search

mvt-project / mvt

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.
https://mvt.re
Other
10.29k stars 952 forks source link

False Positives #482

Closed L0laL33tz closed 5 months ago

L0laL33tz commented 5 months ago

MVT seems to make no distinctions between websites visited and software installed

Got a detection warning a few months back. Got extremely spooked, notified colleagues for possible spyware detection, never heard back from Amnesty Techlab – all in all an extremely unpleasant experience. Turned out I had visited a spyvendors website.

Please find a way to deal with false postivie detections if you can't respond to them individually.

Some documentation of verified detections vs. possible false positives may help, or offering training in using MVT beyond the yearly five-person FFD fellowship program. Trained journos/activists could train others, etc – happy to help with this if someone wants to give me a run down.

roaree commented 5 months ago

Hey @L0laL33tz thanks for opening an issue.

Re:

MVT seems to make no distinctions between websites visited and software installed

could you give more details on the false positive you encountered, e.g. which modules are involved?

We've recently added some clearer messaging around non-expert use, particularly if detections are found:

NOTE: Detected indicators of compromise. Only expert review can confirm if the detected indicators are signs of an attack. Please seek reputable expert help if you have serious concerns about a possible spyware attack. Such support is available to human rights defenders and civil society through Amnesty International's Security Lab at https://securitylab.amnesty.org/get-help/?c=mvt

L0laL33tz commented 5 months ago

Sure, here's the detection it threw:

mvtdetect_01 mvtdetect_02

I did reach out to amnesty techlab but never heard back. I understand that it's probably overwhelming to answer every request, so re:

Only expert review can confirm if the detected indicators are signs of an attack

do you think its possible to document verified detections vs. false positives or offer some training for MVT? Seems like this would have been an easy catch for someone more versed in the software even if not a technical expert

roaree commented 5 months ago

do you think its possible to document verified detections vs. false positives or offer some training for MVT? Seems like this would have been an easy catch for someone more versed in the software even if not a technical expert

We're looking at introducing confidence levels in detections in future - some early work around this in https://github.com/mvt-project/mvt/pull/431.

It looks like this ClevGuard indicator originated from https://github.com/AssoEchap/stalkerware-indicators. In this case it's detecting a visit to a stalkerware related domain name - an expert should review among other things the MVT output, the possible matching indicator and the context of other events on the forensic timeline to determine whether an infection actually occurred.

At this time the Security Lab can only provide forensic support to members of civil society. If you fulfil this category and have a concern in future please do reach out again via https://securitylab.amnesty.org/get-help/ and we'll do our best to help. In terms of partnership proposals please reach out to share [ AT symbol] amnesty.tech. Due to the volume of requests, we may be unable to respond to requests which are not clearly from civil society.