Bumps version

Improves documentation
Fixes a bug in the calendar plugin
2026-02-21 04:42:51 +00:00 · 2023-04-13 17:59:05 +02:00 · 2023-04-13 16:11:55 +02:00 · 2023-04-13 13:21:33 +02:00 · 2023-04-13 09:26:52 +02:00
6 changed files with 32 additions and 3 deletions
--- a/docs/iocs.md
+++ b/docs/iocs.md
@@ -39,7 +39,9 @@ export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
 - The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs for:
    - [Pegasus](https://en.wikipedia.org/wiki/Pegasus_(spyware)) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2))
    - [Predator from Cytrox](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-12-16_cytrox/cytrox.stix2))
+    - [An Android Spyware Campaign Linked to a Mercenary Company](https://github.com/AmnestyTech/investigations/tree/master/2023-03-29_android_campaign) ([STIX2](https://github.com/AmnestyTech/investigations/blob/master/2023-03-29_android_campaign/malware.stix2))
 - [This repository](https://github.com/Te-k/stalkerware-indicators) contains IOCs for Android stalkerware including [a STIX MVT-compatible file](https://raw.githubusercontent.com/Te-k/stalkerware-indicators/master/generated/stalkerware.stix2).
+- We are also maintaining [a list of IOCs](https://github.com/mvt-project/mvt-indicators) in STIX format from public spyware campaigns.

 You can automaticallly download the latest public indicator files with the command `mvt-ios download-iocs` or `mvt-android download-iocs`. These commands download the list of indicators listed [here](https://github.com/mvt-project/mvt/blob/main/public_indicators.json) and store them in the [appdir](https://pypi.org/project/appdirs/) folder. They are then loaded automatically by MVT.

--- a/docs/ios/records.md
+++ b/docs/ios/records.md
@@ -16,6 +16,18 @@ If indicators are provided through the command-line, processes and domains are c

 ---

+### `applications.json`
+
+!!! info "Availability"
+    Backup: :material-check:
+    Full filesystem dump: :material-check:
+
+This JSON file is created by mvt-ios' `Applications` module. The module extracts the list of applications installed on the device from the `Info.plist` file in backup, or from the `iTunesMetadata.plist` files in a file system dump. These records contains detailed information on the source and installation of the app.
+
+If indicators are provided through the command-line, processes and application ids are checked against the app name of each application. It also flags any applications not installed from the AppStore. Any matches are stored in *applications_detected.json*.
+
+---
+
 ### `backup_info.json`

 !!! info "Availability"
@@ -38,6 +50,18 @@ If indicators are provided through the command-line, they are checked against th

 ---

+### `calendar.json`
+
+!!! info "Availability"
+    Backup: :material-check:
+    Full filesystem dump: :material-check:
+
+This JSON file is created by mvt-ios' `Calendar` module. This module extracts all CalendarItems from the `Calendar.sqlitedb` database. This database contains all calendar entries from the different calendars installed on the phone.
+
+If indicators are provided through the command-line, email addresses are checked against the inviter's email of the different events. Any matches are stored in *calendar_detected.json*.
+
+---
+
 ### `calls.json`

 !!! info "Availability"
--- a/mvt/common/module.py
+++ b/mvt/common/module.py
@@ -198,6 +198,9 @@ def run_module(module: MVTModule) -> None:
            module.to_timeline()
        except NotImplementedError:
            pass
+        except Exception as exc:
+            module.log.exception("Error when serializing data from module %s: %s",
+                                 module.__class__.__name__, exc)

        module.save_to_json()

--- a/mvt/common/version.py
+++ b/mvt/common/version.py
@@ -3,4 +3,4 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/

-MVT_VERSION = "2.2.4"
+MVT_VERSION = "2.2.5"
--- a/mvt/ios/modules/mixed/calendar.py
+++ b/mvt/ios/modules/mixed/calendar.py
@@ -59,7 +59,7 @@ class Calendar(IOSExtraction):

    def check_indicators(self) -> None:
        for result in self.results:
-            if result["participant_email"]:
+            if result["participant_email"] and self.indicators:
                ioc = self.indicators.check_email(result["participant_email"])
                if ioc:
                    result["matched_indicator"] = ioc
--- a/mvt/ios/modules/mixed/whatsapp.py
+++ b/mvt/ios/modules/mixed/whatsapp.py
@@ -38,7 +38,7 @@ class Whatsapp(IOSExtraction):
    def serialize(self, record: dict) -> Union[dict, list]:
        text = record.get("ZTEXT", "").replace("\n", "\\n")
        links_text = ""
-        if record["links"]:
+        if record.get("links"):
            links_text = " - Embedded links: " + ", ".join(record["links"])

        return {
Author	SHA1	Message	Date
tek	15477cc187	Bumps version	2023-04-13 17:59:05 +02:00
tek	551b95b38b	Improves documentation	2023-04-13 16:11:55 +02:00
tek	d767abb912	Fixes a bug in the calendar plugin	2023-04-13 13:21:33 +02:00
tek	8a507b0a0b	Fixes a bug in WhatsApp iOS module	2023-04-13 09:26:52 +02:00