diff --git a/docs/android/download_apks.md b/docs/android/download_apks.md index 5a7da2f..8351146 100644 --- a/docs/android/download_apks.md +++ b/docs/android/download_apks.md @@ -16,11 +16,13 @@ It might take several minutes to complete. Optionally, you can decide to enable lookups of the SHA256 hash of all the extracted APKs on [VirusTotal](https://www.virustotal.com). While these lookups do not provide any conclusive assessment on all of the extracted APKs, they might highlight any known malicious ones: ```bash -mvt-android download-apks --output /path/to/folder --virustotal +MVT_VT_API_KEY= mvt-android download-apks --output /path/to/folder --virustotal ``` +Please note that in order to use VirusTotal lookups you are required to provide your own API key through the `MVT_VT_API_KEY` environment variable. You should also note that VirusTotal enforces strict API usage. Be mindful that MVT might consume your hourly search quota. + In case you have a previous extraction of APKs you want to later check against VirusTotal, you can do so with the following arguments: ```bash -mvt-android download-apks --from-file /path/to/folder/apks.json --virustotal +MVT_VT_API_KEY= mvt-android download-apks --from-file /path/to/folder/apks.json --virustotal ``` diff --git a/docs/android/methodology.md b/docs/android/methodology.md index acfc9fb..e8062c6 100644 --- a/docs/android/methodology.md +++ b/docs/android/methodology.md 
@@ -8,8 +8,10 @@ However, not all is lost. Because malware attacks over Android typically take the form of malicious or backdoored apps, the very first thing you might want to do is to extract and verify all installed Android packages and triage quickly if there are any which stand out as malicious or which might be atypical. -While it is out of the scope of this documentation to dwell into details on how to analyze Android apps, MVT does allow to easily and automatically extract information about installed apps, download copies of them, and quickly lookup services such as [VirusTotal](https://www.virustotal.com) or [Koodous](https://koodous.com) which might quickly indicate known bad apps. +While it is out of the scope of this documentation to dwell into details on how to analyze Android apps, MVT does allow to easily and automatically extract information about installed apps, download copies of them, and quickly look them up on services such as [VirusTotal](https://www.virustotal.com). +!!! info "Using VirusTotal" + Please note that in order to use VirusTotal lookups you are required to provide your own API key through the `MVT_VT_API_KEY` environment variable. You should also note that VirusTotal enforces strict API usage. Be mindful that MVT might consume your hourly search quota. ## Check the device over Android Debug Bridge diff --git a/docs/iocs.md b/docs/iocs.md index 7e459b3..9dae134 100644 --- a/docs/iocs.md +++ b/docs/iocs.md 
@@ -41,6 +41,6 @@ export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2" - [Predator from Cytrox](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-12-16_cytrox/cytrox.stix2)) - [This repository](https://github.com/Te-k/stalkerware-indicators) contains IOCs for Android stalkerware including [a STIX MVT-compatible file](https://raw.githubusercontent.com/Te-k/stalkerware-indicators/master/generated/stalkerware.stix2). -You can automaticallly download the latest public indicator files with the command `mvt-ios download-iocs` or `mvt-android download-iocs`. These commands download the list of indicators listed [here](https://github.com/mvt-project/mvt/blob/main/public_indicators.json) and store them in the [appdir](https://pypi.org/project/appdirs/) folder. They are then loaded automatically by mvt. +You can automaticallly download the latest public indicator files with the command `mvt-ios download-iocs` or `mvt-android download-iocs`. These commands download the list of indicators listed [here](https://github.com/mvt-project/mvt/blob/main/public_indicators.json) and store them in the [appdir](https://pypi.org/project/appdirs/) folder. They are then loaded automatically by MVT. Please [open an issue](https://github.com/mvt-project/mvt/issues/) to suggest new sources of STIX-formatted IOCs. diff --git a/docs/ios/records.md b/docs/ios/records.md index db0238c..94ef015 100644 --- a/docs/ios/records.md +++ b/docs/ios/records.md @@ -18,7 +18,7 @@ If indicators are provided through the command-line, processes and domains are c ### `backup_info.json` -!!! info "Availabiliy" +!!! info "Availability" Backup: :material-check: Full filesystem dump: :material-close: diff --git a/mkdocs.yml b/mkdocs.yml index cf60e4a..81d2465 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -1,7 +1,7 @@ site_name: Mobile Verification Toolkit repo_url: https://github.com/mvt-project/mvt edit_uri: edit/main/docs/ -copyright: Copyright © 2021 MVT Project Developers +copyright: Copyright © 2021-2022 MVT Project Developers site_description: Mobile Verification Toolkit Documentation markdown_extensions: - attr_list
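Review bot: In the docs/android/download_apks.md hunk, both command examples now read `MVT_VT_API_KEY= mvt-android download-apks ...`, which assigns an empty string to the variable; a reader who copies the line verbatim will run the lookup with no key. Use an obvious placeholder such as `MVT_VT_API_KEY=<your_api_key> mvt-android download-apks --output /path/to/folder --virustotal`, or show a one-time `export MVT_VT_API_KEY=<your_api_key>` before the commands. The added paragraph's "VirusTotal enforces strict API usage" is also vague; "enforces API rate limits (quotas)" says what the reader should expect, and it would help to state that a key is required for all `--virustotal` invocations rather than only hinting at it in the code block.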
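Review bot: The docs/android/methodology.md hunk adds an `!!! info "Using VirusTotal"` admonition whose body is a verbatim copy of the paragraph added in docs/android/download_apks.md; keeping the requirement in one place (the download_apks page) and linking to it from the methodology page avoids the two drifting apart when the quota or key handling changes. Since the sentence is being rewritten anyway, "dwell into details" should become "delve into the details" and "MVT does allow to easily and automatically extract" should read "MVT does make it easy to automatically extract". The change also drops the Koodous link from the prose; if the corresponding lookup is no longer supported, the commit message should say so, otherwise the removal looks accidental.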
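Review bot: The docs/iocs.md hunk changes only "mvt" to "MVT" at the end of the line but leaves the misspelling "automaticallly" at its start; since the line is already being touched, fix it to "automatically" in the same change.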