From 52a204cab6c80fb1f27e99d34387b5813ba9c853 Mon Sep 17 00:00:00 2001 From: Nex Date: Tue, 1 Feb 2022 15:33:19 +0100 Subject: [PATCH] Obtaining permissions for installed packages --- mvt/android/modules/adb/packages.py | 103 ++++++++++++++++++++++------ 1 file changed, 83 insertions(+), 20 deletions(-) diff --git a/mvt/android/modules/adb/packages.py b/mvt/android/modules/adb/packages.py index cc1f457..c1cc8d2 100644 --- a/mvt/android/modules/adb/packages.py +++ b/mvt/android/modules/adb/packages.py @@ -15,6 +15,29 @@ from .base import AndroidExtraction log = logging.getLogger(__name__) +DANGEROUS_PERMISSIONS_THRESHOLD = 10 +DANGEROUS_PERMISSIONS = [ + "android.permission.ACCESS_COARSE_LOCATION", + "android.permission.ACCESS_FINE_LOCATION", + "android.permission.AUTHENTICATE_ACCOUNTS", + "android.permission.CAMERA", + "android.permission.DISABLE_KEYGUARD", + "android.permission.PROCESS_OUTGOING_CALLS", + "android.permission.READ_CALENDAR", + "android.permission.READ_CALL_LOG", + "android.permission.READ_CONTACTS", + "android.permission.READ_PHONE_STATE", + "android.permission.READ_SMS", + "android.permission.RECEIVE_MMS", + "android.permission.RECEIVE_SMS", + "android.permission.RECEIVE_WAP_PUSH", + "android.permission.RECORD_AUDIO", + "android.permission.SEND_SMS", + "android.permission.SYSTEM_ALERT_WINDOW", + "android.permission.USE_CREDENTIALS", + "android.permission.USE_SIP", + "com.android.browser.permission.READ_HISTORY_BOOKMARKS", +] class Packages(AndroidExtraction): """This module extracts the list of installed packages.""" @@ -69,6 +92,45 @@ class Packages(AndroidExtraction): result["matched_indicator"] = ioc self.detected.append(result) + def _get_package_details(self, package_name): + details = { + "uid": "", + "version_name": "", + "version_code": "", + "timestamp": "", + "first_install_time": "", + "last_update_time": "", + "requested_permissions": [], + } + + in_permissions = False + for line in self._adb_command(f"dumpsys package {package_name}").split("\n"): + if in_permissions: + if line.startswith(" " * 4) and not line.startswith(" " * 6): + in_permissions = False + continue + + permission = line.strip().split(":")[0] + details["requested_permissions"].append(permission) + + if line.strip().startswith("userId="): + details["uid"] = line.split("=")[1].strip() + elif line.strip().startswith("versionName="): + details["version_name"] = line.split("=")[1].strip() + elif line.strip().startswith("versionCode="): + details["version_code"] = line.split("=", 1)[1].strip() + elif line.strip().startswith("timeStamp="): + details["timestamp"] = line.split("=")[1].strip() + elif line.strip().startswith("firstInstallTime="): + details["first_install_time"] = line.split("=")[1].strip() + elif line.strip().startswith("lastUpdateTime="): + details["last_update_time"] = line.split("=")[1].strip() + elif line.strip() == "requested permissions:": + in_permissions = True + continue + + return details + def _get_files_for_package(self, package_name): output = self._adb_command(f"pm path {package_name}") output = output.strip().replace("package:", "") @@ -97,9 +159,7 @@ class Packages(AndroidExtraction): def run(self): self._adb_connect() - packages = self._adb_command("pm list packages -U -u -i -f") - if packages.strip() == "Error: Unknown option: -U": - packages = self._adb_command("pm list packages -u -i -f") + packages = self._adb_command("pm list packages -u -i -f") for line in packages.split("\n"): line = line.strip() @@ -117,31 +177,21 @@ class Packages(AndroidExtraction): if installer == "null": installer = None - try: - uid = fields[2].split(":")[1].strip() - except IndexError: - uid = None - - dumpsys = self._adb_command(f"dumpsys package {package_name} | grep -A2 timeStamp").split("\n") - timestamp = dumpsys[0].split("=")[1].strip() - first_install = dumpsys[1].split("=")[1].strip() - last_update = dumpsys[2].split("=")[1].strip() - package_files = self._get_files_for_package(package_name) - - self.results.append({ + new_package = { "package_name": package_name, "file_name": file_name, "installer": installer, - "timestamp": timestamp, - "first_install_time": first_install, - "last_update_time": last_update, - "uid": uid, "disabled": False, "system": False, "third_party": False, "files": package_files, - }) + } + + package_details = self._get_package_details(package_name) + new_package.update(package_details) + + self.results.append(new_package) cmds = [ {"field": "disabled", "arg": "-d"}, @@ -160,6 +210,19 @@ class Packages(AndroidExtraction): if result["package_name"] == package_name: self.results[i][cmd["field"]] = True + for result in self.results: + if not result["third_party"]: + continue + + dangerous_permissions_count = 0 + for perm in result["requested_permissions"]: + if perm in DANGEROUS_PERMISSIONS: + dangerous_permissions_count += 1 + + if dangerous_permissions_count >= DANGEROUS_PERMISSIONS_THRESHOLD: + self.log.info("Third-party package \"%s\" requested %d potentially dangerous permissions", + result["package_name"], dangerous_permissions_count) + packages_to_lookup = [] for result in self.results: if result["system"]: