecated. If you can acquire an AndroidQF acquisition from the device (recommended), use the AndroidQF project to create that acquisition: https://github.com/mvt-project/androidqf/
+    
+    AndroidQF acquisitions provide a more stable, reproducible analysis surface and are the preferred workflow going forward.
+
 ## MVT modules requiring root privileges
 
+!!! warning
+    Deprecated: many `mvt-android check-adb` workflows are deprecated and will be removed in a future release. Whenever possible, prefer acquiring an AndroidQF acquisition using the AndroidQF project (https://github.com/mvt-project/androidqf/). 
+
 Of the currently available `mvt-android check-adb` modules a handful require root privileges to function correctly. This is because certain files, such as browser history and SMS messages databases are not accessible with user privileges through adb. These modules are to be considered OPTIONALLY available in case the device was already jailbroken. **Do NOT jailbreak your own device unless you are sure of what you are doing!** Jailbreaking your phone exposes it to considerable security risks!

pyproject.toml

@@ -17,21 +17,21 @@ classifiers = [
     "Programming Language :: Python",
 ]
 dependencies = [
-    "click==8.2.1",
+    "click==8.3.1",
     "rich==14.1.0",
     "tld==0.13.1",
-    "requests==2.32.4",
-    "simplejson==3.20.1",
+    "requests==2.32.5",
+    "simplejson==3.20.2",
     "packaging==25.0",
     "appdirs==1.4.4",
     "iOSbackup==0.9.925",
     "adb-shell[usb]==0.4.4",
     "libusb1==3.3.1",
-    "cryptography==45.0.6",
+    "cryptography==46.0.3",
     "PyYAML>=6.0.2",
     "pyahocorasick==2.2.0",
     "betterproto==1.2.5",
-    "pydantic==2.11.7",
+    "pydantic==2.12.3",
     "pydantic-settings==2.10.1",
     "NSKeyedUnArchiver==1.5.2",
     "python-dateutil==2.9.0.post0",
@@ -80,7 +80,7 @@ packages = "src"
 addopts = "-ra -q --cov=mvt --cov-report html --junitxml=pytest.xml --cov-report=term-missing:skip-covered"
 testpaths = ["tests"]
 
-[tool.ruff.lint]
+[tool.ruff]
 select = ["C90", "E", "F", "W"] # flake8 default set
 ignore = [
     "E501", # don't enforce line length violations
@@ -95,10 +95,10 @@ ignore = [
     # "E203",  # whitespace-before-punctuation
 ]
 
-[tool.ruff.lint.per-file-ignores]
+[tool.ruff.per-file-ignores]
 "__init__.py" = ["F401"] # unused-import
 
-[tool.ruff.lint.mccabe]
+[tool.ruff.mccabe]
 max-complexity = 10
 
 [tool.setuptools]

src/mvt/android/artifacts/mounts.py

@@ -0,0 +1,186 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from typing import Any
+
+from .artifact import AndroidArtifact
+
+SUSPICIOUS_MOUNT_POINTS = [
+    "/system",
+    "/vendor",
+    "/product",
+    "/system_ext",
+]
+
+SUSPICIOUS_OPTIONS = [
+    "rw",
+    "remount",
+    "noatime",
+    "nodiratime",
+]
+
+ALLOWLIST_NOATIME = [
+    "/system_dlkm",
+    "/system_ext",
+    "/product",
+    "/vendor",
+    "/vendor_dlkm",
+]
+
+
+class Mounts(AndroidArtifact):
+    """
+    This artifact parses mount information from /proc/mounts or similar mount data.
+    It can detect potentially suspicious mount configurations that may indicate
+    a rooted or compromised device.
+    """
+
+    def parse(self, entry: str) -> None:
+        """
+        Parse mount information from the provided entry.
+
+        Examples:
+        /dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0
+        /dev/block/dm-12 on / type ext4 (ro,seclabel,noatime)
+        """
+        self.results: list[dict[str, Any]] = []
+
+        for line in entry.splitlines():
+            line = line.strip()
+            if not line:
+                continue
+
+            device = None
+            mount_point = None
+            filesystem_type = None
+            mount_options = ""
+
+            if " on " in line and " type " in line:
+                try:
+                    # Format: device on mount_point type filesystem_type (options)
+                    device_part, rest = line.split(" on ", 1)
+                    device = device_part.strip()
+
+                    # Split by 'type' to get mount_point and filesystem info
+                    mount_part, fs_part = rest.split(" type ", 1)
+                    mount_point = mount_part.strip()
+
+                    # Parse filesystem and options
+                    if "(" in fs_part and fs_part.endswith(")"):
+                        # Format: filesystem_type (options)
+                        fs_and_opts = fs_part.strip()
+                        paren_idx = fs_and_opts.find("(")
+                        filesystem_type = fs_and_opts[:paren_idx].strip()
+                        mount_options = fs_and_opts[paren_idx + 1 : -1].strip()
+                    else:
+                        # No options in parentheses, just filesystem type
+                        filesystem_type = fs_part.strip()
+                        mount_options = ""
+
+                    # Skip if we don't have essential info
+                    if not device or not mount_point or not filesystem_type:
+                        continue
+
+                    # Parse options into list
+                    options_list = (
+                        [opt.strip() for opt in mount_options.split(",") if opt.strip()]
+                        if mount_options
+                        else []
+                    )
+
+                    # Check if it's a system partition
+                    is_system_partition = mount_point in SUSPICIOUS_MOUNT_POINTS or any(
+                        mount_point.startswith(sp) for sp in SUSPICIOUS_MOUNT_POINTS
+                    )
+
+                    # Check if it's mounted read-write
+                    is_read_write = "rw" in options_list
+
+                    mount_entry = {
+                        "device": device,
+                        "mount_point": mount_point,
+                        "filesystem_type": filesystem_type,
+                        "mount_options": mount_options,
+                        "options_list": options_list,
+                        "is_system_partition": is_system_partition,
+                        "is_read_write": is_read_write,
+                    }
+
+                    self.results.append(mount_entry)
+
+                except ValueError:
+                    # If parsing fails, skip this line
+                    continue
+            else:
+                # Skip lines that don't match expected format
+                continue
+
+    def check_indicators(self) -> None:
+        """
+        Check for suspicious mount configurations that may indicate root access
+        or other security concerns.
+        """
+        system_rw_mounts = []
+        suspicious_mounts = []
+
+        for mount in self.results:
+            mount_point = mount["mount_point"]
+            options = mount["options_list"]
+
+            # Check for system partitions mounted as read-write
+            if mount["is_system_partition"] and mount["is_read_write"]:
+                system_rw_mounts.append(mount)
+                if mount_point == "/system":
+                    self.log.warning(
+                        "Root detected /system partition is mounted as read-write (rw). "
+                    )
+                else:
+                    self.log.warning(
+                        "System partition %s is mounted as read-write (rw). This may indicate system modifications.",
+                        mount_point,
+                    )
+
+            # Check for other suspicious mount options
+            suspicious_opts = [opt for opt in options if opt in SUSPICIOUS_OPTIONS]
+            if suspicious_opts and mount["is_system_partition"]:
+                if (
+                    "noatime" in mount["mount_options"]
+                    and mount["mount_point"] in ALLOWLIST_NOATIME
+                ):
+                    continue
+                suspicious_mounts.append(mount)
+                self.log.warning(
+                    "Suspicious mount options found for %s: %s",
+                    mount_point,
+                    ", ".join(suspicious_opts),
+                )
+
+            # Log interesting mount information
+            if mount_point == "/data" or mount_point.startswith("/sdcard"):
+                self.log.info(
+                    "Data partition: %s mounted as %s with options: %s",
+                    mount_point,
+                    mount["filesystem_type"],
+                    mount["mount_options"],
+                )
+
+        self.log.info("Parsed %d mount entries", len(self.results))
+
+        # Check indicators if available
+        if not self.indicators:
+            return
+
+        for mount in self.results:
+            # Check if any mount points match indicators
+            ioc = self.indicators.check_file_path(mount.get("mount_point", ""))
+            if ioc:
+                mount["matched_indicator"] = ioc
+                self.detected.append(mount)
+
+            # Check device paths for indicators
+            ioc = self.indicators.check_file_path(mount.get("device", ""))
+            if ioc:
+                mount["matched_indicator"] = ioc
+                self.detected.append(mount)

src/mvt/android/artifacts/tombstone_crashes.py

@@ -70,7 +70,7 @@ class TombstoneCrashResult(pydantic.BaseModel):
 
 
 class TombstoneCrashArtifact(AndroidArtifact):
-    """ "
+    """
     Parser for Android tombstone crash files.
 
     This parser can parse both text and protobuf tombstone crash files.
@@ -121,9 +121,7 @@ class TombstoneCrashArtifact(AndroidArtifact):
     def parse_protobuf(
         self, file_name: str, file_timestamp: datetime.datetime, data: bytes
     ) -> None:
-        """
-        Parse Android tombstone crash files from a protobuf object.
-        """
+        """Parse Android tombstone crash files from a protobuf object."""
         tombstone_pb = Tombstone().parse(data)
         tombstone_dict = tombstone_pb.to_dict(
             betterproto.Casing.SNAKE, include_default_values=True
@@ -144,21 +142,23 @@ class TombstoneCrashArtifact(AndroidArtifact):
     def parse(
         self, file_name: str, file_timestamp: datetime.datetime, content: bytes
     ) -> None:
-        """
-        Parse text Android tombstone crash files.
-        """
-
-        # Split the tombstone file into a dictonary
+        """Parse text Android tombstone crash files."""
         tombstone_dict = {
             "file_name": file_name,
             "file_timestamp": convert_datetime_to_iso(file_timestamp),
         }
         lines = content.decode("utf-8").splitlines()
-        for line in lines:
+        for line_num, line in enumerate(lines, 1):
             if not line.strip() or TOMBSTONE_DELIMITER in line:
                 continue
-            for key, destination_key in TOMBSTONE_TEXT_KEY_MAPPINGS.items():
-                self._parse_tombstone_line(line, key, destination_key, tombstone_dict)
+            try:
+                for key, destination_key in TOMBSTONE_TEXT_KEY_MAPPINGS.items():
+                    if self._parse_tombstone_line(
+                        line, key, destination_key, tombstone_dict
+                    ):
+                        break
+            except Exception as e:
+                raise ValueError(f"Error parsing line {line_num}: {str(e)}")
 
         # Validate the tombstone and add it to the results
         tombstone = TombstoneCrashResult.model_validate(tombstone_dict)
@@ -168,7 +168,7 @@ class TombstoneCrashArtifact(AndroidArtifact):
         self, line: str, key: str, destination_key: str, tombstone: dict
     ) -> bool:
         if not line.startswith(f"{key}"):
-            return None
+            return False
 
         if key == "pid":
             return self._load_pid_line(line, tombstone)
@@ -200,51 +200,50 @@ class TombstoneCrashArtifact(AndroidArtifact):
         return True
 
     def _load_pid_line(self, line: str, tombstone: dict) -> bool:
-        pid_part, tid_part, name_part = [part.strip() for part in line.split(",")]
+        try:
+            parts = line.split(" >>> ") if " >>> " in line else line.split(">>>")
+            process_info = parts[0]
 
-        pid_key, pid_value = pid_part.split(":", 1)
-        if pid_key != "pid":
-            raise ValueError(f"Expected key pid, got {pid_key}")
-        pid_value = int(pid_value.strip())
+            # Parse pid, tid, name from process info
+            info_parts = [p.strip() for p in process_info.split(",")]
+            for info in info_parts:
+                key, value = info.split(":", 1)
+                key = key.strip()
+                value = value.strip()
 
-        tid_key, tid_value = tid_part.split(":", 1)
-        if tid_key != "tid":
-            raise ValueError(f"Expected key tid, got {tid_key}")
-        tid_value = int(tid_value.strip())
+                if key == "pid":
+                    tombstone["pid"] = int(value)
+                elif key == "tid":
+                    tombstone["tid"] = int(value)
+                elif key == "name":
+                    tombstone["process_name"] = value
 
-        name_key, name_value = name_part.split(":", 1)
-        if name_key != "name":
-            raise ValueError(f"Expected key name, got {name_key}")
-        name_value = name_value.strip()
-        process_name, binary_path = self._parse_process_name(name_value, tombstone)
+            # Extract binary path if it exists
+            if len(parts) > 1:
+                tombstone["binary_path"] = parts[1].strip().rstrip(" <")
 
-        tombstone["pid"] = pid_value
-        tombstone["tid"] = tid_value
-        tombstone["process_name"] = process_name
-        tombstone["binary_path"] = binary_path
-        return True
+            return True
 
-    def _parse_process_name(self, process_name_part, tombstone: dict) -> bool:
-        process_name, process_path = process_name_part.split(">>>")
-        process_name = process_name.strip()
-        binary_path = process_path.strip().split(" ")[0]
-        return process_name, binary_path
+        except Exception as e:
+            raise ValueError(f"Failed to parse PID line: {str(e)}")
 
     def _load_signal_line(self, line: str, tombstone: dict) -> bool:
-        signal, code, _ = [part.strip() for part in line.split(",", 2)]
-        signal = signal.split("signal ")[1]
-        signal_code, signal_name = signal.split(" ")
-        signal_name = signal_name.strip("()")
+        signal_part, code_part = map(str.strip, line.split(",")[:2])
 
-        code_part = code.split("code ")[1]
-        code_number, code_name = code_part.split(" ")
-        code_name = code_name.strip("()")
+        def parse_part(part: str, prefix: str) -> tuple[int, str]:
+            match = part.split(prefix)[1]
+            number = int(match.split()[0])
+            name = match.split("(")[1].split(")")[0] if "(" in match else "UNKNOWN"
+            return number, name
+
+        signal_number, signal_name = parse_part(signal_part, "signal ")
+        code_number, code_name = parse_part(code_part, "code ")
 
         tombstone["signal_info"] = {
-            "code": int(code_number),
+            "code": code_number,
             "code_name": code_name,
             "name": signal_name,
-            "number": int(signal_code),
+            "number": signal_number,
         }
         return True
 
@@ -256,7 +255,6 @@ class TombstoneCrashArtifact(AndroidArtifact):
     @staticmethod
     def _parse_timestamp_string(timestamp: str) -> str:
         timestamp_parsed = parser.parse(timestamp)
-
         # HACK: Swap the local timestamp to UTC, so keep the original time and avoid timezone conversion.
         local_timestamp = timestamp_parsed.replace(tzinfo=datetime.timezone.utc)
         return convert_datetime_to_iso(local_timestamp)

src/mvt/android/cli.py

@@ -9,28 +9,30 @@ import click
 
 from mvt.common.cmd_check_iocs import CmdCheckIOCS
 from mvt.common.help import (
-    HELP_MSG_VERSION,
-    HELP_MSG_OUTPUT,
-    HELP_MSG_SERIAL,
-    HELP_MSG_DOWNLOAD_APKS,
-    HELP_MSG_DOWNLOAD_ALL_APKS,
-    HELP_MSG_VIRUS_TOTAL,
+    HELP_MSG_ANDROID_BACKUP_PASSWORD,
     HELP_MSG_APK_OUTPUT,
     HELP_MSG_APKS_FROM_FILE,
-    HELP_MSG_VERBOSE,
     HELP_MSG_CHECK_ADB,
-    HELP_MSG_IOC,
+    HELP_MSG_CHECK_ANDROID_BACKUP,
+    HELP_MSG_CHECK_ANDROIDQF,
+    HELP_MSG_CHECK_BUGREPORT,
+    HELP_MSG_CHECK_IOCS,
+    HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK,
+    HELP_MSG_DISABLE_UPDATE_CHECK,
+    HELP_MSG_DOWNLOAD_ALL_APKS,
+    HELP_MSG_DOWNLOAD_APKS,
     HELP_MSG_FAST,
+    HELP_MSG_HASHES,
+    HELP_MSG_IOC,
     HELP_MSG_LIST_MODULES,
     HELP_MSG_MODULE,
     HELP_MSG_NONINTERACTIVE,
-    HELP_MSG_ANDROID_BACKUP_PASSWORD,
-    HELP_MSG_CHECK_BUGREPORT,
-    HELP_MSG_CHECK_ANDROID_BACKUP,
-    HELP_MSG_CHECK_ANDROIDQF,
-    HELP_MSG_HASHES,
-    HELP_MSG_CHECK_IOCS,
+    HELP_MSG_OUTPUT,
+    HELP_MSG_SERIAL,
     HELP_MSG_STIX2,
+    HELP_MSG_VERBOSE,
+    HELP_MSG_VERSION,
+    HELP_MSG_VIRUS_TOTAL,
 )
 from mvt.common.logo import logo
 from mvt.common.updates import IndicatorsUpdates
@@ -53,12 +55,37 @@ log = logging.getLogger("mvt")
 CONTEXT_SETTINGS = dict(help_option_names=["-h", "--help"])
 
 
+def _get_disable_flags(ctx):
+    """Helper function to safely get disable flags from context."""
+    if ctx.obj is None:
+        return False, False
+    return (
+        ctx.obj.get("disable_version_check", False),
+        ctx.obj.get("disable_indicator_check", False),
+    )
+
+
 # ==============================================================================
 # Main
 # ==============================================================================
 @click.group(invoke_without_command=False)
-def cli():
-    logo()
+@click.option(
+    "--disable-update-check", is_flag=True, help=HELP_MSG_DISABLE_UPDATE_CHECK
+)
+@click.option(
+    "--disable-indicator-update-check",
+    is_flag=True,
+    help=HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK,
+)
+@click.pass_context
+def cli(ctx, disable_update_check, disable_indicator_update_check):
+    ctx.ensure_object(dict)
+    ctx.obj["disable_version_check"] = disable_update_check
+    ctx.obj["disable_indicator_check"] = disable_indicator_update_check
+    logo(
+        disable_version_check=disable_update_check,
+        disable_indicator_check=disable_indicator_update_check,
+    )
 
 
 # ==============================================================================
@@ -166,12 +193,19 @@ def check_adb(
         module_name=module,
         serial=serial,
         module_options=module_options,
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
         cmd.list_modules()
         return
 
+    log.warning(
+        "DEPRECATION: The 'check-adb' command is deprecated and may be removed in a future release. "
+        "Prefer acquiring device data using the AndroidQF project (https://github.com/mvt-project/androidqf/) and analyzing that acquisition with MVT."
+    )
+
     log.info("Checking Android device over debug bridge")
 
     cmd.run()
@@ -212,6 +246,8 @@ def check_bugreport(ctx, iocs, output, list_modules, module, verbose, bugreport_
         ioc_files=iocs,
         module_name=module,
         hashes=True,
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
@@ -274,6 +310,8 @@ def check_backup(
             "interactive": not non_interactive,
             "backup_password": cli_load_android_backup_password(log, backup_password),
         },
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
@@ -338,6 +376,8 @@ def check_androidqf(
             "interactive": not non_interactive,
             "backup_password": cli_load_android_backup_password(log, backup_password),
         },
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
@@ -372,7 +412,13 @@ def check_androidqf(
 @click.argument("FOLDER", type=click.Path(exists=True))
 @click.pass_context
 def check_iocs(ctx, iocs, list_modules, module, folder):
-    cmd = CmdCheckIOCS(target_path=folder, ioc_files=iocs, module_name=module)
+    cmd = CmdCheckIOCS(
+        target_path=folder,
+        ioc_files=iocs,
+        module_name=module,
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
+    )
     cmd.modules = BACKUP_MODULES + ADB_MODULES + BUGREPORT_MODULES
 
     if list_modules:

src/mvt/android/cmd_check_adb.py

@@ -7,6 +7,7 @@ import logging
 from typing import Optional
 
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.adb import ADB_MODULES
 
@@ -19,18 +20,28 @@ class CmdAndroidCheckADB(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
+            hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-adb"

src/mvt/android/cmd_check_androidqf.py

@@ -9,59 +9,186 @@ import zipfile
 from pathlib import Path
 from typing import List, Optional
 
+from mvt.android.cmd_check_backup import CmdAndroidCheckBackup
+from mvt.android.cmd_check_bugreport import CmdAndroidCheckBugreport
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.androidqf import ANDROIDQF_MODULES
+from .modules.androidqf.base import AndroidQFModule
 
 log = logging.getLogger(__name__)
 
 
+class NoAndroidQFTargetPath(Exception):
+    pass
+
+
+class NoAndroidQFBugReport(Exception):
+    pass
+
+
+class NoAndroidQFBackup(Exception):
+    pass
+
+
 class CmdAndroidCheckAndroidQF(Command):
     def __init__(
         self,
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-androidqf"
         self.modules = ANDROIDQF_MODULES
 
-        self.format: Optional[str] = None
-        self.archive: Optional[zipfile.ZipFile] = None
-        self.files: List[str] = []
+        self.__format: Optional[str] = None
+        self.__zip: Optional[zipfile.ZipFile] = None
+        self.__files: List[str] = []
 
     def init(self):
         if os.path.isdir(self.target_path):
-            self.format = "dir"
+            self.__format = "dir"
             parent_path = Path(self.target_path).absolute().parent.as_posix()
             target_abs_path = os.path.abspath(self.target_path)
             for root, subdirs, subfiles in os.walk(target_abs_path):
                 for fname in subfiles:
                     file_path = os.path.relpath(os.path.join(root, fname), parent_path)
-                    self.files.append(file_path)
+                    self.__files.append(file_path)
         elif os.path.isfile(self.target_path):
-            self.format = "zip"
-            self.archive = zipfile.ZipFile(self.target_path)
-            self.files = self.archive.namelist()
+            self.__format = "zip"
+            self.__zip = zipfile.ZipFile(self.target_path)
+            self.__files = self.__zip.namelist()
 
-    def module_init(self, module):
-        if self.format == "zip":
-            module.from_zip_file(self.archive, self.files)
+    def module_init(self, module: AndroidQFModule) -> None:  # type: ignore[override]
+        if self.__format == "zip" and self.__zip:
+            module.from_zip(self.__zip, self.__files)
+            return
+
+        if not self.target_path:
+            raise NoAndroidQFTargetPath
+
+        parent_path = Path(self.target_path).absolute().parent.as_posix()
+        module.from_dir(parent_path, self.__files)
+
+    def load_bugreport(self) -> zipfile.ZipFile:
+        bugreport_zip_path = None
+        for file_name in self.__files:
+            if file_name.endswith("bugreport.zip"):
+                bugreport_zip_path = file_name
+                break
         else:
+            raise NoAndroidQFBugReport
+
+        if self.__format == "zip" and self.__zip:
+            handle = self.__zip.open(bugreport_zip_path)
+            return zipfile.ZipFile(handle)
+
+        if self.__format == "dir" and self.target_path:
             parent_path = Path(self.target_path).absolute().parent.as_posix()
-            module.from_folder(parent_path, self.files)
+            bug_report_path = os.path.join(parent_path, bugreport_zip_path)
+            return zipfile.ZipFile(bug_report_path)
+
+        raise NoAndroidQFBugReport
+
+    def load_backup(self) -> bytes:
+        backup_ab_path = None
+        for file_name in self.__files:
+            if file_name.endswith("backup.ab"):
+                backup_ab_path = file_name
+                break
+        else:
+            raise NoAndroidQFBackup
+
+        if self.__format == "zip" and self.__zip:
+            backup_file_handle = self.__zip.open(backup_ab_path)
+            return backup_file_handle.read()
+
+        if self.__format == "dir" and self.target_path:
+            parent_path = Path(self.target_path).absolute().parent.as_posix()
+            backup_path = os.path.join(parent_path, backup_ab_path)
+            with open(backup_path, "rb") as backup_file:
+                backup_ab_data = backup_file.read()
+            return backup_ab_data
+
+        raise NoAndroidQFBackup
+
+    def run_bugreport_cmd(self) -> bool:
+        try:
+            bugreport = self.load_bugreport()
+        except NoAndroidQFBugReport:
+            self.log.warning(
+                "Skipping bugreport modules as no bugreport.zip found in AndroidQF data."
+            )
+            return False
+        else:
+            cmd = CmdAndroidCheckBugreport(
+                target_path=None,
+                results_path=self.results_path,
+                ioc_files=self.ioc_files,
+                iocs=self.iocs,
+                module_options=self.module_options,
+                hashes=self.hashes,
+                sub_command=True,
+            )
+            cmd.from_zip(bugreport)
+            cmd.run()
+
+            self.detected_count += cmd.detected_count
+            self.timeline.extend(cmd.timeline)
+            self.timeline_detected.extend(cmd.timeline_detected)
+
+    def run_backup_cmd(self) -> bool:
+        try:
+            backup = self.load_backup()
+        except NoAndroidQFBackup:
+            self.log.warning(
+                "Skipping backup modules as no backup.ab found in AndroidQF data."
+            )
+            return False
+        else:
+            cmd = CmdAndroidCheckBackup(
+                target_path=None,
+                results_path=self.results_path,
+                ioc_files=self.ioc_files,
+                iocs=self.iocs,
+                module_options=self.module_options,
+                hashes=self.hashes,
+                sub_command=True,
+            )
+            cmd.from_ab(backup)
+            cmd.run()
+
+            self.detected_count += cmd.detected_count
+            self.timeline.extend(cmd.timeline)
+            self.timeline_detected.extend(cmd.timeline_detected)
+
+    def finish(self) -> None:
+        """
+        Run the bugreport and backup modules if the respective files are found in the AndroidQF data.
+        """
+        self.run_bugreport_cmd()
+        self.run_backup_cmd()

src/mvt/android/cmd_check_backup.py

@@ -20,6 +20,7 @@ from mvt.android.parsers.backup import (
     parse_backup_file,
 )
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.backup import BACKUP_MODULES
 
@@ -32,20 +33,28 @@ class CmdAndroidCheckBackup(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-backup"
@@ -55,6 +64,34 @@ class CmdAndroidCheckBackup(Command):
         self.backup_archive: Optional[tarfile.TarFile] = None
         self.backup_files: List[str] = []
 
+    def from_ab(self, ab_file_bytes: bytes) -> None:
+        self.backup_type = "ab"
+        header = parse_ab_header(ab_file_bytes)
+        if not header["backup"]:
+            log.critical("Invalid backup format, file should be in .ab format")
+            sys.exit(1)
+
+        password = None
+        if header["encryption"] != "none":
+            password = prompt_or_load_android_backup_password(log, self.module_options)
+            if not password:
+                log.critical("No backup password provided.")
+                sys.exit(1)
+        try:
+            tardata = parse_backup_file(ab_file_bytes, password=password)
+        except InvalidBackupPassword:
+            log.critical("Invalid backup password")
+            sys.exit(1)
+        except AndroidBackupParsingError as exc:
+            log.critical("Impossible to parse this backup file: %s", exc)
+            log.critical("Please use Android Backup Extractor (ABE) instead")
+            sys.exit(1)
+
+        dbytes = io.BytesIO(tardata)
+        self.backup_archive = tarfile.open(fileobj=dbytes)
+        for member in self.backup_archive:
+            self.backup_files.append(member.name)
+
     def init(self) -> None:
         if not self.target_path:
             return
@@ -62,35 +99,8 @@ class CmdAndroidCheckBackup(Command):
         if os.path.isfile(self.target_path):
             self.backup_type = "ab"
             with open(self.target_path, "rb") as handle:
-                data = handle.read()
-
-            header = parse_ab_header(data)
-            if not header["backup"]:
-                log.critical("Invalid backup format, file should be in .ab format")
-                sys.exit(1)
-
-            password = None
-            if header["encryption"] != "none":
-                password = prompt_or_load_android_backup_password(
-                    log, self.module_options
-                )
-                if not password:
-                    log.critical("No backup password provided.")
-                    sys.exit(1)
-            try:
-                tardata = parse_backup_file(data, password=password)
-            except InvalidBackupPassword:
-                log.critical("Invalid backup password")
-                sys.exit(1)
-            except AndroidBackupParsingError as exc:
-                log.critical("Impossible to parse this backup file: %s", exc)
-                log.critical("Please use Android Backup Extractor (ABE) instead")
-                sys.exit(1)
-
-            dbytes = io.BytesIO(tardata)
-            self.backup_archive = tarfile.open(fileobj=dbytes)
-            for member in self.backup_archive:
-                self.backup_files.append(member.name)
+                ab_file_bytes = handle.read()
+            self.from_ab(ab_file_bytes)
 
         elif os.path.isdir(self.target_path):
             self.backup_type = "folder"
@@ -109,6 +119,6 @@ class CmdAndroidCheckBackup(Command):
 
     def module_init(self, module: BackupExtraction) -> None:  # type: ignore[override]
         if self.backup_type == "folder":
-            module.from_folder(self.target_path, self.backup_files)
+            module.from_dir(self.target_path, self.backup_files)
         else:
             module.from_ab(self.target_path, self.backup_archive, self.backup_files)

src/mvt/android/cmd_check_bugreport.py

@@ -11,6 +11,7 @@ from zipfile import ZipFile
 
 from mvt.android.modules.bugreport.base import BugReportModule
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.bugreport import BUGREPORT_MODULES
 
@@ -23,54 +24,80 @@ class CmdAndroidCheckBugreport(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-bugreport"
         self.modules = BUGREPORT_MODULES
 
-        self.bugreport_format: str = ""
-        self.bugreport_archive: Optional[ZipFile] = None
-        self.bugreport_files: List[str] = []
+        self.__format: str = ""
+        self.__zip: Optional[ZipFile] = None
+        self.__files: List[str] = []
+
+    def from_dir(self, dir_path: str) -> None:
+        """This method is used to initialize the bug report analysis from an
+        uncompressed directory.
+        """
+        self.__format = "dir"
+        self.target_path = dir_path
+        parent_path = Path(dir_path).absolute().as_posix()
+        for root, _, subfiles in os.walk(os.path.abspath(dir_path)):
+            for file_name in subfiles:
+                file_path = os.path.relpath(os.path.join(root, file_name), parent_path)
+                self.__files.append(file_path)
+
+    def from_zip(self, bugreport_zip: ZipFile) -> None:
+        """This method is used to initialize the bug report analysis from a
+        compressed archive.
+        """
+        # NOTE: This will be invoked either by the CLI directly,or by the
+        # check-androidqf command. We need this because we want to support
+        # check-androidqf to analyse compressed archives itself too.
+        # So, we'll need to extract bugreport.zip from a 'androidqf.zip', and
+        # since nothing is written on disk, we need to be able to pass this
+        # command a ZipFile instance in memory.
+
+        self.__format = "zip"
+        self.__zip = bugreport_zip
+        for file_name in self.__zip.namelist():
+            self.__files.append(file_name)
 
     def init(self) -> None:
         if not self.target_path:
             return
 
         if os.path.isfile(self.target_path):
-            self.bugreport_format = "zip"
-            self.bugreport_archive = ZipFile(self.target_path)
-            for file_name in self.bugreport_archive.namelist():
-                self.bugreport_files.append(file_name)
+            self.from_zip(ZipFile(self.target_path))
         elif os.path.isdir(self.target_path):
-            self.bugreport_format = "dir"
-            parent_path = Path(self.target_path).absolute().as_posix()
-            for root, _, subfiles in os.walk(os.path.abspath(self.target_path)):
-                for file_name in subfiles:
-                    file_path = os.path.relpath(
-                        os.path.join(root, file_name), parent_path
-                    )
-                    self.bugreport_files.append(file_path)
+            self.from_dir(self.target_path)
 
     def module_init(self, module: BugReportModule) -> None:  # type: ignore[override]
-        if self.bugreport_format == "zip":
-            module.from_zip(self.bugreport_archive, self.bugreport_files)
+        if self.__format == "zip":
+            module.from_zip(self.__zip, self.__files)
         else:
-            module.from_folder(self.target_path, self.bugreport_files)
+            module.from_dir(self.target_path, self.__files)
 
     def finish(self) -> None:
-        if self.bugreport_archive:
-            self.bugreport_archive.close()
+        if self.__zip:
+            self.__zip.close()

src/mvt/android/modules/adb/__init__.py

@@ -4,15 +4,7 @@
 #   https://license.mvt.re/1.1/
 
 from .chrome_history import ChromeHistory
-from .dumpsys_accessibility import DumpsysAccessibility
-from .dumpsys_activities import DumpsysActivities
-from .dumpsys_appops import DumpsysAppOps
-from .dumpsys_battery_daily import DumpsysBatteryDaily
-from .dumpsys_battery_history import DumpsysBatteryHistory
-from .dumpsys_dbinfo import DumpsysDBInfo
-from .dumpsys_adbstate import DumpsysADBState
 from .dumpsys_full import DumpsysFull
-from .dumpsys_receivers import DumpsysReceivers
 from .files import Files
 from .getprop import Getprop
 from .logcat import Logcat
@@ -32,15 +24,7 @@ ADB_MODULES = [
     Getprop,
     Settings,
     SELinuxStatus,
-    DumpsysBatteryHistory,
-    DumpsysBatteryDaily,
-    DumpsysReceivers,
-    DumpsysActivities,
-    DumpsysAccessibility,
-    DumpsysDBInfo,
-    DumpsysADBState,
     DumpsysFull,
-    DumpsysAppOps,
     Packages,
     Logcat,
     RootBinaries,

src/mvt/android/modules/adb/dumpsys_accessibility.py

@@ -1,49 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysAccessibility(DumpsysAccessibilityArtifact, AndroidExtraction):
-    """This module extracts stats on accessibility."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys accessibility")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        for result in self.results:
-            self.log.info(
-                'Found installed accessibility service "%s"', result.get("service")
-            )
-
-        self.log.info(
-            "Identified a total of %d accessibility services", len(self.results)
-        )

src/mvt/android/modules/adb/dumpsys_activities.py

@@ -1,45 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_package_activities import (
-    DumpsysPackageActivitiesArtifact,
-)
-
-from .base import AndroidExtraction
-
-
-class DumpsysActivities(DumpsysPackageActivitiesArtifact, AndroidExtraction):
-    """This module extracts details on receivers for risky activities."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else []
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys package")
-        self._adb_disconnect()
-        self.parse(output)
-
-        self.log.info("Extracted %d package activities", len(self.results))

src/mvt/android/modules/adb/dumpsys_adbstate.py

@@ -1,45 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_adb import DumpsysADBArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysADBState(DumpsysADBArtifact, AndroidExtraction):
-    """This module extracts ADB keystore state."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys adb", decode=False)
-        self._adb_disconnect()
-
-        self.parse(output)
-        if self.results:
-            self.log.info(
-                "Identified a total of %d trusted ADB keys",
-                len(self.results[0].get("user_keys", [])),
-            )

src/mvt/android/modules/adb/dumpsys_appops.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysAppOps(DumpsysAppopsArtifact, AndroidExtraction):
-    """This module extracts records from App-op Manager."""
-
-    slug = "dumpsys_appops"
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys appops")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info(
-            "Extracted a total of %d records from app-ops manager", len(self.results)
-        )

src/mvt/android/modules/adb/dumpsys_battery_daily.py

@@ -1,44 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysBatteryDaily(DumpsysBatteryDailyArtifact, AndroidExtraction):
-    """This module extracts records from battery daily updates."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys batterystats --daily")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info(
-            "Extracted %d records from battery daily stats", len(self.results)
-        )

src/mvt/android/modules/adb/dumpsys_battery_history.py

@@ -1,42 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysBatteryHistory(DumpsysBatteryHistoryArtifact, AndroidExtraction):
-    """This module extracts records from battery history events."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys batterystats --history")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info("Extracted %d records from battery history", len(self.results))

src/mvt/android/modules/adb/dumpsys_dbinfo.py

@@ -1,47 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysDBInfo(DumpsysDBInfoArtifact, AndroidExtraction):
-    """This module extracts records from battery daily updates."""
-
-    slug = "dumpsys_dbinfo"
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys dbinfo")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info(
-            "Extracted a total of %d records from database information",
-            len(self.results),
-        )

src/mvt/android/modules/adb/dumpsys_receivers.py

@@ -1,44 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysReceivers(DumpsysReceiversArtifact, AndroidExtraction):
-    """This module extracts details on receivers for risky activities."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else {}
-
-    def run(self) -> None:
-        self._adb_connect()
-
-        output = self._adb_command("dumpsys package")
-        self.parse(output)
-
-        self._adb_disconnect()
-        self.log.info("Extracted receivers for %d intents", len(self.results))

src/mvt/android/modules/androidqf/__init__.py

@@ -3,38 +3,22 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-from .dumpsys_accessibility import DumpsysAccessibility
-from .dumpsys_activities import DumpsysActivities
-from .dumpsys_appops import DumpsysAppops
-from .dumpsys_battery_daily import DumpsysBatteryDaily
-from .dumpsys_battery_history import DumpsysBatteryHistory
-from .dumpsys_dbinfo import DumpsysDBInfo
-from .dumpsys_packages import DumpsysPackages
-from .dumpsys_receivers import DumpsysReceivers
-from .dumpsys_adb import DumpsysADBState
-from .getprop import Getprop
-from .packages import Packages
-from .dumpsys_platform_compat import DumpsysPlatformCompat
-from .processes import Processes
-from .settings import Settings
+from .aqf_files import AQFFiles
+from .aqf_getprop import AQFGetProp
+from .aqf_packages import AQFPackages
+from .aqf_processes import AQFProcesses
+from .aqf_settings import AQFSettings
+from .mounts import Mounts
+from .root_binaries import RootBinaries
 from .sms import SMS
-from .files import Files
 
 ANDROIDQF_MODULES = [
-    DumpsysActivities,
-    DumpsysReceivers,
-    DumpsysAccessibility,
-    DumpsysAppops,
-    DumpsysDBInfo,
-    DumpsysBatteryDaily,
-    DumpsysBatteryHistory,
-    DumpsysADBState,
-    Packages,
-    DumpsysPlatformCompat,
-    Processes,
-    Getprop,
-    Settings,
+    AQFPackages,
+    AQFProcesses,
+    AQFGetProp,
+    AQFSettings,
+    AQFFiles,
     SMS,
-    DumpsysPackages,
-    Files,
+    RootBinaries,
+    Mounts,
 ]

src/mvt/android/modules/androidqf/aqf_files.py

@@ -21,8 +21,13 @@ SUSPICIOUS_PATHS = [
 ]
 
 
-class Files(AndroidQFModule):
-    """This module analyse list of files"""
+class AQFFiles(AndroidQFModule):
+    """
+    This module analyzes the files.json dump generated by AndroidQF.
+
+    The format needs to be kept in sync with the AndroidQF module code.
+    https://github.com/mvt-project/androidqf/blob/main/android-collector/cmd/find.go#L28
+    """
 
     def __init__(
         self,

src/mvt/android/modules/androidqf/aqf_getprop.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.getprop import GetProp as GetPropArtifact
 from .base import AndroidQFModule
 
 
-class Getprop(GetPropArtifact, AndroidQFModule):
+class AQFGetProp(GetPropArtifact, AndroidQFModule):
     """This module extracts data from get properties."""
 
     def __init__(

src/mvt/android/modules/androidqf/aqf_log_timestamps.py

@@ -13,10 +13,10 @@ from .base import AndroidQFModule
 from mvt.android.artifacts.file_timestamps import FileTimestampsArtifact
 
 
-class LogsFileTimestamps(FileTimestampsArtifact, AndroidQFModule):
-    """This module extracts records from battery daily updates."""
+class AQFLogTimestamps(FileTimestampsArtifact, AndroidQFModule):
+    """This module creates timeline for log files extracted by AQF."""
 
-    slug = "logfile_timestamps"
+    slug = "aqf_log_timestamps"
 
     def __init__(
         self,

src/mvt/android/modules/androidqf/aqf_packages.py

@@ -19,7 +19,7 @@ from mvt.android.utils import (
 from .base import AndroidQFModule
 
 
-class Packages(AndroidQFModule):
+class AQFPackages(AndroidQFModule):
     """This module examines the installed packages in packages.json"""
 
     def __init__(

src/mvt/android/modules/androidqf/aqf_processes.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.processes import Processes as ProcessesArtifact
 from .base import AndroidQFModule
 
 
-class Processes(ProcessesArtifact, AndroidQFModule):
+class AQFProcesses(ProcessesArtifact, AndroidQFModule):
     """This module analyse running processes"""
 
     def __init__(

src/mvt/android/modules/androidqf/aqf_settings.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.settings import Settings as SettingsArtifact
 from .base import AndroidQFModule
 
 
-class Settings(SettingsArtifact, AndroidQFModule):
+class AQFSettings(SettingsArtifact, AndroidQFModule):
     """This module analyse setting files"""
 
     def __init__(

src/mvt/android/modules/androidqf/base.py

@@ -37,11 +37,11 @@ class AndroidQFModule(MVTModule):
         self.files: List[str] = []
         self.archive: Optional[zipfile.ZipFile] = None
 
-    def from_folder(self, parent_path: str, files: List[str]):
+    def from_dir(self, parent_path: str, files: List[str]) -> None:
         self.parent_path = parent_path
         self.files = files
 
-    def from_zip_file(self, archive: zipfile.ZipFile, files: List[str]):
+    def from_zip(self, archive: zipfile.ZipFile, files: List[str]) -> None:
         self.archive = archive
         self.files = files
 

src/mvt/android/modules/androidqf/dumpsys_accessibility.py

@@ -1,51 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysAccessibility(DumpsysAccessibilityArtifact, AndroidQFModule):
-    """This module analyses dumpsys accessibility"""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
-        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE accessibility:")
-        self.parse(content)
-
-        for result in self.results:
-            self.log.info(
-                'Found installed accessibility service "%s"', result.get("service")
-            )
-
-        self.log.info(
-            "Identified a total of %d accessibility services", len(self.results)
-        )

src/mvt/android/modules/androidqf/dumpsys_activities.py

@@ -1,50 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_package_activities import (
-    DumpsysPackageActivitiesArtifact,
-)
-
-from .base import AndroidQFModule
-
-
-class DumpsysActivities(DumpsysPackageActivitiesArtifact, AndroidQFModule):
-    """This module extracts details on receivers for risky activities."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else []
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Get data and extract the dumpsys section
-        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
-        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE package:")
-        # Parse it
-        self.parse(content)
-
-        self.log.info("Extracted %d package activities", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_adb.py

@@ -1,51 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_adb import DumpsysADBArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysADBState(DumpsysADBArtifact, AndroidQFModule):
-    """This module extracts ADB keystore state."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        full_dumpsys = self._get_file_content(dumpsys_file[0])
-        content = self.extract_dumpsys_section(
-            full_dumpsys,
-            b"DUMP OF SERVICE adb:",
-            binary=True,
-        )
-        self.parse(content)
-        if self.results:
-            self.log.info(
-                "Identified a total of %d trusted ADB keys",
-                len(self.results[0].get("user_keys", [])),
-            )

src/mvt/android/modules/androidqf/dumpsys_appops.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysAppops(DumpsysAppopsArtifact, AndroidQFModule):
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Extract section
-        data = self._get_file_content(dumpsys_file[0])
-        section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE appops:"
-        )
-
-        # Parse it
-        self.parse(section)
-        self.log.info("Identified %d applications in AppOps Manager", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_battery_daily.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysBatteryDaily(DumpsysBatteryDailyArtifact, AndroidQFModule):
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Extract section
-        data = self._get_file_content(dumpsys_file[0])
-        section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE batterystats:"
-        )
-
-        # Parse it
-        self.parse(section)
-        self.log.info("Extracted a total of %d battery daily stats", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_battery_history.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysBatteryHistory(DumpsysBatteryHistoryArtifact, AndroidQFModule):
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Extract section
-        data = self._get_file_content(dumpsys_file[0])
-        section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE batterystats:"
-        )
-
-        # Parse it
-        self.parse(section)
-        self.log.info("Extracted a total of %d battery daily stats", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_dbinfo.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysDBInfo(DumpsysDBInfoArtifact, AndroidQFModule):
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Extract dumpsys DBInfo section
-        data = self._get_file_content(dumpsys_file[0])
-        section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE dbinfo:"
-        )
-
-        # Parse it
-        self.parse(section)
-        self.log.info("Identified %d DB Info entries", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_packages.py

@@ -1,62 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Any, Dict, List, Optional
-
-from mvt.android.artifacts.dumpsys_packages import DumpsysPackagesArtifact
-from mvt.android.modules.adb.packages import (
-    DANGEROUS_PERMISSIONS,
-    DANGEROUS_PERMISSIONS_THRESHOLD,
-)
-
-from .base import AndroidQFModule
-
-
-class DumpsysPackages(DumpsysPackagesArtifact, AndroidQFModule):
-    """This module analyse dumpsys packages"""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[List[Dict[str, Any]]] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if len(dumpsys_file) != 1:
-            self.log.info("Dumpsys file not found")
-            return
-
-        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
-        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE package:")
-        self.parse(content)
-
-        for result in self.results:
-            dangerous_permissions_count = 0
-            for perm in result["permissions"]:
-                if perm["name"] in DANGEROUS_PERMISSIONS:
-                    dangerous_permissions_count += 1
-
-            if dangerous_permissions_count >= DANGEROUS_PERMISSIONS_THRESHOLD:
-                self.log.info(
-                    'Found package "%s" requested %d potentially dangerous permissions',
-                    result["package_name"],
-                    dangerous_permissions_count,
-                )
-
-        self.log.info("Extracted details on %d packages", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_platform_compat.py

@@ -1,44 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_platform_compat import DumpsysPlatformCompatArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysPlatformCompat(DumpsysPlatformCompatArtifact, AndroidQFModule):
-    """This module extracts details on uninstalled apps."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
-        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE platform_compat:")
-        self.parse(content)
-
-        self.log.info("Found %d uninstalled apps", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_receivers.py

@@ -1,49 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Any, Dict, List, Optional, Union
-
-from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysReceivers(DumpsysReceiversArtifact, AndroidQFModule):
-    """This module analyse dumpsys receivers"""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Union[List[Any], Dict[str, Any], None] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else {}
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-        data = self._get_file_content(dumpsys_file[0])
-
-        dumpsys_section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE package:"
-        )
-
-        self.parse(dumpsys_section)
-
-        self.log.info("Extracted receivers for %d intents", len(self.results))

src/mvt/android/modules/androidqf/mounts.py

@@ -0,0 +1,74 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+import json
+from typing import Optional
+
+from mvt.android.artifacts.mounts import Mounts as MountsArtifact
+
+from .base import AndroidQFModule
+
+
+class Mounts(MountsArtifact, AndroidQFModule):
+    """This module extracts and analyzes mount information from AndroidQF acquisitions."""
+
+    def __init__(
+        self,
+        file_path: Optional[str] = None,
+        target_path: Optional[str] = None,
+        results_path: Optional[str] = None,
+        module_options: Optional[dict] = None,
+        log: logging.Logger = logging.getLogger(__name__),
+        results: Optional[list] = None,
+    ) -> None:
+        super().__init__(
+            file_path=file_path,
+            target_path=target_path,
+            results_path=results_path,
+            module_options=module_options,
+            log=log,
+            results=results,
+        )
+        self.results = []
+
+    def run(self) -> None:
+        """
+        Run the mounts analysis module.
+
+        This module looks for mount information files collected by androidqf
+        and analyzes them for suspicious configurations, particularly focusing
+        on detecting root access indicators like /system mounted as read-write.
+        """
+        mount_files = self._get_files_by_pattern("*/mounts.json")
+
+        if not mount_files:
+            self.log.info("No mount information file found")
+            return
+
+        self.log.info("Found mount information file: %s", mount_files[0])
+
+        try:
+            data = self._get_file_content(mount_files[0]).decode(
+                "utf-8", errors="replace"
+            )
+        except Exception as exc:
+            self.log.error("Failed to read mount information file: %s", exc)
+            return
+
+        # Parse the mount data
+        try:
+            json_data = json.loads(data)
+
+            if isinstance(json_data, list):
+                # AndroidQF format: array of strings like
+                # "/dev/block/dm-12 on / type ext4 (ro,seclabel,noatime)"
+                mount_content = "\n".join(json_data)
+            self.parse(mount_content)
+        except Exception as exc:
+            self.log.error("Failed to parse mount information: %s", exc)
+            return
+
+        self.log.info("Extracted a total of %d mount entries", len(self.results))

src/mvt/android/modules/androidqf/root_binaries.py

@@ -0,0 +1,121 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import json
+import logging
+from typing import Optional
+
+from .base import AndroidQFModule
+
+
+class RootBinaries(AndroidQFModule):
+    """This module analyzes root_binaries.json for root binaries found by androidqf."""
+
+    def __init__(
+        self,
+        file_path: Optional[str] = None,
+        target_path: Optional[str] = None,
+        results_path: Optional[str] = None,
+        module_options: Optional[dict] = None,
+        log: logging.Logger = logging.getLogger(__name__),
+        results: Optional[list] = None,
+    ) -> None:
+        super().__init__(
+            file_path=file_path,
+            target_path=target_path,
+            results_path=results_path,
+            module_options=module_options,
+            log=log,
+            results=results,
+        )
+
+    def serialize(self, record: dict) -> dict:
+        return {
+            "timestamp": record.get("timestamp"),
+            "module": self.__class__.__name__,
+            "event": "root_binary_found",
+            "data": f"Root binary found: {record['path']} (binary: {record['binary_name']})",
+        }
+
+    def check_indicators(self) -> None:
+        """Check for indicators of device rooting."""
+        if not self.results:
+            return
+
+        # All found root binaries are considered indicators of rooting
+        for result in self.results:
+            self.log.warning(
+                'Found root binary "%s" at path "%s"',
+                result["binary_name"],
+                result["path"],
+            )
+            self.detected.append(result)
+
+        if self.detected:
+            self.log.warning(
+                "Device shows signs of rooting with %d root binaries found",
+                len(self.detected),
+            )
+
+    def run(self) -> None:
+        """Run the root binaries analysis."""
+        root_binaries_files = self._get_files_by_pattern("*/root_binaries.json")
+
+        if not root_binaries_files:
+            self.log.info("No root_binaries.json file found")
+            return
+
+        rawdata = self._get_file_content(root_binaries_files[0]).decode(
+            "utf-8", errors="ignore"
+        )
+
+        try:
+            root_binary_paths = json.loads(rawdata)
+        except json.JSONDecodeError as e:
+            self.log.error("Failed to parse root_binaries.json: %s", e)
+            return
+
+        if not isinstance(root_binary_paths, list):
+            self.log.error("Expected root_binaries.json to contain a list of paths")
+            return
+
+        # Known root binary names that might be found and their descriptions
+        # This maps the binary name to a human-readable description
+        known_root_binaries = {
+            "su": "SuperUser binary",
+            "busybox": "BusyBox utilities",
+            "supersu": "SuperSU root management",
+            "Superuser.apk": "Superuser app",
+            "KingoUser.apk": "KingRoot app",
+            "SuperSu.apk": "SuperSU app",
+            "magisk": "Magisk root framework",
+            "magiskhide": "Magisk hide utility",
+            "magiskinit": "Magisk init binary",
+            "magiskpolicy": "Magisk policy binary",
+        }
+
+        for path in root_binary_paths:
+            if not path or not isinstance(path, str):
+                continue
+
+            # Extract binary name from path
+            binary_name = path.split("/")[-1].lower()
+
+            # Check if this matches a known root binary by exact name match
+            description = "Unknown root binary"
+            for known_binary in known_root_binaries:
+                if binary_name == known_binary.lower():
+                    description = known_root_binaries[known_binary]
+                    break
+
+            result = {
+                "path": path.strip(),
+                "binary_name": binary_name,
+                "description": description,
+            }
+
+            self.results.append(result)
+
+        self.log.info("Found %d root binaries", len(self.results))

src/mvt/android/modules/androidqf/sms.py

@@ -19,7 +19,13 @@ from .base import AndroidQFModule
 
 
 class SMS(AndroidQFModule):
-    """This module analyse SMS file in backup"""
+    """
+    This module analyse SMS file in backup
+
+    XXX: We should also de-duplicate this AQF module, but first we
+    need to add tests for loading encrypted SMS backups through the backup
+    sub-module.
+    """
 
     def __init__(
         self,

src/mvt/android/modules/backup/base.py

@@ -37,10 +37,7 @@ class BackupExtraction(MVTModule):
         self.tar = None
         self.files = []
 
-    def from_folder(self, backup_path: Optional[str], files: List[str]) -> None:
-        """
-        Get all the files and list them
-        """
+    def from_dir(self, backup_path: Optional[str], files: List[str]) -> None:
         self.backup_path = backup_path
         self.files = files
 
@@ -58,14 +55,16 @@ class BackupExtraction(MVTModule):
         return fnmatch.filter(self.files, pattern)
 
     def _get_file_content(self, file_path: str) -> bytes:
-        if self.ab:
+        if self.tar:
             try:
                 member = self.tar.getmember(file_path)
             except KeyError:
                 return None
             handle = self.tar.extractfile(member)
-        else:
+        elif self.backup_path:
             handle = open(os.path.join(self.backup_path, file_path), "rb")
+        else:
+            raise ValueError("No backup path or tar file provided")
 
         data = handle.read()
         handle.close()

src/mvt/android/modules/backup/sms.py

@@ -50,13 +50,13 @@ class SMS(BackupExtraction):
     def run(self) -> None:
         sms_path = "apps/com.android.providers.telephony/d_f/*_sms_backup"
         for file in self._get_files_by_pattern(sms_path):
-            self.log.info("Processing SMS backup file at %s", file)
+            self.log.debug("Processing SMS backup file at %s", file)
             data = self._get_file_content(file)
             self.results.extend(parse_sms_file(data))
 
         mms_path = "apps/com.android.providers.telephony/d_f/*_mms_backup"
         for file in self._get_files_by_pattern(mms_path):
-            self.log.info("Processing MMS backup file at %s", file)
+            self.log.debug("Processing MMS backup file at %s", file)
             data = self._get_file_content(file)
             self.results.extend(parse_sms_file(data))
 

src/mvt/android/modules/bugreport/__init__.py

@@ -3,31 +3,31 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-from .accessibility import Accessibility
-from .activities import Activities
-from .appops import Appops
-from .battery_daily import BatteryDaily
-from .battery_history import BatteryHistory
-from .dbinfo import DBInfo
-from .getprop import Getprop
-from .packages import Packages
-from .platform_compat import PlatformCompat
-from .receivers import Receivers
-from .adb_state import DumpsysADBState
+from .dumpsys_accessibility import DumpsysAccessibility
+from .dumpsys_activities import DumpsysActivities
+from .dumpsys_appops import DumpsysAppops
+from .dumpsys_battery_daily import DumpsysBatteryDaily
+from .dumpsys_battery_history import DumpsysBatteryHistory
+from .dumpsys_dbinfo import DumpsysDBInfo
+from .dumpsys_getprop import DumpsysGetProp
+from .dumpsys_packages import DumpsysPackages
+from .dumpsys_platform_compat import DumpsysPlatformCompat
+from .dumpsys_receivers import DumpsysReceivers
+from .dumpsys_adb_state import DumpsysADBState
 from .fs_timestamps import BugReportTimestamps
 from .tombstones import Tombstones
 
 BUGREPORT_MODULES = [
-    Accessibility,
-    Activities,
-    Appops,
-    BatteryDaily,
-    BatteryHistory,
-    DBInfo,
-    Getprop,
-    Packages,
-    PlatformCompat,
-    Receivers,
+    DumpsysAccessibility,
+    DumpsysActivities,
+    DumpsysAppops,
+    DumpsysBatteryDaily,
+    DumpsysBatteryHistory,
+    DumpsysDBInfo,
+    DumpsysGetProp,
+    DumpsysPackages,
+    DumpsysPlatformCompat,
+    DumpsysReceivers,
     DumpsysADBState,
     BugReportTimestamps,
     Tombstones,

src/mvt/android/modules/bugreport/base.py

@@ -39,9 +39,7 @@ class BugReportModule(MVTModule):
         self.extract_files: List[str] = []
         self.zip_files: List[str] = []
 
-    def from_folder(
-        self, extract_path: Optional[str], extract_files: List[str]
-    ) -> None:
+    def from_dir(self, extract_path: str, extract_files: List[str]) -> None:
         self.extract_path = extract_path
         self.extract_files = extract_files
 

src/mvt/android/modules/bugreport/dumpsys_accessibility.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArti
 from .base import BugReportModule
 
 
-class Accessibility(DumpsysAccessibilityArtifact, BugReportModule):
+class DumpsysAccessibility(DumpsysAccessibilityArtifact, BugReportModule):
     """This module extracts stats on accessibility."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_activities.py

@@ -13,7 +13,7 @@ from mvt.android.artifacts.dumpsys_package_activities import (
 from .base import BugReportModule
 
 
-class Activities(DumpsysPackageActivitiesArtifact, BugReportModule):
+class DumpsysActivities(DumpsysPackageActivitiesArtifact, BugReportModule):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_appops.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
 from .base import BugReportModule
 
 
-class Appops(DumpsysAppopsArtifact, BugReportModule):
+class DumpsysAppops(DumpsysAppopsArtifact, BugReportModule):
     """This module extracts information on package from App-Ops Manager."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_battery_daily.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtif
 from .base import BugReportModule
 
 
-class BatteryDaily(DumpsysBatteryDailyArtifact, BugReportModule):
+class DumpsysBatteryDaily(DumpsysBatteryDailyArtifact, BugReportModule):
     """This module extracts records from battery daily updates."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_battery_history.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryA
 from .base import BugReportModule
 
 
-class BatteryHistory(DumpsysBatteryHistoryArtifact, BugReportModule):
+class DumpsysBatteryHistory(DumpsysBatteryHistoryArtifact, BugReportModule):
     """This module extracts records from battery daily updates."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_dbinfo.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
 from .base import BugReportModule
 
 
-class DBInfo(DumpsysDBInfoArtifact, BugReportModule):
+class DumpsysDBInfo(DumpsysDBInfoArtifact, BugReportModule):
     """This module extracts records from battery daily updates."""
 
     slug = "dbinfo"

src/mvt/android/modules/bugreport/dumpsys_getprop.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.getprop import GetProp as GetPropArtifact
 from .base import BugReportModule
 
 
-class Getprop(GetPropArtifact, BugReportModule):
+class DumpsysGetProp(GetPropArtifact, BugReportModule):
     """This module extracts device properties from getprop command."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_packages.py

@@ -12,7 +12,7 @@ from mvt.android.utils import DANGEROUS_PERMISSIONS, DANGEROUS_PERMISSIONS_THRES
 from .base import BugReportModule
 
 
-class Packages(DumpsysPackagesArtifact, BugReportModule):
+class DumpsysPackages(DumpsysPackagesArtifact, BugReportModule):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_platform_compat.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_platform_compat import DumpsysPlatformCompatA
 from mvt.android.modules.bugreport.base import BugReportModule
 
 
-class PlatformCompat(DumpsysPlatformCompatArtifact, BugReportModule):
+class DumpsysPlatformCompat(DumpsysPlatformCompatArtifact, BugReportModule):
     """This module extracts details on uninstalled apps."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_receivers.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
 from .base import BugReportModule
 
 
-class Receivers(DumpsysReceiversArtifact, BugReportModule):
+class DumpsysReceivers(DumpsysReceiversArtifact, BugReportModule):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(
@@ -34,6 +34,20 @@ class Receivers(DumpsysReceiversArtifact, BugReportModule):
 
         self.results = results if results else {}
 
+    def check_indicators(self) -> None:
+        for result in self.results:
+            if self.indicators:
+                receiver_name = self.results[result][0]["receiver"]
+
+                # return IoC if the stix2 process name a substring of the receiver name
+                ioc = self.indicators.check_receiver_prefix(receiver_name)
+                if ioc:
+                    self.results[result][0]["matched_indicator"] = ioc
+                    self.detected.append(result)
+                    continue
+
+
+
     def run(self) -> None:
         content = self._get_dumpstate_file()
         if not content:

src/mvt/common/cmd_check_iocs.py

@@ -22,6 +22,10 @@ class CmdCheckIOCS(Command):
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
@@ -30,7 +34,11 @@ class CmdCheckIOCS(Command):
             module_name=module_name,
             serial=serial,
             module_options=module_options,
+            hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-iocs"

src/mvt/common/command.py

@@ -27,11 +27,15 @@ class Command:
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
         log: logging.Logger = logging.getLogger(__name__),
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         self.name = ""
         self.modules = []
@@ -42,6 +46,9 @@ class Command:
         self.module_name = module_name
         self.serial = serial
         self.log = log
+        self.sub_command = sub_command
+        self.disable_version_check = disable_version_check
+        self.disable_indicator_check = disable_indicator_check
 
         # This dictionary can contain options that will be passed down from
         # the Command to all modules. This can for example be used to pass
@@ -60,8 +67,12 @@ class Command:
         # Load IOCs
         self._create_storage()
         self._setup_logging()
-        self.iocs = Indicators(log=log)
-        self.iocs.load_indicators_files(self.ioc_files)
+
+        if iocs is not None:
+            self.iocs = iocs
+        else:
+            self.iocs = Indicators(self.log)
+            self.iocs.load_indicators_files(self.ioc_files)
 
     def _create_storage(self) -> None:
         if self.results_path and not os.path.exists(self.results_path):
@@ -247,6 +258,10 @@ class Command:
         except NotImplementedError:
             pass
 
+        # We only store the timeline from the parent/main command
+        if self.sub_command:
+            return
+
         self._store_timeline()
         self._store_info()
 

src/mvt/common/help.py

@@ -15,6 +15,8 @@ HELP_MSG_HASHES = "Generate hashes of all the files analyzed"
 HELP_MSG_VERBOSE = "Verbose mode"
 HELP_MSG_CHECK_IOCS = "Compare stored JSON results to provided indicators"
 HELP_MSG_STIX2 = "Download public STIX2 indicators"
+HELP_MSG_DISABLE_UPDATE_CHECK = "Disable MVT version update check"
+HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK = "Disable indicators update check"
 
 # IOS Specific
 HELP_MSG_DECRYPT_BACKUP = "Decrypt an encrypted iTunes backup"
@@ -45,7 +47,7 @@ HELP_MSG_APKS_FROM_FILE = (
     "Instead of acquiring APKs from a phone, load an existing packages.json file for "
     "lookups (mainly for debug purposes)"
 )
-HELP_MSG_CHECK_ADB = "Check an Android device over ADB"
+HELP_MSG_CHECK_ADB = "Deprecated: Check an Android device over ADB. Prefer using the external AndroidQF project (https://github.com/mvt-project/androidqf) to acquire AndroidQF images for analysis."
 HELP_MSG_CHECK_BUGREPORT = "Check an Android Bug Report"
 HELP_MSG_CHECK_ANDROID_BACKUP = "Check an Android Backup"
 HELP_MSG_CHECK_ANDROIDQF = "Check data collected with AndroidQF"

src/mvt/common/indicators.py

@@ -768,6 +768,30 @@ class Indicators:
 
         return None
 
+
+    def check_receiver_prefix(self, receiver_name: str) -> Union[dict, None]:
+        """Check the provided receiver name against the list of indicators.
+        An IoC match is detected when a substring of the receiver matches the indicator
+        :param app_id: App ID to check against the list of indicators
+        :type app_id: str
+        :returns: Indicator details if matched, otherwise None
+
+        """
+        if not receiver_name:
+            return None
+
+        for ioc in self.get_iocs("app_ids"):
+            if ioc["value"].lower() in receiver_name.lower():
+                self.log.warning(
+                    'Found a known suspicious receiver with name "%s" '
+                    'matching indicators from "%s"',
+                    receiver_name,
+                    ioc["name"],
+                )
+                return ioc
+
+        return None
+
     def check_android_property_name(self, property_name: str) -> Optional[dict]:
         """Check the android property name against the list of indicators.
 

src/mvt/common/logo.py

@@ -12,74 +12,85 @@ from .updates import IndicatorsUpdates, MVTUpdates
 from .version import MVT_VERSION
 
 
-def check_updates() -> None:
+def check_updates(
+    disable_version_check: bool = False, disable_indicator_check: bool = False
+) -> None:
     log = logging.getLogger("mvt")
+
     # First we check for MVT version updates.
-    try:
-        mvt_updates = MVTUpdates()
-        latest_version = mvt_updates.check()
-    except (requests.exceptions.ConnectionError, requests.exceptions.Timeout):
-        rich_print(
-            "\t\t[bold]Note: Could not check for MVT updates.[/bold] "
-            "You may be working offline. Please update MVT regularly."
-        )
-    except Exception as e:
-        log.error("Error encountered when trying to check latest MVT version: %s", e)
-    else:
-        if latest_version:
+    if not disable_version_check:
+        try:
+            mvt_updates = MVTUpdates()
+            latest_version = mvt_updates.check()
+        except (requests.exceptions.ConnectionError, requests.exceptions.Timeout):
             rich_print(
-                f"\t\t[bold]Version {latest_version} is available! "
-                "Upgrade mvt with `pip3 install -U mvt` or with `pipx upgrade mvt`[/bold]"
+                "\t\t[bold]Note: Could not check for MVT updates.[/bold] "
+                "You may be working offline. Please update MVT regularly."
             )
-
-    # Then we check for indicators files updates.
-    ioc_updates = IndicatorsUpdates()
-
-    # Before proceeding, we check if we have downloaded an indicators index.
-    # If not, there's no point in proceeding with the updates check.
-    if ioc_updates.get_latest_update() == 0:
-        rich_print(
-            "\t\t[bold]You have not yet downloaded any indicators, check "
-            "the `download-iocs` command![/bold]"
-        )
-        return
-
-    # We only perform this check at a fixed frequency, in order to not
-    # overburden the user with too many lookups if the command is being run
-    # multiple times.
-    should_check, hours = ioc_updates.should_check()
-    if not should_check:
-        rich_print(
-            f"\t\tIndicators updates checked recently, next automatic check "
-            f"in {int(hours)} hours"
-        )
-        return
-
-    try:
-        ioc_to_update = ioc_updates.check()
-    except (requests.exceptions.ConnectionError, requests.exceptions.Timeout):
-        rich_print(
-            "\t\t[bold]Note: Could not check for indicator updates.[/bold] "
-            "You may be working offline. Please update MVT indicators regularly."
-        )
-    except Exception as e:
-        log.error("Error encountered when trying to check latest MVT indicators: %s", e)
-    else:
-        if ioc_to_update:
-            rich_print(
-                "\t\t[bold]There are updates to your indicators files! "
-                "Run the `download-iocs` command to update![/bold]"
+        except Exception as e:
+            log.error(
+                "Error encountered when trying to check latest MVT version: %s", e
             )
         else:
-            rich_print("\t\tYour indicators files seem to be up to date.")
+            if latest_version:
+                rich_print(
+                    f"\t\t[bold]Version {latest_version} is available! "
+                    "Upgrade mvt with `pip3 install -U mvt` or with `pipx upgrade mvt`[/bold]"
+                )
+
+    # Then we check for indicators files updates.
+    if not disable_indicator_check:
+        ioc_updates = IndicatorsUpdates()
+
+        # Before proceeding, we check if we have downloaded an indicators index.
+        # If not, there's no point in proceeding with the updates check.
+        if ioc_updates.get_latest_update() == 0:
+            rich_print(
+                "\t\t[bold]You have not yet downloaded any indicators, check "
+                "the `download-iocs` command![/bold]"
+            )
+            return
+
+        # We only perform this check at a fixed frequency, in order to not
+        # overburden the user with too many lookups if the command is being run
+        # multiple times.
+        should_check, hours = ioc_updates.should_check()
+        if not should_check:
+            rich_print(
+                f"\t\tIndicators updates checked recently, next automatic check "
+                f"in {int(hours)} hours"
+            )
+            return
+
+        try:
+            ioc_to_update = ioc_updates.check()
+        except (requests.exceptions.ConnectionError, requests.exceptions.Timeout):
+            rich_print(
+                "\t\t[bold]Note: Could not check for indicator updates.[/bold] "
+                "You may be working offline. Please update MVT indicators regularly."
+            )
+        except Exception as e:
+            log.error(
+                "Error encountered when trying to check latest MVT indicators: %s", e
+            )
+        else:
+            if ioc_to_update:
+                rich_print(
+                    "\t\t[bold]There are updates to your indicators files! "
+                    "Run the `download-iocs` command to update![/bold]"
+                )
+            else:
+                rich_print("\t\tYour indicators files seem to be up to date.")
 
 
-def logo() -> None:
+def logo(
+    disable_version_check: bool = False, disable_indicator_check: bool = False
+) -> None:
     rich_print("\n")
     rich_print("\t[bold]MVT[/bold] - Mobile Verification Toolkit")
     rich_print("\t\thttps://mvt.re")
     rich_print(f"\t\tVersion: {MVT_VERSION}")
 
-    check_updates()
+    check_updates(disable_version_check, disable_indicator_check)
 
     rich_print("\n")

src/mvt/common/updates.py

@@ -24,7 +24,11 @@ INDICATORS_CHECK_FREQUENCY = 12
 
 class MVTUpdates:
     def check(self) -> str:
-        res = requests.get(settings.PYPI_UPDATE_URL, timeout=15)
+        try:
+            res = requests.get(settings.PYPI_UPDATE_URL, timeout=5)
+        except requests.exceptions.RequestException as e:
+            log.error("Failed to check for updates, skipping updates: %s", e)
+            return ""
         data = res.json()
         latest_version = data.get("info", {}).get("version", "")
 
@@ -93,7 +97,12 @@ class IndicatorsUpdates:
         url = self.github_raw_url.format(
             self.index_owner, self.index_repo, self.index_branch, self.index_path
         )
-        res = requests.get(url, timeout=15)
+        try:
+            res = requests.get(url, timeout=5)
+        except requests.exceptions.RequestException as e:
+            log.error("Failed to retrieve indicators index from %s: %s", url, e)
+            return None
+
         if res.status_code != 200:
             log.error(
                 "Failed to retrieve indicators index located at %s (error %d)",
@@ -105,7 +114,12 @@ class IndicatorsUpdates:
         return yaml.safe_load(res.content)
 
     def download_remote_ioc(self, ioc_url: str) -> Optional[str]:
-        res = requests.get(ioc_url, timeout=15)
+        try:
+            res = requests.get(ioc_url, timeout=15)
+        except requests.exceptions.RequestException as e:
+            log.error("Failed to download indicators file from %s: %s", ioc_url, e)
+            return None
+
         if res.status_code != 200:
             log.error(
                 "Failed to download indicators file from %s (error %d)",
@@ -171,7 +185,12 @@ class IndicatorsUpdates:
         file_commit_url = (
             f"https://api.github.com/repos/{owner}/{repo}/commits?path={path}"
         )
-        res = requests.get(file_commit_url, timeout=15)
+        try:
+            res = requests.get(file_commit_url, timeout=5)
+        except requests.exceptions.RequestException as e:
+            log.error("Failed to get details about file %s: %s", file_commit_url, e)
+            return -1
+
         if res.status_code != 200:
             log.error(
                 "Failed to get details about file %s (error %d)",

src/mvt/common/version.py

@@ -3,4 +3,4 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-MVT_VERSION = "2.6.1"
+MVT_VERSION = "2.7.0"

src/mvt/ios/cli.py

@@ -37,6 +37,8 @@ from mvt.common.help import (
     HELP_MSG_CHECK_IOCS,
     HELP_MSG_STIX2,
     HELP_MSG_CHECK_IOS_BACKUP,
+    HELP_MSG_DISABLE_UPDATE_CHECK,
+    HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK,
 )
 from .cmd_check_backup import CmdIOSCheckBackup
 from .cmd_check_fs import CmdIOSCheckFS
@@ -53,12 +55,37 @@ MVT_IOS_BACKUP_PASSWORD = "MVT_IOS_BACKUP_PASSWORD"
 CONTEXT_SETTINGS = dict(help_option_names=["-h", "--help"])
 
 
+def _get_disable_flags(ctx):
+    """Helper function to safely get disable flags from context."""
+    if ctx.obj is None:
+        return False, False
+    return (
+        ctx.obj.get("disable_version_check", False),
+        ctx.obj.get("disable_indicator_check", False),
+    )
+
+
 # ==============================================================================
 # Main
 # ==============================================================================
 @click.group(invoke_without_command=False)
-def cli():
-    logo()
+@click.option(
+    "--disable-update-check", is_flag=True, help=HELP_MSG_DISABLE_UPDATE_CHECK
+)
+@click.option(
+    "--disable-indicator-update-check",
+    is_flag=True,
+    help=HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK,
+)
+@click.pass_context
+def cli(ctx, disable_update_check, disable_indicator_update_check):
+    ctx.ensure_object(dict)
+    ctx.obj["disable_version_check"] = disable_update_check
+    ctx.obj["disable_indicator_check"] = disable_indicator_update_check
+    logo(
+        disable_version_check=disable_update_check,
+        disable_indicator_check=disable_indicator_update_check,
+    )
 
 
 # ==============================================================================
@@ -219,6 +246,8 @@ def check_backup(
         module_name=module,
         module_options=module_options,
         hashes=hashes,
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
@@ -266,6 +295,8 @@ def check_fs(ctx, iocs, output, fast, list_modules, module, hashes, verbose, dum
         module_name=module,
         module_options=module_options,
         hashes=hashes,
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
@@ -300,7 +331,13 @@ def check_fs(ctx, iocs, output, fast, list_modules, module, hashes, verbose, dum
 @click.argument("FOLDER", type=click.Path(exists=True))
 @click.pass_context
 def check_iocs(ctx, iocs, list_modules, module, folder):
-    cmd = CmdCheckIOCS(target_path=folder, ioc_files=iocs, module_name=module)
+    cmd = CmdCheckIOCS(
+        target_path=folder,
+        ioc_files=iocs,
+        module_name=module,
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
+    )
     cmd.modules = BACKUP_MODULES + FS_MODULES + MIXED_MODULES
 
     if list_modules:

src/mvt/ios/cmd_check_backup.py

@@ -7,6 +7,7 @@ import logging
 from typing import Optional
 
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.backup import BACKUP_MODULES
 from .modules.mixed import MIXED_MODULES
@@ -20,20 +21,28 @@ class CmdIOSCheckBackup(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
         hashes: bool = False,
+        sub_command: bool = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-backup"

src/mvt/ios/cmd_check_fs.py

@@ -7,6 +7,7 @@ import logging
 from typing import Optional
 
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.fs import FS_MODULES
 from .modules.mixed import MIXED_MODULES
@@ -20,20 +21,27 @@ class CmdIOSCheckFS(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
         hashes: bool = False,
+        sub_command: bool = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
-            serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-fs"

src/mvt/ios/data/ios_models.json

@@ -194,5 +194,41 @@
     {
         "identifier": "iPhone16,2",
         "description": "iPhone 15 Pro Max"
+    },
+    {
+        "identifier": "iPhone17,1",
+        "description": "iPhone 16 Pro"
+    },
+    {
+        "identifier": "iPhone17,2",
+        "description": "iPhone 16 Pro Max"
+    },
+    {
+        "identifier": "iPhone17,3",
+        "description": "iPhone 16"
+    },
+    {
+        "identifier": "iPhone17,4",
+        "description": "iPhone 16 Plus"
+    },
+    {
+        "identifier": "iPhone17,5",
+        "description": "iPhone 16e"
+    },
+    {
+        "identifier": "iPhone18,1",
+        "description": "iPhone 17 Pro"
+    },
+    {
+        "identifier": "iPhone18,2",
+        "description": "iPhone 17 Pro Max"
+    },
+    {
+        "identifier": "iPhone18,3",
+        "description": "iPhone 17"
+    },
+    {
+        "identifier": "iPhone18,4",
+        "description": "iPhone Air"
     }
 ]

src/mvt/ios/data/ios_versions.json

@@ -1156,6 +1156,14 @@
         "version": "18.7",
         "build": "22H20"
     },
+    {
+        "version": "18.7.2",
+        "build": "22H124"
+    },
+    {
+        "version": "18.7.3",
+        "build": "22H217"
+    },
     {
         "version": "26",
         "build": "23A341"
@@ -1163,5 +1171,13 @@
     {
         "version": "26.0.1",
         "build": "23A355"
+    },
+    {
+        "version": "26.1",
+        "build": "23B85"
+    },
+    {
+        "version": "26.2",
+        "build": "23C55"
     }
 ]

src/mvt/ios/modules/mixed/webkit_session_resource_log.py

@@ -127,6 +127,24 @@ class WebkitSessionResourceLog(IOSExtraction):
         browsing_stats = file_plist["browsingStatistics"]
 
         for item in browsing_stats:
+            most_recent_interaction, last_seen = None, None
+            if "mostRecentUserInteraction" in item:
+                try:
+                    most_recent_interaction = convert_datetime_to_iso(
+                        item["mostRecentUserInteraction"]
+                    )
+                except Exception:
+                    self.log.error(
+                        f'Error converting date of Safari resource"most recent interaction": {item["mostRecentUserInteraction"]}'
+                    )
+            if "lastSeen" in item:
+                try:
+                    last_seen = convert_datetime_to_iso(item["lastSeen"])
+                except Exception:
+                    self.log.error(
+                        f'Error converting date of Safari resource"last seen": {item["lastSeen"]}'
+                    )
+
             items.append(
                 {
                     "origin": item.get("PrevalentResourceOrigin", ""),
@@ -139,10 +157,8 @@ class WebkitSessionResourceLog(IOSExtraction):
                         "subresourceUnderTopFrameOrigins", ""
                     ),
                     "user_interaction": item.get("hadUserInteraction"),
-                    "most_recent_interaction": convert_datetime_to_iso(
-                        item["mostRecentUserInteraction"]
-                    ),
-                    "last_seen": convert_datetime_to_iso(item["lastSeen"]),
+                    "most_recent_interaction": most_recent_interaction,
+                    "last_seen": last_seen,
                 }
             )
 

tests/android/test_backup_module.py

@@ -22,7 +22,7 @@ class TestBackupModule:
         for root, subdirs, subfiles in os.walk(os.path.abspath(backup_path)):
             for fname in subfiles:
                 files.append(os.path.relpath(os.path.join(root, fname), backup_path))
-        mod.from_folder(backup_path, files)
+        mod.from_dir(backup_path, files)
         run_module(mod)
         assert len(mod.results) == 2
         assert len(mod.results[0]["links"]) == 1

tests/android_androidqf/test_dumpsys_adbstate.py

@@ -1,27 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_adb import DumpsysADBState
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysADBModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysADBState(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 1
-        assert len(m.detected) == 0
-
-        adb_statedump = m.results[0]
-        assert "user_keys" in adb_statedump
-        assert len(adb_statedump["user_keys"]) == 1

tests/android_androidqf/test_dumpsys_battery_daily.py

@@ -1,24 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_battery_daily import DumpsysBatteryDaily
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysBatteryDailyModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysBatteryDaily(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 3
-        assert len(m.timeline) == 3
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsys_battery_history.py

@@ -1,24 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_battery_history import DumpsysBatteryHistory
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysBatteryHistoryModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysBatteryHistory(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 6
-        assert len(m.timeline) == 0
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsys_dbinfo.py

@@ -1,24 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_dbinfo import DumpsysDBInfo
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysDBInfoModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysDBInfo(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 6
-        assert len(m.timeline) == 0
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsys_platform_compat.py

@@ -1,23 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_platform_compat import DumpsysPlatformCompat
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysPlatformCompatModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysPlatformCompat(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 2
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsysaccessbility.py

@@ -1,23 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_accessibility import DumpsysAccessibility
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysAccessibilityModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysAccessibility(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 4
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsysappops.py

@@ -1,29 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_appops import DumpsysAppops
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysAppOpsModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysAppops(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 12
-        assert len(m.timeline) == 16
-
-        detected_by_ioc = [
-            detected for detected in m.detected if detected.get("matched_indicator")
-        ]
-        assert len(m.detected) == 1
-        assert len(detected_by_ioc) == 0

tests/android_androidqf/test_dumpsyspackages.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_packages import DumpsysPackages
-from mvt.common.indicators import Indicators
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysPackagesModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysPackages(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 2
-        assert len(m.detected) == 0
-        assert len(m.timeline) == 6
-        assert (
-            m.results[0]["package_name"]
-            == "com.samsung.android.provider.filterprovider"
-        )
-
-    def test_detection_pkgname(self, indicator_file):
-        data_path = get_android_androidqf()
-        m = DumpsysPackages(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        ind = Indicators(log=logging.getLogger())
-        ind.parse_stix2(indicator_file)
-        ind.ioc_collections[0]["app_ids"].append("com.sec.android.app.DataCreate")
-        m.indicators = ind
-        run_module(m)
-        assert len(m.results) == 2
-        assert len(m.detected) == 1
-        assert len(m.timeline) == 6
-        assert m.detected[0]["package_name"] == "com.sec.android.app.DataCreate"

tests/android_androidqf/test_dumpsysreceivers.py

@@ -1,23 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_receivers import DumpsysReceivers
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysReceiversModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysReceivers(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 4
-        assert len(m.detected) == 0

tests/android_androidqf/test_files.py

@@ -6,7 +6,7 @@
 import logging
 from pathlib import Path
 
-from mvt.android.modules.androidqf.files import Files
+from mvt.android.modules.androidqf.aqf_files import AQFFiles
 from mvt.common.module import run_module
 
 from ..utils import get_android_androidqf, list_files
@@ -15,10 +15,10 @@ from ..utils import get_android_androidqf, list_files
 class TestAndroidqfFilesAnalysis:
     def test_androidqf_files(self):
         data_path = get_android_androidqf()
-        m = Files(target_path=data_path, log=logging)
+        m = AQFFiles(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 3
         assert len(m.timeline) == 6

tests/android_androidqf/test_getprop.py

@@ -7,7 +7,7 @@ import logging
 import zipfile
 from pathlib import Path
 
-from mvt.android.modules.androidqf.getprop import Getprop
+from mvt.android.modules.androidqf.aqf_getprop import AQFGetProp
 from mvt.common.indicators import Indicators
 from mvt.common.module import run_module
 
@@ -17,10 +17,10 @@ from ..utils import get_android_androidqf, get_artifact, list_files
 class TestAndroidqfGetpropAnalysis:
     def test_androidqf_getprop(self):
         data_path = get_android_androidqf()
-        m = Getprop(target_path=data_path, log=logging)
+        m = AQFGetProp(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 10
         assert m.results[0]["name"] == "dalvik.vm.appimageformat"
@@ -30,9 +30,9 @@ class TestAndroidqfGetpropAnalysis:
 
     def test_getprop_parsing_zip(self):
         fpath = get_artifact("androidqf.zip")
-        m = Getprop(target_path=fpath, log=logging)
+        m = AQFGetProp(target_path=fpath, log=logging)
         archive = zipfile.ZipFile(fpath)
-        m.from_zip_file(archive, archive.namelist())
+        m.from_zip(archive, archive.namelist())
         run_module(m)
         assert len(m.results) == 10
         assert m.results[0]["name"] == "dalvik.vm.appimageformat"
@@ -42,10 +42,10 @@ class TestAndroidqfGetpropAnalysis:
 
     def test_androidqf_getprop_detection(self, indicator_file):
         data_path = get_android_androidqf()
-        m = Getprop(target_path=data_path, log=logging)
+        m = AQFGetProp(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         ind = Indicators(log=logging.getLogger())
         ind.parse_stix2(indicator_file)
         ind.ioc_collections[0]["android_property_names"].append("dalvik.vm.heapmaxfree")

tests/android_androidqf/test_mounts.py

@@ -0,0 +1,97 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+from pathlib import Path
+
+from mvt.common.module import run_module
+
+from ..utils import get_android_androidqf, list_files
+
+
+class TestAndroidqfMountsArtifact:
+    def test_parse_mounts_token_checks(self):
+        """
+        Test the artifact-level `parse` method using tolerant token checks.
+
+        Different parser variants may place mount tokens into different dict
+        keys (for example `mount_options`, `pass_num`, `dump_freq`, etc.). To
+        avoid brittle assertions we concatenate each parsed entry's values and
+        look for expected tokens (device names, mount points, options) somewhere
+        in the combined representation.
+        """
+        from mvt.android.artifacts.mounts import Mounts as MountsArtifact
+
+        m = MountsArtifact()
+
+        mount_lines = [
+            "/dev/block/dm-12 on / type ext4 (ro,seclabel,noatime)",
+            "/dev/block/by-name/system on /system type ext4 (rw,seclabel,noatime)",
+            "/dev/block/by-name/data on /data type f2fs (rw,nosuid,nodev,noatime)",
+        ]
+        mount_content = "\n".join(mount_lines)
+
+        # Parse the mount lines (artifact-level)
+        m.parse(mount_content)
+
+        # Basic sanity: parser should return one entry per input line
+        assert len(m.results) == 3, f"Expected 3 parsed mounts, got: {m.results}"
+
+        # Concatenate each entry's values into a single string so token checks
+        # are tolerant to which dict keys were used by the parser.
+        def concat_values(entry):
+            parts = []
+            for v in entry.values():
+                try:
+                    parts.append(str(v))
+                except Exception:
+                    # Skip values that can't be stringified
+                    continue
+            return " ".join(parts)
+
+        concatenated = [concat_values(e) for e in m.results]
+
+        # Token expectations (tolerant):
+        # - Root line should include 'dm-12' and 'noatime' (and typically 'ro')
+        assert any("dm-12" in s and "noatime" in s for s in concatenated), (
+            f"No root-like tokens (dm-12 + noatime) found in parsed results: {concatenated}"
+        )
+
+        # - System line should include '/system' or 'by-name/system' and 'rw'
+        assert any(
+            (("by-name/system" in s or "/system" in s) and "rw" in s)
+            for s in concatenated
+        ), (
+            f"No system-like tokens (system + rw) found in parsed results: {concatenated}"
+        )
+
+        # - Data line should include '/data' or 'by-name/data' and 'rw'
+        assert any(
+            (("by-name/data" in s or "/data" in s) and "rw" in s) for s in concatenated
+        ), f"No data-like tokens (data + rw) found in parsed results: {concatenated}"
+
+
+class TestAndroidqfMountsModule:
+    def test_androidqf_module_no_mounts_file(self):
+        """
+        When no `mounts.json` is present in the androidqf dataset, the module
+        should not produce results nor detections.
+        """
+        from mvt.android.modules.androidqf.mounts import Mounts
+
+        data_path = get_android_androidqf()
+        m = Mounts(target_path=data_path, log=logging)
+        files = list_files(data_path)
+        parent_path = Path(data_path).absolute().parent.as_posix()
+        m.from_dir(parent_path, files)
+
+        run_module(m)
+
+        # The provided androidqf test dataset does not include mounts.json, so
+        # results should remain empty.
+        assert len(m.results) == 0, (
+            f"Expected no results when mounts.json is absent, got: {m.results}"
+        )
+        assert len(m.detected) == 0, f"Expected no detections, got: {m.detected}"

tests/android_androidqf/test_packages.py

@@ -8,7 +8,7 @@ from pathlib import Path
 
 import pytest
 
-from mvt.android.modules.androidqf.packages import Packages
+from mvt.android.modules.androidqf.aqf_packages import AQFPackages
 from mvt.common.module import run_module
 
 from ..utils import get_android_androidqf, list_files
@@ -31,8 +31,8 @@ def file_list(data_path):
 
 @pytest.fixture()
 def module(parent_data_path, file_list):
-    m = Packages(target_path=parent_data_path, log=logging)
-    m.from_folder(parent_data_path, file_list)
+    m = AQFPackages(target_path=parent_data_path, log=logging)
+    m.from_dir(parent_data_path, file_list)
     return m
 
 

tests/android_androidqf/test_processes.py

@@ -6,7 +6,7 @@
 import logging
 from pathlib import Path
 
-from mvt.android.modules.androidqf.processes import Processes
+from mvt.android.modules.androidqf.aqf_processes import AQFProcesses
 from mvt.common.module import run_module
 
 from ..utils import get_android_androidqf, list_files
@@ -15,10 +15,10 @@ from ..utils import get_android_androidqf, list_files
 class TestAndroidqfProcessesAnalysis:
     def test_androidqf_processes(self):
         data_path = get_android_androidqf()
-        m = Processes(target_path=data_path, log=logging)
+        m = AQFProcesses(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 15
         assert len(m.timeline) == 0

tests/android_androidqf/test_root_binaries.py

@@ -0,0 +1,116 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+import logging
+from pathlib import Path
+
+import pytest
+
+from mvt.android.modules.androidqf.root_binaries import RootBinaries
+from mvt.common.module import run_module
+
+from ..utils import get_android_androidqf, list_files
+
+
+@pytest.fixture()
+def data_path():
+    return get_android_androidqf()
+
+
+@pytest.fixture()
+def parent_data_path(data_path):
+    return Path(data_path).absolute().parent.as_posix()
+
+
+@pytest.fixture()
+def file_list(data_path):
+    return list_files(data_path)
+
+
+@pytest.fixture()
+def module(parent_data_path, file_list):
+    m = RootBinaries(target_path=parent_data_path, log=logging)
+    m.from_dir(parent_data_path, file_list)
+    return m
+
+
+class TestAndroidqfRootBinaries:
+    def test_root_binaries_detection(self, module):
+        run_module(module)
+
+        # Should find 4 root binaries from the test file
+        assert len(module.results) == 4
+        assert len(module.detected) == 4
+
+        # Check that all results are detected as indicators
+        binary_paths = [result["path"] for result in module.results]
+        assert "/system/bin/su" in binary_paths
+        assert "/system/xbin/busybox" in binary_paths
+        assert "/data/local/tmp/magisk" in binary_paths
+        assert "/system/bin/magiskhide" in binary_paths
+
+    def test_root_binaries_descriptions(self, module):
+        run_module(module)
+
+        # Check that binary descriptions are correctly identified
+        su_result = next((r for r in module.results if "su" in r["binary_name"]), None)
+        assert su_result is not None
+        assert "SuperUser binary" in su_result["description"]
+
+        busybox_result = next(
+            (r for r in module.results if "busybox" in r["binary_name"]), None
+        )
+        assert busybox_result is not None
+        assert "BusyBox utilities" in busybox_result["description"]
+
+        magisk_result = next(
+            (r for r in module.results if r["binary_name"] == "magisk"), None
+        )
+        assert magisk_result is not None
+        assert "Magisk root framework" in magisk_result["description"]
+
+        magiskhide_result = next(
+            (r for r in module.results if "magiskhide" in r["binary_name"]), None
+        )
+        assert magiskhide_result is not None
+        assert "Magisk hide utility" in magiskhide_result["description"]
+
+    def test_root_binaries_warnings(self, caplog, module):
+        run_module(module)
+
+        # Check that warnings are logged for each root binary found
+        assert 'Found root binary "su" at path "/system/bin/su"' in caplog.text
+        assert (
+            'Found root binary "busybox" at path "/system/xbin/busybox"' in caplog.text
+        )
+        assert (
+            'Found root binary "magisk" at path "/data/local/tmp/magisk"' in caplog.text
+        )
+        assert (
+            'Found root binary "magiskhide" at path "/system/bin/magiskhide"'
+            in caplog.text
+        )
+        assert "Device shows signs of rooting with 4 root binaries found" in caplog.text
+
+    def test_serialize_method(self, module):
+        run_module(module)
+
+        # Test that serialize method works correctly
+        if module.results:
+            serialized = module.serialize(module.results[0])
+            assert serialized["module"] == "RootBinaries"
+            assert serialized["event"] == "root_binary_found"
+            assert "Root binary found:" in serialized["data"]
+
+    def test_no_root_binaries_file(self, parent_data_path):
+        # Test behavior when no root_binaries.json file is present
+        empty_file_list = []
+        m = RootBinaries(target_path=parent_data_path, log=logging)
+        m.from_dir(parent_data_path, empty_file_list)
+
+        run_module(m)
+
+        assert len(m.results) == 0
+        assert len(m.detected) == 0

tests/android_androidqf/test_settings.py

@@ -5,7 +5,7 @@
 
 from pathlib import Path
 
-from mvt.android.modules.androidqf.settings import Settings
+from mvt.android.modules.androidqf.aqf_settings import AQFSettings
 from mvt.common.module import run_module
 
 from ..utils import get_android_androidqf, list_files
@@ -14,10 +14,10 @@ from ..utils import get_android_androidqf, list_files
 class TestSettingsModule:
     def test_parsing(self):
         data_path = get_android_androidqf()
-        m = Settings(target_path=data_path)
+        m = AQFSettings(target_path=data_path)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 1
         assert "random" in m.results.keys()

tests/android_androidqf/test_sms.py

@@ -21,7 +21,7 @@ class TestAndroidqfSMSAnalysis:
         m = SMS(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 2
         assert len(m.timeline) == 0
@@ -36,7 +36,7 @@ class TestAndroidqfSMSAnalysis:
         )
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 1
 
@@ -52,7 +52,7 @@ class TestAndroidqfSMSAnalysis:
         )
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert prompt_mock.call_count == 1
         assert len(m.results) == 1
@@ -67,7 +67,7 @@ class TestAndroidqfSMSAnalysis:
             )
             files = list_files(data_path)
             parent_path = Path(data_path).absolute().parent.as_posix()
-            m.from_folder(parent_path, files)
+            m.from_dir(parent_path, files)
             run_module(m)
         assert len(m.results) == 0
         assert "Invalid backup password" in caplog.text
@@ -82,7 +82,7 @@ class TestAndroidqfSMSAnalysis:
             )
             files = list_files(data_path)
             parent_path = Path(data_path).absolute().parent.as_posix()
-            m.from_folder(parent_path, files)
+            m.from_dir(parent_path, files)
             run_module(m)
         assert len(m.results) == 0
         assert (

tests/android_bugreport/test_bugreport.py

@@ -6,9 +6,9 @@
 import os
 from pathlib import Path
 
-from mvt.android.modules.bugreport.appops import Appops
-from mvt.android.modules.bugreport.getprop import Getprop
-from mvt.android.modules.bugreport.packages import Packages
+from mvt.android.modules.bugreport.dumpsys_appops import DumpsysAppops
+from mvt.android.modules.bugreport.dumpsys_getprop import DumpsysGetProp
+from mvt.android.modules.bugreport.dumpsys_packages import DumpsysPackages
 from mvt.android.modules.bugreport.tombstones import Tombstones
 from mvt.common.module import run_module
 
@@ -26,12 +26,12 @@ class TestBugreportAnalysis:
                 folder_files.append(
                     os.path.relpath(os.path.join(root, file_name), parent_path)
                 )
-        m.from_folder(fpath, folder_files)
+        m.from_dir(fpath, folder_files)
         run_module(m)
         return m
 
     def test_appops_module(self):
-        m = self.launch_bug_report_module(Appops)
+        m = self.launch_bug_report_module(DumpsysAppops)
         assert len(m.results) == 12
         assert len(m.timeline) == 16
 
@@ -42,7 +42,7 @@ class TestBugreportAnalysis:
         assert len(detected_by_ioc) == 0
 
     def test_packages_module(self):
-        m = self.launch_bug_report_module(Packages)
+        m = self.launch_bug_report_module(DumpsysPackages)
         assert len(m.results) == 2
         assert (
             m.results[0]["package_name"]
@@ -53,7 +53,7 @@ class TestBugreportAnalysis:
         assert len(m.results[1]["permissions"]) == 32
 
     def test_getprop_module(self):
-        m = self.launch_bug_report_module(Getprop)
+        m = self.launch_bug_report_module(DumpsysGetProp)
         assert len(m.results) == 0
 
     def test_tombstones_modules(self):

tests/artifacts/androidqf/root_binaries.json

@@ -0,0 +1,6 @@
+[
+    "/system/bin/su",
+    "/system/xbin/busybox",
+    "/data/local/tmp/magisk",
+    "/system/bin/magiskhide"
+]

tests/common/test_utils.py

@@ -62,7 +62,7 @@ class TestHashes:
     def test_hash_from_folder(self):
         path = os.path.join(get_artifact_folder(), "androidqf")
         hashes = list(generate_hashes_from_path(path, logging))
-        assert len(hashes) == 7
+        assert len(hashes) == 8
         # Sort the files to have reliable order for tests.
         hashes = sorted(hashes, key=lambda x: x["file_path"])
         assert hashes[0]["file_path"] == os.path.join(path, "backup.ab")

tests/test_check_android_androidqf.py

@@ -32,7 +32,8 @@ class TestCheckAndroidqfCommand:
         path = os.path.join(get_artifact_folder(), "androidqf_encrypted")
         result = runner.invoke(check_androidqf, [path])
 
-        assert prompt_mock.call_count == 1
+        # Called twice, once in AnroidQF SMS module and once in Backup SMS module
+        assert prompt_mock.call_count == 2
         assert result.exit_code == 0
 
     def test_check_encrypted_backup_cli(self, mocker):