WithSecureLabs / drozer

The Leading Security Assessment Framework for Android.
https://labs.withsecure.com/tools/drozer

False positive because root? #462

Closed EliasTheGrandMasterOfMistakes closed 3 months ago

EliasTheGrandMasterOfMistakes commented 3 months ago

INFO [mvt.android.modules.adb.packages] Extracted at total of 310 installed package names
INFO [mvt.android.modules.adb.logcat] Running module Logcat...
03:25:10 INFO [mvt.android.modules.adb.logcat] The Logcat module does not support checking for indicators
INFO [mvt.android.modules.adb.root_binaries] Running module RootBinaries...
WARNING [mvt.android.modules.adb.root_binaries] Found root binary "su"
WARNING [mvt.android.modules.adb.root_binaries] Found root binary "magisk"
WARNING [mvt.android.modules.adb.root_binaries] Found root binary "magiskpolicy"
INFO [mvt.android.modules.adb.files] Running module Files...
03:25:11 INFO [mvt.android.modules.adb.files] Found file in tmp folder at path /data/local/tmp/shizuku/shizuku.json
INFO [mvt.android.modules.adb.files] Found file in tmp folder at path /data/local/tmp/shizuku_starter
03:25:15 INFO [mvt.android.modules.adb.files] Found 33955 files in primary Android tmp and media folders
INFO [mvt.android.modules.adb.files] Processing full file listing. This may take a while...
03:25:28 INFO [mvt.android.modules.adb.files] Found 305623 total files
03:25:31 INFO [mvt.android.cmd_check_adb] Please disable Developer Options and ADB (Android Debug Bridge) on the device once finished with the acquisition. ADB is a powerful tool which can allow unauthorized access to the device.
WARNING NOTE: Detected indicators of compromise. Only expert review can confirm if the detected indicators are signs of an attack.

Please seek reputable expert help if you have serious concerns about a possible spyware attack. Such support is available to human rights defenders and civil society through Amnesty International's Security Lab at https://securitylab.amnesty.org/get-help/?c=mvt
WARNING [mvt] The analysis of the Android device produced 3 detections!

What are these 3 detections? Are they really my root su, magisk and magiskpolicy? Or is it WARNING [mvt.android.modules.adb.settings] Found suspicious "secure" setting "install_non_market_apps = 1"?

Sorry, this looks like a big false positive. Could magisk, su and root be put in a whitelist, or do attackers really use magisk in some cases, and is that why this is a warning? (In my case it is user-installed; I need to use magisk.)
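
As an added example (not part of this issue, of drozer, or of MVT), the following Python script parses WARNING lines of the shape quoted above and separates root binaries the device owner says were installed deliberately from every other finding, instead of hiding them. The sample lines are constructed from the output quoted in the issue; EXPECTED_ROOT_BINARIES, triage() and module_warning_count() are this example's own names. It only groups what MVT printed and reports the per-module warning count next to MVT's own summary line; it does not decide which warnings MVT counted.

```python
import re
from collections import defaultdict

# Constructed sample input: the WARNING lines quoted in the issue above (root
# binaries, the settings warning, and the final summary), plus one INFO line
# with a timestamp so the parser's timestamp handling is exercised.
SAMPLE_LOG = """\
INFO [mvt.android.modules.adb.root_binaries] Running module RootBinaries...
WARNING [mvt.android.modules.adb.root_binaries] Found root binary "su"
WARNING [mvt.android.modules.adb.root_binaries] Found root binary "magisk"
WARNING [mvt.android.modules.adb.root_binaries] Found root binary "magiskpolicy"
03:25:11 INFO [mvt.android.modules.adb.files] Found file in tmp folder at path /data/local/tmp/shizuku_starter
WARNING [mvt.android.modules.adb.settings] Found suspicious "secure" setting "install_non_market_apps = 1"
WARNING [mvt] The analysis of the Android device produced 3 detections!
"""

# Optional leading HH:MM:SS timestamp, then LEVEL [module] message.
LINE_RE = re.compile(
    r"^(?:\d{2}:\d{2}:\d{2}\s+)?(?P<level>[A-Z]+)\s+\[(?P<module>[^\]]+)\]\s+(?P<msg>.*)$"
)
ROOT_RE = re.compile(r'Found root binary "(?P<name>[^"]+)"')
SETTING_RE = re.compile(r'Found suspicious "(?P<ns>[^"]+)" setting "(?P<key>[^"]+) = (?P<value>[^"]*)"')
SUMMARY_RE = re.compile(r"produced (?P<n>\d+) detections")

# Assumption for this example: binaries the device owner installed on purpose.
# Anything in this set is reported in its own bucket rather than dropped, so a
# reviewer still sees it; a binary NOT in the set stays an "unexpected_root" finding.
EXPECTED_ROOT_BINARIES = frozenset({"su", "magisk", "magiskpolicy"})


def parse_lines(text):
    """Yield (level, module, message) for every line that matches the MVT log shape."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("level"), m.group("module"), m.group("msg")


def triage(text, expected_root_binaries=frozenset()):
    """Bucket MVT WARNING lines so a reviewer can see what produced the detections.

    Returns a dict with:
      expected_root   - root binaries declared in expected_root_binaries
      unexpected_root - root binaries that were not declared (still worth a look)
      settings        - (namespace, key, value) tuples of suspicious settings
      other_warnings  - any other per-module WARNING line, keyed by module
      summary_count   - the N from MVT's "produced N detections" line, or None
    """
    result = {
        "expected_root": [],
        "unexpected_root": [],
        "settings": [],
        "other_warnings": defaultdict(list),
        "summary_count": None,
    }
    for level, module, msg in parse_lines(text):
        if level != "WARNING":
            continue
        if module == "mvt":  # MVT's own summary line, not a module finding
            s = SUMMARY_RE.search(msg)
            if s:
                result["summary_count"] = int(s.group("n"))
            continue
        r = ROOT_RE.search(msg)
        if r:
            name = r.group("name")
            bucket = "expected_root" if name in expected_root_binaries else "unexpected_root"
            result[bucket].append(name)
            continue
        st = SETTING_RE.search(msg)
        if st:
            result["settings"].append((st.group("ns"), st.group("key"), st.group("value")))
            continue
        result["other_warnings"][module].append(msg)
    result["other_warnings"] = dict(result["other_warnings"])
    return result


def module_warning_count(text):
    """Number of per-module WARNING lines, excluding MVT's own summary line."""
    return sum(1 for level, module, _ in parse_lines(text) if level == "WARNING" and module != "mvt")


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, EXPECTED_ROOT_BINARIES)
    print("expected root binaries  :", report["expected_root"])
    print("unexpected root binaries:", report["unexpected_root"])
    print("suspicious settings     :", report["settings"])
    print("other module warnings   :", report["other_warnings"])
    print("module WARNING lines    :", module_warning_count(SAMPLE_LOG))
    print("MVT summary count       :", report["summary_count"])
```

To use it on a real run, pass the saved MVT console output to triage() with your own set of deliberately installed binaries. The expected binaries are listed rather than suppressed on purpose: a root binary you put there yourself is still a root binary, and the script leaves the comparison between the per-module warning lines and MVT's summary count to the reviewer rather than guessing at it.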

EliasTheGrandMasterOfMistakes commented 3 months ago

Closing. Sorry for my mistake, I confused this with the mvt-toolkit repo.