Impovements for SMS module (#438)

* Add indicator checking in the SMS module * Don't add SMS entries when read timestamp not set * Remove print() line
mvt-project · Dec 17, 2023 · 013282d · 013282d
1 parent ab33789
commit 013282d
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 8 deletions.
diff --git a/mvt/ios/modules/mixed/sms.py b/mvt/ios/modules/mixed/sms.py
@@ -44,20 +44,25 @@ def __init__(
     def serialize(self, record: dict) -> Union[dict, list]:
         text = record["text"].replace("\n", "\\n")
         sms_data = f"{record['service']}: {record['guid']} \"{text}\" from {record['phone_number']} ({record['account']})"
-        return [
+        sms_data = [
             {
                 "timestamp": record["isodate"],
                 "module": self.__class__.__name__,
                 "event": "sms_received",
                 "data": sms_data,
             },
-            {
-                "timestamp": record["isodate_read"],
-                "module": self.__class__.__name__,
-                "event": "sms_read",
-                "data": sms_data,
-            },
         ]
+        # If the message was read, we add an extra event.
+        if record["isodate_read"]:
+            sms_data.append(
+                {
+                    "timestamp": record["isodate_read"],
+                    "module": self.__class__.__name__,
+                    "event": "sms_read",
+                    "data": sms_data,
+                }
+            )
+        return sms_data
 
     def check_indicators(self) -> None:
         for message in self.results:

diff --git a/mvt/ios/modules/mixed/sms_attachments.py b/mvt/ios/modules/mixed/sms_attachments.py
@@ -55,6 +55,10 @@ def serialize(self, record: dict) -> Union[dict, list]:
 
     def check_indicators(self) -> None:
         for attachment in self.results:
+            # Check for known malicious filenames.
+            if self.indicators.check_file_path(attachment["filename"]):
+                self.detected.append(attachment)
+
             if (
                 attachment["filename"].startswith("/var/tmp/")
                 and attachment["filename"].endswith("-1")

diff --git a/tests/ios_backup/test_sms.py b/tests/ios_backup/test_sms.py
@@ -17,7 +17,7 @@ def test_sms(self):
         m = SMS(target_path=get_ios_backup_folder())
         run_module(m)
         assert len(m.results) == 1
-        assert len(m.timeline) == 2  # SMS received and read events.
+        assert len(m.timeline) == 1
         assert len(m.detected) == 0
 
     def test_detection(self, indicator_file):