System-level state storage — holds global OS configs, app registry, permissions, and security settings.
/data/system
| Artifact | What it contains | Typical Use Case |
|---|---|---|
packages.xml | Every installed package: name, codePath, UID (userId / sharedUserId attribute), install/update/file times (it/ut/ft, hex milliseconds), install-time permissions under <perms> | When was malware installed or last updated? Which UID does it run as? What did it get at install time? |
packages.list | Package ↔ UID ↔ data path mapping | Map /data/data/<pkg> to UID / processes |
appops.xml | Runtime permission usage (camera, mic, storage, etc.) | Did malware access mic/camera/storage? |
device_policies.xml | Device admin apps | Detect admin abuse by RATs |
settings_secure.xml | Accessibility services, security toggles (legacy top-level location; on Android 7+ see users/0/ below) | Was accessibility enabled for malware? |
settings_global.xml | Global system configs (ADB, network flags) (legacy top-level location) | ADB enabled? unusual global settings |
settings_system.xml | UI/system-level settings (legacy top-level location) | Occasionally useful for user behavior |
users/0/settings_secure.xml | Per-user secure settings; on Android 7+ SettingsProvider writes these XML files, so this is where enabled_accessibility_services and install_non_market_apps actually live | Confirm per-user abuse |
users/0/settings_system.xml | Per-user UI settings | Rarely critical |
users/0/settings_global.xml | Global settings (stored only under the owner user 0): adb_enabled, development_settings_enabled, verifier/network flags | Cross-check configs |
usagestats/ | App usage timeline (foreground/background) | When was malware used/executed? |
recent_tasks/ | Recently opened apps | Was malicious app opened manually? |
notification_policy.xml | Notification settings | Malware hiding notifications |
netpolicy.xml | Per-UID network policies (background-data restriction, metered/Data Saver rules); policies only, not traffic volumes | Was malware exempted from background-data restriction so it could keep exfiltrating in the background? |
accounts.xml | Stored accounts (Google, etc.) | Victim profiling, account abuse |
sync/ | Sync adapters + configs | Less common but possible |
dropbox/ | System crash & log dumps | Sometimes contains malware traces |
procstats/ | Process statistics over time | Which processes ran frequently |
batterystats.bin / batterystats-daily.xml | Per-UID battery, wakelock and CPU accounting (the .bin is binary; read it with dumpsys batterystats) | Malware running persistently or holding wakelocks |
job/ or jobs.xml | Scheduled jobs (JobScheduler) | RAT periodic execution |
alarm_stats.xml / alarm_history.xml | AlarmManager usage | Beaconing / periodic triggers |
Timestamps

packages.xml stores these three attributes as hex-encoded milliseconds since the Unix epoch (no 0x prefix in the file):

- ft = APK file timestamp (last change of the code path)
- it = first install time
- ut = last update time

Decoding one by hand (GNU coreutils; on macOS/BSD use `date -u -r <seconds>` instead of `-d @`):

```sh
# HEX → epoch milliseconds
printf "%d\n" 0x1935f2b00f3

# epoch milliseconds → UTC (drop the millisecond part for date)
date -u -d @$(($(printf "%d" 0x1935f2b00f3)/1000))
```
Perms

<perms>

Permissions granted to the package at install time (normal and signature permissions, listed as <item name="..." granted="true"/>). Since Android 6 the dangerous runtime grants are not here: they live in users/0/runtime-permissions.xml (recent releases move that file under /data/misc_de/0/apexdata/com.android.permission/), so check both when asking what a package could actually access.
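The two sections above (timestamp decoding and the <perms> block) come together in a small parser. This is an added example, not code from the original page: the XML string is a constructed, trimmed sample shaped like one <package> entry from /data/system/packages.xml, and the package name, UID and permission list in it are made up. Point `parse_packages` at the real file's contents and it returns, per package, the UID, code path, install-time permissions and the three timestamps decoded to UTC.

```python
"""Decode the it/ut/ft hex-millisecond timestamps and install-time <perms>
from an Android packages.xml (added example; sample input is constructed)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample: one <package> element in the shape packages.xml uses.
# Values (name, codePath, userId, timestamps) are invented for the example.
SAMPLE_PACKAGES_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<packages>
  <package name="com.example.suspicious"
           codePath="/data/app/com.example.suspicious-1"
           ft="1935f2b00f3" it="1935f2b0c33" ut="1935f2b0c33"
           version="1" userId="10123">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
      <item name="android.permission.RECEIVE_BOOT_COMPLETED" granted="true" flags="0" />
      <item name="android.permission.SEND_SMS" granted="false" flags="0" />
    </perms>
  </package>
</packages>
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def hex_ms_to_utc(value):
    """ft/it/ut are hex strings of milliseconds since the Unix epoch.
    timedelta keeps the millisecond exact (float division would not)."""
    return EPOCH + timedelta(milliseconds=int(value, 16))


def parse_packages(xml_text):
    """Return {package_name: {uid, codePath, perms, it, ut, ft}} for every
    <package> element; timestamps are ISO-8601 UTC with millisecond precision."""
    root = ET.fromstring(xml_text)
    result = {}
    for pkg in root.iter("package"):
        # Packages in a shared UID carry sharedUserId instead of userId.
        uid = pkg.get("userId") or pkg.get("sharedUserId")
        entry = {
            "uid": int(uid) if uid is not None else None,
            "codePath": pkg.get("codePath"),
            # Only install-time grants; runtime grants are in runtime-permissions.xml.
            "perms": [
                item.get("name")
                for item in pkg.findall("./perms/item")
                if item.get("granted", "true") == "true"
            ],
        }
        for attr in ("it", "ut", "ft"):
            raw = pkg.get(attr)
            entry[attr] = (
                hex_ms_to_utc(raw).isoformat(timespec="milliseconds") if raw else None
            )
        result[pkg.get("name")] = entry
    return result


def installed_between(parsed, start, end):
    """Names of packages whose first install time (it) falls in [start, end],
    both ISO-8601 UTC strings; handy for bracketing an incident window."""
    return sorted(
        name for name, e in parsed.items()
        if e["it"] is not None and start <= e["it"] <= end
    )


if __name__ == "__main__":
    for name, entry in parse_packages(SAMPLE_PACKAGES_XML).items():
        print(name, entry)
```

The `granted="false"` item in the sample shows why the filter on the `granted` attribute matters: packages.xml lists requested install-time permissions that were refused as well, and a timeline built from the raw `<item>` list would over-state what the app could do.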