After Amnesty International’s Methodology Report from last Sunday, I early-adopted the Mobile Verification Toolkit on Monday evening. At that time, parts of the documentation and cross-referencing were pretty basic, so I'm documenting my process and concentrating links to all resources here.
Less tech-savvy users may want to wait for the announced GUI.
`adb` installed or use the Docker image (this saves some MVT installation steps, too)
I installed the project's dependencies in a `pipenv` to not pollute the system's Python packages and
```bash
# Clone repository
git clone https://github.com/mvt-project/mvt.git
cd mvt/

# Install dependencies in pipenv
pipenv --python 3
pipenv run pip3 install .
```
Since you can't use the tool to download the APKs and check for malware signatures later, it's best to do this right away. Otherwise you'd need to download the packages twice:
```bash
mkdir android-apks
pipenv run mvt-android download-apks -o android-apks/ --virustotal
```
Sometimes the Android device is busy and MVT recommends resetting the `adb` server. This works just fine:
On the phone, when downloading the APKs, you will be asked (multiple times, even if you check the 'allow future access' box) to allow `adb` access. This dialog needs to be accepted within 5 seconds, otherwise MVT times out. It's best to be attentive and watch the phone screen. ;)
This process is well-documented:
`abe.jar` from the releases page.
```bash
# Backup SMS from Android device
adb backup com.android.providers.telephony

# Extract SMS backup
java -jar abe.jar unpack backup.ab backup.tar
tar xvf backup.tar

# Check backup against STIX v2 file
pipenv run mvt-android check-backup . --iocs pegasus.stix2
```
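To illustrate what checking messages against a STIX v2 indicator file involves, here is an added Python example (not MVT's code and not part of the original post) that reads domain indicators from a STIX 2 bundle and matches them against URLs in SMS text on label boundaries, so subdomains hit but lookalike hosts do not. Assumptions: the bundle, the domains and the message bodies are constructed samples, the bodies are already extracted as plain strings, and all function names are hypothetical.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX 2 bundle (placeholder indicators, not taken from pegasus.stix2).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "malware", "name": "ExampleSpyware"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value='bad-domain.example']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[process:name='exampled']"},
]})
# Constructed SMS bodies (assumption: already extracted from the backup as text).
SAMPLE_SMS = [
    "Your parcel is ready: https://shop.example.org/track?id=1",
    "Urgent, open https://cdn.Bad-Domain.example/a?x=1 now",
    "See http://notbad-domain.example/ or http://bad-domain.example.evil.test/",
    "Reminder: http://bad-domain.example:8080/login.",
]
DOMAIN_PATTERN = re.compile(r"\[\s*domain-name:value\s*=\s*'([^']+)'\s*\]")
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def load_domain_iocs(stix_text):
    """Return the set of domains from single-domain indicator patterns."""
    domains = set()
    for obj in json.loads(stix_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = DOMAIN_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if match:  # other pattern kinds (process, file, ...) are skipped here
            domains.add(match.group(1).lower().rstrip("."))
    return domains

def host_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def check_messages(bodies, domains):
    """Return (message index, host) for every URL whose host hits an indicator."""
    hits = []
    for index, body in enumerate(bodies):
        for url in URL_PATTERN.findall(body):
            try:
                host = urlparse(url).hostname or ""
            except ValueError:  # malformed URL, e.g. broken IPv6 literal
                continue
            if host_matches(host, domains):
                hits.append((index, host))
    return hits

if __name__ == "__main__":
    for index, host in check_messages(SAMPLE_SMS, load_domain_iocs(SAMPLE_BUNDLE)):
        print(f"message {index}: matches indicator via {host}")
```
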