Android Logcat Analysis
Analyze Android logcat dumps to detect spyware, stalkerware, and other mobile threats on Android devices.
Submit an Android logcat dump for forensic analysis. OrbGuard scans for process anomalies, known spyware signatures, suspicious system calls, and indicators of compromise from Predator, Pegasus (Android variant), stalkerware, and other mobile threats.
POST /api/v1/forensics/android/logcat

Analyze an Android logcat dump for spyware indicators and anomalies.
| Parameter | Type | Required | Description |
|---|---|---|---|
| device_id | string | Required | Unique identifier for the Android device being analyzed. Used for tracking scan history and correlating results. |
| data | string | Required | Base64-encoded contents of the Android logcat dump. |
Capturing Logcat Output
To capture a logcat dump from an Android device, connect via ADB and run `adb logcat -d > logcat.txt`. For a more comprehensive dump, use `adb bugreport > bugreport.zip`. The logcat file can then be base64-encoded and submitted for analysis.
```bash
# Base64-encode the logcat dump and submit. The line wrapping that some base64
# implementations add by default is stripped, because a newline inside the JSON
# string value would make the request fail with VALIDATION_ERROR. For large dumps,
# write the body to a file and pass it with --data @body.json to stay under the
# shell's argument-length limit.
LOGCAT_DATA=$(base64 < /path/to/logcat.txt | tr -d '\n')
curl -X POST https://guard.orbai.world/api/v1/forensics/android/logcat \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{
    \"device_id\": \"pixel-8-pro-xyz456\",
    \"data\": \"$LOGCAT_DATA\"
  }"
```

Example response:

```json
{
  "id": "scan_android_4e5f6a7b8c9d",
  "device_id": "pixel-8-pro-xyz456",
  "platform": "android",
  "scan_type": "logcat",
  "started_at": "2026-02-08T10:15:00Z",
  "completed_at": "2026-02-08T10:15:18Z",
  "duration_ms": 18320,
  "total_anomalies": 3,
  "critical_count": 1,
  "high_count": 1,
  "medium_count": 1,
  "low_count": 0,
  "anomalies": [
    {
      "id": "anom_and_001",
      "type": "suspicious_service",
      "severity": "critical",
      "confidence": 93,
      "title": "Known Predator Spyware Service Detected",
      "description": "Service 'com.serv.services' identified in logcat output. This package name is associated with Predator spyware implants deployed by Cytrox/Intellexa.",
      "path": "/data/app/com.serv.services-1/base.apk",
      "process_name": "com.serv.services",
      "process_pid": 5234,
      "timestamp": "2026-02-07T14:32:10Z",
      "mitre_techniques": ["T1398", "T1407", "T1417.001"],
      "evidence": "Logcat: ActivityManager: Start proc 5234:com.serv.services/u0a182 for service"
    },
    {
      "id": "anom_and_002",
      "type": "accessibility_abuse",
      "severity": "high",
      "confidence": 85,
      "title": "Suspicious Accessibility Service Usage",
      "description": "An unrecognized application is using Android Accessibility Services to monitor screen content and input events. This technique is commonly used by stalkerware.",
      "path": null,
      "process_name": "com.helper.system.overlay",
      "process_pid": 4891,
      "timestamp": "2026-02-07T14:30:05Z",
      "mitre_techniques": ["T1517", "T1411"],
      "evidence": "Logcat: AccessibilityServiceConnection: com.helper.system.overlay bound to accessibility"
    },
    {
      "id": "anom_and_003",
      "type": "network_anomaly",
      "severity": "medium",
      "confidence": 72,
      "title": "Suspicious Outbound Connection",
      "description": "Process established connection to IP address associated with known command-and-control infrastructure during device idle state.",
      "path": null,
      "process_name": "com.serv.services",
      "process_pid": 5234,
      "timestamp": "2026-02-07T03:15:22Z",
      "mitre_techniques": ["T1071.001", "T1573.002"],
      "evidence": "Logcat: NetworkMonitor: Process 5234 connected to 198.51.100.45:443"
    }
  ],
  "timeline": [
    {
      "timestamp": "2026-02-07T14:30:05Z",
      "event": "Suspicious accessibility service binding detected",
      "severity": "high"
    },
    {
      "timestamp": "2026-02-07T14:32:10Z",
      "event": "Known Predator service started",
      "severity": "critical"
    },
    {
      "timestamp": "2026-02-07T03:15:22Z",
      "event": "C2 connection during device idle",
      "severity": "medium"
    }
  ],
  "infection_likelihood": 0.89,
  "detected_threats": [
    {
      "name": "Predator",
      "type": "predator",
      "confidence": 0.89
    },
    {
      "name": "Unknown Stalkerware",
      "type": "stalkerware",
      "confidence": 0.72
    }
  ],
  "recommendations": [
    "Immediately disconnect the device from all networks (Wi-Fi and cellular).",
    "Do not factory reset -- preserve the device for forensic investigation.",
    "Uninstall suspicious applications identified in the analysis if immediate remediation is needed.",
    "Review all accounts accessed from this device and change all passwords from a different device.",
    "Check for unknown Device Administrator apps in Settings > Security > Device Admins.",
    "Consider a full device backup for forensic preservation before any remediation.",
    "Report the infection to your security team or relevant authorities."
  ]
}
```

Error response:

```json
{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid base64 encoding in data field. Ensure the logcat dump is properly base64-encoded."
  }
}
```

Upload Logcat (Multipart)
Upload an Android logcat file directly as multipart form data. Maximum file size is 50 MB.
POST /api/v1/forensics/android/logcat/upload

Upload an Android logcat file for forensic analysis via multipart form data.
| Parameter | Type | Required | Description |
|---|---|---|---|
| file | file | Required | The logcat dump file to analyze. Maximum file size: 50 MB. Sent as multipart form data. |
| device_id | string | Required | Unique identifier for the Android device being analyzed. Sent as a form field. |
File Size Limit
The maximum file upload size is 50 MB. For larger logcat dumps, consider trimming the output to the most recent entries or using `adb logcat -d -t 50000` to limit the number of log lines captured.
```bash
curl -X POST https://guard.orbai.world/api/v1/forensics/android/logcat/upload \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "file=@/path/to/logcat.txt" \
  -F "device_id=pixel-8-pro-xyz456"
```

Example response:

```json
{
  "id": "scan_android_upload_2b3c4d5e",
  "device_id": "pixel-8-pro-xyz456",
  "platform": "android",
  "scan_type": "logcat",
  "started_at": "2026-02-08T10:20:00Z",
  "completed_at": "2026-02-08T10:20:14Z",
  "duration_ms": 14100,
  "total_anomalies": 0,
  "critical_count": 0,
  "high_count": 0,
  "medium_count": 0,
  "low_count": 0,
  "anomalies": [],
  "timeline": [],
  "infection_likelihood": 0.03,
  "detected_threats": [],
  "recommendations": [
    "No significant threats detected in the logcat analysis.",
    "Continue monitoring with regular scans for ongoing protection.",
    "Keep your device updated to the latest Android security patch level.",
    "Review installed apps and remove any you do not recognize."
  ]
}
```

Error response:

```json
{
  "success": false,
  "error": {
    "code": "PAYLOAD_TOO_LARGE",
    "message": "File size exceeds the 50 MB limit. Please reduce the logcat dump size."
  }
}
```
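As an added example (not OrbGuard's own client code), the following Python snippet builds the JSON submission for `/api/v1/forensics/android/logcat` and triages the scan response that both endpoints above return; it embeds a cut-down copy of the documented example response as constructed sample data, and `API_BASE`, the function names and the consistency checks are this example's own choices.

```python
import base64
import json
import urllib.request
from collections import Counter

API_BASE = "https://guard.orbai.world"  # host used in the curl examples above

def build_request(device_id: str, logcat: bytes, api_key: str) -> urllib.request.Request:
    """JSON submission for /api/v1/forensics/android/logcat. b64encode never
    wraps lines, so the value is safe inside the JSON string."""
    body = json.dumps({"device_id": device_id,
                       "data": base64.b64encode(logcat).decode("ascii")}).encode()
    return urllib.request.Request(
        f"{API_BASE}/api/v1/forensics/android/logcat", data=body, method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})

def submitted_logcat(req: urllib.request.Request) -> bytes:
    """Recover the raw dump from a built request (round-trip check)."""
    return base64.b64decode(json.loads(req.data)["data"])

def triage(result: dict) -> dict:
    """Condense a scan response: raise on the error envelope, recompute the severity
    counts from the anomaly list (a mismatch means a truncated or altered response),
    and sort the timeline, which the documented example does not return in order."""
    if result.get("success") is False:
        raise RuntimeError(f"{result['error']['code']}: {result['error']['message']}")
    counts = Counter(a["severity"] for a in result["anomalies"])
    reported = {s: result[f"{s}_count"] for s in ("critical", "high", "medium", "low")}
    consistent = (all(counts[s] == reported[s] for s in reported)
                  and sum(reported.values()) == result["total_anomalies"])
    events = sorted(result["timeline"], key=lambda e: e["timestamp"])
    procs = sorted({a["process_name"] for a in result["anomalies"] if a.get("process_name")})
    return {"consistent": consistent, "processes": procs,
            "first_event": events[0]["timestamp"] if events else None,
            "likelihood": result["infection_likelihood"],
            "threats": [t["name"] for t in result["detected_threats"]]}

# Constructed sample: the documented example response, cut down to the fields triage() reads.
SAMPLE = {
    "total_anomalies": 3, "critical_count": 1, "high_count": 1, "medium_count": 1,
    "low_count": 0, "infection_likelihood": 0.89,
    "anomalies": [{"severity": "critical", "process_name": "com.serv.services"},
                  {"severity": "high", "process_name": "com.helper.system.overlay"},
                  {"severity": "medium", "process_name": "com.serv.services"}],
    "timeline": [{"timestamp": "2026-02-07T14:30:05Z"}, {"timestamp": "2026-02-07T14:32:10Z"},
                 {"timestamp": "2026-02-07T03:15:22Z"}],
    "detected_threats": [{"name": "Predator"}, {"name": "Unknown Stalkerware"}],
}
```

Sorting the timeline shows that the earliest recorded event in the documented example is the 03:15 connection, not the 14:30 accessibility binding the service lists first.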