Android device forensics (adb)
Strictly read-only adb collector + AndroidSecurityDetector for banking-trojan / stalkerware / commercial-spyware fingerprints.
Closes digger's long-pending mobile gap. Modern Android attacks
land via sideloaded APKs that abuse BIND_ACCESSIBILITY_SERVICE
(banking trojans Anubis, Cerberus, ERMAC, SharkBot, Coper, BRATA,
BlackRock) and BIND_DEVICE_ADMIN (stalkerware persistence).
digger connects to a USB-attached or network-bridged device via adb,
enumerates package + permission + device-policy state, and runs the
six detection layers (A1–A6).
Strictly read-only
No APKs are pushed, no settings are changed, and no pm install
is issued. digger only invokes enumeration commands. The operator
must enable adb debugging and authorize the host pairing themselves
— the forensic stance is "what the user's device sees about itself".
Commands invoked
- `pm list packages -f -i -U` — name, code path, installer
- `pm list packages -d` — disabled packages
- `dumpsys package <pkg>` — granted/requested permissions, install source, flags, target sdk, signers
- `dumpsys device_policy`, `dumpsys accessibility`
- `settings get global install_non_market_apps`
- `settings get secure enabled_accessibility_services`
- `getprop ro.build.fingerprint`, `ro.build.version.security_patch`, `ro.product.model`
Graceful degradation: missing adb / no device / device offline / unauthorized all produce zero artifacts (no exceptions). Per-command timeout, 16 MiB output cap, 600-package default dump cap.
Detection layers (A1–A6)
| ID | Severity | What it catches | MITRE |
|---|---|---|---|
| A1 | medium → high | Sideloaded install. Medium for non-Play installer; high for a known stalkerware-installer (com.android.fileinstall etc). | T1404 |
| A2 | critical | AccessibilityService abuse: non-system, non-Play app holds BIND_ACCESSIBILITY_SERVICE. The banking-trojan signature. | T1417 |
| A3 | critical | Unexpected device-admin: non-system, non-Play app holds BIND_DEVICE_ADMIN. Lets the app block uninstall and force lock-screen passwords. | T1626 |
| A4 | high | Swiss-army-knife permission combo: SMS + contacts/call-log + sensor (camera/mic/location). The stalkerware fingerprint (mSpy, FlexiSpy, KidsGuard). | T1430 |
| A5 | medium → high | Stale Android security patch — >180 days old (medium); >365 days (high). Device exposed to all post-patch CVEs. | T1404 |
| A6 | medium | install_non_market_apps globally enabled. Pre-Android-8 legacy toggle. | T1404 |
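The A1–A5 rules from the table written out over already-enumerated package records, as an added example that is not digger's own code: the stalkerware-installer set (only com.android.fileinstall is named above), the exact permission groupings for A4, and the `Package` record shape are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

PLAY_STORE = "com.android.vending"
# Assumed set: the detector's real list is not on the page, only this one name.
STALKERWARE_INSTALLERS = {"com.android.fileinstall"}
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
       "android.permission.SEND_SMS"}
CONTACTS_OR_CALLLOG = {"android.permission.READ_CONTACTS",
                       "android.permission.READ_CALL_LOG"}
SENSOR = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
          "android.permission.ACCESS_FINE_LOCATION"}


@dataclass
class Package:
    """Assumed shape of one package from `pm list packages -i` + `dumpsys package`."""
    name: str
    installer: Optional[str]   # installerPackageName; None when sideloaded via adb
    system: bool               # SYSTEM flag present in dumpsys flags=[ ... ]
    permissions: Set[str]      # granted + requested permissions


def parse_enabled_accessibility(value: str) -> Set[str]:
    """`settings get secure enabled_accessibility_services` -> owning package names."""
    return {entry.split("/", 1)[0] for entry in value.strip().split(":") if entry}


def evaluate(pkg: Package, enabled_a11y: Set[str]) -> List[Tuple[str, str]]:
    """Apply layers A1-A4 to one package; returns (layer, severity) pairs."""
    findings = []
    untrusted = not pkg.system and pkg.installer != PLAY_STORE
    if untrusted:  # A1: sideloaded install, upgraded for a known stalkerware installer
        sev = "high" if pkg.installer in STALKERWARE_INSTALLERS else "medium"
        findings.append(("A1", sev))
    if untrusted and ("android.permission.BIND_ACCESSIBILITY_SERVICE" in pkg.permissions
                      or pkg.name in enabled_a11y):  # A2: the settings key corroborates
        findings.append(("A2", "critical"))
    if untrusted and "android.permission.BIND_DEVICE_ADMIN" in pkg.permissions:  # A3
        findings.append(("A3", "critical"))
    if (pkg.permissions & SMS and pkg.permissions & CONTACTS_OR_CALLLOG
            and pkg.permissions & SENSOR):  # A4: stalkerware permission combo
        findings.append(("A4", "high"))
    return findings


def patch_staleness(security_patch: str, today: str) -> Optional[str]:
    """A5: ro.build.version.security_patch (YYYY-MM-DD) older than 180 / 365 days."""
    age_days = (date.fromisoformat(today) - date.fromisoformat(security_patch)).days
    return "high" if age_days > 365 else "medium" if age_days > 180 else None
```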
CLI
```console
$ digger android collect --case-dir /tmp/case [--serial emulator-5554] [--max-packages 600]
[android] binary: /usr/local/bin/adb
[android] devices in 'device' state: ['emulator-5554']
[android] selected serial: emulator-5554
[android] packages listed: 187
[android] packages dumped: 187
[android] artifacts emitted: 195
[android] elapsed: 14.2s
```
Operator note: remediation is manual
digger never auto-removes a malicious package or revokes a
permission. Remediation goes to the report for the operator to
apply via Settings → Apps or adb shell pm uninstall.
Consistent with the P2 "no host modification
without explicit consent" gate.