INFO     [mvt.android.download_apks] Found non-system package with name
              "com.microsoft.teams" installed by "com.android.vending" on   
              2022-05-11 14:24:27                                           
     ERROR    [mvt.android.lookups.virustotal] Unfortunately VirusTotal     
              lookup is disabled until further notice, due to unresolved    
              issues with the API service.                                  
     INFO     [mvt.android.lookups.koodous] Looking up all extracted files  
              on Koodous (www.koodous.com)                                  
     INFO     [mvt.android.lookups.koodous] This might take a while...      

Looking up 151 packages... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0% -:--:-- Traceback (most recent call last): File "/home/vicpala/.local/lib/python3.10/site-packages/requests/models.py", line 910, in json return complexjson.loads(self.text, **kwargs) File "/home/vicpala/.local/lib/python3.10/site-packages/simplejson/init.py", line 525, in loads return _default_decoder.decode(s) File "/home/vicpala/.local/lib/python3.10/site-packages/simplejson/decoder.py", line 373, in decode raise JSONDecodeError("Extra data", s, end, len(s)) simplejson.errors.JSONDecodeError: Extra data: line 1 column 5 - line 2 column 1 (char 4 - 19)

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/home/vicpala/.local/bin/mvt-android", line 8, in sys.exit(cli()) File "/usr/lib/python3/dist-packages/click/core.py", line 1128, in call return self.main(*args, **kwargs) File "/usr/lib/python3/dist-packages/click/core.py", line 1053, in main rv = self.invoke(ctx) File "/usr/lib/python3/dist-packages/click/core.py", line 1659, in invoke return _process_result(sub_ctx.command.invoke(sub_ctx)) File "/usr/lib/python3/dist-packages/click/core.py", line 1395, in invoke return ctx.invoke(self.callback, **ctx.params) File "/usr/lib/python3/dist-packages/click/core.py", line 754, in invoke return __callback(*args, **kwargs) File "/usr/lib/python3/dist-packages/click/decorators.py", line 26, in new_func return f(get_current_context(), *args, **kwargs) File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/cli.py", line 93, in download_apks download.run() File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/download_apks.py", line 181, in run self.get_packages() File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/download_apks.py", line 117, in get_packages m.run() File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/modules/adb/packages.py", line 266, in run koodous_lookup(packages_to_lookup) File "/home/vicpala/.local/lib/python3.10/site-packages/mvt/android/lookups/koodous.py", line 34, in koodous_lookup report = res.json() File "/home/vicpala/.local/lib/python3.10/site-packages/requests/models.py", line 917, in json raise RequestsJSONDecodeError(e.msg, e.doc, e.pos) requests.exceptions.JSONDecodeError: [Errno Extra data] 404 page not found : 4 vicpala@vicpala-H97N-WIFI:~/mvt$

Most people use windows as their main OS and find linux confusing. If you want the most people possible to check their devices for this stuff you need a tool that works on the operating system they use.

Hi Tried mvt-android download-apks on phone but result:

NFO     [mvt.android.download_apks] Retrieving list of installed      
                  packages...                                                   
11:51:17 INFO     [mvt.android.download_apks] Extracted at total of 0 installed 
                  package names                                                 
11:51:18 INFO     [mvt.android.download_apks] Starting extraction of installed  
                  APKs at folder xxxxxxxx                              
         INFO     [mvt.android.download_apks] Selected only 0 packages which are
                  not marked as system                                          
         INFO     [mvt.android.download_apks] No packages were selected for     
                  download            

although apks are certainly installed and works OK with other phones

( this is a suspicious phone, almost certain) best regards

MVT-Tool is not hashing DataUsage.sqlite when it is using it as a method to check for IOCs.

It is possible to inject data into the ZPROCESS table and fake an infection based on the fact that MVT-Tool is looking only for keywords.

Prep:

You can download the CSV I used to inject here https://github.com/jonathandata1/Pegasus-CatalanGate-False-Positives/blob/main/IOC_CSV/ZPROCESS_2.csv

0d609c54856a9bb2d56729df1d68f2958a88426b = DataUsage.sqlite

1. Make an encrypted backup
2. decrypt with mvt tool
3. cd into the decrypted backup folder
4. sqlite3 0d609c54856a9bb2d56729df1d68f2958a88426b ".import --csv ZPROCESS_2.csv ZPROCESS"

I was able to create false positive results for all processes listed in the Amnesty Investigations. To prove that this method works to forge false positive results for the processes, I added a record that was not part of the processes.

The CSV file injected into the sqlite db contains this record at the end

236 | 7 | 3 | 482697172.9 | 482697172.9 | com.apple.CrashReporter.plist | com.apple.CrashReporter.plist -- | -- | -- | -- | -- | -- | --

The MVT-Tool does not recognize this as an indicator of compromise for processes but successfully recognizes all 80 processes as malicious.

Result

Without having the physical device, and without hashing the databases suspected to hold the IOCs, reliance on a backup provided by a client or a backup taken by a 3rd party forensics team cannot guarantee the integrity of the backup.

Hello,

So I'm not a develop and I need some help trying to debug my phone. I currently have my android in developer mode with USB debugging enabled. I downloaded Xcode and Homebrew on my MacBook Pro using the terminal and everything was fine until I tried to run the mvt-android code. When I try to run this code

mvt-android download-apks --output /path/to/folder

I just see" quote " in the terminal and I don't know what it's asking me to enter. I keep checking the folder that I created to store the APKs but nothing has been added to it.

What am I doing wrong?

Legitimate Apple Apps can be seen as malicious

Setting Up

I performed the following to achieve the forgery.

1. Downloaded the Appium iOS Test App https://github.com/appium/ios-test-app
2. Load the test app into Xcode
3. I changed the Display Name to Phone Diagnostics and named the Bundle Identifier Diagnosticd. Diagnosticd is one of the malicious indicators of compromise found in the STIX2 file created by Amnesty International
4. This is an example of what the app looks like on the device
5. idevicebackup2 encryption on 123
6. idevicebackup2 backup --full .
7. mkdir decrypt
8. mkdir results
9. mvt-ios decrypt-backup -d decrypt/ -p 123 0137152d6c6b1fe5cc8af13f34f123e080128445/
10. mvt-ios check-backup -o results/ decrypt/

Results

Watch the video here

WARNING [mvt.ios.cli] The analysis of the backup produced 2 detections!

WARNING [mvt.ios.modules.mixed.locationd] Found a known suspicious process name "Diagnosticd" matching indicators from "Pegasus" WARNING [mvt.ios.modules.mixed.locationd] Found a suspicious process name in LocationD entry Diagnosticd WARNING [mvt.ios.modules.mixed.osanalytics_addaily] Found a known suspicious process name "Diagnosticd" matching indicators from "Pegasus"

MVT-Tool is only looking for a text name, there is no logic or reasoning behind the software that is supposed to detect Pegasus Spyware.

The results generated by the MVT-Tool do not show The CFBundleDisplayName of the malicious process

The application is only looking for the "BundleId"

This is an example output from the results file generated by MVT-Tool { "BundleId": "Diagnosticd", "SupportedAuthorizationMask": 1, "Executable": "/private/var/containers/Bundle/Application/F0DD3918-FD87-4733-A89A-7B32A0B13C2C/Dignosticd.app/Dignosticd", "Registered": "/private/var/containers/Bundle/Application/F0DD3918-FD87-4733-A89A-7B32A0B13C2C/Dignosticd.app/Dignosticd", "package": "Diagnosticd", "matched_indicator": { "value": "Diagnosticd", "type": "processes", "name": "Pegasus", "stix2_file_name": "raw.githubusercontent.com_AmnestyTech_investigations_master_2021-07-18_nso_pegasus.stix2" }

If you run the following command with the physical iPhone you will see that Diagnosticd is the identifier for a legitimate iPhone App.

ideviceinstaller --list-apps CFBundleIdentifier, CFBundleVersion, CFBundleDisplayName Diagnosticd, "1.0", "Phone Diagnostics"

Conclusion

• Without physical devices a proper iOS mobile forensics examination and analysis cannot be performed
• Legitimate Apple App store applications can be mistaken as Pegasus processes because MVT-Tool disregards the Application Name

Hi,

first and foremost great work. I cloned the repo and did everything to install it properly. Debug mode is on and connected via usb. I executetd the following command:

mvt-android check-adb

The endresult is the following:

Could not receive data from first 950751bf (timeout 5000ms):LIBUSB_ERROR_TIMEOUT [-7].

There is nothing that should block it. I even checked if i can access my phone. Any clues here ?

Thanks in advance

I'm still new to this all of this, and I've tried to search the web for a solution without any success. so here I am making a fool of myself and posting my issue here to hopefully find a solution for (because I REALLY need to make sure my phone doesn't have this software in it as it may pose a risk to my life) my device doesn't show up when I try the adb devices command, even though I downloaded the adb driver on windows. can I please be walked through this like the noob I am thank you very much for your effort

it runs ok for a rsync filesystem copy with check-fs but fails with check-backup after successfully decrypting an itunes backup

         INFO     [mvt.ios.modules.backup.backup_info] The BackupInfo module does not support checking for indicators
         INFO     [mvt.ios.modules.backup.configuration_profiles] Running module ConfigurationProfiles...
         INFO     [mvt.ios.modules.backup.configuration_profiles] Extracted details about 11 configuration profiles
         INFO     [mvt.ios.modules.backup.configuration_profiles] The ConfigurationProfiles module does not support checking for indicators
         INFO     [mvt.ios.modules.backup.manifest] Running module Manifest...
         INFO     [mvt.ios.modules.backup.manifest] Found Manifest.db database at path: /srv/temp/mvt/Manifest.db
         ERROR    [mvt.ios.modules.backup.manifest] Error reading manifest file metadata
                  Traceback (most recent call last):
                    File "/usr/local/lib/python3.6/dist-packages/mvt/ios/modules/backup/manifest.py", line 118, in run
                      file_plist = plistlib.load(io.BytesIO(file_data["file"]))
                    File "/usr/lib/python3.6/plistlib.py", line 1015, in load
                      return p.parse(fp)
                    File "/usr/lib/python3.6/plistlib.py", line 626, in parse
                      return self._read_object(top_object)
                    File "/usr/lib/python3.6/plistlib.py", line 741, in _read_object
                      result[self._read_object(k)] = self._read_object(o)
                    File "/usr/lib/python3.6/plistlib.py", line 741, in _read_object
                      result[self._read_object(k)] = self._read_object(o)
                    File "/usr/lib/python3.6/plistlib.py", line 744, in _read_object
                      raise InvalidFileException()
                  plistlib.InvalidFileException: Invalid file

i always get this error: 07:15:27 CRITICAL [mvt.android.modules.adb.base] Could not receive data from first 149d1947 (timeout 5000ms): LIBUSB_ERROR_TIMEOUT [-7] idk how to solve this i am using a garbage OPPO maybe thats why pls help.

Running on BigSur, when executing mvt-ios decrypt-backup, python errors are generated when specifying passwords trailing with the 'bang' aka '!' character. Let me know if you want an screen shots etc. Thanks!

I am requesting an iOS Pegasus spyware sample to be shared with everyone as there is no control to test against. Furthermore, there is no logic built into the MVT-Tool or documentation explaining why specific modules are being checked or why certain processes are considered malicious.

Next, there is no information about the success to error rates that can be expected, no list of iOS versions that have been studied, no table of documentation for false positive results that have been identified, and there are no specific conditions that need to be met in order to properly identify a device with your tool.

As I had mentioned before, Enabling Wifi and Disabling Wi-Fi yield different results https://github.com/mvt-project/mvt/issues/319

I am a professional in information security, I am a computer scientist, I am paid for my speciality in forensics investigations, I meet all of the criteria in the MVT-Tool disclaimer, and I cannot find a reproducible methodology describing why the MVT-Tool is functioning as it is.

Warning: MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.

Everything I am asking for is logical and not unreasonable. I have read your forensics methodology, and there is nothing in the methodology that can be reproduced or validated. The methodology is based on assumptions.

Amnesty has acknowledged many false positives but has never corrected any of the reports or provided a methodology update.

For example this [false positive]

(https://github.com/AmnestyTech/investigations/commit/1c694217c3efb4e40f34822b6ef99a7b5bd8a064) was removed without any reasoning why. That false positive impacted the cases of 2 people Amnesty identified to be infected with Pegasus. Omar Radi and Claude Mangin

| Country | Name | Date | Pegasus Indicator of Compromise | |---------|---------------|--------------------|-----------------------------------------| | Morocco | Omar Radi | 2019-09-13 17:02:35 | com.apple.softwareupdateservicesd.plist | | France | Claude Mangin | 2020-10-08 8:40:42 | com.apple.softwareupdateservicesd.plist |

After Amnesty found the false positive indicator, what actions were taken regarding the 2 people you had identified to be infected with the removed indicator? Please provide your documentation. How did your method for identification change? What did you find wrong with the now removed indicator?

We cannot progress in science without data to show where we have failed and succeeded.

I am open to discussion, please don't close this ticket out because you have personal issues with me, please set those issues aside and let us focus on the science.

Respectfully, Jonathan Scott

I managed to embarass myself by mistaking the output of the script loading the .STIX2 files as and indication that the device was infected i.e.

INFO [mvt.ios.cmd_check_backup] Extracted 1547 indicators for collection with name "Pegasus" ...

I think it would be really helpful to include a visual example of what the log output for an infected device looks like at the end of the "Check a backup with mvt-ios" documentation page.

https://docs.mvt.re/en/latest/ios/backup/check/

e.g an image like this

https://teguh.co/static/99db988b40d1f3994f06983d8baee869/37ff2/iosfinal.png

And/or possibly to include a line at the very end of the log output that either says that some evidence of malware was found, or to confirm that no evidence was found and the device can be trusted.

initial version, added a small gui with tkinter to simplify the process. Only iOS is implemented. Auto download from STIX2 files. Implement decrypt and check back up steps in one click button. No commands in cmd are necessary.
Auto install from mvt libs via pip if there are not installed.

In some cases, you can check an incomplete backup, in that case it would be great to highlight files that should be in the backup (exist in the Manifest) but are not in the folder. I have for instance done that with c5ccaef0c4d6fb228b558756e8f34e3ccd477db2 for the SafariBrowserState module, but it should be possible to have this done automatically in the base class. I am also not sure if it should be an error or just an info.

added pure-python-adb support as a replacement for adb-shell in mvt-android.

adb-shell had troubles with tcp-based adb connections (tls is unsupported), while ppadb is not affected by the connection type because it communicates to the local adb server (and the adb server is responsible for communicating with the device).

still not well tested (+no error/exception handling), but seems to work.