From 0c4eb0bb348fb09a45a528a77d229412ac21a4e7 Mon Sep 17 00:00:00 2001
From: Nex
Date: Thu, 26 Aug 2021 14:08:39 +0200
Subject: [PATCH] Added discovery of Android packages with potentially abusive receivers

---
 mvt/android/modules/adb/dumpsys_packages.py | 58 ++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)

diff --git a/mvt/android/modules/adb/dumpsys_packages.py b/mvt/android/modules/adb/dumpsys_packages.py
index 3e87769..6525dc8 100644
--- a/mvt/android/modules/adb/dumpsys_packages.py
+++ b/mvt/android/modules/adb/dumpsys_packages.py
@@ -10,8 +10,12 @@ from .base import AndroidExtraction
 
 log = logging.getLogger(__name__)
 
+EVENT_NEW_OUTGOING_SMS = "android.provider.Telephony.NEW_OUTGOING_SMS"
+EVENT_SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
+EVENT_PHONE_STATE = "android.intent.action.PHONE_STATE"
+
 class DumpsysPackages(AndroidExtraction):
-    """This module extracts stats on installed packages."""
+    """This module extracts details on installed packages."""
 
     def __init__(self, file_path=None, base_folder=None, output_folder=None,
                  serial=None, fast_mode=False, log=None, results=[]):
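Review bot: The three new `EVENT_*` constants are added without a comment saying what they are or which code keys on them, so a reader of the file header only sees three intent-action strings. I would put `# Broadcast intent actions whose registered receivers are flagged by _find_suspicious_packages().` above `EVENT_NEW_OUTGOING_SMS`. Naming them `EVENT_*` while the values are intent actions is also slightly misleading; the comment at least makes that explicit.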
@@ -19,10 +23,62 @@ class DumpsysPackages(AndroidExtraction):
                          output_folder=output_folder, fast_mode=fast_mode,
                          log=log, results=results)
 
+
+    def _find_suspicious_packages(self, output):
+        """Parse dumpsys packages output to find packages with active receivers
+        that could be abusive.
+        """
+        activity = None
+        for line in output.split("\n"):
+            # Find activity block markers.
+            if line.strip().startswith(EVENT_NEW_OUTGOING_SMS):
+                activity = EVENT_NEW_OUTGOING_SMS
+                continue
+            elif line.strip().startswith(EVENT_SMS_RECEIVED):
+                activity = EVENT_SMS_RECEIVED
+                continue
+            elif line.strip().startswith(EVENT_PHONE_STATE):
+                activity = EVENT_PHONE_STATE
+                continue
+
+            # If we are not in an activity block yet, skip.
+            if not activity:
+                continue
+
+            # If we are in a block but the line does not start with 8 spaces
+            # it means the block ended a new one started, so we reset and
+            # continue.
+            if not line.startswith(" " * 8):
+                activity = None
+                continue
+
+            # If we got this far, we are processing receivers for the
+            # activities we are interested in.
+            receiver = line.strip().split(" ")[1]
+            if receiver.split("/")[0] == "com.google.android.gms":
+                continue
+
+            if activity == EVENT_NEW_OUTGOING_SMS:
+                self.log.warning("Found a receiver to intercept outgoing SMS messages: \"%s\"",
+                                 receiver)
+            elif activity == EVENT_SMS_RECEIVED:
+                self.log.warning("Found a receiver to intercept incoming SMS messages: \"%s\"",
+                                 receiver)
+            elif activity == EVENT_PHONE_STATE:
+                self.log.warning("Found a receiver monitoring telephony state: \"%s\"",
+                                 receiver)
+
+            self.detected.append({
+                "activity": activity,
+                "receiver": receiver,
+            })
+
     def run(self):
         self._adb_connect()
 
         output = self._adb_command("dumpsys package")
 
+        self._find_suspicious_packages(output)
+
         if self.output_folder:
             packages_path = os.path.join(self.output_folder, "dumpsys_packages.txt")
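Review bot: `receiver = line.strip().split(" ")[1]` raises IndexError on any 8-space-indented line inside a matched block that has fewer than two space-separated tokens (and `split(" ")` yields empty strings on runs of spaces), and since `run()` now calls `_find_suspicious_packages(output)` before `dumpsys_packages.txt` is written, one vendor-specific line in the dumpsys format aborts the module and loses the raw artefact. I would tokenise with `parts = line.split()`, skip with `if len(parts) < 2: continue`, and move the parser call after the file write (or wrap it) so the raw output is always preserved for manual review. The `com.google.android.gms` exemption matches on package name alone and silently drops the entry; on a device without Play Services a malicious app could register under that name, so logging the skip at debug level rather than discarding it would keep the evidence. The hits are appended to `self.detected` only, so they presumably do not reach `self.results` or the JSON export; worth confirming against the base class, since the full receiver list is what an analyst would want to diff later.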