Open thedeadliestcatch opened 9 months ago
Te-k
commented
9 months ago Not that I know of. I have seen some spyware check if adb is enable and remove themselves in that case, but I doubt that a hard reset would be a good strategy. Could you do the check with modules one by one and see if a specific module is provoking the hard reset? I have seen some phones reboots in the past because some tools were exhausting their memory but mvt is pretty light generally
thedeadliestcatch
commented
9 months ago BY hard-reset I meant an interaction-free reboot, no userdata loss perceivable.
It is definitely something any post-exploitation kit will do (if developed properly). I will check again module by module. This was observed once, and then never again. Afterwards no IOCs were found.
How does mvt currently handle things like potential baseband compromise or partition alterations? I haven't gone deep into it, but I think it doesn't handle those cases (per limitations of adb possibly).
Te-k
commented
9 months ago How does mvt currently handle things like potential baseband compromise or partition alterations? I haven't gone deep into it, but I think it doesn't handle those cases (per limitations of adb possibly).
It doesn't really, but some data collected could have information about that (like dumsys or processes running). You can see the list of modules here and we are open to add more if you have any suggestions (as long as it is doable through adb)
Working with one device I experienced an immediate hard reset (reboot) as soon as mvt established the adb connection and started the collection process.
Has this been experienced under any circumstances by anyone analyzing a real-world compromised device?