Skip to content

Checking SMSs from Android backup

Some attacks against Android phones are done by sending malicious links by SMS. The Android backup feature does not allow to gather much information that can be interesting for a forensic analysis, but it can be used to extract SMSs and check them with MVT.

To do so, you need to connect your Android device to your computer. You will then need to enable USB debugging on the Android device.

If this is the first time you connect to this device, you will need to approve the authentication keys through a prompt that will appear on your Android device.

Then you can use adb to extract the backup for SMS only with the following command:

adb backup com.android.providers.telephony

You will need to approve the backup on the phone and potentially enter a password to encrypt the backup. The backup will then be stored in a file named backup.ab.

You will need to use Android Backup Extractor to convert it to a readable file format. Make sure that java is installed on your system and use the following command:

java -jar ~/Download/abe.jar unpack backup.ab backup.tar
tar xvf backup.tar

(If the backup is encrypted, the password will be asked by Android Backup Extractor).

You can then extract SMSs containing links with MVT:

$ mvt-android check-backup --output . .
16:18:38 INFO     [mvt.android.cli] Checking ADB backup located at: .
         INFO     [mvt.android.modules.backup.sms] Running module SMS...
         INFO     [mvt.android.modules.backup.sms] Processing SMS backup
                  file at ./apps/com.android.providers.telephony/d_f/000
                  000_sms_backup
16:18:39 INFO     [mvt.android.modules.backup.sms] Extracted a total of
                  64 SMS messages containing links

Through the --iocs argument you can specify a STIX2 file defining a list of malicious indicators to check against the records extracted from the backup by mvt. Any matches will be highlighted in the terminal output.