Add new iOS versions and build numbers (#738)

* receiver names are checked if a known malicious app id is a substring

* ruff syntax fixes

---------

Co-authored-by: Viktor <vik@tor.me>
Co-authored-by: besendorf <janik@besendorf.org>

src/mvt/android/modules/bugreport/dumpsys_receivers.py

@@ -34,6 +34,20 @@ class DumpsysReceivers(DumpsysReceiversArtifact, BugReportModule):
 
         self.results = results if results else {}
 
+    def check_indicators(self) -> None:
+        for result in self.results:
+            if self.indicators:
+                receiver_name = self.results[result][0]["receiver"]
+
+                # return IoC if the stix2 process name a substring of the receiver name
+                ioc = self.indicators.check_receiver_prefix(receiver_name)
+                if ioc:
+                    self.results[result][0]["matched_indicator"] = ioc
+                    self.detected.append(result)
+                    continue
+
+
+
     def run(self) -> None:
         content = self._get_dumpstate_file()
         if not content:

src/mvt/common/indicators.py

@@ -768,6 +768,30 @@ class Indicators:
 
         return None
 
+
+    def check_receiver_prefix(self, receiver_name: str) -> Union[dict, None]:
+        """Check the provided receiver name against the list of indicators.
+        An IoC match is detected when a substring of the receiver matches the indicator
+        :param app_id: App ID to check against the list of indicators
+        :type app_id: str
+        :returns: Indicator details if matched, otherwise None
+
+        """
+        if not receiver_name:
+            return None
+
+        for ioc in self.get_iocs("app_ids"):
+            if ioc["value"].lower() in receiver_name.lower():
+                self.log.warning(
+                    'Found a known suspicious receiver with name "%s" '
+                    'matching indicators from "%s"',
+                    receiver_name,
+                    ioc["name"],
+                )
+                return ioc
+
+        return None
+
     def check_android_property_name(self, property_name: str) -> Optional[dict]:
         """Check the android property name against the list of indicators.
 

src/mvt/ios/data/ios_versions.json

@@ -631,6 +631,10 @@
         "build": "16H81",
         "version": "12.5.7"
     },
+    {
+        "version": "12.5.8",
+        "build": "16H88"
+    },
     {
         "build": "17A577",
         "version": "13.0"
@@ -899,6 +903,10 @@
         "version": "15.8.5",
         "build": "19H394"
     },
+    {
+        "version": "15.8.6",
+        "build": "19H402"
+    },
     {
         "build": "20A362",
         "version": "16.0"
@@ -1008,6 +1016,10 @@
         "version": "16.7.12",
         "build": "20H364"
     },
+    {
+        "version": "16.7.14",
+        "build": "20H370"
+    },
     {
         "version": "17.0",
         "build": "21A327"
@@ -1164,6 +1176,10 @@
         "version": "18.7.3",
         "build": "22H217"
     },
+    {
+        "version": "18.7.4",
+        "build": "22H218"
+    },
     {
         "version": "26",
         "build": "23A341"
@@ -1179,5 +1195,9 @@
     {
         "version": "26.2",
         "build": "23C55"
+    },
+    {
+        "version": "26.2.1",
+        "build": "23C71"
     }
 ]