# Mobile Verification Toolkit (MVT)
# Copyright (c) 2021 The MVT Project Authors.
# Use of this software is governed by the MVT License 1.1 that can be found at
# https://license.mvt.re/1.1/
import logging
from .base import AndroidExtraction
# Module-level logger named after this module.
log = logging.getLogger(__name__)

# Broadcast intent actions whose registered receivers this module reports.
# A receiver for any of these can observe SMS traffic or call activity.

# Outgoing SMS messages.
INTENT_NEW_OUTGOING_SMS = "android.provider.Telephony.NEW_OUTGOING_SMS"
# Incoming SMS messages.
INTENT_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Incoming data SMS messages.
INTENT_DATA_SMS_RECEIVED = "android.intent.action.DATA_SMS_RECEIVED"
# Telephony state changes / incoming calls.
INTENT_PHONE_STATE = "android.intent.action.PHONE_STATE"
# Outgoing calls.
INTENT_NEW_OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"
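class DumpsysReceivers(AndroidExtraction):
    """Extract broadcast receivers registered for SMS- and call-related intents.

    ``run`` executes ``dumpsys package`` on the device, ``parse_dumpsys_package``
    records every receiver listed under one of the monitored intent actions,
    and ``check_indicators`` logs each recorded receiver.

    Each entry appended to ``self.results`` is a dict with the keys
    ``activity`` (the intent action), ``package_name`` and ``receiver``.
    """

    # Monitored intent action -> log message used by check_indicators().
    # The key order is the order in which block markers are tested while
    # parsing.
    _INTENT_MESSAGES = {
        INTENT_NEW_OUTGOING_SMS: "Found a receiver to intercept outgoing SMS messages: \"%s\"",
        INTENT_SMS_RECEIVED: "Found a receiver to intercept incoming SMS messages: \"%s\"",
        INTENT_PHONE_STATE: "Found a receiver monitoring telephony state/incoming calls: \"%s\"",
        INTENT_DATA_SMS_RECEIVED: "Found a receiver to intercept incoming data SMS message: \"%s\"",
        INTENT_NEW_OUTGOING_CALL: "Found a receiver monitoring outgoing calls: \"%s\"",
    }

    def __init__(self, file_path=None, base_folder=None, output_folder=None,
                 serial=None, fast_mode=False, log=None, results=None):
        """Initialise the module and hand the shared options to the base class.

        :param results: Existing list of results to extend. When omitted, a
                        fresh list is created for this instance.
        :type results: list or None
        """
        # A literal ``[]`` default would be one list object shared by every
        # instance created without ``results``, so receivers collected from
        # one device could appear in the results of another.
        if results is None:
            results = []

        # NOTE(review): ``serial`` is accepted but not forwarded to the base
        # class here - confirm the caller sets it on the instance.
        super().__init__(file_path=file_path, base_folder=base_folder,
                         output_folder=output_folder, fast_mode=fast_mode,
                         log=log, results=results)

    def check_indicators(self):
        """Log every recorded receiver together with what it can observe.

        This only emits info-level log lines; results whose ``activity`` is
        not one of the monitored intents are ignored.
        """
        for result in self.results:
            message = self._INTENT_MESSAGES.get(result["activity"])
            if message:
                self.log.info(message, result["receiver"])

    def parse_dumpsys_package(self, data):
        """Parse output of dumpsys package.

        :param data: Output of dumpsys package command, either already split
                     into lines or as a single string (split on newlines).
        :type data: list or str

        """
        # Iterating a plain string would yield single characters and never
        # match anything, so split it the same way run() does.
        if isinstance(data, str):
            data = data.split("\n")

        activity = None
        for line in data:
            stripped = line.strip()

            # Find activity block markers.
            marker = next((intent for intent in self._INTENT_MESSAGES
                           if stripped.startswith(intent)), None)
            if marker:
                activity = marker
                continue

            # If we are not in an activity block yet, skip.
            if not activity:
                continue

            # If we are in a block but the line does not start with 8 spaces
            # it means the block ended or a new one started, so we reset and
            # continue.
            if not line.startswith(" " * 8):
                activity = None
                continue

            # If we got this far, we are processing receivers for the
            # activities we are interested in. The receiver is the second
            # space-separated field; the text comes from the device under
            # analysis, so a blank or truncated line is skipped instead of
            # raising IndexError and aborting the whole parse.
            fields = stripped.split(" ")
            if len(fields) < 2:
                continue

            receiver = fields[1]
            package_name = receiver.split("/")[0]

            # NOTE(review): this exclusion matches on the package name only;
            # nothing here verifies that the package is the genuine one, so
            # anything installed under this name is left out of the results.
            if package_name == "com.google.android.gms":
                continue

            self.results.append({
                "activity": activity,
                "package_name": package_name,
                "receiver": receiver,
            })

    def run(self):
        """Run ``dumpsys package`` over ADB and parse the receivers it lists."""
        self._adb_connect()
        try:
            output = self._adb_command("dumpsys package")
            if not output:
                return

            self.parse_dumpsys_package(output.split("\n"))
        finally:
            # Always release the ADB connection, including on the
            # empty-output path and when parsing raises.
            self._adb_disconnect()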