2022-02-02 14:47:55 +00:00
|
|
|
# Mobile Verification Toolkit (MVT)
|
2022-05-08 12:53:50 +00:00
|
|
|
# Copyright (c) 2021-2022 Claudio Guarnieri.
|
2022-02-02 14:47:55 +00:00
|
|
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
|
|
|
# https://license.mvt.re/1.1/
|
|
|
|
|
|
|
|
import logging
|
|
|
|
import re
|
2022-08-16 11:39:55 +00:00
|
|
|
from typing import Optional, Union
|
2022-02-02 14:47:55 +00:00
|
|
|
|
2022-07-05 16:10:48 +00:00
|
|
|
from mvt.android.modules.adb.packages import (DANGEROUS_PERMISSIONS,
|
|
|
|
DANGEROUS_PERMISSIONS_THRESHOLD,
|
|
|
|
ROOT_PACKAGES)
|
|
|
|
|
2022-02-02 14:47:55 +00:00
|
|
|
from .base import BugReportModule
|
|
|
|
|
|
|
|
|
|
|
|
class Packages(BugReportModule):
|
|
|
|
"""This module extracts details on receivers for risky activities."""
|
|
|
|
|
2022-08-16 11:39:55 +00:00
|
|
|
def __init__(
|
|
|
|
self,
|
|
|
|
file_path: Optional[str] = "",
|
|
|
|
target_path: Optional[str] = "",
|
|
|
|
results_path: Optional[str] = "",
|
|
|
|
fast_mode: Optional[bool] = False,
|
|
|
|
log: logging.Logger = logging.getLogger(__name__),
|
|
|
|
results: Optional[list] = []
|
|
|
|
) -> None:
|
2022-06-15 15:41:19 +00:00
|
|
|
super().__init__(file_path=file_path, target_path=target_path,
|
|
|
|
results_path=results_path, fast_mode=fast_mode,
|
2022-02-02 14:47:55 +00:00
|
|
|
log=log, results=results)
|
|
|
|
|
2022-08-12 14:29:43 +00:00
|
|
|
def serialize(self, record: dict) -> Union[dict, list]:
|
2022-02-02 14:47:55 +00:00
|
|
|
records = []
|
|
|
|
|
|
|
|
timestamps = [
|
2022-08-13 16:24:11 +00:00
|
|
|
{
|
|
|
|
"event": "package_install",
|
|
|
|
"timestamp": record["timestamp"]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"event": "package_first_install",
|
|
|
|
"timestamp": record["first_install_time"]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"event": "package_last_update",
|
|
|
|
"timestamp": record["last_update_time"]
|
|
|
|
},
|
2022-02-02 14:47:55 +00:00
|
|
|
]
|
|
|
|
|
2022-08-12 14:20:16 +00:00
|
|
|
for timestamp in timestamps:
|
2022-02-02 14:47:55 +00:00
|
|
|
records.append({
|
2022-08-12 14:20:16 +00:00
|
|
|
"timestamp": timestamp["timestamp"],
|
2022-02-02 14:47:55 +00:00
|
|
|
"module": self.__class__.__name__,
|
2022-08-12 14:20:16 +00:00
|
|
|
"event": timestamp["event"],
|
2022-02-02 14:47:55 +00:00
|
|
|
"data": f"Install or update of package {record['package_name']}",
|
|
|
|
})
|
|
|
|
|
|
|
|
return records
|
|
|
|
|
2022-06-17 20:30:46 +00:00
|
|
|
def check_indicators(self) -> None:
|
2022-02-02 14:47:55 +00:00
|
|
|
for result in self.results:
|
2022-07-05 16:10:48 +00:00
|
|
|
if result["package_name"] in ROOT_PACKAGES:
|
2022-08-12 17:14:05 +00:00
|
|
|
self.log.warning("Found an installed package related to "
|
|
|
|
"rooting/jailbreaking: \"%s\"",
|
2022-07-05 16:10:48 +00:00
|
|
|
result["package_name"])
|
|
|
|
self.detected.append(result)
|
|
|
|
continue
|
|
|
|
|
|
|
|
if not self.indicators:
|
|
|
|
continue
|
|
|
|
|
|
|
|
ioc = self.indicators.check_app_id(result.get("package_name"))
|
2022-02-02 14:47:55 +00:00
|
|
|
if ioc:
|
|
|
|
result["matched_indicator"] = ioc
|
|
|
|
self.detected.append(result)
|
|
|
|
continue
|
|
|
|
|
|
|
|
@staticmethod
|
2022-06-22 14:53:29 +00:00
|
|
|
def parse_package_for_details(output: str) -> dict:
|
2022-03-16 09:20:53 +00:00
|
|
|
details = {
|
|
|
|
"uid": "",
|
|
|
|
"version_name": "",
|
|
|
|
"version_code": "",
|
|
|
|
"timestamp": "",
|
|
|
|
"first_install_time": "",
|
|
|
|
"last_update_time": "",
|
|
|
|
"requested_permissions": [],
|
|
|
|
}
|
|
|
|
|
|
|
|
in_install_permissions = False
|
|
|
|
in_runtime_permissions = False
|
|
|
|
for line in output.splitlines():
|
|
|
|
if in_install_permissions:
|
|
|
|
if line.startswith(" " * 4) and not line.startswith(" " * 6):
|
|
|
|
in_install_permissions = False
|
|
|
|
continue
|
|
|
|
|
|
|
|
permission = line.strip().split(":")[0]
|
|
|
|
if permission not in details["requested_permissions"]:
|
|
|
|
details["requested_permissions"].append(permission)
|
|
|
|
|
|
|
|
if in_runtime_permissions:
|
|
|
|
if not line.startswith(" " * 8):
|
|
|
|
in_runtime_permissions = False
|
|
|
|
continue
|
|
|
|
|
|
|
|
permission = line.strip().split(":")[0]
|
|
|
|
if permission not in details["requested_permissions"]:
|
|
|
|
details["requested_permissions"].append(permission)
|
|
|
|
|
|
|
|
if line.strip().startswith("userId="):
|
|
|
|
details["uid"] = line.split("=")[1].strip()
|
|
|
|
elif line.strip().startswith("versionName="):
|
|
|
|
details["version_name"] = line.split("=")[1].strip()
|
|
|
|
elif line.strip().startswith("versionCode="):
|
|
|
|
details["version_code"] = line.split("=", 1)[1].strip()
|
|
|
|
elif line.strip().startswith("timeStamp="):
|
|
|
|
details["timestamp"] = line.split("=")[1].strip()
|
|
|
|
elif line.strip().startswith("firstInstallTime="):
|
|
|
|
details["first_install_time"] = line.split("=")[1].strip()
|
|
|
|
elif line.strip().startswith("lastUpdateTime="):
|
|
|
|
details["last_update_time"] = line.split("=")[1].strip()
|
|
|
|
elif line.strip() == "install permissions:":
|
|
|
|
in_install_permissions = True
|
|
|
|
elif line.strip() == "runtime permissions:":
|
|
|
|
in_runtime_permissions = True
|
|
|
|
|
|
|
|
return details
|
|
|
|
|
2022-06-22 14:53:29 +00:00
|
|
|
def parse_packages_list(self, output: str) -> list:
|
2022-02-02 14:47:55 +00:00
|
|
|
pkg_rxp = re.compile(r" Package \[(.+?)\].*")
|
|
|
|
|
|
|
|
results = []
|
|
|
|
package_name = None
|
|
|
|
package = {}
|
|
|
|
lines = []
|
2022-02-02 18:00:20 +00:00
|
|
|
for line in output.splitlines():
|
2022-02-02 14:47:55 +00:00
|
|
|
if line.startswith(" Package ["):
|
|
|
|
if len(lines) > 0:
|
2022-03-16 09:20:53 +00:00
|
|
|
details = self.parse_package_for_details("\n".join(lines))
|
2022-02-02 14:47:55 +00:00
|
|
|
package.update(details)
|
|
|
|
results.append(package)
|
2022-03-16 09:20:53 +00:00
|
|
|
lines = []
|
2022-02-02 14:47:55 +00:00
|
|
|
package = {}
|
|
|
|
|
|
|
|
matches = pkg_rxp.findall(line)
|
|
|
|
if not matches:
|
|
|
|
continue
|
|
|
|
|
|
|
|
package_name = matches[0]
|
|
|
|
package["package_name"] = package_name
|
|
|
|
continue
|
|
|
|
|
|
|
|
if not package_name:
|
|
|
|
continue
|
|
|
|
|
|
|
|
lines.append(line)
|
|
|
|
|
|
|
|
return results
|
|
|
|
|
2022-06-17 20:30:46 +00:00
|
|
|
def run(self) -> None:
|
2022-02-04 12:34:40 +00:00
|
|
|
content = self._get_dumpstate_file()
|
2022-02-02 14:47:55 +00:00
|
|
|
if not content:
|
2022-08-16 11:39:55 +00:00
|
|
|
self.log.error("Unable to find dumpstate file. "
|
|
|
|
"Did you provide a valid bug report archive?")
|
2022-02-02 14:47:55 +00:00
|
|
|
return
|
|
|
|
|
|
|
|
in_package = False
|
|
|
|
in_packages_list = False
|
|
|
|
lines = []
|
2022-02-03 18:40:36 +00:00
|
|
|
for line in content.decode(errors="ignore").splitlines():
|
2022-02-02 14:47:55 +00:00
|
|
|
if line.strip() == "DUMP OF SERVICE package:":
|
|
|
|
in_package = True
|
|
|
|
continue
|
|
|
|
|
|
|
|
if not in_package:
|
|
|
|
continue
|
|
|
|
|
|
|
|
if line.strip() == "Packages:":
|
|
|
|
in_packages_list = True
|
|
|
|
continue
|
|
|
|
|
|
|
|
if not in_packages_list:
|
|
|
|
continue
|
|
|
|
|
|
|
|
if line.strip() == "":
|
|
|
|
break
|
|
|
|
|
|
|
|
lines.append(line)
|
|
|
|
|
|
|
|
self.results = self.parse_packages_list("\n".join(lines))
|
2022-02-03 18:55:18 +00:00
|
|
|
|
2022-07-05 16:10:48 +00:00
|
|
|
for result in self.results:
|
|
|
|
dangerous_permissions_count = 0
|
|
|
|
for perm in result["requested_permissions"]:
|
|
|
|
if perm in DANGEROUS_PERMISSIONS:
|
|
|
|
dangerous_permissions_count += 1
|
|
|
|
|
|
|
|
if dangerous_permissions_count >= DANGEROUS_PERMISSIONS_THRESHOLD:
|
2022-08-16 11:39:55 +00:00
|
|
|
self.log.info("Found package \"%s\" requested %d potentially dangerous permissions",
|
|
|
|
result["package_name"],
|
2022-08-13 15:52:56 +00:00
|
|
|
dangerous_permissions_count)
|
2022-07-05 16:10:48 +00:00
|
|
|
|
2022-02-03 18:55:18 +00:00
|
|
|
self.log.info("Extracted details on %d packages", len(self.results))
|