Android Logcat Analysis
Analyze Android logcat dumps to detect spyware, stalkerware, and other mobile threats on Android devices.
Submit an Android logcat dump for forensic analysis. OrbGuard scans for process anomalies, known spyware signatures, suspicious system calls, and indicators of compromise from Predator, Pegasus (Android variant), stalkerware, and other mobile threats.
There are two ways to submit a logcat dump:
- Multipart upload (`/forensics/android/logcat/upload`) -- the recommended path for mobile and desktop clients. Stream the file directly; no encoding required.
- JSON (`/forensics/analyze/logcat`) -- send the dump as a plain-text string in a `log_data` field.
No Base64 Needed
The JSON endpoint takes the logcat dump as plain text in the log_data field -- it is not Base64-encoded.
JSON Analysis
`POST /api/v1/forensics/analyze/logcat`
Analyze an Android logcat dump (plain-text JSON) for spyware indicators and anomalies.
| Parameter | Type | Required | Description |
|---|---|---|---|
| `device_id` | string | Optional | Identifier for the Android device being analyzed. Used for tracking scan history and correlating results. |
| `log_data` | string | Required | The plain-text contents of the Android logcat dump (not Base64-encoded). |
Capturing Logcat Output
To capture a logcat dump from an Android device, connect via ADB and run `adb logcat -d > logcat.txt`. For a more comprehensive dump, use `adb bugreport > bugreport.zip` and submit it to the bugreport upload endpoint. The logcat text can then be submitted to either logcat endpoint for analysis.
Request:

```bash
# Send the logcat dump as plain text in the log_data field.
# jq -Rs wraps the whole file in one JSON string; @<(...) is bash process substitution.
curl -X POST https://guard.orbai.world/api/v1/forensics/analyze/logcat \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @<(jq -Rs '{device_id:"pixel-8-pro-xyz456", log_data:.}' /path/to/logcat.txt)
```

Example response:

```json
{
  "id": "scan_android_4e5f6a7b8c9d",
  "device_id": "pixel-8-pro-xyz456",
  "platform": "android",
  "scan_type": "logcat",
  "started_at": "2026-02-08T10:15:00Z",
  "completed_at": "2026-02-08T10:15:18Z",
  "duration_ms": 18320,
  "total_anomalies": 3,
  "critical_count": 1,
  "high_count": 1,
  "medium_count": 1,
  "low_count": 0,
  "anomalies": [
    {
      "id": "anom_and_001",
      "type": "suspicious_service",
      "severity": "critical",
      "confidence": 93,
      "title": "Known Predator Spyware Service Detected",
      "description": "Service 'com.serv.services' identified in logcat output. This package name is associated with Predator spyware implants deployed by Cytrox/Intellexa.",
      "path": "/data/app/com.serv.services-1/base.apk",
      "process_name": "com.serv.services",
      "process_pid": 5234,
      "timestamp": "2026-02-07T14:32:10Z",
      "mitre_techniques": ["T1398", "T1407", "T1417.001"],
      "evidence": "Logcat: ActivityManager: Start proc 5234:com.serv.services/u0a182 for service"
    },
    {
      "id": "anom_and_002",
      "type": "accessibility_abuse",
      "severity": "high",
      "confidence": 85,
      "title": "Suspicious Accessibility Service Usage",
      "description": "An unrecognized application is using Android Accessibility Services to monitor screen content and input events. This technique is commonly used by stalkerware.",
      "path": null,
      "process_name": "com.helper.system.overlay",
      "process_pid": 4891,
      "timestamp": "2026-02-07T14:30:05Z",
      "mitre_techniques": ["T1517", "T1411"],
      "evidence": "Logcat: AccessibilityServiceConnection: com.helper.system.overlay bound to accessibility"
    },
    {
      "id": "anom_and_003",
      "type": "network_anomaly",
      "severity": "medium",
      "confidence": 72,
      "title": "Suspicious Outbound Connection",
      "description": "Process established connection to IP address associated with known command-and-control infrastructure during device idle state.",
      "path": null,
      "process_name": "com.serv.services",
      "process_pid": 5234,
      "timestamp": "2026-02-07T03:15:22Z",
      "mitre_techniques": ["T1071.001", "T1573.002"],
      "evidence": "Logcat: NetworkMonitor: Process 5234 connected to 198.51.100.45:443"
    }
  ],
  "timeline": [
    {
      "timestamp": "2026-02-07T14:30:05Z",
      "event": "Suspicious accessibility service binding detected",
      "severity": "high"
    },
    {
      "timestamp": "2026-02-07T14:32:10Z",
      "event": "Known Predator service started",
      "severity": "critical"
    },
    {
      "timestamp": "2026-02-07T03:15:22Z",
      "event": "C2 connection during device idle",
      "severity": "medium"
    }
  ],
  "infection_likelihood": 0.89,
  "detected_threats": [
    {
      "name": "Predator",
      "type": "predator",
      "confidence": 0.89
    },
    {
      "name": "Unknown Stalkerware",
      "type": "stalkerware",
      "confidence": 0.72
    }
  ],
  "recommendations": [
    "Immediately disconnect the device from all networks (Wi-Fi and cellular).",
    "Do not factory reset -- preserve the device for forensic investigation.",
    "Uninstall suspicious applications identified in the analysis if immediate remediation is needed.",
    "Review all accounts accessed from this device and change all passwords from a different device.",
    "Check for unknown Device Administrator apps in Settings > Security > Device Admins.",
    "Consider a full device backup for forensic preservation before any remediation.",
    "Report the infection to your security team or relevant authorities."
  ]
}
```

Error response when `log_data` is missing:

```json
{
  "error": "log_data is required"
}
```

Upload Logcat (Multipart)
Upload an Android logcat file directly as multipart form data. Maximum file size is 50 MB.
`POST /api/v1/forensics/android/logcat/upload`
Upload an Android logcat file for forensic analysis via multipart form data.
| Parameter | Type | Required | Description |
|---|---|---|---|
| `file` | file | Required | The logcat dump file to analyze. Maximum file size: 50 MB. Sent as multipart form data. |
| `device_id` | string | Required | Unique identifier for the Android device being analyzed. Sent as a form field. |
File Size Limit
The maximum file upload size is 50 MB. For larger logcat dumps, consider trimming the output to the most recent entries or using `adb logcat -d -t 50000` to limit the number of log lines captured.
Request:

```bash
curl -X POST https://guard.orbai.world/api/v1/forensics/android/logcat/upload \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "file=@/path/to/logcat.txt" \
  -F "device_id=pixel-8-pro-xyz456"
```

Example response:

```json
{
  "id": "scan_android_upload_2b3c4d5e",
  "device_id": "pixel-8-pro-xyz456",
  "platform": "android",
  "scan_type": "logcat",
  "started_at": "2026-02-08T10:20:00Z",
  "completed_at": "2026-02-08T10:20:14Z",
  "duration_ms": 14100,
  "total_anomalies": 0,
  "critical_count": 0,
  "high_count": 0,
  "medium_count": 0,
  "low_count": 0,
  "anomalies": [],
  "timeline": [],
  "infection_likelihood": 0.03,
  "detected_threats": [],
  "recommendations": [
    "No significant threats detected in the logcat analysis.",
    "Continue monitoring with regular scans for ongoing protection.",
    "Keep your device updated to the latest Android security patch level.",
    "Review installed apps and remove any you do not recognize."
  ]
}
```

Error response when the file exceeds the limit:

```json
{
  "success": false,
  "error": {
    "code": "PAYLOAD_TOO_LARGE",
    "message": "File size exceeds the 50 MB limit. Please reduce the logcat dump size."
  }
}
```
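The following is an added client-side example, not OrbGuard's own code: it builds the plain-text `log_data` body for the JSON endpoint, trims an oversized dump to its most recent lines as the size-limit note recommends, and reduces a scan response like the ones above to an escalation decision. The 50 MB limit is assumed to mean 50 MiB, and `SAMPLE_SCAN` is a constructed, abridged response.

```python
MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # the documented 50 MB limit (assumed to mean 50 MiB)

def trim_to_recent(log_text: str, max_bytes: int = MAX_UPLOAD_BYTES) -> str:
    """Keep only the newest lines of an oversized dump (logcat output is chronological)."""
    data = log_text.encode("utf-8")
    if len(data) <= max_bytes:
        return log_text
    tail = data[-max_bytes:]
    cut = tail.find(b"\n")  # drop the partial line left by the byte cut
    if cut >= 0:
        tail = tail[cut + 1:]
    return tail.decode("utf-8", errors="replace")

def build_json_payload(log_text: str, device_id: str = "") -> dict:
    """Body for POST /forensics/analyze/logcat: log_data is raw text, never Base64."""
    body = {"log_data": trim_to_recent(log_text)}
    if device_id:  # optional on the JSON endpoint
        body["device_id"] = device_id
    return body

def triage(scan: dict, likelihood_threshold: float = 0.5) -> dict:
    """Pull out what a responder acts on first; escalate on any critical finding or high likelihood."""
    anomalies = scan.get("anomalies", [])
    processes = sorted({a["process_name"] for a in anomalies if a.get("process_name")})
    timeline = sorted(scan.get("timeline", []), key=lambda e: e["timestamp"])  # responses may be unordered
    escalate = (scan.get("critical_count", 0) > 0
                or scan.get("infection_likelihood", 0.0) >= likelihood_threshold)
    return {
        "scan_id": scan.get("id"),
        "escalate": escalate,
        "processes": processes,
        "threats": [t["name"] for t in scan.get("detected_threats", [])],
        "first_event": timeline[0]["timestamp"] if timeline else None,
    }

# Constructed sample, abridged from the response shape documented on this page.
SAMPLE_SCAN = {
    "id": "scan_android_4e5f6a7b8c9d", "critical_count": 1, "infection_likelihood": 0.89,
    "anomalies": [
        {"severity": "critical", "process_name": "com.serv.services"},
        {"severity": "high", "process_name": "com.helper.system.overlay"},
        {"severity": "medium", "process_name": "com.serv.services"},
    ],
    "timeline": [
        {"timestamp": "2026-02-07T14:30:05Z", "event": "Suspicious accessibility service binding"},
        {"timestamp": "2026-02-07T03:15:22Z", "event": "C2 connection during device idle"},
    ],
    "detected_threats": [{"name": "Predator"}, {"name": "Unknown Stalkerware"}],
}
```

Sending the body is left to the `curl` calls above; `triage` works on the parsed JSON of either endpoint's response.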