From ef2bb93dc4b295874b2e6f7117574feaecdfae9c Mon Sep 17 00:00:00 2001
From: tek
Date: Tue, 21 Sep 2021 19:43:02 +0200
Subject: [PATCH 1/2] Adds indicator check for android package name and file hash
---
 mvt/android/modules/adb/base.py | 6 +++---
 mvt/android/modules/adb/chrome_history.py | 8 ++++++++
 mvt/android/modules/adb/packages.py | 23 ++++++++++++++++-------
 mvt/common/indicators.py | 8 ++++++++
 4 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/mvt/android/modules/adb/base.py b/mvt/android/modules/adb/base.py
index 407a3b8..70ac660 100644
--- a/mvt/android/modules/adb/base.py
+++ b/mvt/android/modules/adb/base.py
@@ -132,7 +132,7 @@ class AndroidExtraction(MVTModule):
 """
 return self._adb_command(f"su -c {command}")
-
+
 def _adb_check_file_exists(self, file):
 """Verify that a file exists.
@@ -166,7 +166,7 @@ class AndroidExtraction(MVTModule):
 self._adb_download_root(remote_path, local_path, progress_callback)
 else:
 raise Exception(f"Unable to download file {remote_path}: {e}")
-
+
 def _adb_download_root(self, remote_path, local_path, progress_callback=None):
 try:
 # Check if we have root, if not raise an Exception.
@@ -191,7 +191,7 @@ class AndroidExtraction(MVTModule):
 # Delete the copy on /sdcard/.
 self._adb_command(f"rm -rf {new_remote_path}")
-
+
 except AdbCommandFailureException as e:
 raise Exception(f"Unable to download file {remote_path}: {e}")
diff --git a/mvt/android/modules/adb/chrome_history.py b/mvt/android/modules/adb/chrome_history.py
index 8da486d..1aac934 100644
--- a/mvt/android/modules/adb/chrome_history.py
+++ b/mvt/android/modules/adb/chrome_history.py
@@ -33,6 +33,14 @@ class ChromeHistory(AndroidExtraction):
 "data": f"{record['id']} - {record['url']} (visit ID: {record['visit_id']}, redirect source: {record['redirect_source']})"
 }
+ def check_indicators(self):
+ if not self.indicators:
+ return
+
+ for result in self.results:
+ if self.indicators.check_domain(result["url"]):
+ self.detected.append(result)
+
 def _parse_db(self, db_path):
 """Parse a Chrome History database file.
diff --git a/mvt/android/modules/adb/packages.py b/mvt/android/modules/adb/packages.py
index 49a1516..343d997 100644
--- a/mvt/android/modules/adb/packages.py
+++ b/mvt/android/modules/adb/packages.py
@@ -44,16 +44,25 @@ class Packages(AndroidExtraction):
 root_packages_path = os.path.join("..", "..", "data", "root_packages.txt")
 root_packages_string = pkg_resources.resource_string(__name__, root_packages_path)
 root_packages = root_packages_string.decode("utf-8").split("\n")
+ root_packages = [rp.strip() for rp in root_packages]
- for root_package in root_packages:
- root_package = root_package.strip()
- if not root_package:
- continue
- if root_package in self.results:
+ for result in self.results:
+ if result["package_name"] in root_packages:
 self.log.warning("Found an installed package related to rooting/jailbreaking: \"%s\"",
- root_package)
- self.detected.append(root_package)
+ result["package_name"])
+ self.detected.append(result)
+ if result["package_name"] in self.indicators.ioc_app_ids:
+ self.log.warning("Found a malicious package name: \"%s\"",
+ result["package_name"])
+ self.detected.append(result)
+ for f in result["files"]:
+ if f["sha256"] in self.indicators.ioc_files_sha256:
+ self.log.warning("Found a malicious app: \"%s\" %s",
+ result["package_name"],
+ f["sha256"])
+ self.detected.append(result)
+
 def _get_files_for_package(self, package_name):
 output = self._adb_command(f"pm path {package_name}")
diff --git a/mvt/common/indicators.py b/mvt/common/indicators.py
index 93f42a5..1310f11 100644
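Review bot: The new `check_indicators` appends a matching history record to `self.detected` silently, while the packages.py hunk in this same patch emits `self.log.warning(...)` for every indicator match; an analyst watching the console gets no signal that a visited URL hit a domain indicator, and the two modules report inconsistently. Consider adding `self.log.warning("Found a known malicious domain in Chrome history: %s", result["url"])` before the append, and a one-line docstring such as `"""Match visited URLs against the loaded domain indicators."""`. The `if not self.indicators: return` guard at the top is the right shape and is worth mirroring in the packages module, which dereferences `self.indicators` unconditionally.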
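Review bot: The new loop dereferences `self.indicators.ioc_app_ids` and `self.indicators.ioc_files_sha256` with no check that indicators were loaded, whereas the chrome_history hunk in this patch begins with `if not self.indicators: return`; if `self.indicators` can be `None` here as it evidently can there, a run without an indicators file raises `AttributeError` and the root-package check is lost with it. The enclosing method starts above the hunk, so a guard may exist out of view, but the indicator lookups should be conditional, e.g. `if self.indicators and result["package_name"] in self.indicators.ioc_app_ids:` and likewise for the hash loop. A single result can also be appended to `self.detected` once per matching rule and once per matching file, so a package that is both a known root tool and a hash match is reported twice; appending once after the checks (or a `break` after the first hash match) keeps the detected list deduplicated. These lines are carried unchanged into the packages.py hunk of PATCH 2/2.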
--- a/mvt/common/indicators.py
+++ b/mvt/common/indicators.py
@@ -23,6 +23,8 @@ class Indicators:
 self.ioc_processes = []
 self.ioc_emails = []
 self.ioc_files = []
+ self.ioc_files_sha256 = []
+ self.ioc_app_ids = []
 self.ioc_count = 0
 def _add_indicator(self, ioc, iocs_list):
@@ -66,6 +68,12 @@ class Indicators:
 elif key == "file:name":
 self._add_indicator(ioc=value, iocs_list=self.ioc_files)
+ elif key == "app:id":
+ self._add_indicator(ioc=value,
+ iocs_list=self.ioc_app_ids)
+ elif key == "file:hashes.sha256":
+ self._add_indicator(ioc=value,
+ iocs_list=self.ioc_files_sha256)
 def check_domain(self, url) -> bool:
 """Check if a given URL matches any of the provided domain indicators.
From 60a17381a253c1eb75c2c711c4a3c098da4f1f6d Mon Sep 17 00:00:00 2001
From: Nex
Date: Tue, 21 Sep 2021 22:27:35 +0200
Subject: [PATCH 2/2] Standardized code
---
 mvt/android/modules/adb/packages.py | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/mvt/android/modules/adb/packages.py b/mvt/android/modules/adb/packages.py
index 343d997..30e0821 100644
--- a/mvt/android/modules/adb/packages.py
+++ b/mvt/android/modules/adb/packages.py
@@ -54,16 +54,15 @@ class Packages(AndroidExtraction):
 self.detected.append(result)
 if result["package_name"] in self.indicators.ioc_app_ids:
 self.log.warning("Found a malicious package name: \"%s\"",
- result["package_name"])
+ result["package_name"])
 self.detected.append(result)
- for f in result["files"]:
- if f["sha256"] in self.indicators.ioc_files_sha256:
- self.log.warning("Found a malicious app: \"%s\" %s",
- result["package_name"],
- f["sha256"])
+ for file in result["files"]:
+ if file["sha256"] in self.indicators.ioc_files_sha256:
+ self.log.warning("Found a malicious APK: \"%s\" %s",
+ result["package_name"],
+ file["sha256"])
 self.detected.append(result)
-
 def _get_files_for_package(self, package_name):
 output = self._adb_command(f"pm path {package_name}")
 output = output.strip().replace("package:", "")
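Review bot: The `file:hashes.sha256` branch stores the STIX value as given, and packages.py compares it with `f["sha256"] in self.indicators.ioc_files_sha256`, a case-sensitive list lookup; hex digests appear in both upper- and lower-case in indicator feeds, so a mixed-case indicator would never match a lower-case digest computed from the device unless `_add_indicator` (body outside the hunk) already normalizes case. Lower-casing at ingest, `self._add_indicator(ioc=value.lower(), iocs_list=self.ioc_files_sha256)`, and doing the same at the comparison site would make the match robust. STIX 2.1 keys file hashes by algorithm name (e.g. `SHA-256`), so it may be worth confirming which spelling the consumed indicator files actually use before relying solely on the `file:hashes.sha256` comparison. Both new lists, like the existing ones, are scanned linearly per package and per file; a `set` would be the natural container once indicator sets grow, though that is a wider change than this hunk.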