SpyWare Check for Android

You can see the video here:

https://www.youtube.com/watch?v=Yk7pUPjlU4U

Background:

Although the title mentions Pegasus spyware, the scope also covers checking for other spyware, such as Cytrox, Stalkerware, RCS Lab, etc.

Enable ADB mode on your Android

Before enabling ADB mode on your Android, you need to enable USB debugging mode by following the guidance in this video:
https://www.youtube.com/shorts/6yeNltxuEiQ

After enabling USB debugging mode, you are good to go for ADB mode on Android. Then follow these steps:

  1. Connect your Android phone to your laptop with a data cable.
  2. Run this command: "adb tcpip 5555"
  3. Then run: "adb connect YourAndroidWlanIP"
  4. Unplug the cable.

Prepare the verification tools

Build the image with Docker

https://docs.mvt.re/en/latest/docker/

git clone https://github.com/mvt-project/mvt.git

cd mvt

docker build -t mvt .

docker run --rm -it --network host mvt

Or, if you want to mount a directory into the container, you can use this command:
docker run --rm -it --network host -v "$PWD:/mnt/tmp" mvt

Alternatively, if the Dockerfile above does not work for the build

Pull from my image repository https://hub.docker.com/r/arifkyi/mvt instead of building:

docker run --rm -it --network host -v "$PWD:/mnt/tmp" arifkyi/mvt

The rest of the steps are the same.

Usage

Now download the IOC STIX files:

mvt-android download-iocs

In case the IOC download stops working in the future, I have already backed up the indicators in this repository as the ZIP file Android_IOCS_STIX2.zip.

The command reports where each indicator file is stored:

indicators "NSO Group Pegasus Indicators of Compromise" to

/root/.local/share/mvt/indicators/raw.githubusercontent.com_AmnestyTech_investigations_master_2021-07-18_nso_pegasus.stix2

indicators "Cytrox Predator Spyware Indicators of Compromise" to

/root/.local/share/mvt/indicators/raw.githubusercontent.com_AmnestyTech_investigations_master_2021-12-16_cytrox_cytrox.stix2

indicators "RCS Lab Spyware Indicators of Compromise" to

/root/.local/share/mvt/indicators/raw.githubusercontent.com_mvt-project_mvt-indicators_main_2022-06-23_rcs_lab_rcs.stix2

indicators "Stalkerware Indicators of Compromise" to

/root/.local/share/mvt/indicators/raw.githubusercontent.com_AssoEchap_stalkerware-indicators_master_generated_stalkerware.stix2

Check them one by one by running the commands below:

mvt-android check-adb --serial AndroidWlanIP:5555 --output /home/output --iocs [full path of the STIX file you want to use, taken from the output of the command above]

For example, to check for Pegasus spyware:

mvt-android check-adb --serial 192.168.1.21:5555 --output /home/output --iocs /root/.local/share/mvt/indicators/raw.githubusercontent.com_AmnestyTech_investigations_master_2021-07-18_nso_pegasus.stix2
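Typing the check-adb command once per indicator file is easy to get wrong, so here is an added shell script (my example, not part of this repository) that loops over every downloaded .stix2 file and gives each IOC set its own output folder. It assumes the phone is already reachable over ADB TCP, the default indicator directory shown above, and that mvt-android is on PATH inside the container.

```shell
#!/bin/sh
# Added example, not part of the original README: run the check-adb step once
# per downloaded STIX indicator file instead of typing each command by hand.
# Assumes the phone is already reachable over ADB TCP and that the indicators
# were fetched with "mvt-android download-iocs" into the directory below.
set -u

INDICATOR_DIR="${INDICATOR_DIR:-/root/.local/share/mvt/indicators}"

# Short name for an indicator set, derived from the long STIX file name, e.g.
# raw.githubusercontent.com_..._2021-07-18_nso_pegasus.stix2 -> nso_pegasus
ioc_label() {
    name="$(basename "$1" .stix2)"
    # drop everything up to the last "_YYYY-MM-DD_" (dated feeds) ...
    name="${name##*_[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_}"
    # ... or up to "_generated_" (the undated stalkerware feed)
    name="${name##*_generated_}"
    printf '%s\n' "$name"
}

# The exact command line the README shows, with a per-IOC-set output folder so
# that the results of one check do not overwrite another.
mvt_check_cmd() {
    printf 'mvt-android check-adb --serial %s:5555 --output %s/%s --iocs %s\n' \
        "$1" "$2" "$(ioc_label "$3")" "$3"
}

# Run every indicator set against the phone. DRY_RUN=1 only prints the
# commands, which is handy for reviewing them before anything touches the device.
check_all_iocs() {
    phone_ip="$1"; out_dir="$2"; rc=0
    for ioc_file in "$INDICATOR_DIR"/*.stix2; do
        if [ ! -e "$ioc_file" ]; then
            echo "no .stix2 files in $INDICATOR_DIR; run 'mvt-android download-iocs' first" >&2
            return 1
        fi
        mvt_check_cmd "$phone_ip" "$out_dir" "$ioc_file"
        if [ "${DRY_RUN:-0}" != 1 ]; then
            mvt-android check-adb --serial "$phone_ip:5555" \
                --output "$out_dir/$(ioc_label "$ioc_file")" --iocs "$ioc_file" || rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_all.sh 192.168.1.21 /home/output
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_all_iocs "$1" "$2"
fi
```

Run it with DRY_RUN=1 first to see the four commands it will execute; a non-zero exit status means at least one check failed to run.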