Add new iOS versions and build numbers

* receiver names are checked if a known malicious app id is a substring

* ruff syntax fixes

---------

Co-authored-by: Viktor <vik@tor.me>
Co-authored-by: besendorf <janik@besendorf.org>

.github/workflows/tests.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ['3.10', '3.11', '3.12', '3.13']
+        python-version: ['3.10', '3.11', '3.12', '3.13', '3.14']
 
     steps:
       - uses: actions/checkout@v4

Makefile

@@ -1,14 +1,9 @@
 PWD = $(shell pwd)
 
-autofix:
-	ruff format .
-	ruff check --fix .
-
 check: ruff mypy
 
 ruff:
-	ruff format --check .
-	ruff check -q .
+	ruff check .
 
 mypy:
 	mypy

SECURITY.md

@@ -2,4 +2,61 @@
 
 Thank you for your interest in reporting security issues and vulnerabilities! Security research is of utmost importance and we take all reports seriously. If you discover an issue please report it to us right away!
 
-Please DO NOT file a public issue, instead send your report privately to *nex [at] nex [dot] sx*. You can also write PGP-encrypted emails to [this key](https://keybase.io/nex/pgp_keys.asc?fingerprint=05216f3b86848a303c2fe37dd166f1667359d880).
+Please DO NOT file a public issue, instead send your report privately to the MVT maintainers at Amnesty International via `security [at] amnesty [dot] tech`.
+
+You can also write PGP-encrypted emails to key `CFBF9698DCA8EB2A80F48ADEA035A030FA04ED13`. The corresponding PGP public key is lited below.
+
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGlFPwsBEADQ+d7SeHrFPYv3wPOjWs2oMpp0DPdfIyGbg+iYWOC36FegZhKY
++WeK96GqJWt8wD6kwFUVwQI795WZrjSd1q4a7wR+kj/h7xlRB6ZfVICA6O5DOOm6
+GNMvqy7ESm8g1XZDpb2u1BXmSS9X8f6rjB0e86kYsF1mB5/2USTM63jgDs0GGTkZ
+Q1z4Mq4gYyqH32b3gvXkbb68LeQmONUIM3cgmec9q8/pNc1l7fcoLWhOVADRj17Q
+plisa/EUf/SYqdtk9w7EHGggNenKNwVM235mkPcMqmE72bTpjT6XCxvZY3ByG5yi
+7L+tHJU45ZuXtt62EvX03azxThVfSmH/WbRk8lH8+CW8XMmiWZphG4ydPWqgVKCB
+2UOXm+6CQnKA+7Dt1AeK2t5ciATrv9LvwgSxk5WKc3288XFLA6eGMrTdQygYlLjJ
++42RSdK/7fCt/qk4q13oUw8ZTVcCia98uZFi704XuuYTH6NrntIB7j/0oucIS4Y9
+cTWNO5LBerez4v8VI4YHcYESPeIWGFkXhvJzo0VMg1zidBLtiPoGF2JKZGwaK7/p
+yY1xALskLp4H+5OY4eB1kf8kl4vGsEK8xA/NNzOiapVmwBXpvVvmXIQJE2k+olNf
+sAuyB8+aO1Ws7tFYt3D+olC7iaprOdK7uA4GCgmYYhq6QQPg+cxfczgHfwARAQAB
+tD1TZWN1cml0eSBMYWIgYXQgQW1uZXN0eSBJbnRlcm5hdGlvbmFsIDxzZWN1cml0
+eUBhbW5lc3R5LnRlY2g+iQJRBBMBCAA7FiEEz7+WmNyo6yqA9IreoDWgMPoE7RMF
+AmlFPwsCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQoDWgMPoE7RNr
+2w//a88uP90uSN6lgeIwKsHr1ri27QIBbzCV6hLN/gZBFR2uaiOn/xfFDbnR0Cjo
+5nMCJCT1k4nrPbMTlfmWLCD+YKELBzVqWlw4J2SOg3nznPl2JrL8QBKjwts0sF+h
+QbRWDsT54wBZnl6ZJJ79eLShNTokBbKnQ7071dMrENr5e2P2sClQXyiIc51ga4FM
+fHyhsx+GsrdiZNd2AH8912ljW1GuEi3epTO7KMZprmr37mjpZSUToiV59Yhl1Gbo
+2pixkYJqi62DG02/gTpCjq9NH3cEMxcxjh4E7yCA8ggLG6+IN6woIvPIdOsnQ+Yj
+d3H4rMNBjPSKoL+bdHILkCnp5HokcbVjNY3QAyOAF4qWhk4GtgpTshwxUmb4Tbay
+tWLJC2bzjuUBxLkGzMVFfU3B96sVS4Fi0sBaEMBtHskl2f45X8LJhSq//Lw/2L/8
+34uP/RxDSn+DPvj/yqMpekdCcmeFSTX1A19xkPcc0rVhMRde4VL338R86vzh0gMI
+1LySDAhXZyVWzrQ5s3n6N3EvCaHCn3qu7ieyFJifCSR7gZqevCEznMQRVpkMTzUt
+rk13Z6NOOb4IlTW7HFoY3omJG8Z5jV4kMIE7n6nb0qpNYQiG+YvjenQ3VrMoISyh
+lpS2De8+oOtwrxBVX3+qKWvQqzufeE3416kw2Z+5mxH7bx25Ag0EaUU/CwEQALyZ
+b+kwLN1yHObTm2yDBEn5HbCT3H1GremvPNmbAaTnfrjUngoKa8MuWWzbX5ptgmZR
+UpYY/ylOYcgGydz58vUNrPlhIZT9UhmiifPgZLEXyd0uFpr/NsbRajHMkK10iEZf
+h5bHNobiB7pGCu4Uj9e1cMiIZ4yEaYeyXYUoNHf6ISP39mJhHy6ov5yIpm9q0wzm
+tGUQPupxGXmEZlOPr3lxqXQ3Ekdv6cWDY5r/oOq71QJ/HUQ13QUuGFIbhnMbT8zd
+zaS6f/v772YKsWPc4NNUhtlf25VnQ4FuUtjCe3p6iYP4OVD8gJm0GvXyvyTuiQbL
+CSk/378JiNT7nZzYXxrWchMwvEoMIU55+/UaBc50HI5xvDQ858CX7PYGiimcdsO1
+EkQzhVxRfjlILfWrC2lgt+H5qhTn4Fah250Xe1PnLjXGHVUQnY/f3MFeiWQgf92b
+02+MfvOeC5OKttP1z5lcx6RFWCIa1E/u8Nj7YrH9hk0ZBRAnBaeAncDFY8dfX2zX
+VMoc0dV16gM7RrZ6i7D3CG3eLLkQlX0jbW9dzTuG/3f098EWB1p8vOfS/RbNCBRX
+jqGiqacL/aFF3Ci3nQ4O5tSv1XipbgrUhvXnwm9pxrLPS/45iaO59WN4RRGWLLQ7
+LHmeBxoa9avv0SdBYUL+eBxY46GXb/j5VLzHYhSnABEBAAGJAjYEGAEIACAWIQTP
+v5aY3KjrKoD0it6gNaAw+gTtEwUCaUU/CwIbDAAKCRCgNaAw+gTtEyvsEACnyFFD
+alOZTrrJTXNnUejuiExLh+qTO3T91p5bte597jpwCZnYGwkxEfffsqqhlY6ftEOf
+d5tNWE5isai4v8XCbplWomz4KBpepxcn2b+9o5dSyr1vohEFuCJziZDsta1J2DX5
+IE9U48kTgLDfdIBhuOyHNRkvXRHP2OVLCaiw4d9q+hlrraR8pehHt2BJSxh+QZoe
+n0iHvIZCBIUA45zLEGmXFpNTGeEf2dKPp3xOkAXOhAMPptE0V1itkF3R7kEW4aFO
+SZo8L3C1aWSz/gQ4/vvW5t1IJxirNMUgTMQFvqEkAwX3fm6GCxlgRSvTTRXdcrS8
+6qyFdH1nkCNsavPahN3N2RGGIlWtODEMTO1Hjy0kZtTYdW+JH9sendliCoJES+yN
+DjM125SgdAgrqlSYm/g8n9knWpxZv1QM6jU/sVz1J+l6/ixugL2i+CAL2d6uv4tT
+QmXnu7Ei4/2kHBUu3Lf59MNgmLHm6F7AhOWErszSeoJKsp+3yA1oTT/npz67sRzY
+VVyxz4NBIollna59a1lz0RhlWzNKqNB27jhylyM4ltdzHB7r4VMAVJyttozmIIOC
+35ucYxl5BHLuapaRSaYHdUId1LOccYyaOOFF/PSyCu9dKzXk7zEz2HNcIboWSkAE
+8ZDExMYM4WVpVCOj+frdsaBvzItHacRWuijtkw==
+=JAXX
+-----END PGP PUBLIC KEY BLOCK-----
+```

docs/android/adb.md

@@ -16,6 +16,12 @@ Now you can try launching MVT with:
 mvt-android check-adb --output /path/to/results
 ```
 
+!!! warning
+    The `check-adb` command is deprecated and will be removed in a future release.
+    Whenever possible, prefer acquiring device data using the AndroidQF project (https://github.com/mvt-project/androidqf/) and then analyze those acquisitions with MVT.
+
+    Running `mvt-android check-adb` will also emit a runtime deprecation warning advising you to migrate to AndroidQF.
+
 If you have previously started an adb daemon MVT will alert you and require you to kill it with `adb kill-server` and relaunch the command.
 
 !!! warning
@@ -37,6 +43,14 @@ mvt-android check-adb --serial 192.168.1.20:5555 --output /path/to/results
 
 Where `192.168.1.20` is the correct IP address of your device.
 
+!!! warning
+    The `check-adb` workflow shown above is deprecated. If you can acquire an AndroidQF acquisition from the device (recommended), use the AndroidQF project to create that acquisition: https://github.com/mvt-project/androidqf/
+    
+    AndroidQF acquisitions provide a more stable, reproducible analysis surface and are the preferred workflow going forward.
+
 ## MVT modules requiring root privileges
 
+!!! warning
+    Deprecated: many `mvt-android check-adb` workflows are deprecated and will be removed in a future release. Whenever possible, prefer acquiring an AndroidQF acquisition using the AndroidQF project (https://github.com/mvt-project/androidqf/). 
+
 Of the currently available `mvt-android check-adb` modules a handful require root privileges to function correctly. This is because certain files, such as browser history and SMS messages databases are not accessible with user privileges through adb. These modules are to be considered OPTIONALLY available in case the device was already jailbroken. **Do NOT jailbreak your own device unless you are sure of what you are doing!** Jailbreaking your phone exposes it to considerable security risks!

pyproject.toml

@@ -17,21 +17,21 @@ classifiers = [
     "Programming Language :: Python",
 ]
 dependencies = [
-    "click==8.2.1",
+    "click==8.3.0",
     "rich==14.1.0",
     "tld==0.13.1",
-    "requests==2.32.4",
-    "simplejson==3.20.1",
+    "requests==2.32.5",
+    "simplejson==3.20.2",
     "packaging==25.0",
     "appdirs==1.4.4",
     "iOSbackup==0.9.925",
     "adb-shell[usb]==0.4.4",
     "libusb1==3.3.1",
-    "cryptography==45.0.6",
+    "cryptography==46.0.3",
     "PyYAML>=6.0.2",
     "pyahocorasick==2.2.0",
     "betterproto==1.2.5",
-    "pydantic==2.11.7",
+    "pydantic==2.12.3",
     "pydantic-settings==2.10.1",
     "NSKeyedUnArchiver==1.5.2",
     "python-dateutil==2.9.0.post0",
@@ -80,7 +80,7 @@ packages = "src"
 addopts = "-ra -q --cov=mvt --cov-report html --junitxml=pytest.xml --cov-report=term-missing:skip-covered"
 testpaths = ["tests"]
 
-[tool.ruff.lint]
+[tool.ruff]
 select = ["C90", "E", "F", "W"] # flake8 default set
 ignore = [
     "E501", # don't enforce line length violations
@@ -95,10 +95,10 @@ ignore = [
     # "E203",  # whitespace-before-punctuation
 ]
 
-[tool.ruff.lint.per-file-ignores]
+[tool.ruff.per-file-ignores]
 "__init__.py" = ["F401"] # unused-import
 
-[tool.ruff.lint.mccabe]
+[tool.ruff.mccabe]
 max-complexity = 10
 
 [tool.setuptools]

src/mvt/android/cli.py

@@ -9,30 +9,30 @@ import click
 
 from mvt.common.cmd_check_iocs import CmdCheckIOCS
 from mvt.common.help import (
-    HELP_MSG_VERSION,
-    HELP_MSG_OUTPUT,
-    HELP_MSG_SERIAL,
-    HELP_MSG_DOWNLOAD_APKS,
-    HELP_MSG_DOWNLOAD_ALL_APKS,
-    HELP_MSG_VIRUS_TOTAL,
+    HELP_MSG_ANDROID_BACKUP_PASSWORD,
     HELP_MSG_APK_OUTPUT,
     HELP_MSG_APKS_FROM_FILE,
-    HELP_MSG_VERBOSE,
     HELP_MSG_CHECK_ADB,
-    HELP_MSG_IOC,
+    HELP_MSG_CHECK_ANDROID_BACKUP,
+    HELP_MSG_CHECK_ANDROIDQF,
+    HELP_MSG_CHECK_BUGREPORT,
+    HELP_MSG_CHECK_IOCS,
+    HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK,
+    HELP_MSG_DISABLE_UPDATE_CHECK,
+    HELP_MSG_DOWNLOAD_ALL_APKS,
+    HELP_MSG_DOWNLOAD_APKS,
     HELP_MSG_FAST,
+    HELP_MSG_HASHES,
+    HELP_MSG_IOC,
     HELP_MSG_LIST_MODULES,
     HELP_MSG_MODULE,
     HELP_MSG_NONINTERACTIVE,
-    HELP_MSG_ANDROID_BACKUP_PASSWORD,
-    HELP_MSG_CHECK_BUGREPORT,
-    HELP_MSG_CHECK_ANDROID_BACKUP,
-    HELP_MSG_CHECK_ANDROIDQF,
-    HELP_MSG_HASHES,
-    HELP_MSG_CHECK_IOCS,
+    HELP_MSG_OUTPUT,
+    HELP_MSG_SERIAL,
     HELP_MSG_STIX2,
-    HELP_MSG_DISABLE_UPDATE_CHECK,
-    HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK,
+    HELP_MSG_VERBOSE,
+    HELP_MSG_VERSION,
+    HELP_MSG_VIRUS_TOTAL,
 )
 from mvt.common.logo import logo
 from mvt.common.updates import IndicatorsUpdates
@@ -201,6 +201,11 @@ def check_adb(
         cmd.list_modules()
         return
 
+    log.warning(
+        "DEPRECATION: The 'check-adb' command is deprecated and may be removed in a future release. "
+        "Prefer acquiring device data using the AndroidQF project (https://github.com/mvt-project/androidqf/) and analyzing that acquisition with MVT."
+    )
+
     log.info("Checking Android device over debug bridge")
 
     cmd.run()

src/mvt/android/cmd_check_adb.py

@@ -7,6 +7,7 @@ import logging
 from typing import Optional
 
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.adb import ADB_MODULES
 
@@ -19,9 +20,12 @@ class CmdAndroidCheckADB(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
         disable_version_check: bool = False,
         disable_indicator_check: bool = False,
     ) -> None:
@@ -29,9 +33,12 @@ class CmdAndroidCheckADB(Command):
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
+            hashes=hashes,
+            sub_command=sub_command,
             log=log,
             disable_version_check=disable_version_check,
             disable_indicator_check=disable_indicator_check,

src/mvt/android/cmd_check_androidqf.py

@@ -9,23 +9,41 @@ import zipfile
 from pathlib import Path
 from typing import List, Optional
 
+from mvt.android.cmd_check_backup import CmdAndroidCheckBackup
+from mvt.android.cmd_check_bugreport import CmdAndroidCheckBugreport
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.androidqf import ANDROIDQF_MODULES
+from .modules.androidqf.base import AndroidQFModule
 
 log = logging.getLogger(__name__)
 
 
+class NoAndroidQFTargetPath(Exception):
+    pass
+
+
+class NoAndroidQFBugReport(Exception):
+    pass
+
+
+class NoAndroidQFBackup(Exception):
+    pass
+
+
 class CmdAndroidCheckAndroidQF(Command):
     def __init__(
         self,
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
         disable_version_check: bool = False,
         disable_indicator_check: bool = False,
     ) -> None:
@@ -33,10 +51,12 @@ class CmdAndroidCheckAndroidQF(Command):
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
             disable_version_check=disable_version_check,
             disable_indicator_check=disable_indicator_check,
@@ -45,27 +65,130 @@ class CmdAndroidCheckAndroidQF(Command):
         self.name = "check-androidqf"
         self.modules = ANDROIDQF_MODULES
 
-        self.format: Optional[str] = None
-        self.archive: Optional[zipfile.ZipFile] = None
-        self.files: List[str] = []
+        self.__format: Optional[str] = None
+        self.__zip: Optional[zipfile.ZipFile] = None
+        self.__files: List[str] = []
 
     def init(self):
         if os.path.isdir(self.target_path):
-            self.format = "dir"
+            self.__format = "dir"
             parent_path = Path(self.target_path).absolute().parent.as_posix()
             target_abs_path = os.path.abspath(self.target_path)
             for root, subdirs, subfiles in os.walk(target_abs_path):
                 for fname in subfiles:
                     file_path = os.path.relpath(os.path.join(root, fname), parent_path)
-                    self.files.append(file_path)
+                    self.__files.append(file_path)
         elif os.path.isfile(self.target_path):
-            self.format = "zip"
-            self.archive = zipfile.ZipFile(self.target_path)
-            self.files = self.archive.namelist()
+            self.__format = "zip"
+            self.__zip = zipfile.ZipFile(self.target_path)
+            self.__files = self.__zip.namelist()
 
-    def module_init(self, module):
-        if self.format == "zip":
-            module.from_zip_file(self.archive, self.files)
+    def module_init(self, module: AndroidQFModule) -> None:  # type: ignore[override]
+        if self.__format == "zip" and self.__zip:
+            module.from_zip(self.__zip, self.__files)
+            return
+
+        if not self.target_path:
+            raise NoAndroidQFTargetPath
+
+        parent_path = Path(self.target_path).absolute().parent.as_posix()
+        module.from_dir(parent_path, self.__files)
+
+    def load_bugreport(self) -> zipfile.ZipFile:
+        bugreport_zip_path = None
+        for file_name in self.__files:
+            if file_name.endswith("bugreport.zip"):
+                bugreport_zip_path = file_name
+                break
         else:
+            raise NoAndroidQFBugReport
+
+        if self.__format == "zip" and self.__zip:
+            handle = self.__zip.open(bugreport_zip_path)
+            return zipfile.ZipFile(handle)
+
+        if self.__format == "dir" and self.target_path:
             parent_path = Path(self.target_path).absolute().parent.as_posix()
-            module.from_folder(parent_path, self.files)
+            bug_report_path = os.path.join(parent_path, bugreport_zip_path)
+            return zipfile.ZipFile(bug_report_path)
+
+        raise NoAndroidQFBugReport
+
+    def load_backup(self) -> bytes:
+        backup_ab_path = None
+        for file_name in self.__files:
+            if file_name.endswith("backup.ab"):
+                backup_ab_path = file_name
+                break
+        else:
+            raise NoAndroidQFBackup
+
+        if self.__format == "zip" and self.__zip:
+            backup_file_handle = self.__zip.open(backup_ab_path)
+            return backup_file_handle.read()
+
+        if self.__format == "dir" and self.target_path:
+            parent_path = Path(self.target_path).absolute().parent.as_posix()
+            backup_path = os.path.join(parent_path, backup_ab_path)
+            with open(backup_path, "rb") as backup_file:
+                backup_ab_data = backup_file.read()
+            return backup_ab_data
+
+        raise NoAndroidQFBackup
+
+    def run_bugreport_cmd(self) -> bool:
+        try:
+            bugreport = self.load_bugreport()
+        except NoAndroidQFBugReport:
+            self.log.warning(
+                "Skipping bugreport modules as no bugreport.zip found in AndroidQF data."
+            )
+            return False
+        else:
+            cmd = CmdAndroidCheckBugreport(
+                target_path=None,
+                results_path=self.results_path,
+                ioc_files=self.ioc_files,
+                iocs=self.iocs,
+                module_options=self.module_options,
+                hashes=self.hashes,
+                sub_command=True,
+            )
+            cmd.from_zip(bugreport)
+            cmd.run()
+
+            self.detected_count += cmd.detected_count
+            self.timeline.extend(cmd.timeline)
+            self.timeline_detected.extend(cmd.timeline_detected)
+
+    def run_backup_cmd(self) -> bool:
+        try:
+            backup = self.load_backup()
+        except NoAndroidQFBackup:
+            self.log.warning(
+                "Skipping backup modules as no backup.ab found in AndroidQF data."
+            )
+            return False
+        else:
+            cmd = CmdAndroidCheckBackup(
+                target_path=None,
+                results_path=self.results_path,
+                ioc_files=self.ioc_files,
+                iocs=self.iocs,
+                module_options=self.module_options,
+                hashes=self.hashes,
+                sub_command=True,
+            )
+            cmd.from_ab(backup)
+            cmd.run()
+
+            self.detected_count += cmd.detected_count
+            self.timeline.extend(cmd.timeline)
+            self.timeline_detected.extend(cmd.timeline_detected)
+
+    def finish(self) -> None:
+        """
+        Run the bugreport and backup modules if the respective files are found in the AndroidQF data.
+        """
+        self.run_bugreport_cmd()
+        self.run_backup_cmd()

src/mvt/android/cmd_check_backup.py

@@ -20,6 +20,7 @@ from mvt.android.parsers.backup import (
     parse_backup_file,
 )
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.backup import BACKUP_MODULES
 
@@ -32,10 +33,12 @@ class CmdAndroidCheckBackup(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
         disable_version_check: bool = False,
         disable_indicator_check: bool = False,
     ) -> None:
@@ -43,10 +46,12 @@ class CmdAndroidCheckBackup(Command):
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
             disable_version_check=disable_version_check,
             disable_indicator_check=disable_indicator_check,
@@ -59,6 +64,34 @@ class CmdAndroidCheckBackup(Command):
         self.backup_archive: Optional[tarfile.TarFile] = None
         self.backup_files: List[str] = []
 
+    def from_ab(self, ab_file_bytes: bytes) -> None:
+        self.backup_type = "ab"
+        header = parse_ab_header(ab_file_bytes)
+        if not header["backup"]:
+            log.critical("Invalid backup format, file should be in .ab format")
+            sys.exit(1)
+
+        password = None
+        if header["encryption"] != "none":
+            password = prompt_or_load_android_backup_password(log, self.module_options)
+            if not password:
+                log.critical("No backup password provided.")
+                sys.exit(1)
+        try:
+            tardata = parse_backup_file(ab_file_bytes, password=password)
+        except InvalidBackupPassword:
+            log.critical("Invalid backup password")
+            sys.exit(1)
+        except AndroidBackupParsingError as exc:
+            log.critical("Impossible to parse this backup file: %s", exc)
+            log.critical("Please use Android Backup Extractor (ABE) instead")
+            sys.exit(1)
+
+        dbytes = io.BytesIO(tardata)
+        self.backup_archive = tarfile.open(fileobj=dbytes)
+        for member in self.backup_archive:
+            self.backup_files.append(member.name)
+
     def init(self) -> None:
         if not self.target_path:
             return
@@ -66,35 +99,8 @@ class CmdAndroidCheckBackup(Command):
         if os.path.isfile(self.target_path):
             self.backup_type = "ab"
             with open(self.target_path, "rb") as handle:
-                data = handle.read()
-
-            header = parse_ab_header(data)
-            if not header["backup"]:
-                log.critical("Invalid backup format, file should be in .ab format")
-                sys.exit(1)
-
-            password = None
-            if header["encryption"] != "none":
-                password = prompt_or_load_android_backup_password(
-                    log, self.module_options
-                )
-                if not password:
-                    log.critical("No backup password provided.")
-                    sys.exit(1)
-            try:
-                tardata = parse_backup_file(data, password=password)
-            except InvalidBackupPassword:
-                log.critical("Invalid backup password")
-                sys.exit(1)
-            except AndroidBackupParsingError as exc:
-                log.critical("Impossible to parse this backup file: %s", exc)
-                log.critical("Please use Android Backup Extractor (ABE) instead")
-                sys.exit(1)
-
-            dbytes = io.BytesIO(tardata)
-            self.backup_archive = tarfile.open(fileobj=dbytes)
-            for member in self.backup_archive:
-                self.backup_files.append(member.name)
+                ab_file_bytes = handle.read()
+            self.from_ab(ab_file_bytes)
 
         elif os.path.isdir(self.target_path):
             self.backup_type = "folder"
@@ -113,6 +119,6 @@ class CmdAndroidCheckBackup(Command):
 
     def module_init(self, module: BackupExtraction) -> None:  # type: ignore[override]
         if self.backup_type == "folder":
-            module.from_folder(self.target_path, self.backup_files)
+            module.from_dir(self.target_path, self.backup_files)
         else:
             module.from_ab(self.target_path, self.backup_archive, self.backup_files)

src/mvt/android/cmd_check_bugreport.py

@@ -11,6 +11,7 @@ from zipfile import ZipFile
 
 from mvt.android.modules.bugreport.base import BugReportModule
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.bugreport import BUGREPORT_MODULES
 
@@ -23,10 +24,12 @@ class CmdAndroidCheckBugreport(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
         disable_version_check: bool = False,
         disable_indicator_check: bool = False,
     ) -> None:
@@ -34,10 +37,12 @@ class CmdAndroidCheckBugreport(Command):
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
             disable_version_check=disable_version_check,
             disable_indicator_check=disable_indicator_check,
@@ -46,35 +51,53 @@ class CmdAndroidCheckBugreport(Command):
         self.name = "check-bugreport"
         self.modules = BUGREPORT_MODULES
 
-        self.bugreport_format: str = ""
-        self.bugreport_archive: Optional[ZipFile] = None
-        self.bugreport_files: List[str] = []
+        self.__format: str = ""
+        self.__zip: Optional[ZipFile] = None
+        self.__files: List[str] = []
+
+    def from_dir(self, dir_path: str) -> None:
+        """This method is used to initialize the bug report analysis from an
+        uncompressed directory.
+        """
+        self.__format = "dir"
+        self.target_path = dir_path
+        parent_path = Path(dir_path).absolute().as_posix()
+        for root, _, subfiles in os.walk(os.path.abspath(dir_path)):
+            for file_name in subfiles:
+                file_path = os.path.relpath(os.path.join(root, file_name), parent_path)
+                self.__files.append(file_path)
+
+    def from_zip(self, bugreport_zip: ZipFile) -> None:
+        """This method is used to initialize the bug report analysis from a
+        compressed archive.
+        """
+        # NOTE: This will be invoked either by the CLI directly,or by the
+        # check-androidqf command. We need this because we want to support
+        # check-androidqf to analyse compressed archives itself too.
+        # So, we'll need to extract bugreport.zip from a 'androidqf.zip', and
+        # since nothing is written on disk, we need to be able to pass this
+        # command a ZipFile instance in memory.
+
+        self.__format = "zip"
+        self.__zip = bugreport_zip
+        for file_name in self.__zip.namelist():
+            self.__files.append(file_name)
 
     def init(self) -> None:
         if not self.target_path:
             return
 
         if os.path.isfile(self.target_path):
-            self.bugreport_format = "zip"
-            self.bugreport_archive = ZipFile(self.target_path)
-            for file_name in self.bugreport_archive.namelist():
-                self.bugreport_files.append(file_name)
+            self.from_zip(ZipFile(self.target_path))
         elif os.path.isdir(self.target_path):
-            self.bugreport_format = "dir"
-            parent_path = Path(self.target_path).absolute().as_posix()
-            for root, _, subfiles in os.walk(os.path.abspath(self.target_path)):
-                for file_name in subfiles:
-                    file_path = os.path.relpath(
-                        os.path.join(root, file_name), parent_path
-                    )
-                    self.bugreport_files.append(file_path)
+            self.from_dir(self.target_path)
 
     def module_init(self, module: BugReportModule) -> None:  # type: ignore[override]
-        if self.bugreport_format == "zip":
-            module.from_zip(self.bugreport_archive, self.bugreport_files)
+        if self.__format == "zip":
+            module.from_zip(self.__zip, self.__files)
         else:
-            module.from_folder(self.target_path, self.bugreport_files)
+            module.from_dir(self.target_path, self.__files)
 
     def finish(self) -> None:
-        if self.bugreport_archive:
-            self.bugreport_archive.close()
+        if self.__zip:
+            self.__zip.close()

src/mvt/android/modules/adb/__init__.py

@@ -4,15 +4,7 @@
 #   https://license.mvt.re/1.1/
 
 from .chrome_history import ChromeHistory
-from .dumpsys_accessibility import DumpsysAccessibility
-from .dumpsys_activities import DumpsysActivities
-from .dumpsys_appops import DumpsysAppOps
-from .dumpsys_battery_daily import DumpsysBatteryDaily
-from .dumpsys_battery_history import DumpsysBatteryHistory
-from .dumpsys_dbinfo import DumpsysDBInfo
-from .dumpsys_adbstate import DumpsysADBState
 from .dumpsys_full import DumpsysFull
-from .dumpsys_receivers import DumpsysReceivers
 from .files import Files
 from .getprop import Getprop
 from .logcat import Logcat
@@ -32,15 +24,7 @@ ADB_MODULES = [
     Getprop,
     Settings,
     SELinuxStatus,
-    DumpsysBatteryHistory,
-    DumpsysBatteryDaily,
-    DumpsysReceivers,
-    DumpsysActivities,
-    DumpsysAccessibility,
-    DumpsysDBInfo,
-    DumpsysADBState,
     DumpsysFull,
-    DumpsysAppOps,
     Packages,
     Logcat,
     RootBinaries,

src/mvt/android/modules/adb/dumpsys_accessibility.py

@@ -1,49 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysAccessibility(DumpsysAccessibilityArtifact, AndroidExtraction):
-    """This module extracts stats on accessibility."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys accessibility")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        for result in self.results:
-            self.log.info(
-                'Found installed accessibility service "%s"', result.get("service")
-            )
-
-        self.log.info(
-            "Identified a total of %d accessibility services", len(self.results)
-        )

src/mvt/android/modules/adb/dumpsys_activities.py

@@ -1,45 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_package_activities import (
-    DumpsysPackageActivitiesArtifact,
-)
-
-from .base import AndroidExtraction
-
-
-class DumpsysActivities(DumpsysPackageActivitiesArtifact, AndroidExtraction):
-    """This module extracts details on receivers for risky activities."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else []
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys package")
-        self._adb_disconnect()
-        self.parse(output)
-
-        self.log.info("Extracted %d package activities", len(self.results))

src/mvt/android/modules/adb/dumpsys_adbstate.py

@@ -1,45 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_adb import DumpsysADBArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysADBState(DumpsysADBArtifact, AndroidExtraction):
-    """This module extracts ADB keystore state."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys adb", decode=False)
-        self._adb_disconnect()
-
-        self.parse(output)
-        if self.results:
-            self.log.info(
-                "Identified a total of %d trusted ADB keys",
-                len(self.results[0].get("user_keys", [])),
-            )

src/mvt/android/modules/adb/dumpsys_appops.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysAppOps(DumpsysAppopsArtifact, AndroidExtraction):
-    """This module extracts records from App-op Manager."""
-
-    slug = "dumpsys_appops"
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys appops")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info(
-            "Extracted a total of %d records from app-ops manager", len(self.results)
-        )

src/mvt/android/modules/adb/dumpsys_battery_daily.py

@@ -1,44 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysBatteryDaily(DumpsysBatteryDailyArtifact, AndroidExtraction):
-    """This module extracts records from battery daily updates."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys batterystats --daily")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info(
-            "Extracted %d records from battery daily stats", len(self.results)
-        )

src/mvt/android/modules/adb/dumpsys_battery_history.py

@@ -1,42 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysBatteryHistory(DumpsysBatteryHistoryArtifact, AndroidExtraction):
-    """This module extracts records from battery history events."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys batterystats --history")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info("Extracted %d records from battery history", len(self.results))

src/mvt/android/modules/adb/dumpsys_dbinfo.py

@@ -1,47 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysDBInfo(DumpsysDBInfoArtifact, AndroidExtraction):
-    """This module extracts records from battery daily updates."""
-
-    slug = "dumpsys_dbinfo"
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys dbinfo")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info(
-            "Extracted a total of %d records from database information",
-            len(self.results),
-        )

src/mvt/android/modules/adb/dumpsys_receivers.py

@@ -1,44 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysReceivers(DumpsysReceiversArtifact, AndroidExtraction):
-    """This module extracts details on receivers for risky activities."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else {}
-
-    def run(self) -> None:
-        self._adb_connect()
-
-        output = self._adb_command("dumpsys package")
-        self.parse(output)
-
-        self._adb_disconnect()
-        self.log.info("Extracted receivers for %d intents", len(self.results))

src/mvt/android/modules/androidqf/__init__.py

@@ -3,42 +3,22 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-from .dumpsys_accessibility import DumpsysAccessibility
-from .dumpsys_activities import DumpsysActivities
-from .dumpsys_appops import DumpsysAppops
-from .dumpsys_battery_daily import DumpsysBatteryDaily
-from .dumpsys_battery_history import DumpsysBatteryHistory
-from .dumpsys_dbinfo import DumpsysDBInfo
-from .dumpsys_packages import DumpsysPackages
-from .dumpsys_receivers import DumpsysReceivers
-from .dumpsys_adb import DumpsysADBState
-from .getprop import Getprop
-from .packages import Packages
-from .dumpsys_platform_compat import DumpsysPlatformCompat
-from .processes import Processes
-from .settings import Settings
-from .sms import SMS
-from .files import Files
-from .root_binaries import RootBinaries
+from .aqf_files import AQFFiles
+from .aqf_getprop import AQFGetProp
+from .aqf_packages import AQFPackages
+from .aqf_processes import AQFProcesses
+from .aqf_settings import AQFSettings
 from .mounts import Mounts
+from .root_binaries import RootBinaries
+from .sms import SMS
 
 ANDROIDQF_MODULES = [
-    DumpsysActivities,
-    DumpsysReceivers,
-    DumpsysAccessibility,
-    DumpsysAppops,
-    DumpsysDBInfo,
-    DumpsysBatteryDaily,
-    DumpsysBatteryHistory,
-    DumpsysADBState,
-    Packages,
-    DumpsysPlatformCompat,
-    Processes,
-    Getprop,
-    Settings,
+    AQFPackages,
+    AQFProcesses,
+    AQFGetProp,
+    AQFSettings,
+    AQFFiles,
     SMS,
-    DumpsysPackages,
-    Files,
     RootBinaries,
     Mounts,
 ]

src/mvt/android/modules/androidqf/aqf_files.py

@@ -21,8 +21,13 @@ SUSPICIOUS_PATHS = [
 ]
 
 
-class Files(AndroidQFModule):
-    """This module analyse list of files"""
+class AQFFiles(AndroidQFModule):
+    """
+    This module analyzes the files.json dump generated by AndroidQF.
+
+    The format needs to be kept in sync with the AndroidQF module code.
+    https://github.com/mvt-project/androidqf/blob/main/android-collector/cmd/find.go#L28
+    """
 
     def __init__(
         self,

src/mvt/android/modules/androidqf/aqf_getprop.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.getprop import GetProp as GetPropArtifact
 from .base import AndroidQFModule
 
 
-class Getprop(GetPropArtifact, AndroidQFModule):
+class AQFGetProp(GetPropArtifact, AndroidQFModule):
     """This module extracts data from get properties."""
 
     def __init__(

src/mvt/android/modules/androidqf/aqf_log_timestamps.py

@@ -13,10 +13,10 @@ from .base import AndroidQFModule
 from mvt.android.artifacts.file_timestamps import FileTimestampsArtifact
 
 
-class LogsFileTimestamps(FileTimestampsArtifact, AndroidQFModule):
-    """This module extracts records from battery daily updates."""
+class AQFLogTimestamps(FileTimestampsArtifact, AndroidQFModule):
+    """This module creates timeline for log files extracted by AQF."""
 
-    slug = "logfile_timestamps"
+    slug = "aqf_log_timestamps"
 
     def __init__(
         self,

src/mvt/android/modules/androidqf/aqf_packages.py

@@ -19,7 +19,7 @@ from mvt.android.utils import (
 from .base import AndroidQFModule
 
 
-class Packages(AndroidQFModule):
+class AQFPackages(AndroidQFModule):
     """This module examines the installed packages in packages.json"""
 
     def __init__(

src/mvt/android/modules/androidqf/aqf_processes.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.processes import Processes as ProcessesArtifact
 from .base import AndroidQFModule
 
 
-class Processes(ProcessesArtifact, AndroidQFModule):
+class AQFProcesses(ProcessesArtifact, AndroidQFModule):
     """This module analyse running processes"""
 
     def __init__(

src/mvt/android/modules/androidqf/aqf_settings.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.settings import Settings as SettingsArtifact
 from .base import AndroidQFModule
 
 
-class Settings(SettingsArtifact, AndroidQFModule):
+class AQFSettings(SettingsArtifact, AndroidQFModule):
     """This module analyse setting files"""
 
     def __init__(

src/mvt/android/modules/androidqf/base.py

@@ -37,11 +37,11 @@ class AndroidQFModule(MVTModule):
         self.files: List[str] = []
         self.archive: Optional[zipfile.ZipFile] = None
 
-    def from_folder(self, parent_path: str, files: List[str]):
+    def from_dir(self, parent_path: str, files: List[str]) -> None:
         self.parent_path = parent_path
         self.files = files
 
-    def from_zip_file(self, archive: zipfile.ZipFile, files: List[str]):
+    def from_zip(self, archive: zipfile.ZipFile, files: List[str]) -> None:
         self.archive = archive
         self.files = files
 

src/mvt/android/modules/androidqf/dumpsys_accessibility.py

@@ -1,51 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysAccessibility(DumpsysAccessibilityArtifact, AndroidQFModule):
-    """This module analyses dumpsys accessibility"""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
-        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE accessibility:")
-        self.parse(content)
-
-        for result in self.results:
-            self.log.info(
-                'Found installed accessibility service "%s"', result.get("service")
-            )
-
-        self.log.info(
-            "Identified a total of %d accessibility services", len(self.results)
-        )

src/mvt/android/modules/androidqf/dumpsys_activities.py

@@ -1,50 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_package_activities import (
-    DumpsysPackageActivitiesArtifact,
-)
-
-from .base import AndroidQFModule
-
-
-class DumpsysActivities(DumpsysPackageActivitiesArtifact, AndroidQFModule):
-    """This module extracts details on receivers for risky activities."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else []
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Get data and extract the dumpsys section
-        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
-        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE package:")
-        # Parse it
-        self.parse(content)
-
-        self.log.info("Extracted %d package activities", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_adb.py

@@ -1,51 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_adb import DumpsysADBArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysADBState(DumpsysADBArtifact, AndroidQFModule):
-    """This module extracts ADB keystore state."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        full_dumpsys = self._get_file_content(dumpsys_file[0])
-        content = self.extract_dumpsys_section(
-            full_dumpsys,
-            b"DUMP OF SERVICE adb:",
-            binary=True,
-        )
-        self.parse(content)
-        if self.results:
-            self.log.info(
-                "Identified a total of %d trusted ADB keys",
-                len(self.results[0].get("user_keys", [])),
-            )

src/mvt/android/modules/androidqf/dumpsys_appops.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysAppops(DumpsysAppopsArtifact, AndroidQFModule):
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Extract section
-        data = self._get_file_content(dumpsys_file[0])
-        section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE appops:"
-        )
-
-        # Parse it
-        self.parse(section)
-        self.log.info("Identified %d applications in AppOps Manager", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_battery_daily.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysBatteryDaily(DumpsysBatteryDailyArtifact, AndroidQFModule):
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Extract section
-        data = self._get_file_content(dumpsys_file[0])
-        section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE batterystats:"
-        )
-
-        # Parse it
-        self.parse(section)
-        self.log.info("Extracted a total of %d battery daily stats", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_battery_history.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysBatteryHistory(DumpsysBatteryHistoryArtifact, AndroidQFModule):
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Extract section
-        data = self._get_file_content(dumpsys_file[0])
-        section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE batterystats:"
-        )
-
-        # Parse it
-        self.parse(section)
-        self.log.info("Extracted a total of %d battery daily stats", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_dbinfo.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysDBInfo(DumpsysDBInfoArtifact, AndroidQFModule):
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        # Extract dumpsys DBInfo section
-        data = self._get_file_content(dumpsys_file[0])
-        section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE dbinfo:"
-        )
-
-        # Parse it
-        self.parse(section)
-        self.log.info("Identified %d DB Info entries", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_packages.py

@@ -1,62 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Any, Dict, List, Optional
-
-from mvt.android.artifacts.dumpsys_packages import DumpsysPackagesArtifact
-from mvt.android.modules.adb.packages import (
-    DANGEROUS_PERMISSIONS,
-    DANGEROUS_PERMISSIONS_THRESHOLD,
-)
-
-from .base import AndroidQFModule
-
-
-class DumpsysPackages(DumpsysPackagesArtifact, AndroidQFModule):
-    """This module analyse dumpsys packages"""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[List[Dict[str, Any]]] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if len(dumpsys_file) != 1:
-            self.log.info("Dumpsys file not found")
-            return
-
-        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
-        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE package:")
-        self.parse(content)
-
-        for result in self.results:
-            dangerous_permissions_count = 0
-            for perm in result["permissions"]:
-                if perm["name"] in DANGEROUS_PERMISSIONS:
-                    dangerous_permissions_count += 1
-
-            if dangerous_permissions_count >= DANGEROUS_PERMISSIONS_THRESHOLD:
-                self.log.info(
-                    'Found package "%s" requested %d potentially dangerous permissions',
-                    result["package_name"],
-                    dangerous_permissions_count,
-                )
-
-        self.log.info("Extracted details on %d packages", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_platform_compat.py

@@ -1,44 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_platform_compat import DumpsysPlatformCompatArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysPlatformCompat(DumpsysPlatformCompatArtifact, AndroidQFModule):
-    """This module extracts details on uninstalled apps."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-
-        data = self._get_file_content(dumpsys_file[0]).decode("utf-8", errors="replace")
-        content = self.extract_dumpsys_section(data, "DUMP OF SERVICE platform_compat:")
-        self.parse(content)
-
-        self.log.info("Found %d uninstalled apps", len(self.results))

src/mvt/android/modules/androidqf/dumpsys_receivers.py

@@ -1,49 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Any, Dict, List, Optional, Union
-
-from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
-
-from .base import AndroidQFModule
-
-
-class DumpsysReceivers(DumpsysReceiversArtifact, AndroidQFModule):
-    """This module analyse dumpsys receivers"""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Union[List[Any], Dict[str, Any], None] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else {}
-
-    def run(self) -> None:
-        dumpsys_file = self._get_files_by_pattern("*/dumpsys.txt")
-        if not dumpsys_file:
-            return
-        data = self._get_file_content(dumpsys_file[0])
-
-        dumpsys_section = self.extract_dumpsys_section(
-            data.decode("utf-8", errors="replace"), "DUMP OF SERVICE package:"
-        )
-
-        self.parse(dumpsys_section)
-
-        self.log.info("Extracted receivers for %d intents", len(self.results))

src/mvt/android/modules/androidqf/sms.py

@@ -19,7 +19,13 @@ from .base import AndroidQFModule
 
 
 class SMS(AndroidQFModule):
-    """This module analyse SMS file in backup"""
+    """
+    This module analyse SMS file in backup
+
+    XXX: We should also de-duplicate this AQF module, but first we
+    need to add tests for loading encrypted SMS backups through the backup
+    sub-module.
+    """
 
     def __init__(
         self,

src/mvt/android/modules/backup/base.py

@@ -37,10 +37,7 @@ class BackupExtraction(MVTModule):
         self.tar = None
         self.files = []
 
-    def from_folder(self, backup_path: Optional[str], files: List[str]) -> None:
-        """
-        Get all the files and list them
-        """
+    def from_dir(self, backup_path: Optional[str], files: List[str]) -> None:
         self.backup_path = backup_path
         self.files = files
 
@@ -58,14 +55,16 @@ class BackupExtraction(MVTModule):
         return fnmatch.filter(self.files, pattern)
 
     def _get_file_content(self, file_path: str) -> bytes:
-        if self.ab:
+        if self.tar:
             try:
                 member = self.tar.getmember(file_path)
             except KeyError:
                 return None
             handle = self.tar.extractfile(member)
-        else:
+        elif self.backup_path:
             handle = open(os.path.join(self.backup_path, file_path), "rb")
+        else:
+            raise ValueError("No backup path or tar file provided")
 
         data = handle.read()
         handle.close()

src/mvt/android/modules/backup/sms.py

@@ -50,13 +50,13 @@ class SMS(BackupExtraction):
     def run(self) -> None:
         sms_path = "apps/com.android.providers.telephony/d_f/*_sms_backup"
         for file in self._get_files_by_pattern(sms_path):
-            self.log.info("Processing SMS backup file at %s", file)
+            self.log.debug("Processing SMS backup file at %s", file)
             data = self._get_file_content(file)
             self.results.extend(parse_sms_file(data))
 
         mms_path = "apps/com.android.providers.telephony/d_f/*_mms_backup"
         for file in self._get_files_by_pattern(mms_path):
-            self.log.info("Processing MMS backup file at %s", file)
+            self.log.debug("Processing MMS backup file at %s", file)
             data = self._get_file_content(file)
             self.results.extend(parse_sms_file(data))
 

src/mvt/android/modules/bugreport/__init__.py

@@ -3,31 +3,31 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-from .accessibility import Accessibility
-from .activities import Activities
-from .appops import Appops
-from .battery_daily import BatteryDaily
-from .battery_history import BatteryHistory
-from .dbinfo import DBInfo
-from .getprop import Getprop
-from .packages import Packages
-from .platform_compat import PlatformCompat
-from .receivers import Receivers
-from .adb_state import DumpsysADBState
+from .dumpsys_accessibility import DumpsysAccessibility
+from .dumpsys_activities import DumpsysActivities
+from .dumpsys_appops import DumpsysAppops
+from .dumpsys_battery_daily import DumpsysBatteryDaily
+from .dumpsys_battery_history import DumpsysBatteryHistory
+from .dumpsys_dbinfo import DumpsysDBInfo
+from .dumpsys_getprop import DumpsysGetProp
+from .dumpsys_packages import DumpsysPackages
+from .dumpsys_platform_compat import DumpsysPlatformCompat
+from .dumpsys_receivers import DumpsysReceivers
+from .dumpsys_adb_state import DumpsysADBState
 from .fs_timestamps import BugReportTimestamps
 from .tombstones import Tombstones
 
 BUGREPORT_MODULES = [
-    Accessibility,
-    Activities,
-    Appops,
-    BatteryDaily,
-    BatteryHistory,
-    DBInfo,
-    Getprop,
-    Packages,
-    PlatformCompat,
-    Receivers,
+    DumpsysAccessibility,
+    DumpsysActivities,
+    DumpsysAppops,
+    DumpsysBatteryDaily,
+    DumpsysBatteryHistory,
+    DumpsysDBInfo,
+    DumpsysGetProp,
+    DumpsysPackages,
+    DumpsysPlatformCompat,
+    DumpsysReceivers,
     DumpsysADBState,
     BugReportTimestamps,
     Tombstones,

src/mvt/android/modules/bugreport/base.py

@@ -39,9 +39,7 @@ class BugReportModule(MVTModule):
         self.extract_files: List[str] = []
         self.zip_files: List[str] = []
 
-    def from_folder(
-        self, extract_path: Optional[str], extract_files: List[str]
-    ) -> None:
+    def from_dir(self, extract_path: str, extract_files: List[str]) -> None:
         self.extract_path = extract_path
         self.extract_files = extract_files
 

src/mvt/android/modules/bugreport/dumpsys_accessibility.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArti
 from .base import BugReportModule
 
 
-class Accessibility(DumpsysAccessibilityArtifact, BugReportModule):
+class DumpsysAccessibility(DumpsysAccessibilityArtifact, BugReportModule):
     """This module extracts stats on accessibility."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_activities.py

@@ -13,7 +13,7 @@ from mvt.android.artifacts.dumpsys_package_activities import (
 from .base import BugReportModule
 
 
-class Activities(DumpsysPackageActivitiesArtifact, BugReportModule):
+class DumpsysActivities(DumpsysPackageActivitiesArtifact, BugReportModule):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_appops.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
 from .base import BugReportModule
 
 
-class Appops(DumpsysAppopsArtifact, BugReportModule):
+class DumpsysAppops(DumpsysAppopsArtifact, BugReportModule):
     """This module extracts information on package from App-Ops Manager."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_battery_daily.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtif
 from .base import BugReportModule
 
 
-class BatteryDaily(DumpsysBatteryDailyArtifact, BugReportModule):
+class DumpsysBatteryDaily(DumpsysBatteryDailyArtifact, BugReportModule):
     """This module extracts records from battery daily updates."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_battery_history.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryA
 from .base import BugReportModule
 
 
-class BatteryHistory(DumpsysBatteryHistoryArtifact, BugReportModule):
+class DumpsysBatteryHistory(DumpsysBatteryHistoryArtifact, BugReportModule):
     """This module extracts records from battery daily updates."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_dbinfo.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
 from .base import BugReportModule
 
 
-class DBInfo(DumpsysDBInfoArtifact, BugReportModule):
+class DumpsysDBInfo(DumpsysDBInfoArtifact, BugReportModule):
     """This module extracts records from battery daily updates."""
 
     slug = "dbinfo"

src/mvt/android/modules/bugreport/dumpsys_getprop.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.getprop import GetProp as GetPropArtifact
 from .base import BugReportModule
 
 
-class Getprop(GetPropArtifact, BugReportModule):
+class DumpsysGetProp(GetPropArtifact, BugReportModule):
     """This module extracts device properties from getprop command."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_packages.py

@@ -12,7 +12,7 @@ from mvt.android.utils import DANGEROUS_PERMISSIONS, DANGEROUS_PERMISSIONS_THRES
 from .base import BugReportModule
 
 
-class Packages(DumpsysPackagesArtifact, BugReportModule):
+class DumpsysPackages(DumpsysPackagesArtifact, BugReportModule):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_platform_compat.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_platform_compat import DumpsysPlatformCompatA
 from mvt.android.modules.bugreport.base import BugReportModule
 
 
-class PlatformCompat(DumpsysPlatformCompatArtifact, BugReportModule):
+class DumpsysPlatformCompat(DumpsysPlatformCompatArtifact, BugReportModule):
     """This module extracts details on uninstalled apps."""
 
     def __init__(

src/mvt/android/modules/bugreport/dumpsys_receivers.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
 from .base import BugReportModule
 
 
-class Receivers(DumpsysReceiversArtifact, BugReportModule):
+class DumpsysReceivers(DumpsysReceiversArtifact, BugReportModule):
     """This module extracts details on receivers for risky activities."""
 
     def __init__(
@@ -34,6 +34,20 @@ class Receivers(DumpsysReceiversArtifact, BugReportModule):
 
         self.results = results if results else {}
 
+    def check_indicators(self) -> None:
+        for result in self.results:
+            if self.indicators:
+                receiver_name = self.results[result][0]["receiver"]
+
+                # return IoC if the stix2 process name a substring of the receiver name
+                ioc = self.indicators.check_receiver_prefix(receiver_name)
+                if ioc:
+                    self.results[result][0]["matched_indicator"] = ioc
+                    self.detected.append(result)
+                    continue
+
+
+
     def run(self) -> None:
         content = self._get_dumpstate_file()
         if not content:

src/mvt/common/cmd_check_iocs.py

@@ -22,6 +22,8 @@ class CmdCheckIOCS(Command):
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
         disable_version_check: bool = False,
         disable_indicator_check: bool = False,
     ) -> None:
@@ -32,6 +34,8 @@ class CmdCheckIOCS(Command):
             module_name=module_name,
             serial=serial,
             module_options=module_options,
+            hashes=hashes,
+            sub_command=sub_command,
             log=log,
             disable_version_check=disable_version_check,
             disable_indicator_check=disable_indicator_check,

src/mvt/common/command.py

@@ -27,10 +27,12 @@ class Command:
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
         log: logging.Logger = logging.getLogger(__name__),
         disable_version_check: bool = False,
         disable_indicator_check: bool = False,
@@ -44,6 +46,7 @@ class Command:
         self.module_name = module_name
         self.serial = serial
         self.log = log
+        self.sub_command = sub_command
         self.disable_version_check = disable_version_check
         self.disable_indicator_check = disable_indicator_check
 
@@ -64,8 +67,12 @@ class Command:
         # Load IOCs
         self._create_storage()
         self._setup_logging()
-        self.iocs = Indicators(log=log)
-        self.iocs.load_indicators_files(self.ioc_files)
+
+        if iocs is not None:
+            self.iocs = iocs
+        else:
+            self.iocs = Indicators(self.log)
+            self.iocs.load_indicators_files(self.ioc_files)
 
     def _create_storage(self) -> None:
         if self.results_path and not os.path.exists(self.results_path):
@@ -251,6 +258,10 @@ class Command:
         except NotImplementedError:
             pass
 
+        # We only store the timeline from the parent/main command
+        if self.sub_command:
+            return
+
         self._store_timeline()
         self._store_info()
 

src/mvt/common/help.py

@@ -47,7 +47,7 @@ HELP_MSG_APKS_FROM_FILE = (
     "Instead of acquiring APKs from a phone, load an existing packages.json file for "
     "lookups (mainly for debug purposes)"
 )
-HELP_MSG_CHECK_ADB = "Check an Android device over ADB"
+HELP_MSG_CHECK_ADB = "Deprecated: Check an Android device over ADB. Prefer using the external AndroidQF project (https://github.com/mvt-project/androidqf) to acquire AndroidQF images for analysis."
 HELP_MSG_CHECK_BUGREPORT = "Check an Android Bug Report"
 HELP_MSG_CHECK_ANDROID_BACKUP = "Check an Android Backup"
 HELP_MSG_CHECK_ANDROIDQF = "Check data collected with AndroidQF"

src/mvt/common/indicators.py

@@ -768,6 +768,30 @@ class Indicators:
 
         return None
 
+
+    def check_receiver_prefix(self, receiver_name: str) -> Union[dict, None]:
+        """Check the provided receiver name against the list of indicators.
+        An IoC match is detected when a substring of the receiver matches the indicator
+        :param app_id: App ID to check against the list of indicators
+        :type app_id: str
+        :returns: Indicator details if matched, otherwise None
+
+        """
+        if not receiver_name:
+            return None
+
+        for ioc in self.get_iocs("app_ids"):
+            if ioc["value"].lower() in receiver_name.lower():
+                self.log.warning(
+                    'Found a known suspicious receiver with name "%s" '
+                    'matching indicators from "%s"',
+                    receiver_name,
+                    ioc["name"],
+                )
+                return ioc
+
+        return None
+
     def check_android_property_name(self, property_name: str) -> Optional[dict]:
         """Check the android property name against the list of indicators.
 

src/mvt/common/version.py

@@ -3,4 +3,4 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-MVT_VERSION = "2.6.1"
+MVT_VERSION = "2.7.0"

src/mvt/ios/cmd_check_backup.py

@@ -7,6 +7,7 @@ import logging
 from typing import Optional
 
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.backup import BACKUP_MODULES
 from .modules.mixed import MIXED_MODULES
@@ -20,10 +21,12 @@ class CmdIOSCheckBackup(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
         hashes: bool = False,
+        sub_command: bool = False,
         disable_version_check: bool = False,
         disable_indicator_check: bool = False,
     ) -> None:
@@ -31,10 +34,12 @@ class CmdIOSCheckBackup(Command):
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
             disable_version_check=disable_version_check,
             disable_indicator_check=disable_indicator_check,

src/mvt/ios/cmd_check_fs.py

@@ -7,6 +7,7 @@ import logging
 from typing import Optional
 
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.fs import FS_MODULES
 from .modules.mixed import MIXED_MODULES
@@ -20,10 +21,12 @@ class CmdIOSCheckFS(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
         hashes: bool = False,
+        sub_command: bool = False,
         disable_version_check: bool = False,
         disable_indicator_check: bool = False,
     ) -> None:
@@ -31,9 +34,11 @@ class CmdIOSCheckFS(Command):
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
             disable_version_check=disable_version_check,
             disable_indicator_check=disable_indicator_check,

src/mvt/ios/data/ios_models.json

@@ -194,5 +194,41 @@
     {
         "identifier": "iPhone16,2",
         "description": "iPhone 15 Pro Max"
+    },
+    {
+        "identifier": "iPhone17,1",
+        "description": "iPhone 16 Pro"
+    },
+    {
+        "identifier": "iPhone17,2",
+        "description": "iPhone 16 Pro Max"
+    },
+    {
+        "identifier": "iPhone17,3",
+        "description": "iPhone 16"
+    },
+    {
+        "identifier": "iPhone17,4",
+        "description": "iPhone 16 Plus"
+    },
+    {
+        "identifier": "iPhone17,5",
+        "description": "iPhone 16e"
+    },
+    {
+        "identifier": "iPhone18,1",
+        "description": "iPhone 17 Pro"
+    },
+    {
+        "identifier": "iPhone18,2",
+        "description": "iPhone 17 Pro Max"
+    },
+    {
+        "identifier": "iPhone18,3",
+        "description": "iPhone 17"
+    },
+    {
+        "identifier": "iPhone18,4",
+        "description": "iPhone Air"
     }
 ]

src/mvt/ios/data/ios_versions.json

@@ -631,6 +631,10 @@
         "build": "16H81",
         "version": "12.5.7"
     },
+    {
+        "version": "12.5.8",
+        "build": "16H88"
+    },
     {
         "build": "17A577",
         "version": "13.0"
@@ -899,6 +903,10 @@
         "version": "15.8.5",
         "build": "19H394"
     },
+    {
+        "version": "15.8.6",
+        "build": "19H402"
+    },
     {
         "build": "20A362",
         "version": "16.0"
@@ -1008,6 +1016,10 @@
         "version": "16.7.12",
         "build": "20H364"
     },
+    {
+        "version": "16.7.14",
+        "build": "20H370"
+    },
     {
         "version": "17.0",
         "build": "21A327"
@@ -1156,6 +1168,22 @@
         "version": "18.7",
         "build": "22H20"
     },
+    {
+        "version": "18.7.2",
+        "build": "22H124"
+    },
+    {
+        "version": "18.7.3",
+        "build": "22H217"
+    },
+    {
+        "version": "18.7.4",
+        "build": "22H218"
+    },
+    {
+        "version": "18.7.5",
+        "build": "22H311"
+    },
     {
         "version": "26",
         "build": "23A341"
@@ -1163,5 +1191,21 @@
     {
         "version": "26.0.1",
         "build": "23A355"
+    },
+    {
+        "version": "26.1",
+        "build": "23B85"
+    },
+    {
+        "version": "26.2",
+        "build": "23C55"
+    },
+    {
+        "version": "26.2.1",
+        "build": "23C71"
+    },
+    {
+        "version": "26.3",
+        "build": "23D127"
     }
 ]

src/mvt/ios/modules/mixed/webkit_session_resource_log.py

@@ -127,6 +127,24 @@ class WebkitSessionResourceLog(IOSExtraction):
         browsing_stats = file_plist["browsingStatistics"]
 
         for item in browsing_stats:
+            most_recent_interaction, last_seen = None, None
+            if "mostRecentUserInteraction" in item:
+                try:
+                    most_recent_interaction = convert_datetime_to_iso(
+                        item["mostRecentUserInteraction"]
+                    )
+                except Exception:
+                    self.log.error(
+                        f'Error converting date of Safari resource"most recent interaction": {item["mostRecentUserInteraction"]}'
+                    )
+            if "lastSeen" in item:
+                try:
+                    last_seen = convert_datetime_to_iso(item["lastSeen"])
+                except Exception:
+                    self.log.error(
+                        f'Error converting date of Safari resource"last seen": {item["lastSeen"]}'
+                    )
+
             items.append(
                 {
                     "origin": item.get("PrevalentResourceOrigin", ""),
@@ -139,10 +157,8 @@ class WebkitSessionResourceLog(IOSExtraction):
                         "subresourceUnderTopFrameOrigins", ""
                     ),
                     "user_interaction": item.get("hadUserInteraction"),
-                    "most_recent_interaction": convert_datetime_to_iso(
-                        item["mostRecentUserInteraction"]
-                    ),
-                    "last_seen": convert_datetime_to_iso(item["lastSeen"]),
+                    "most_recent_interaction": most_recent_interaction,
+                    "last_seen": last_seen,
                 }
             )
 

tests/android/test_backup_module.py

@@ -22,7 +22,7 @@ class TestBackupModule:
         for root, subdirs, subfiles in os.walk(os.path.abspath(backup_path)):
             for fname in subfiles:
                 files.append(os.path.relpath(os.path.join(root, fname), backup_path))
-        mod.from_folder(backup_path, files)
+        mod.from_dir(backup_path, files)
         run_module(mod)
         assert len(mod.results) == 2
         assert len(mod.results[0]["links"]) == 1

tests/android_androidqf/test_dumpsys_adbstate.py

@@ -1,27 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_adb import DumpsysADBState
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysADBModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysADBState(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 1
-        assert len(m.detected) == 0
-
-        adb_statedump = m.results[0]
-        assert "user_keys" in adb_statedump
-        assert len(adb_statedump["user_keys"]) == 1

tests/android_androidqf/test_dumpsys_battery_daily.py

@@ -1,24 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_battery_daily import DumpsysBatteryDaily
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysBatteryDailyModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysBatteryDaily(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 3
-        assert len(m.timeline) == 3
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsys_battery_history.py

@@ -1,24 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_battery_history import DumpsysBatteryHistory
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysBatteryHistoryModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysBatteryHistory(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 6
-        assert len(m.timeline) == 0
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsys_dbinfo.py

@@ -1,24 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_dbinfo import DumpsysDBInfo
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysDBInfoModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysDBInfo(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 6
-        assert len(m.timeline) == 0
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsys_platform_compat.py

@@ -1,23 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_platform_compat import DumpsysPlatformCompat
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysPlatformCompatModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysPlatformCompat(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 2
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsysaccessbility.py

@@ -1,23 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_accessibility import DumpsysAccessibility
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysAccessibilityModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysAccessibility(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 4
-        assert len(m.detected) == 0

tests/android_androidqf/test_dumpsysappops.py

@@ -1,29 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_appops import DumpsysAppops
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysAppOpsModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysAppops(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 12
-        assert len(m.timeline) == 16
-
-        detected_by_ioc = [
-            detected for detected in m.detected if detected.get("matched_indicator")
-        ]
-        assert len(m.detected) == 1
-        assert len(detected_by_ioc) == 0

tests/android_androidqf/test_dumpsyspackages.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_packages import DumpsysPackages
-from mvt.common.indicators import Indicators
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysPackagesModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysPackages(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 2
-        assert len(m.detected) == 0
-        assert len(m.timeline) == 6
-        assert (
-            m.results[0]["package_name"]
-            == "com.samsung.android.provider.filterprovider"
-        )
-
-    def test_detection_pkgname(self, indicator_file):
-        data_path = get_android_androidqf()
-        m = DumpsysPackages(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        ind = Indicators(log=logging.getLogger())
-        ind.parse_stix2(indicator_file)
-        ind.ioc_collections[0]["app_ids"].append("com.sec.android.app.DataCreate")
-        m.indicators = ind
-        run_module(m)
-        assert len(m.results) == 2
-        assert len(m.detected) == 1
-        assert len(m.timeline) == 6
-        assert m.detected[0]["package_name"] == "com.sec.android.app.DataCreate"

tests/android_androidqf/test_dumpsysreceivers.py

@@ -1,23 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-from pathlib import Path
-
-from mvt.android.modules.androidqf.dumpsys_receivers import DumpsysReceivers
-from mvt.common.module import run_module
-
-from ..utils import get_android_androidqf, list_files
-
-
-class TestDumpsysReceiversModule:
-    def test_parsing(self):
-        data_path = get_android_androidqf()
-        m = DumpsysReceivers(target_path=data_path)
-        files = list_files(data_path)
-        parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
-        run_module(m)
-        assert len(m.results) == 4
-        assert len(m.detected) == 0

tests/android_androidqf/test_files.py

@@ -6,7 +6,7 @@
 import logging
 from pathlib import Path
 
-from mvt.android.modules.androidqf.files import Files
+from mvt.android.modules.androidqf.aqf_files import AQFFiles
 from mvt.common.module import run_module
 
 from ..utils import get_android_androidqf, list_files
@@ -15,10 +15,10 @@ from ..utils import get_android_androidqf, list_files
 class TestAndroidqfFilesAnalysis:
     def test_androidqf_files(self):
         data_path = get_android_androidqf()
-        m = Files(target_path=data_path, log=logging)
+        m = AQFFiles(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 3
         assert len(m.timeline) == 6

tests/android_androidqf/test_getprop.py

@@ -7,7 +7,7 @@ import logging
 import zipfile
 from pathlib import Path
 
-from mvt.android.modules.androidqf.getprop import Getprop
+from mvt.android.modules.androidqf.aqf_getprop import AQFGetProp
 from mvt.common.indicators import Indicators
 from mvt.common.module import run_module
 
@@ -17,10 +17,10 @@ from ..utils import get_android_androidqf, get_artifact, list_files
 class TestAndroidqfGetpropAnalysis:
     def test_androidqf_getprop(self):
         data_path = get_android_androidqf()
-        m = Getprop(target_path=data_path, log=logging)
+        m = AQFGetProp(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 10
         assert m.results[0]["name"] == "dalvik.vm.appimageformat"
@@ -30,9 +30,9 @@ class TestAndroidqfGetpropAnalysis:
 
     def test_getprop_parsing_zip(self):
         fpath = get_artifact("androidqf.zip")
-        m = Getprop(target_path=fpath, log=logging)
+        m = AQFGetProp(target_path=fpath, log=logging)
         archive = zipfile.ZipFile(fpath)
-        m.from_zip_file(archive, archive.namelist())
+        m.from_zip(archive, archive.namelist())
         run_module(m)
         assert len(m.results) == 10
         assert m.results[0]["name"] == "dalvik.vm.appimageformat"
@@ -42,10 +42,10 @@ class TestAndroidqfGetpropAnalysis:
 
     def test_androidqf_getprop_detection(self, indicator_file):
         data_path = get_android_androidqf()
-        m = Getprop(target_path=data_path, log=logging)
+        m = AQFGetProp(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         ind = Indicators(log=logging.getLogger())
         ind.parse_stix2(indicator_file)
         ind.ioc_collections[0]["android_property_names"].append("dalvik.vm.heapmaxfree")

tests/android_androidqf/test_mounts.py

@@ -85,7 +85,7 @@ class TestAndroidqfMountsModule:
         m = Mounts(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
 
         run_module(m)
 

tests/android_androidqf/test_packages.py

@@ -8,7 +8,7 @@ from pathlib import Path
 
 import pytest
 
-from mvt.android.modules.androidqf.packages import Packages
+from mvt.android.modules.androidqf.aqf_packages import AQFPackages
 from mvt.common.module import run_module
 
 from ..utils import get_android_androidqf, list_files
@@ -31,8 +31,8 @@ def file_list(data_path):
 
 @pytest.fixture()
 def module(parent_data_path, file_list):
-    m = Packages(target_path=parent_data_path, log=logging)
-    m.from_folder(parent_data_path, file_list)
+    m = AQFPackages(target_path=parent_data_path, log=logging)
+    m.from_dir(parent_data_path, file_list)
     return m
 
 

tests/android_androidqf/test_processes.py

@@ -6,7 +6,7 @@
 import logging
 from pathlib import Path
 
-from mvt.android.modules.androidqf.processes import Processes
+from mvt.android.modules.androidqf.aqf_processes import AQFProcesses
 from mvt.common.module import run_module
 
 from ..utils import get_android_androidqf, list_files
@@ -15,10 +15,10 @@ from ..utils import get_android_androidqf, list_files
 class TestAndroidqfProcessesAnalysis:
     def test_androidqf_processes(self):
         data_path = get_android_androidqf()
-        m = Processes(target_path=data_path, log=logging)
+        m = AQFProcesses(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 15
         assert len(m.timeline) == 0

tests/android_androidqf/test_root_binaries.py

@@ -32,7 +32,7 @@ def file_list(data_path):
 @pytest.fixture()
 def module(parent_data_path, file_list):
     m = RootBinaries(target_path=parent_data_path, log=logging)
-    m.from_folder(parent_data_path, file_list)
+    m.from_dir(parent_data_path, file_list)
     return m
 
 
@@ -108,7 +108,7 @@ class TestAndroidqfRootBinaries:
         # Test behavior when no root_binaries.json file is present
         empty_file_list = []
         m = RootBinaries(target_path=parent_data_path, log=logging)
-        m.from_folder(parent_data_path, empty_file_list)
+        m.from_dir(parent_data_path, empty_file_list)
 
         run_module(m)
 

tests/android_androidqf/test_settings.py

@@ -5,7 +5,7 @@
 
 from pathlib import Path
 
-from mvt.android.modules.androidqf.settings import Settings
+from mvt.android.modules.androidqf.aqf_settings import AQFSettings
 from mvt.common.module import run_module
 
 from ..utils import get_android_androidqf, list_files
@@ -14,10 +14,10 @@ from ..utils import get_android_androidqf, list_files
 class TestSettingsModule:
     def test_parsing(self):
         data_path = get_android_androidqf()
-        m = Settings(target_path=data_path)
+        m = AQFSettings(target_path=data_path)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 1
         assert "random" in m.results.keys()

tests/android_androidqf/test_sms.py

@@ -21,7 +21,7 @@ class TestAndroidqfSMSAnalysis:
         m = SMS(target_path=data_path, log=logging)
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 2
         assert len(m.timeline) == 0
@@ -36,7 +36,7 @@ class TestAndroidqfSMSAnalysis:
         )
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert len(m.results) == 1
 
@@ -52,7 +52,7 @@ class TestAndroidqfSMSAnalysis:
         )
         files = list_files(data_path)
         parent_path = Path(data_path).absolute().parent.as_posix()
-        m.from_folder(parent_path, files)
+        m.from_dir(parent_path, files)
         run_module(m)
         assert prompt_mock.call_count == 1
         assert len(m.results) == 1
@@ -67,7 +67,7 @@ class TestAndroidqfSMSAnalysis:
             )
             files = list_files(data_path)
             parent_path = Path(data_path).absolute().parent.as_posix()
-            m.from_folder(parent_path, files)
+            m.from_dir(parent_path, files)
             run_module(m)
         assert len(m.results) == 0
         assert "Invalid backup password" in caplog.text
@@ -82,7 +82,7 @@ class TestAndroidqfSMSAnalysis:
             )
             files = list_files(data_path)
             parent_path = Path(data_path).absolute().parent.as_posix()
-            m.from_folder(parent_path, files)
+            m.from_dir(parent_path, files)
             run_module(m)
         assert len(m.results) == 0
         assert (

tests/android_bugreport/test_bugreport.py

@@ -6,9 +6,9 @@
 import os
 from pathlib import Path
 
-from mvt.android.modules.bugreport.appops import Appops
-from mvt.android.modules.bugreport.getprop import Getprop
-from mvt.android.modules.bugreport.packages import Packages
+from mvt.android.modules.bugreport.dumpsys_appops import DumpsysAppops
+from mvt.android.modules.bugreport.dumpsys_getprop import DumpsysGetProp
+from mvt.android.modules.bugreport.dumpsys_packages import DumpsysPackages
 from mvt.android.modules.bugreport.tombstones import Tombstones
 from mvt.common.module import run_module
 
@@ -26,12 +26,12 @@ class TestBugreportAnalysis:
                 folder_files.append(
                     os.path.relpath(os.path.join(root, file_name), parent_path)
                 )
-        m.from_folder(fpath, folder_files)
+        m.from_dir(fpath, folder_files)
         run_module(m)
         return m
 
     def test_appops_module(self):
-        m = self.launch_bug_report_module(Appops)
+        m = self.launch_bug_report_module(DumpsysAppops)
         assert len(m.results) == 12
         assert len(m.timeline) == 16
 
@@ -42,7 +42,7 @@ class TestBugreportAnalysis:
         assert len(detected_by_ioc) == 0
 
     def test_packages_module(self):
-        m = self.launch_bug_report_module(Packages)
+        m = self.launch_bug_report_module(DumpsysPackages)
         assert len(m.results) == 2
         assert (
             m.results[0]["package_name"]
@@ -53,7 +53,7 @@ class TestBugreportAnalysis:
         assert len(m.results[1]["permissions"]) == 32
 
     def test_getprop_module(self):
-        m = self.launch_bug_report_module(Getprop)
+        m = self.launch_bug_report_module(DumpsysGetProp)
         assert len(m.results) == 0
 
     def test_tombstones_modules(self):

tests/test_check_android_androidqf.py

@@ -32,7 +32,8 @@ class TestCheckAndroidqfCommand:
         path = os.path.join(get_artifact_folder(), "androidqf_encrypted")
         result = runner.invoke(check_androidqf, [path])
 
-        assert prompt_mock.call_count == 1
+        # Called twice, once in AnroidQF SMS module and once in Backup SMS module
+        assert prompt_mock.call_count == 2
         assert result.exit_code == 0
 
     def test_check_encrypted_backup_cli(self, mocker):