Add new iOS versions and build numbers (#714)

Co-authored-by: DonnchaC <DonnchaC@users.noreply.github.com>

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/tests.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ['3.8', '3.9', '3.10']  # , '3.11']
+        python-version: ['3.10', '3.11', '3.12', '3.13']
 
     steps:
       - uses: actions/checkout@v4

Dockerfile

@@ -103,7 +103,7 @@ RUN git clone https://github.com/libimobiledevice/usbmuxd && cd usbmuxd \
 
 
 # Create main image
-FROM ubuntu:22.04 as main
+FROM ubuntu:24.04 as main
 
 LABEL org.opencontainers.image.url="https://mvt.re"
 LABEL org.opencontainers.image.documentation="https://docs.mvt.re"
@@ -135,8 +135,7 @@ COPY --from=build-usbmuxd /build /
 COPY . mvt/
 RUN apt-get update \
    && apt-get install -y git python3-pip \
-   && PIP_NO_CACHE_DIR=1 pip3 install --upgrade pip \
+   && PIP_NO_CACHE_DIR=1 pip3 install --break-system-packages ./mvt \
-   && PIP_NO_CACHE_DIR=1 pip3 install ./mvt \
    && apt-get remove -y python3-pip git && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/* \
    && rm -rf mvt

Makefile

@@ -23,7 +23,7 @@ install:
 	python3 -m pip install --upgrade -e .
 
 test-requirements:
-	python3 -m pip install --upgrade -r test-requirements.txt
+	python3 -m pip install --upgrade --group dev
 
 generate-proto-parsers:
 	# Generate python parsers for protobuf files

docs/requirements.txt

@@ -1,5 +1,5 @@
 mkdocs==1.6.1
-mkdocs-autorefs==1.2.0
+mkdocs-autorefs==1.4.3
-mkdocs-material==9.5.42
+mkdocs-material==9.6.20
 mkdocs-material-extensions==1.3.1
-mkdocstrings==0.23.0
+mkdocstrings==0.30.1

pyproject.toml

@@ -1,13 +1,11 @@
 [project]
 name = "mvt"
 dynamic = ["version"]
-authors = [
+authors = [{ name = "Claudio Guarnieri", email = "nex@nex.sx" }]
-    {name = "Claudio Guarnieri", email = "nex@nex.sx"}
-]
 maintainers = [
-    {name = "Etienne Maynier", email = "tek@randhome.io"},
+    { name = "Etienne Maynier", email = "tek@randhome.io" },
-    {name = "Donncha Ó Cearbhaill", email = "donncha.ocearbhaill@amnesty.org"},
+    { name = "Donncha Ó Cearbhaill", email = "donncha.ocearbhaill@amnesty.org" },
-    {name = "Rory Flynn", email = "rory.flynn@amnesty.org"}
+    { name = "Rory Flynn", email = "rory.flynn@amnesty.org" },
 ]
 description = "Mobile Verification Toolkit"
 readme = "README.md"
@@ -16,48 +14,61 @@ classifiers = [
     "Development Status :: 5 - Production/Stable",
     "Intended Audience :: Information Technology",
     "Operating System :: OS Independent",
-    "Programming Language :: Python"
+    "Programming Language :: Python",
 ]
 dependencies = [
-    "click >=8.1.3",
+    "click==8.2.1",
-    "rich >=12.6.0",
+    "rich==14.1.0",
-    "tld >=0.12.6",
+    "tld==0.13.1",
-    "requests >=2.28.1",
+    "requests==2.32.4",
-    "simplejson >=3.17.6",
+    "simplejson==3.20.1",
-    "packaging >=21.3",
+    "packaging==25.0",
-    "appdirs >=1.4.4",
+    "appdirs==1.4.4",
-    "iOSbackup >=0.9.923",
+    "iOSbackup==0.9.925",
-    "adb-shell[usb] >=0.4.3",
+    "adb-shell[usb]==0.4.4",
-    "libusb1 >=3.0.0",
+    "libusb1==3.3.1",
-    "cryptography >=42.0.5",
+    "cryptography==45.0.6",
-    "pyyaml >=6.0",
+    "PyYAML>=6.0.2",
-    "pyahocorasick >= 2.0.0",
+    "pyahocorasick==2.2.0",
-    "betterproto >=1.2.0",
+    "betterproto==1.2.5",
-    "pydantic >= 2.10.0",
+    "pydantic==2.11.7",
-    "pydantic-settings >= 2.7.0",
+    "pydantic-settings==2.10.1",
-    'backports.zoneinfo; python_version < "3.9"',
+    "NSKeyedUnArchiver==1.5.2",
+    "python-dateutil==2.9.0.post0",
+    "tzdata==2025.2",
 ]
-requires-python = ">= 3.8"
+requires-python = ">= 3.10"
 
 [project.urls]
 homepage = "https://docs.mvt.re/en/latest/"
 repository = "https://github.com/mvt-project/mvt"
 
 [project.scripts]
-    mvt-ios = "mvt.ios:cli"
+mvt-ios = "mvt.ios:cli"
-    mvt-android = "mvt.android:cli"
+mvt-android = "mvt.android:cli"
+
+[dependency-groups]
+dev = [
+    "requests>=2.31.0",
+    "pytest>=7.4.3",
+    "pytest-cov>=4.1.0",
+    "pytest-github-actions-annotate-failures>=0.2.0",
+    "pytest-mock>=3.14.0",
+    "stix2>=3.0.1",
+    "ruff>=0.1.6",
+    "mypy>=1.7.1",
+    "betterproto[compiler]",
+]
 
 [build-system]
 requires = ["setuptools>=61.0"]
 build-backend = "setuptools.build_meta"
 
 [tool.coverage.run]
-omit = [
+omit = ["tests/*"]
-    "tests/*",
-]
 
 [tool.coverage.html]
-directory= "htmlcov"
+directory = "htmlcov"
 
 [tool.mypy]
 install_types = true
@@ -67,9 +78,7 @@ packages = "src"
 
 [tool.pytest.ini_options]
 addopts = "-ra -q --cov=mvt --cov-report html --junitxml=pytest.xml --cov-report=term-missing:skip-covered"
-testpaths = [
+testpaths = ["tests"]
-    "tests"
-]
 
 [tool.ruff.lint]
 select = ["C90", "E", "F", "W"] # flake8 default set
@@ -94,7 +103,7 @@ max-complexity = 10
 
 [tool.setuptools]
 include-package-data = true
-package-dir = {"" = "src"}
+package-dir = { "" = "src" }
 
 [tool.setuptools.packages.find]
 where = ["src"]
@@ -103,4 +112,4 @@ where = ["src"]
 mvt = ["ios/data/*.json"]
 
 [tool.setuptools.dynamic]
-version = {attr = "mvt.common.version.MVT_VERSION"}
+version = { attr = "mvt.common.version.MVT_VERSION" }

src/mvt/android/artifacts/dumpsys_adb.py

@@ -4,6 +4,7 @@
 #   https://license.mvt.re/1.1/
 
 import base64
+import binascii
 import hashlib
 
 from .artifact import AndroidArtifact
@@ -89,11 +90,16 @@ class DumpsysADBArtifact(AndroidArtifact):
         else:
             key_base64, user = user_key, b""
 
+        try:
             key_raw = base64.b64decode(key_base64)
             key_fingerprint = hashlib.md5(key_raw).hexdigest().upper()
             key_fingerprint_colon = ":".join(
                 [key_fingerprint[i : i + 2] for i in range(0, len(key_fingerprint), 2)]
             )
+        except binascii.Error:
+            # Impossible to parse base64
+            key_fingerprint_colon = ""
+
         return {
             "user": user.decode("utf-8"),
             "fingerprint": key_fingerprint_colon,

src/mvt/android/artifacts/mounts.py

@@ -0,0 +1,186 @@
+# Mobile Verification Toolkit (MVT)
+# Copyright (c) 2021-2023 The MVT Authors.
+# Use of this software is governed by the MVT License 1.1 that can be found at
+#   https://license.mvt.re/1.1/
+
+from typing import Any
+
+from .artifact import AndroidArtifact
+
+SUSPICIOUS_MOUNT_POINTS = [
+    "/system",
+    "/vendor",
+    "/product",
+    "/system_ext",
+]
+
+SUSPICIOUS_OPTIONS = [
+    "rw",
+    "remount",
+    "noatime",
+    "nodiratime",
+]
+
+ALLOWLIST_NOATIME = [
+    "/system_dlkm",
+    "/system_ext",
+    "/product",
+    "/vendor",
+    "/vendor_dlkm",
+]
+
+
+class Mounts(AndroidArtifact):
+    """
+    This artifact parses mount information from /proc/mounts or similar mount data.
+    It can detect potentially suspicious mount configurations that may indicate
+    a rooted or compromised device.
+    """
+
+    def parse(self, entry: str) -> None:
+        """
+        Parse mount information from the provided entry.
+
+        Examples:
+        /dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0
+        /dev/block/dm-12 on / type ext4 (ro,seclabel,noatime)
+        """
+        self.results: list[dict[str, Any]] = []
+
+        for line in entry.splitlines():
+            line = line.strip()
+            if not line:
+                continue
+
+            device = None
+            mount_point = None
+            filesystem_type = None
+            mount_options = ""
+
+            if " on " in line and " type " in line:
+                try:
+                    # Format: device on mount_point type filesystem_type (options)
+                    device_part, rest = line.split(" on ", 1)
+                    device = device_part.strip()
+
+                    # Split by 'type' to get mount_point and filesystem info
+                    mount_part, fs_part = rest.split(" type ", 1)
+                    mount_point = mount_part.strip()
+
+                    # Parse filesystem and options
+                    if "(" in fs_part and fs_part.endswith(")"):
+                        # Format: filesystem_type (options)
+                        fs_and_opts = fs_part.strip()
+                        paren_idx = fs_and_opts.find("(")
+                        filesystem_type = fs_and_opts[:paren_idx].strip()
+                        mount_options = fs_and_opts[paren_idx + 1 : -1].strip()
+                    else:
+                        # No options in parentheses, just filesystem type
+                        filesystem_type = fs_part.strip()
+                        mount_options = ""
+
+                    # Skip if we don't have essential info
+                    if not device or not mount_point or not filesystem_type:
+                        continue
+
+                    # Parse options into list
+                    options_list = (
+                        [opt.strip() for opt in mount_options.split(",") if opt.strip()]
+                        if mount_options
+                        else []
+                    )
+
+                    # Check if it's a system partition
+                    is_system_partition = mount_point in SUSPICIOUS_MOUNT_POINTS or any(
+                        mount_point.startswith(sp) for sp in SUSPICIOUS_MOUNT_POINTS
+                    )
+
+                    # Check if it's mounted read-write
+                    is_read_write = "rw" in options_list
+
+                    mount_entry = {
+                        "device": device,
+                        "mount_point": mount_point,
+                        "filesystem_type": filesystem_type,
+                        "mount_options": mount_options,
+                        "options_list": options_list,
+                        "is_system_partition": is_system_partition,
+                        "is_read_write": is_read_write,
+                    }
+
+                    self.results.append(mount_entry)
+
+                except ValueError:
+                    # If parsing fails, skip this line
+                    continue
+            else:
+                # Skip lines that don't match expected format
+                continue
+
+    def check_indicators(self) -> None:
+        """
+        Check for suspicious mount configurations that may indicate root access
+        or other security concerns.
+        """
+        system_rw_mounts = []
+        suspicious_mounts = []
+
+        for mount in self.results:
+            mount_point = mount["mount_point"]
+            options = mount["options_list"]
+
+            # Check for system partitions mounted as read-write
+            if mount["is_system_partition"] and mount["is_read_write"]:
+                system_rw_mounts.append(mount)
+                if mount_point == "/system":
+                    self.log.warning(
+                        "Root detected /system partition is mounted as read-write (rw). "
+                    )
+                else:
+                    self.log.warning(
+                        "System partition %s is mounted as read-write (rw). This may indicate system modifications.",
+                        mount_point,
+                    )
+
+            # Check for other suspicious mount options
+            suspicious_opts = [opt for opt in options if opt in SUSPICIOUS_OPTIONS]
+            if suspicious_opts and mount["is_system_partition"]:
+                if (
+                    "noatime" in mount["mount_options"]
+                    and mount["mount_point"] in ALLOWLIST_NOATIME
+                ):
+                    continue
+                suspicious_mounts.append(mount)
+                self.log.warning(
+                    "Suspicious mount options found for %s: %s",
+                    mount_point,
+                    ", ".join(suspicious_opts),
+                )
+
+            # Log interesting mount information
+            if mount_point == "/data" or mount_point.startswith("/sdcard"):
+                self.log.info(
+                    "Data partition: %s mounted as %s with options: %s",
+                    mount_point,
+                    mount["filesystem_type"],
+                    mount["mount_options"],
+                )
+
+        self.log.info("Parsed %d mount entries", len(self.results))
+
+        # Check indicators if available
+        if not self.indicators:
+            return
+
+        for mount in self.results:
+            # Check if any mount points match indicators
+            ioc = self.indicators.check_file_path(mount.get("mount_point", ""))
+            if ioc:
+                mount["matched_indicator"] = ioc
+                self.detected.append(mount)
+
+            # Check device paths for indicators
+            ioc = self.indicators.check_file_path(mount.get("device", ""))
+            if ioc:
+                mount["matched_indicator"] = ioc
+                self.detected.append(mount)

src/mvt/android/artifacts/settings.py

@@ -51,11 +51,6 @@ ANDROID_DANGEROUS_SETTINGS = [
         "key": "send_action_app_error",
         "safe_value": "1",
     },
-    {
-        "description": "enabled installation of non Google Play apps",
-        "key": "install_non_market_apps",
-        "safe_value": "0",
-    },
     {
         "description": "enabled accessibility services",
         "key": "accessibility_enabled",

src/mvt/android/artifacts/tombstone_crashes.py

@@ -8,6 +8,7 @@ from typing import List, Optional, Union
 
 import pydantic
 import betterproto
+from dateutil import parser
 
 from mvt.common.utils import convert_datetime_to_iso
 from mvt.android.parsers.proto.tombstone import Tombstone
@@ -52,7 +53,7 @@ class TombstoneCrashResult(pydantic.BaseModel):
     file_name: str
     file_timestamp: str  # We store the timestamp as a string to avoid timezone issues
     build_fingerprint: str
-    revision: int
+    revision: str
     arch: Optional[str] = None
     timestamp: str  # We store the timestamp as a string to avoid timezone issues
     process_uptime: Optional[int] = None
@@ -62,14 +63,14 @@ class TombstoneCrashResult(pydantic.BaseModel):
     process_name: Optional[str] = None
     binary_path: Optional[str] = None
     selinux_label: Optional[str] = None
-    uid: Optional[int] = None
+    uid: int
     signal_info: SignalInfo
     cause: Optional[str] = None
     extra: Optional[str] = None
 
 
 class TombstoneCrashArtifact(AndroidArtifact):
-    """ "
+    """
     Parser for Android tombstone crash files.
 
     This parser can parse both text and protobuf tombstone crash files.
@@ -120,11 +121,11 @@ class TombstoneCrashArtifact(AndroidArtifact):
     def parse_protobuf(
         self, file_name: str, file_timestamp: datetime.datetime, data: bytes
     ) -> None:
-        """
+        """Parse Android tombstone crash files from a protobuf object."""
-        Parse Android tombstone crash files from a protobuf object.
-        """
         tombstone_pb = Tombstone().parse(data)
-        tombstone_dict = tombstone_pb.to_dict(betterproto.Casing.SNAKE)
+        tombstone_dict = tombstone_pb.to_dict(
+            betterproto.Casing.SNAKE, include_default_values=True
+        )
 
         # Add some extra metadata
         tombstone_dict["timestamp"] = self._parse_timestamp_string(
@@ -141,21 +142,23 @@ class TombstoneCrashArtifact(AndroidArtifact):
     def parse(
         self, file_name: str, file_timestamp: datetime.datetime, content: bytes
     ) -> None:
-        """
+        """Parse text Android tombstone crash files."""
-        Parse text Android tombstone crash files.
-        """
-
-        # Split the tombstone file into a dictonary
         tombstone_dict = {
             "file_name": file_name,
             "file_timestamp": convert_datetime_to_iso(file_timestamp),
         }
         lines = content.decode("utf-8").splitlines()
-        for line in lines:
+        for line_num, line in enumerate(lines, 1):
             if not line.strip() or TOMBSTONE_DELIMITER in line:
                 continue
+            try:
                 for key, destination_key in TOMBSTONE_TEXT_KEY_MAPPINGS.items():
-                self._parse_tombstone_line(line, key, destination_key, tombstone_dict)
+                    if self._parse_tombstone_line(
+                        line, key, destination_key, tombstone_dict
+                    ):
+                        break
+            except Exception as e:
+                raise ValueError(f"Error parsing line {line_num}: {str(e)}")
 
         # Validate the tombstone and add it to the results
         tombstone = TombstoneCrashResult.model_validate(tombstone_dict)
@@ -165,7 +168,7 @@ class TombstoneCrashArtifact(AndroidArtifact):
         self, line: str, key: str, destination_key: str, tombstone: dict
     ) -> bool:
         if not line.startswith(f"{key}"):
-            return None
+            return False
 
         if key == "pid":
             return self._load_pid_line(line, tombstone)
@@ -184,7 +187,7 @@ class TombstoneCrashArtifact(AndroidArtifact):
             raise ValueError(f"Expected key {key}, got {line_key}")
 
         value_clean = value.strip().strip("'")
-        if destination_key in ["uid", "revision"]:
+        if destination_key == "uid":
             tombstone[destination_key] = int(value_clean)
         elif destination_key == "process_uptime":
             # eg. "Process uptime: 40s"
@@ -197,51 +200,50 @@ class TombstoneCrashArtifact(AndroidArtifact):
         return True
 
     def _load_pid_line(self, line: str, tombstone: dict) -> bool:
-        pid_part, tid_part, name_part = [part.strip() for part in line.split(",")]
+        try:
+            parts = line.split(" >>> ") if " >>> " in line else line.split(">>>")
+            process_info = parts[0]
 
-        pid_key, pid_value = pid_part.split(":", 1)
+            # Parse pid, tid, name from process info
-        if pid_key != "pid":
+            info_parts = [p.strip() for p in process_info.split(",")]
-            raise ValueError(f"Expected key pid, got {pid_key}")
+            for info in info_parts:
-        pid_value = int(pid_value.strip())
+                key, value = info.split(":", 1)
+                key = key.strip()
+                value = value.strip()
 
-        tid_key, tid_value = tid_part.split(":", 1)
+                if key == "pid":
-        if tid_key != "tid":
+                    tombstone["pid"] = int(value)
-            raise ValueError(f"Expected key tid, got {tid_key}")
+                elif key == "tid":
-        tid_value = int(tid_value.strip())
+                    tombstone["tid"] = int(value)
+                elif key == "name":
+                    tombstone["process_name"] = value
 
-        name_key, name_value = name_part.split(":", 1)
+            # Extract binary path if it exists
-        if name_key != "name":
+            if len(parts) > 1:
-            raise ValueError(f"Expected key name, got {name_key}")
+                tombstone["binary_path"] = parts[1].strip().rstrip(" <")
-        name_value = name_value.strip()
-        process_name, binary_path = self._parse_process_name(name_value, tombstone)
 
-        tombstone["pid"] = pid_value
-        tombstone["tid"] = tid_value
-        tombstone["process_name"] = process_name
-        tombstone["binary_path"] = binary_path
             return True
 
-    def _parse_process_name(self, process_name_part, tombstone: dict) -> bool:
+        except Exception as e:
-        process_name, process_path = process_name_part.split(">>>")
+            raise ValueError(f"Failed to parse PID line: {str(e)}")
-        process_name = process_name.strip()
-        binary_path = process_path.strip().split(" ")[0]
-        return process_name, binary_path
 
     def _load_signal_line(self, line: str, tombstone: dict) -> bool:
-        signal, code, _ = [part.strip() for part in line.split(",", 2)]
+        signal_part, code_part = map(str.strip, line.split(",")[:2])
-        signal = signal.split("signal ")[1]
-        signal_code, signal_name = signal.split(" ")
-        signal_name = signal_name.strip("()")
 
-        code_part = code.split("code ")[1]
+        def parse_part(part: str, prefix: str) -> tuple[int, str]:
-        code_number, code_name = code_part.split(" ")
+            match = part.split(prefix)[1]
-        code_name = code_name.strip("()")
+            number = int(match.split()[0])
+            name = match.split("(")[1].split(")")[0] if "(" in match else "UNKNOWN"
+            return number, name
+
+        signal_number, signal_name = parse_part(signal_part, "signal ")
+        code_number, code_name = parse_part(code_part, "code ")
 
         tombstone["signal_info"] = {
-            "code": int(code_number),
+            "code": code_number,
             "code_name": code_name,
             "name": signal_name,
-            "number": int(signal_code),
+            "number": signal_number,
         }
         return True
 
@@ -252,13 +254,7 @@ class TombstoneCrashArtifact(AndroidArtifact):
 
     @staticmethod
     def _parse_timestamp_string(timestamp: str) -> str:
-        timestamp_date, timezone = timestamp.split("+")
+        timestamp_parsed = parser.parse(timestamp)
-        # Truncate microseconds before parsing
-        timestamp_without_micro = timestamp_date.split(".")[0] + "+" + timezone
-        timestamp_parsed = datetime.datetime.strptime(
-            timestamp_without_micro, "%Y-%m-%d %H:%M:%S%z"
-        )
-
         # HACK: Swap the local timestamp to UTC, so keep the original time and avoid timezone conversion.
         local_timestamp = timestamp_parsed.replace(tzinfo=datetime.timezone.utc)
         return convert_datetime_to_iso(local_timestamp)

src/mvt/android/cli.py

@@ -31,6 +31,8 @@ from mvt.common.help import (
     HELP_MSG_HASHES,
     HELP_MSG_CHECK_IOCS,
     HELP_MSG_STIX2,
+    HELP_MSG_DISABLE_UPDATE_CHECK,
+    HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK,
 )
 from mvt.common.logo import logo
 from mvt.common.updates import IndicatorsUpdates
@@ -53,12 +55,37 @@ log = logging.getLogger("mvt")
 CONTEXT_SETTINGS = dict(help_option_names=["-h", "--help"])
 
 
+def _get_disable_flags(ctx):
+    """Helper function to safely get disable flags from context."""
+    if ctx.obj is None:
+        return False, False
+    return (
+        ctx.obj.get("disable_version_check", False),
+        ctx.obj.get("disable_indicator_check", False),
+    )
+
+
 # ==============================================================================
 # Main
 # ==============================================================================
 @click.group(invoke_without_command=False)
-def cli():
+@click.option(
-    logo()
+    "--disable-update-check", is_flag=True, help=HELP_MSG_DISABLE_UPDATE_CHECK
+)
+@click.option(
+    "--disable-indicator-update-check",
+    is_flag=True,
+    help=HELP_MSG_DISABLE_INDICATOR_UPDATE_CHECK,
+)
+@click.pass_context
+def cli(ctx, disable_update_check, disable_indicator_update_check):
+    ctx.ensure_object(dict)
+    ctx.obj["disable_version_check"] = disable_update_check
+    ctx.obj["disable_indicator_check"] = disable_indicator_update_check
+    logo(
+        disable_version_check=disable_update_check,
+        disable_indicator_check=disable_indicator_update_check,
+    )
 
 
 # ==============================================================================
@@ -166,6 +193,8 @@ def check_adb(
         module_name=module,
         serial=serial,
         module_options=module_options,
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
@@ -212,6 +241,8 @@ def check_bugreport(ctx, iocs, output, list_modules, module, verbose, bugreport_
         ioc_files=iocs,
         module_name=module,
         hashes=True,
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
@@ -274,6 +305,8 @@ def check_backup(
             "interactive": not non_interactive,
             "backup_password": cli_load_android_backup_password(log, backup_password),
         },
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
@@ -338,6 +371,8 @@ def check_androidqf(
             "interactive": not non_interactive,
             "backup_password": cli_load_android_backup_password(log, backup_password),
         },
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
     )
 
     if list_modules:
@@ -372,7 +407,13 @@ def check_androidqf(
 @click.argument("FOLDER", type=click.Path(exists=True))
 @click.pass_context
 def check_iocs(ctx, iocs, list_modules, module, folder):
-    cmd = CmdCheckIOCS(target_path=folder, ioc_files=iocs, module_name=module)
+    cmd = CmdCheckIOCS(
+        target_path=folder,
+        ioc_files=iocs,
+        module_name=module,
+        disable_version_check=_get_disable_flags(ctx)[0],
+        disable_indicator_check=_get_disable_flags(ctx)[1],
+    )
     cmd.modules = BACKUP_MODULES + ADB_MODULES + BUGREPORT_MODULES
 
     if list_modules:

src/mvt/android/cmd_check_adb.py

@@ -7,6 +7,7 @@ import logging
 from typing import Optional
 
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.adb import ADB_MODULES
 
@@ -19,18 +20,28 @@ class CmdAndroidCheckADB(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
+            hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-adb"

src/mvt/android/cmd_check_androidqf.py

@@ -9,59 +9,186 @@ import zipfile
 from pathlib import Path
 from typing import List, Optional
 
+from mvt.android.cmd_check_backup import CmdAndroidCheckBackup
+from mvt.android.cmd_check_bugreport import CmdAndroidCheckBugreport
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.androidqf import ANDROIDQF_MODULES
+from .modules.androidqf.base import AndroidQFModule
 
 log = logging.getLogger(__name__)
 
 
+class NoAndroidQFTargetPath(Exception):
+    pass
+
+
+class NoAndroidQFBugReport(Exception):
+    pass
+
+
+class NoAndroidQFBackup(Exception):
+    pass
+
+
 class CmdAndroidCheckAndroidQF(Command):
     def __init__(
         self,
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-androidqf"
         self.modules = ANDROIDQF_MODULES
 
-        self.format: Optional[str] = None
+        self.__format: Optional[str] = None
-        self.archive: Optional[zipfile.ZipFile] = None
+        self.__zip: Optional[zipfile.ZipFile] = None
-        self.files: List[str] = []
+        self.__files: List[str] = []
 
     def init(self):
         if os.path.isdir(self.target_path):
-            self.format = "dir"
+            self.__format = "dir"
             parent_path = Path(self.target_path).absolute().parent.as_posix()
             target_abs_path = os.path.abspath(self.target_path)
             for root, subdirs, subfiles in os.walk(target_abs_path):
                 for fname in subfiles:
                     file_path = os.path.relpath(os.path.join(root, fname), parent_path)
-                    self.files.append(file_path)
+                    self.__files.append(file_path)
         elif os.path.isfile(self.target_path):
-            self.format = "zip"
+            self.__format = "zip"
-            self.archive = zipfile.ZipFile(self.target_path)
+            self.__zip = zipfile.ZipFile(self.target_path)
-            self.files = self.archive.namelist()
+            self.__files = self.__zip.namelist()
+
+    def module_init(self, module: AndroidQFModule) -> None:  # type: ignore[override]
+        if self.__format == "zip" and self.__zip:
+            module.from_zip(self.__zip, self.__files)
+            return
+
+        if not self.target_path:
+            raise NoAndroidQFTargetPath
 
-    def module_init(self, module):
-        if self.format == "zip":
-            module.from_zip_file(self.archive, self.files)
-        else:
         parent_path = Path(self.target_path).absolute().parent.as_posix()
-            module.from_folder(parent_path, self.files)
+        module.from_dir(parent_path, self.__files)
+
+    def load_bugreport(self) -> zipfile.ZipFile:
+        bugreport_zip_path = None
+        for file_name in self.__files:
+            if file_name.endswith("bugreport.zip"):
+                bugreport_zip_path = file_name
+                break
+        else:
+            raise NoAndroidQFBugReport
+
+        if self.__format == "zip" and self.__zip:
+            handle = self.__zip.open(bugreport_zip_path)
+            return zipfile.ZipFile(handle)
+
+        if self.__format == "dir" and self.target_path:
+            parent_path = Path(self.target_path).absolute().parent.as_posix()
+            bug_report_path = os.path.join(parent_path, bugreport_zip_path)
+            return zipfile.ZipFile(bug_report_path)
+
+        raise NoAndroidQFBugReport
+
+    def load_backup(self) -> bytes:
+        backup_ab_path = None
+        for file_name in self.__files:
+            if file_name.endswith("backup.ab"):
+                backup_ab_path = file_name
+                break
+        else:
+            raise NoAndroidQFBackup
+
+        if self.__format == "zip" and self.__zip:
+            backup_file_handle = self.__zip.open(backup_ab_path)
+            return backup_file_handle.read()
+
+        if self.__format == "dir" and self.target_path:
+            parent_path = Path(self.target_path).absolute().parent.as_posix()
+            backup_path = os.path.join(parent_path, backup_ab_path)
+            with open(backup_path, "rb") as backup_file:
+                backup_ab_data = backup_file.read()
+            return backup_ab_data
+
+        raise NoAndroidQFBackup
+
+    def run_bugreport_cmd(self) -> bool:
+        try:
+            bugreport = self.load_bugreport()
+        except NoAndroidQFBugReport:
+            self.log.warning(
+                "Skipping bugreport modules as no bugreport.zip found in AndroidQF data."
+            )
+            return False
+        else:
+            cmd = CmdAndroidCheckBugreport(
+                target_path=None,
+                results_path=self.results_path,
+                ioc_files=self.ioc_files,
+                iocs=self.iocs,
+                module_options=self.module_options,
+                hashes=self.hashes,
+                sub_command=True,
+            )
+            cmd.from_zip(bugreport)
+            cmd.run()
+
+            self.detected_count += cmd.detected_count
+            self.timeline.extend(cmd.timeline)
+            self.timeline_detected.extend(cmd.timeline_detected)
+
+    def run_backup_cmd(self) -> bool:
+        try:
+            backup = self.load_backup()
+        except NoAndroidQFBackup:
+            self.log.warning(
+                "Skipping backup modules as no backup.ab found in AndroidQF data."
+            )
+            return False
+        else:
+            cmd = CmdAndroidCheckBackup(
+                target_path=None,
+                results_path=self.results_path,
+                ioc_files=self.ioc_files,
+                iocs=self.iocs,
+                module_options=self.module_options,
+                hashes=self.hashes,
+                sub_command=True,
+            )
+            cmd.from_ab(backup)
+            cmd.run()
+
+            self.detected_count += cmd.detected_count
+            self.timeline.extend(cmd.timeline)
+            self.timeline_detected.extend(cmd.timeline_detected)
+
+    def finish(self) -> None:
+        """
+        Run the bugreport and backup modules if the respective files are found in the AndroidQF data.
+        """
+        self.run_bugreport_cmd()
+        self.run_backup_cmd()

src/mvt/android/cmd_check_backup.py

@@ -20,6 +20,7 @@ from mvt.android.parsers.backup import (
     parse_backup_file,
 )
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.backup import BACKUP_MODULES
 
@@ -32,20 +33,28 @@ class CmdAndroidCheckBackup(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-backup"
@@ -55,30 +64,21 @@ class CmdAndroidCheckBackup(Command):
         self.backup_archive: Optional[tarfile.TarFile] = None
         self.backup_files: List[str] = []
 
-    def init(self) -> None:
+    def from_ab(self, ab_file_bytes: bytes) -> None:
-        if not self.target_path:
-            return
-
-        if os.path.isfile(self.target_path):
         self.backup_type = "ab"
-            with open(self.target_path, "rb") as handle:
+        header = parse_ab_header(ab_file_bytes)
-                data = handle.read()
-
-            header = parse_ab_header(data)
         if not header["backup"]:
             log.critical("Invalid backup format, file should be in .ab format")
             sys.exit(1)
 
         password = None
         if header["encryption"] != "none":
-                password = prompt_or_load_android_backup_password(
+            password = prompt_or_load_android_backup_password(log, self.module_options)
-                    log, self.module_options
-                )
             if not password:
                 log.critical("No backup password provided.")
                 sys.exit(1)
         try:
-                tardata = parse_backup_file(data, password=password)
+            tardata = parse_backup_file(ab_file_bytes, password=password)
         except InvalidBackupPassword:
             log.critical("Invalid backup password")
             sys.exit(1)
@@ -92,6 +92,16 @@ class CmdAndroidCheckBackup(Command):
         for member in self.backup_archive:
             self.backup_files.append(member.name)
 
+    def init(self) -> None:
+        if not self.target_path:
+            return
+
+        if os.path.isfile(self.target_path):
+            self.backup_type = "ab"
+            with open(self.target_path, "rb") as handle:
+                ab_file_bytes = handle.read()
+            self.from_ab(ab_file_bytes)
+
         elif os.path.isdir(self.target_path):
             self.backup_type = "folder"
             self.target_path = Path(self.target_path).absolute().as_posix()
@@ -109,6 +119,6 @@ class CmdAndroidCheckBackup(Command):
 
     def module_init(self, module: BackupExtraction) -> None:  # type: ignore[override]
         if self.backup_type == "folder":
-            module.from_folder(self.target_path, self.backup_files)
+            module.from_dir(self.target_path, self.backup_files)
         else:
             module.from_ab(self.target_path, self.backup_archive, self.backup_files)

src/mvt/android/cmd_check_bugreport.py

@@ -11,6 +11,7 @@ from zipfile import ZipFile
 
 from mvt.android.modules.bugreport.base import BugReportModule
 from mvt.common.command import Command
+from mvt.common.indicators import Indicators
 
 from .modules.bugreport import BUGREPORT_MODULES
 
@@ -23,54 +24,80 @@ class CmdAndroidCheckBugreport(Command):
         target_path: Optional[str] = None,
         results_path: Optional[str] = None,
         ioc_files: Optional[list] = None,
+        iocs: Optional[Indicators] = None,
         module_name: Optional[str] = None,
         serial: Optional[str] = None,
         module_options: Optional[dict] = None,
-        hashes: bool = False,
+        hashes: Optional[bool] = False,
+        sub_command: Optional[bool] = False,
+        disable_version_check: bool = False,
+        disable_indicator_check: bool = False,
     ) -> None:
         super().__init__(
             target_path=target_path,
             results_path=results_path,
             ioc_files=ioc_files,
+            iocs=iocs,
             module_name=module_name,
             serial=serial,
             module_options=module_options,
             hashes=hashes,
+            sub_command=sub_command,
             log=log,
+            disable_version_check=disable_version_check,
+            disable_indicator_check=disable_indicator_check,
         )
 
         self.name = "check-bugreport"
         self.modules = BUGREPORT_MODULES
 
-        self.bugreport_format: str = ""
+        self.__format: str = ""
-        self.bugreport_archive: Optional[ZipFile] = None
+        self.__zip: Optional[ZipFile] = None
-        self.bugreport_files: List[str] = []
+        self.__files: List[str] = []
+
+    def from_dir(self, dir_path: str) -> None:
+        """This method is used to initialize the bug report analysis from an
+        uncompressed directory.
+        """
+        self.__format = "dir"
+        self.target_path = dir_path
+        parent_path = Path(dir_path).absolute().as_posix()
+        for root, _, subfiles in os.walk(os.path.abspath(dir_path)):
+            for file_name in subfiles:
+                file_path = os.path.relpath(os.path.join(root, file_name), parent_path)
+                self.__files.append(file_path)
+
+    def from_zip(self, bugreport_zip: ZipFile) -> None:
+        """This method is used to initialize the bug report analysis from a
+        compressed archive.
+        """
+        # NOTE: This will be invoked either by the CLI directly,or by the
+        # check-androidqf command. We need this because we want to support
+        # check-androidqf to analyse compressed archives itself too.
+        # So, we'll need to extract bugreport.zip from a 'androidqf.zip', and
+        # since nothing is written on disk, we need to be able to pass this
+        # command a ZipFile instance in memory.
+
+        self.__format = "zip"
+        self.__zip = bugreport_zip
+        for file_name in self.__zip.namelist():
+            self.__files.append(file_name)
 
     def init(self) -> None:
         if not self.target_path:
             return
 
         if os.path.isfile(self.target_path):
-            self.bugreport_format = "zip"
+            self.from_zip(ZipFile(self.target_path))
-            self.bugreport_archive = ZipFile(self.target_path)
-            for file_name in self.bugreport_archive.namelist():
-                self.bugreport_files.append(file_name)
         elif os.path.isdir(self.target_path):
-            self.bugreport_format = "dir"
+            self.from_dir(self.target_path)
-            parent_path = Path(self.target_path).absolute().as_posix()
-            for root, _, subfiles in os.walk(os.path.abspath(self.target_path)):
-                for file_name in subfiles:
-                    file_path = os.path.relpath(
-                        os.path.join(root, file_name), parent_path
-                    )
-                    self.bugreport_files.append(file_path)
 
     def module_init(self, module: BugReportModule) -> None:  # type: ignore[override]
-        if self.bugreport_format == "zip":
+        if self.__format == "zip":
-            module.from_zip(self.bugreport_archive, self.bugreport_files)
+            module.from_zip(self.__zip, self.__files)
         else:
-            module.from_folder(self.target_path, self.bugreport_files)
+            module.from_dir(self.target_path, self.__files)
 
     def finish(self) -> None:
-        if self.bugreport_archive:
+        if self.__zip:
-            self.bugreport_archive.close()
+            self.__zip.close()

src/mvt/android/modules/adb/__init__.py

@@ -4,15 +4,7 @@
 #   https://license.mvt.re/1.1/
 
 from .chrome_history import ChromeHistory
-from .dumpsys_accessibility import DumpsysAccessibility
-from .dumpsys_activities import DumpsysActivities
-from .dumpsys_appops import DumpsysAppOps
-from .dumpsys_battery_daily import DumpsysBatteryDaily
-from .dumpsys_battery_history import DumpsysBatteryHistory
-from .dumpsys_dbinfo import DumpsysDBInfo
-from .dumpsys_adbstate import DumpsysADBState
 from .dumpsys_full import DumpsysFull
-from .dumpsys_receivers import DumpsysReceivers
 from .files import Files
 from .getprop import Getprop
 from .logcat import Logcat
@@ -32,15 +24,7 @@ ADB_MODULES = [
     Getprop,
     Settings,
     SELinuxStatus,
-    DumpsysBatteryHistory,
-    DumpsysBatteryDaily,
-    DumpsysReceivers,
-    DumpsysActivities,
-    DumpsysAccessibility,
-    DumpsysDBInfo,
-    DumpsysADBState,
     DumpsysFull,
-    DumpsysAppOps,
     Packages,
     Logcat,
     RootBinaries,

src/mvt/android/modules/adb/dumpsys_accessibility.py

@@ -1,49 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_accessibility import DumpsysAccessibilityArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysAccessibility(DumpsysAccessibilityArtifact, AndroidExtraction):
-    """This module extracts stats on accessibility."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys accessibility")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        for result in self.results:
-            self.log.info(
-                'Found installed accessibility service "%s"', result.get("service")
-            )
-
-        self.log.info(
-            "Identified a total of %d accessibility services", len(self.results)
-        )

src/mvt/android/modules/adb/dumpsys_activities.py

@@ -1,45 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_package_activities import (
-    DumpsysPackageActivitiesArtifact,
-)
-
-from .base import AndroidExtraction
-
-
-class DumpsysActivities(DumpsysPackageActivitiesArtifact, AndroidExtraction):
-    """This module extracts details on receivers for risky activities."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else []
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys package")
-        self._adb_disconnect()
-        self.parse(output)
-
-        self.log.info("Extracted %d package activities", len(self.results))

src/mvt/android/modules/adb/dumpsys_adbstate.py

@@ -1,45 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_adb import DumpsysADBArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysADBState(DumpsysADBArtifact, AndroidExtraction):
-    """This module extracts ADB keystore state."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys adb", decode=False)
-        self._adb_disconnect()
-
-        self.parse(output)
-        if self.results:
-            self.log.info(
-                "Identified a total of %d trusted ADB keys",
-                len(self.results[0].get("user_keys", [])),
-            )

src/mvt/android/modules/adb/dumpsys_appops.py

@@ -1,46 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_appops import DumpsysAppopsArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysAppOps(DumpsysAppopsArtifact, AndroidExtraction):
-    """This module extracts records from App-op Manager."""
-
-    slug = "dumpsys_appops"
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys appops")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info(
-            "Extracted a total of %d records from app-ops manager", len(self.results)
-        )

src/mvt/android/modules/adb/dumpsys_battery_daily.py

@@ -1,44 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_daily import DumpsysBatteryDailyArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysBatteryDaily(DumpsysBatteryDailyArtifact, AndroidExtraction):
-    """This module extracts records from battery daily updates."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys batterystats --daily")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info(
-            "Extracted %d records from battery daily stats", len(self.results)
-        )

src/mvt/android/modules/adb/dumpsys_battery_history.py

@@ -1,42 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_battery_history import DumpsysBatteryHistoryArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysBatteryHistory(DumpsysBatteryHistoryArtifact, AndroidExtraction):
-    """This module extracts records from battery history events."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys batterystats --history")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info("Extracted %d records from battery history", len(self.results))

src/mvt/android/modules/adb/dumpsys_dbinfo.py

@@ -1,47 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_dbinfo import DumpsysDBInfoArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysDBInfo(DumpsysDBInfoArtifact, AndroidExtraction):
-    """This module extracts records from battery daily updates."""
-
-    slug = "dumpsys_dbinfo"
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-    def run(self) -> None:
-        self._adb_connect()
-        output = self._adb_command("dumpsys dbinfo")
-        self._adb_disconnect()
-
-        self.parse(output)
-
-        self.log.info(
-            "Extracted a total of %d records from database information",
-            len(self.results),
-        )

src/mvt/android/modules/adb/dumpsys_receivers.py

@@ -1,44 +0,0 @@
-# Mobile Verification Toolkit (MVT)
-# Copyright (c) 2021-2023 The MVT Authors.
-# Use of this software is governed by the MVT License 1.1 that can be found at
-#   https://license.mvt.re/1.1/
-
-import logging
-from typing import Optional
-
-from mvt.android.artifacts.dumpsys_receivers import DumpsysReceiversArtifact
-
-from .base import AndroidExtraction
-
-
-class DumpsysReceivers(DumpsysReceiversArtifact, AndroidExtraction):
-    """This module extracts details on receivers for risky activities."""
-
-    def __init__(
-        self,
-        file_path: Optional[str] = None,
-        target_path: Optional[str] = None,
-        results_path: Optional[str] = None,
-        module_options: Optional[dict] = None,
-        log: logging.Logger = logging.getLogger(__name__),
-        results: Optional[list] = None,
-    ) -> None:
-        super().__init__(
-            file_path=file_path,
-            target_path=target_path,
-            results_path=results_path,
-            module_options=module_options,
-            log=log,
-            results=results,
-        )
-
-        self.results = results if results else {}
-
-    def run(self) -> None:
-        self._adb_connect()
-
-        output = self._adb_command("dumpsys package")
-        self.parse(output)
-
-        self._adb_disconnect()
-        self.log.info("Extracted receivers for %d intents", len(self.results))

src/mvt/android/modules/adb/packages.py

@@ -107,8 +107,7 @@ class Packages(AndroidExtraction):
                     result["matched_indicator"] = ioc
                     self.detected.append(result)
 
-    @staticmethod
+    def check_virustotal(self, packages: list) -> None:
-    def check_virustotal(packages: list) -> None:
         hashes = []
         for package in packages:
             for file in package.get("files", []):
@@ -143,8 +142,15 @@ class Packages(AndroidExtraction):
 
         for package in packages:
             for file in package.get("files", []):
+                if "package_name" in package:
                     row = [package["package_name"], file["path"]]
-
+                elif "name" in package:
+                    row = [package["name"], file["path"]]
+                else:
+                    self.log.error(
+                        f"Package {package} has no name or package_name. packages.json or apks.json is malformed"
+                    )
+                    continue
                 if file["sha256"] in detections:
                     detection = detections[file["sha256"]]
                     positives = detection.split("/")[0]

src/mvt/android/modules/androidqf/__init__.py

@@ -3,38 +3,22 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-from .dumpsys_accessibility import DumpsysAccessibility
+from .aqf_files import AQFFiles
-from .dumpsys_activities import DumpsysActivities
+from .aqf_getprop import AQFGetProp
-from .dumpsys_appops import DumpsysAppops
+from .aqf_packages import AQFPackages
-from .dumpsys_battery_daily import DumpsysBatteryDaily
+from .aqf_processes import AQFProcesses
-from .dumpsys_battery_history import DumpsysBatteryHistory
+from .aqf_settings import AQFSettings
-from .dumpsys_dbinfo import DumpsysDBInfo
+from .mounts import Mounts
-from .dumpsys_packages import DumpsysPackages
+from .root_binaries import RootBinaries
-from .dumpsys_receivers import DumpsysReceivers
-from .dumpsys_adb import DumpsysADBState
-from .getprop import Getprop
-from .packages import Packages
-from .dumpsys_platform_compat import DumpsysPlatformCompat
-from .processes import Processes
-from .settings import Settings
 from .sms import SMS
-from .files import Files
 
 ANDROIDQF_MODULES = [
-    DumpsysActivities,
+    AQFPackages,
-    DumpsysReceivers,
+    AQFProcesses,
-    DumpsysAccessibility,
+    AQFGetProp,
-    DumpsysAppops,
+    AQFSettings,
-    DumpsysDBInfo,
+    AQFFiles,
-    DumpsysBatteryDaily,
-    DumpsysBatteryHistory,
-    DumpsysADBState,
-    Packages,
-    DumpsysPlatformCompat,
-    Processes,
-    Getprop,
-    Settings,
     SMS,
-    DumpsysPackages,
+    RootBinaries,
-    Files,
+    Mounts,
 ]

src/mvt/android/modules/androidqf/aqf_files.py

@@ -21,8 +21,13 @@ SUSPICIOUS_PATHS = [
 ]
 
 
-class Files(AndroidQFModule):
+class AQFFiles(AndroidQFModule):
-    """This module analyse list of files"""
+    """
+    This module analyzes the files.json dump generated by AndroidQF.
+
+    The format needs to be kept in sync with the AndroidQF module code.
+    https://github.com/mvt-project/androidqf/blob/main/android-collector/cmd/find.go#L28
+    """
 
     def __init__(
         self,

src/mvt/android/modules/androidqf/aqf_getprop.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.getprop import GetProp as GetPropArtifact
 from .base import AndroidQFModule
 
 
-class Getprop(GetPropArtifact, AndroidQFModule):
+class AQFGetProp(GetPropArtifact, AndroidQFModule):
     """This module extracts data from get properties."""
 
     def __init__(

src/mvt/android/modules/androidqf/aqf_log_timestamps.py

@@ -13,10 +13,10 @@ from .base import AndroidQFModule
 from mvt.android.artifacts.file_timestamps import FileTimestampsArtifact
 
 
-class LogsFileTimestamps(FileTimestampsArtifact, AndroidQFModule):
+class AQFLogTimestamps(FileTimestampsArtifact, AndroidQFModule):
-    """This module extracts records from battery daily updates."""
+    """This module creates timeline for log files extracted by AQF."""
 
-    slug = "logfile_timestamps"
+    slug = "aqf_log_timestamps"
 
     def __init__(
         self,

src/mvt/android/modules/androidqf/aqf_packages.py

@@ -19,7 +19,7 @@ from mvt.android.utils import (
 from .base import AndroidQFModule
 
 
-class Packages(AndroidQFModule):
+class AQFPackages(AndroidQFModule):
     """This module examines the installed packages in packages.json"""
 
     def __init__(

src/mvt/android/modules/androidqf/aqf_processes.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.processes import Processes as ProcessesArtifact
 from .base import AndroidQFModule
 
 
-class Processes(ProcessesArtifact, AndroidQFModule):
+class AQFProcesses(ProcessesArtifact, AndroidQFModule):
     """This module analyse running processes"""
 
     def __init__(

src/mvt/android/modules/androidqf/aqf_settings.py

@@ -11,7 +11,7 @@ from mvt.android.artifacts.settings import Settings as SettingsArtifact
 from .base import AndroidQFModule
 
 
-class Settings(SettingsArtifact, AndroidQFModule):
+class AQFSettings(SettingsArtifact, AndroidQFModule):
     """This module analyse setting files"""
 
     def __init__(