jonathandata1 / pegasus-catalangate-false-positives
Using Citizen Lab and Amnesty's mvt-tool I detected false positive results of spyware infection due to manual manipulation of "known" malicious domains


pegasus-catalangate-false-positives's Issues

Incorrect Information

It took 5 seconds to search domain records and determine that 123tramites.com has a Last Updated Date: 2022-05-21T19:04:14.000Z

Looking at the screenshot in your repository, it clearly states that 123tramites.com was an indicator from April 25th.

You are wrong!

You don't have access to the same data Amnesty or Citizen Lab had access to, so it's impossible for you to get the same results.

For what innocent reason would a C2C communication exist on a device?

I will mostly just quote @abashinfetion here:

If there are traces of C2 communication on my device, I want to be alerted.
Whether I've manually inserted those traces or not.

MVT-Tool is flagging those events as suspicious, and they have a disclaimer in their README stating "This is not intended for end-user self-assessment", so no one is blindly using a single suspicious event from MVT-Tool and proclaiming infection.

Now, let's get to the part where MVT-Tool reports differ based on connectivity.
iOS is a very closed OS and researchers are limited in what data they can extract, and even more limited in terms of configuration. It appears that Safari history does not track all redirects for a URL, but it simply logs the end URL. Most likely this behavior can't be configured and no additional data is available.
Because of this, you are suggesting there could be FPs? Why would that be?
It looks to me as if we are dealing with potential FNs rather than FPs.
If a payload uses the redirected URL on a device with connectivity, no malicious event would be logged in Safari history. This is a potential FN, luckily there are many other IOCs provided by MVT-Tool that can be used to determine an infection verdict.

> MVT-Tool is not using logic to make conclusions of a pegasus infection

Yes, this has already been told to you multiple times.
Forensic tools are used as supporting tools during analyses. No one is claiming this tool alone will tell you whether you have been infected or not.
It's in the first line of their README:

> Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

You're not understanding...or pretending not to understand...how this is a potential false negative, not a false positive. How you're coming to the conclusion that an iOS device attempting to communicate with a C2 is actually a false positive is beyond me. The tool makes no such verdict; but if your device is trying to reach out to C2 servers, you've got some serious potential issues. It is not a sign that everything is fine.
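The thread above turns on two mechanics: an indicator match is a plain hostname-against-IOC-list comparison (so a manually visited IOC domain is flagged exactly as a real visit would be), and a history store that records only the final URL of a redirect chain can miss a hop through an IOC domain (a false negative, not a false positive). The following is an added, self-contained illustration of both points; it is not MVT's code and the IOC domains, history rows and redirect chain are constructed for the example (the `.invalid` TLD is reserved and never resolves).

```python
"""Toy indicator matching over Safari-style history rows.

Added example, not part of the repository or of MVT. All domains, history
rows and the redirect chain below are constructed for illustration.
"""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed IOC list (hypothetical, not real Pegasus indicators).
IOC_DOMAINS: Set[str] = {"c2-example.invalid", "tracker-example.invalid"}

# Constructed history rows: (visit timestamp, visited URL).
HISTORY_ROWS: List[Tuple[str, str]] = [
    ("2022-04-25T10:00:00Z", "https://news-example.invalid/story"),
    ("2022-04-25T10:01:00Z", "https://cdn.tracker-example.invalid/a.js"),
    ("2022-04-25T10:02:00Z", "https://c2-example.invalid/stage1"),  # manually typed or not, it still matches
    ("2022-04-25T10:03:00Z", "https://c2-example.invalid.legit-example.invalid/"),  # not a subdomain match
]


def hostname_matches(hostname: str, ioc_domains: Set[str]) -> Optional[str]:
    """Return the IOC domain that `hostname` equals or is a subdomain of, else None.

    Matching is by DNS label boundary, so 'c2-example.invalid.legit-example.invalid'
    does NOT match 'c2-example.invalid' (the IOC is not its suffix on a label boundary).
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def scan_history(rows: List[Tuple[str, str]], ioc_domains: Set[str]) -> List[dict]:
    """Flag every row whose URL hostname matches an IOC domain.

    This is the whole 'verdict' an indicator scan produces: a hit means the
    device recorded a visit to that host, nothing more about how it got there.
    """
    hits = []
    for visited_at, url in rows:
        host = urlsplit(url).hostname
        if not host:
            continue
        matched = hostname_matches(host, ioc_domains)
        if matched:
            hits.append({"timestamp": visited_at, "url": url, "ioc": matched})
    return hits


def logged_urls(redirect_chain: List[str], records_every_hop: bool) -> List[str]:
    """Simulate what a history store keeps for one navigation.

    A store that records every hop keeps the full chain; one that records only
    the landing page keeps just the final URL, which drops any IOC-domain hop.
    """
    return list(redirect_chain) if records_every_hop else redirect_chain[-1:]


def redirect_false_negative_demo(ioc_domains: Set[str]) -> Tuple[int, int]:
    """Return (hits when every hop is logged, hits when only the final URL is logged)."""
    # Constructed chain: the first hop is an IOC domain, the landing page is benign.
    chain = ["https://c2-example.invalid/redirect", "https://benign-example.invalid/article"]
    full = scan_history([("2022-04-25T11:00:00Z", u) for u in logged_urls(chain, True)], ioc_domains)
    final_only = scan_history([("2022-04-25T11:00:00Z", u) for u in logged_urls(chain, False)], ioc_domains)
    return len(full), len(final_only)


if __name__ == "__main__":
    for hit in scan_history(HISTORY_ROWS, IOC_DOMAINS):
        print(f"{hit['timestamp']}  {hit['url']}  <- {hit['ioc']}")
    print("redirect chain hits (all hops, final only):", redirect_false_negative_demo(IOC_DOMAINS))
```

Run as-is, the scan flags the two genuine IOC hosts (the exact match and the `cdn.` subdomain) and ignores the look-alike that merely contains the IOC string, and the redirect demo returns one hit when every hop is logged but zero when only the landing URL survives: the missed hop is the false negative the thread describes.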
