Bump version to v1.4.1

docs/iocs.md

@@ -38,6 +38,7 @@ export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
 
 - The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs for:
     - [Pegasus](https://en.wikipedia.org/wiki/Pegasus_(spyware)) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2))
-- [This repository](https://github.com/Te-k/stalkerware-indicators) contains IOCs for Android stalkerware including [a STIX MVT-compatible file](https://github.com/Te-k/stalkerware-indicators/blob/master/stalkerware.stix2).
+    - [Predator from Cytrox](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-12-16_cytrox/cytrox.stix2))
+- [This repository](https://github.com/Te-k/stalkerware-indicators) contains IOCs for Android stalkerware including [a STIX MVT-compatible file](https://raw.githubusercontent.com/Te-k/stalkerware-indicators/master/stalkerware.stix2).
 
 Please [open an issue](https://github.com/mvt-project/mvt/issues/) to suggest new sources of STIX-formatted IOCs.

mvt/android/cli.py

@@ -148,7 +148,7 @@ def check_adb(ctx, iocs, output, fast, list_modules, module, serial):
         if serial:
             m.serial = serial
 
-        if iocs:
+        if indicators.ioc_count > 0:
             indicators.log = m.log
             m.indicators = indicators
 
@@ -207,7 +207,7 @@ def check_backup(ctx, iocs, output, backup_path, serial):
         if serial:
             m.serial = serial
 
-        if len(indicators.ioc_count) > 0:
+        if indicators.ioc_count > 0:
             indicators.log = m.log
             m.indicators = indicators
 

mvt/common/version.py

@@ -6,7 +6,7 @@
 import requests
 from packaging import version
 
-MVT_VERSION = "1.3.1"
+MVT_VERSION = "1.4.1"
 
 
 def check_for_updates():

mvt/ios/modules/backup/configuration_profiles.py

@@ -4,6 +4,7 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
+import os
 import plistlib
 from base64 import b64encode
 from mvt.common.utils import convert_timestamp_to_iso
@@ -25,11 +26,14 @@ class ConfigurationProfiles(IOSExtraction):
     def serialize(self, record):
         if not record["install_date"]:
             return
+
+        payload_name = record['plist'].get('PayloadDisplayName')
+        payload_description = record['plist'].get('PayloadDescription')
         return {
             "timestamp": record["install_date"],
             "module": self.__class__.__name__,
             "event": "configuration_profile_install",
-            "data": f"{record['plist']['PayloadType']} installed: {record['plist']['PayloadUUID']} - {record['plist']['PayloadDisplayName']}: {record['plist']['PayloadDescription']}"
+            "data": f"{record['plist']['PayloadType']} installed: {record['plist']['PayloadUUID']} - {payload_name}: {payload_description}"
         }
 
     def check_indicators(self):
@@ -54,6 +58,11 @@ class ConfigurationProfiles(IOSExtraction):
 
     def run(self):
         for conf_file in self._get_backup_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
+            conf_rel_path = conf_file["relative_path"]
+            # Filter out all configuration files that are not configuration profiles.
+            if not conf_rel_path or not os.path.basename(conf_rel_path).startswith("profile-"):
+                continue
+
             conf_file_path = self._get_backup_file_from_id(conf_file["file_id"])
             if not conf_file_path:
                 continue

mvt/ios/modules/mixed/shortcuts.py

@@ -55,6 +55,7 @@ class Shortcuts(IOSExtraction):
         self.log.info("Found Shortcuts database at path: %s", self.file_path)
 
         conn = sqlite3.connect(self.file_path)
+        conn.text_factory = bytes
         cur = conn.cursor()
         cur.execute("""
               SELECT