Magnet Virtual Summit 2026 CTF - Android Questions
Anything open this time of night? (5 Points)
What is the name of the establishment the user took a screenshot of?
In Axiom, the Pictures artifact page on its own returns too many results, so add a search query for “DCIM/Screenshots/” to filter for screenshots saved in the default directory. This narrows the results down to two images, which happen to be identical.
FLAG
99 Restaurant
Three Star Exit (5 Points)
What was the last time in UTC Clash Of Clans was closed? (Format: YYYY-MM-DD HH:MM:SS)
Axiom parses the Samsung Digital Wellbeing database, which tracks application launches, closes, and background/foreground events. Filter by the app ID of Clash of Clans (com.supercell.clashofclans) and reverse sort by date.
The file for this database lives at:
\data\data\com.samsung.android.forest\databases\dwbCommon.db
FLAG
2025-12-15 18:07:05
Long Distance Call (5 Points)
What country was the other party from for a rejected/declined call?
Axiom parses the call log into a table using the database located at \data\data\com.samsung.android.providers.contacts\databases\calllog.db. In this table, you can sort by “Call Action” to group every Declined call together. The only entries from foreign countries are from Saudi Arabia.
FLAG
Saudi Arabia
Clean Lens (10 Points)
What is the Ingress rating of the security camera that supports night vision?
The Chrome History, located at \data\data\com.android.chrome\app_chrome\Default\History, has URLs from an online store for CCTV cameras, one of which supports night vision.
Visit the site and check the info about the camera. “Ingress Rating” is a rating about resistance to water/dust.
FLAG
IP67
The MVS Times (10 Points)
What was the answer to the first Wordle puzzle solved?
The NYT Games app has Wordle in it. Use a global filter for com.nytimes.crossword to see related artifacts. In the Samsung Digital Wellbeing DB artifact (\data\data\com.samsung.android.forest\databases\dwbCommon.db), we can see that the user spent time on the app on 2025-11-28 and 2025-12-04.
Focusing on the earlier date, we can look up the Wordle answer for that day.
FLAG
COLIC
Secure Attachment (10 Points)
What is the name of the client the user was most recently working on?
Inside the app folder for Google Drive, within the folder for the work account of the user, there is a database called cello.db that tracks content within the user’s Drive.
\data\data\com.google.android.apps.docs\app_cello\djones.iss.secure@gmail.com\cello.db
The items table has an entry for every item in the drive, both files and folders, as well as timestamps, including modified date. Focus on the most recent non-folder item.
There is a protobuf that contains the ID of the parent folder. We can see that id in entry 2 “Hidden Gems” in the id column. The screenshot below has reordered the columns showing both the protobuf from entry 1 “CLIENT Security Recommendation” and the corresponding entry in the “id” column of entry 2. “Hidden Gems” is in the “Clients” folder.
FLAG
Hidden Gems
Checked Out (10 Points)
What was the reason the Nike app was last exited?
Navigate to the Nike app’s folder, and locate a subfolder called applicationExitInfo:
Select the most recent .dat file, which is located at:
\data\data\com.nike.plusgps\cache\newrelic\applicationExitInfo\aei-556.dat
There is a “reason” key-value pair. The value is the flag.
FLAG
13 (OTHER KILLS BY SYSTEM)
Swimming School (25 Points)
What class had the most badges?
Badges are the small icons (usually red or orange circles with a number) that appear on the corner of app icons to notify you of unread messages, missed calls, or pending alerts. On Samsung phones this is done with the Samsung Badge Provider. The package name for this is com.sec.android.provider.badge. Go to its folder and locate the only database, at:
\data\data\com.sec.android.provider.badge\databases\badge.db
In the database, there is a table called ‘apps’, which can be sorted by ‘badgecount’. The class that is associated with the highest badgecount is the answer.
FLAG
com.ss.android.ugc.aweme.splash.SplashActivity
Guess Again (25 Points)
What was the second guess on the first Wordle the user played?
This question does not show up until you complete its precursor, The MVS Times. We can’t see the user’s guesses online, so you’ll have to take a different approach.
Navigate to the folder for the NYT Games app, and extract the Local Storage LDB from the app_webview folder:
This can be analyzed in Mushy by navigating and selecting any of the .ldb files.
Scroll down far enough and you will eventually see an entry containing the state of the Wordle puzzle as the user was playing, including the guesses, timestamp, status, and more.
FLAG
MOCKS
Smarty Pants (25 Points)
How many emails were automatically labeled as notifications?
The “automatically labeled” in this question is a hint to Gmail’s Smart Label feature. There are two Gmail accounts on the device, so there are two bigTopDataDB files, and we will have to look at both.
We can see the stats we are looking for in the label_counts table. We can see 10 total in the first DB, and 73 in the second DB. Add those together to get the flag.
FLAG
83
Put a Ring on It (25 Points)
What is the hex code of the content color for the entry that expires on 2025-12-01 15:06:45?
This one is a bit tricky to find, but it is easier if you use ALEAPP to view FCM-Dump LDB databases. For the app “com.bd.nproject” (Lemon8) we can see there is an expire_time inside a large JSON object every few rows. By searching for the Unix Seconds format of the timestamp in the question, we can see the hex code for “content_color_s”.
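An added example (not part of the original write-up) of the search described above: convert the question's timestamp to Unix seconds, then walk each record's JSON for an object with that expire_time. The sample records are constructed, and the timestamp being UTC and the colour sitting in or below the matching object are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample values standing in for FCM-Dump record values (not from the image).
SAMPLE_RECORDS = [
    "plain text, not JSON",
    json.dumps({"id": 1, "expire_time": 1764500000,
                "style": {"content_color_s": "#FFFFFF"}}),
    # A JSON document carried as a string inside another JSON document.
    json.dumps({"payload": json.dumps(
        {"expire_time": "1764601605", "style": {"content_color_s": "#112233"}})}),
]

def to_unix_seconds(text):
    """'YYYY-MM-DD HH:MM:SS' -> Unix seconds, treating the input as UTC (assumption)."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def iter_objects(node):
    """Yield every JSON object under node, descending into JSON-in-string values."""
    if isinstance(node, str):
        if not node.lstrip().startswith(("{", "[")):
            return
        try:
            node = json.loads(node)
        except ValueError:
            return
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from iter_objects(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_objects(value)

def find_content_colors(records, expires_utc):
    """Return content_color_s values from objects whose expire_time matches."""
    target = str(to_unix_seconds(expires_utc))
    colors = []
    for record in records:
        for obj in iter_objects(record):
            if str(obj.get("expire_time")) != target:
                continue
            # Assumption: the colour sits in the matching object or below it.
            colors += [o["content_color_s"] for o in iter_objects(obj)
                       if "content_color_s" in o]
    return colors

if __name__ == "__main__":
    print(find_content_colors(SAMPLE_RECORDS, "2025-12-01 15:06:45"))
```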
FLAG
#262626
Some Data Hides Many STATs (50 Points)
What was the PID of the app that was in focus at 2025-12-15 17:48:09?
This is a multi-step question needing two artifacts, one of which is not supported.
First, search the Digital Wellbeing DB to find the app that is in focus at that time.
Above you can see that Clash of Clans was in focus. It does briefly show “ACTIVITY_PAUSED” due to a permissions pop-up, but the app is still in the foreground.
Second, use the CPUSTAT table in the \data\data\com.sec.android.sdhms\databases\thermal_log database in the com.sec.android.sdhms package to find the PID of the app there at that time.
The capitalization of the question name spells out SDHMS in that order, alluding to com.sec.android.sdhms, and STAT is capitalized in the last word, alluding to the CPUSTAT table.
FLAG
5254
U Tree C (50 Points)
When in UTC was the timezone set? (YYYY-MM-DD HH:MM:SS)
The purpose of this question is to get people looking at unsupported artifacts. In this case, Samsung Digital Wellbeing seems like something to skip over, as it has parsers as of now, but not all the tables within this database are parsed properly; there are still some outliers. One of these is the “Logging” table, which has timestamped records of changes to the active timezone. Two entries show up here that represent changes to the timezone, one second apart. Both of them are valid flags.
FLAG
2025-11-10 18:11:26 OR 2025-11-10 18:11:25
Out of Bounds (75 Points)
What was the top package name in a splitscreen shortcut?
Samsung has an edge panel that can be opened by swiping inwards from the right edge, about ¾ of the way up the screen. In here, there is a quick drawer for launching apps that can be customized by the user. One of the interesting features of this is that it also supports making splitscreen shortcuts, where clicking on an icon opens two apps in a saved layout. While we don’t know of any public research around this artifact, we are excited to share this with you from our testing.
The shortcuts placed here are tracked in a file located at:
\data\data\com.sec.android.app.launcher\shared_prefs\apps_edge_sa_status_pref.xml
There is a <string> element within the XML file which contains a list of the package names of the apps in this panel, and each of the entries/shortcuts is separated by a “/”. You may notice that one entry has two package names, separated by an “&”. This is the splitscreen shortcut. The first package name is the top app.
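An added example (not part of the original write-up) that pulls the paired entries out of a shared_prefs file laid out as described above. The XML sample, its key names and its package names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the key names and packages are placeholders, not values
# from the CTF image. On disk the "&" separator is escaped as "&amp;".
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name="example_flag" value="true" />
    <string name="example_app_list">com.example.mail/com.example.maps&amp;com.example.notes/com.example.camera</string>
</map>"""

def splitscreen_shortcuts(xml_text):
    """Return (key, position, top_package, other_package) for each paired entry."""
    found = []
    root = ET.fromstring(xml_text)
    for elem in root.iter("string"):
        # Entries in the list are separated by "/".
        entries = (elem.text or "").split("/")
        for position, entry in enumerate(entries):
            if "&" not in entry:
                continue  # ordinary single-app shortcut
            # The first package name in a pair is the top app.
            top, _, other = entry.partition("&")
            found.append((elem.get("name"), position, top.strip(), other.strip()))
    return found

if __name__ == "__main__":
    for key, position, top, other in splitscreen_shortcuts(SAMPLE_PREFS):
        print(f"{key}[{position}]: top={top} other={other}")
```

A raw text search of the file for “&” alone will also match the escaped form, so parsing the XML first avoids carrying “amp;” into the second package name.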
This is what it looks like on a test phone, if you are curious: