MVT
Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
On Android, MVT works mainly by collecting system information over ADB (Android Debug Bridge). This means USB debugging has to be enabled on the device and the computer running MVT has to be authorized for ADB access before a check can run.
Install
Running Check
mvt-android check-adb --output <directory>
Looking for Indicators in MVT Output
In this section, we will explain the types of data gathered by MVT on Android and what indicators to look for.
command.log
command.log is the main MVT output. Pay attention to the WARNING messages. Many of MVT's automated checks overlap with the manual checks introduced in Checking Android Devices Basic.
Also pay attention to the "Found non-system package with name..." lines. They list the packages that are not part of the system image together with the package that installed them, which shows which apps did not come from the Google Play Store (com.android.vending).
For example, an HTTPS interception tool used for debugging may be listed as installed by "None": it was installed manually by opening an APK file in a file browser, so no store app recorded itself as the installer.
When you encounter a suspicious app, look up its file path and hash in packages.json, then search the package name or file hash on VirusTotal or Koodous and read the analysis.
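The checks described above can be scripted. The following is an added example, not part of MVT or of the original page: it pulls the WARNING lines out of a command.log and groups the "Found non-system package" entries by installer, so sideloaded apps (installer "None") and apps from third-party stores are listed before Play Store installs. The sample log is constructed; only the wording of the "Found non-system package with name ... installed by ..." message is taken from the text, the line prefixes and the other messages are assumed, so verify the regular expression against a real command.log.

```python
"""Pull the lines worth reading out of an MVT command.log.

Added example, not part of MVT. The sample log is constructed to resemble
MVT's Android output; the prefixes and the WARNING messages are assumed,
only the 'Found non-system package with name "<pkg>" installed by
"<installer>"' wording comes from the guide.
"""
import re
import sys
from typing import Dict, List

# Package name of the Google Play Store client on Android.
PLAY_STORE = "com.android.vending"

# Installer values meaning "no store app recorded itself as the installer",
# i.e. the APK was most likely sideloaded.
NO_INSTALLER = {"None", "null", ""}

# Constructed sample command.log with fictional packages (not real device output).
SAMPLE_LOG = """\
INFO     [mvt.android.modules.adb.packages] Found non-system package with name "com.example.bank" installed by "com.android.vending" on 2023-03-01 10:00:00
INFO     [mvt.android.modules.adb.packages] Found non-system package with name "com.example.terminal" installed by "org.fdroid.fdroid" on 2023-03-02 11:00:00
INFO     [mvt.android.modules.adb.packages] Found non-system package with name "com.example.httpsproxy" installed by "None" on 2023-03-05 12:00:00
WARNING  [mvt.android.modules.adb.packages] Found a known suspicious package name: "com.example.stalker"
WARNING  [mvt.android.modules.adb.root_binaries] Found root binary "su" at /system/xbin/su
INFO     [mvt] Done.
"""

PKG_RE = re.compile(
    r'Found non-system package with name "(?P<name>[^"]+)" installed by "(?P<installer>[^"]*)"'
)


def warning_lines(log_text: str) -> List[str]:
    """Return every line carrying a WARNING marker, independent of the line prefix format."""
    return [line for line in log_text.splitlines() if re.search(r"\bWARNING\b", line)]


def parse_non_system_packages(log_text: str) -> List[Dict[str, str]]:
    """Extract package name and installer from the 'Found non-system package' lines."""
    found = []
    for line in log_text.splitlines():
        match = PKG_RE.search(line)
        if match:
            found.append({"name": match.group("name"), "installer": match.group("installer")})
    return found


def classify_installers(packages: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group non-system packages by origin.

    'sideloaded': no installer recorded (manual APK install), look at these first.
    'other_store': installed by something other than the Play Store client.
    'play_store': installed by com.android.vending, lowest priority.
    """
    groups: Dict[str, List[str]] = {"sideloaded": [], "other_store": [], "play_store": []}
    for pkg in packages:
        if pkg["installer"] in NO_INSTALLER:
            groups["sideloaded"].append(pkg["name"])
        elif pkg["installer"] == PLAY_STORE:
            groups["play_store"].append(pkg["name"])
        else:
            groups["other_store"].append(pkg["name"])
    return groups


if __name__ == "__main__":
    # Pass the path of a real command.log as the first argument; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in warning_lines(text):
        print(line)
    for group, names in classify_installers(parse_non_system_packages(text)).items():
        print(f"{group}: {names}")
```

Run it as `python triage_log.py <directory>/command.log`, where `<directory>` is the output folder given to `mvt-android check-adb`. The grouping only tells you where an app came from; a package in the sideloaded group still has to be checked against packages.json and VirusTotal before drawing any conclusion.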
packages.json
As noted by MVT's developer:
Walking through this packages.json file is an important first step. Prioritize looking at non-system and third-party apps. Look out for any that were disabled (for example, a commercial security app marked as disabled might be a red flag). Search online for package names and hashes of those apps that do not look familiar, have odd names, or might show an unusual installer.
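The prioritization in that advice can be turned into a small ranking script. The following is an added example, not MVT's own code: it reads a packages.json, skips system packages, flags non-system packages that have no installer recorded, were installed by something other than the Play Store, or are disabled, and prints the file paths, SHA-256 hashes and VirusTotal lookup URLs for each. The record keys it uses (package_name, installer, disabled, system, files[].path, files[].sha256) are assumed from the layout of MVT's Android packages module, so compare them with a real packages.json first; the sample data below is constructed, with fictional package names and dummy hashes.

```python
"""Rank the packages in an MVT packages.json for manual review.

Added example, not part of MVT. The key names are assumed from MVT's
Android packages module and the sample data is constructed.
"""
import json
import sys
from typing import Any, Dict, List

PLAY_STORE = "com.android.vending"
# Installer values meaning no store app recorded itself as the installer.
NO_INSTALLER = {None, "None", "null", ""}

# Constructed sample packages.json: fictional packages, dummy hashes.
SAMPLE_PACKAGES_JSON = json.dumps([
    {"package_name": "com.example.browser", "installer": None, "disabled": False,
     "system": True, "third_party": False,
     "files": [{"path": "/product/app/Browser/Browser.apk", "sha256": "1" * 64}]},
    {"package_name": "com.example.bank", "installer": "com.android.vending", "disabled": False,
     "system": False, "third_party": True,
     "files": [{"path": "/data/app/~~abc/com.example.bank-1/base.apk", "sha256": "a" * 64}]},
    {"package_name": "com.example.httpsproxy", "installer": "None", "disabled": False,
     "system": False, "third_party": True,
     "files": [{"path": "/data/app/~~def/com.example.httpsproxy-1/base.apk", "sha256": "b" * 64}]},
    {"package_name": "com.example.security", "installer": "com.android.vending", "disabled": True,
     "system": False, "third_party": True,
     "files": [{"path": "/data/app/~~ghi/com.example.security-1/base.apk", "sha256": "c" * 64}]},
])


def load_packages(text: str) -> List[Dict[str, Any]]:
    """Parse the JSON array written by MVT (assumed layout, see module docstring)."""
    return json.loads(text)


def virustotal_url(sha256: str) -> str:
    """Web lookup URL for a file hash on VirusTotal."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def triage(packages: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return non-system packages with the reasons they deserve a look, most flagged first."""
    findings = []
    for pkg in packages:
        if pkg.get("system"):
            continue  # system image packages are the lowest priority per the advice above
        reasons = []
        installer = pkg.get("installer")
        if installer in NO_INSTALLER:
            reasons.append("installed manually (no installer recorded)")
        elif installer != PLAY_STORE:
            reasons.append(f"installed by {installer}, not the Play Store")
        if pkg.get("disabled"):
            reasons.append("disabled")
        files = pkg.get("files", [])
        hashes = [f["sha256"] for f in files if "sha256" in f]
        findings.append({
            "package_name": pkg["package_name"],
            "reasons": reasons,
            "paths": [f.get("path") for f in files],
            "sha256": hashes,
            "virustotal": [virustotal_url(h) for h in hashes],
        })
    # Stable sort: packages with more flags first, original order among ties.
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    # Pass the path of a real packages.json as the first argument; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PACKAGES_JSON
    for finding in triage(load_packages(text)):
        print(finding["package_name"], finding["reasons"])
        for path, url in zip(finding["paths"], finding["virustotal"]):
            print("   ", path, url)
```

Packages installed from the Play Store and still enabled end up at the bottom of the list with no reasons attached; they are not cleared, just deprioritized, which is what the quoted advice suggests. Any package whose name or hash is unfamiliar should still be searched online.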
files/
In the output folder there is a files/ folder, which contains files pulled from /data/local/tmp on the phone. That directory is writable by the ADB shell user without root, so it is often used as a staging area for malware and for tools pushed onto the device over ADB.
Compute the SHA-256 hashes of those files and look them up on VirusTotal.