1. Overview

I found an APK online that looks like a trojan; here is a simple analysis.

· MD5: f056ee7f8d4931c905157ebd2cc4a795
· SHA-1: 35a991b7071ac96af550f2271e05613866a57c25
· File size: 27KB
· Application name: AndroidInstaller
· Certificate: /C=RU/ST=Moskow/L=Moskow/O=MoskowDroid Development/OU=inc/CN=Ale...
· Package name: com.android.installer.full
· Version: 2.1

2. AndroidManifest.xml

    <uses-permission android:name="android.permission.INTERNET" />               <!-- network access -->
    <uses-permission android:name="android.permission.CAMERA" />                 <!-- camera -->
    <uses-permission android:name="android.permission.BATTERY_STATS" />
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />  <!-- change audio settings -->
    <uses-permission android:name="android.permission.INSTALL_PACKAGES" />       <!-- install applications -->
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />       <!-- read phone state -->
    <uses-permission android:name="android.permission.RECEIVE_SMS" />            <!-- monitor incoming SMS -->
    <uses-permission android:name="android.permission.SEND_SMS" />               <!-- send SMS -->
    <uses-permission android:name="android.permission.WRITE_SMS" />              <!-- edit SMS -->

3. Quick scan with 360

4. Analysis

In AndroidInstaller2Activity.smali, the onCreate() function schedules a Timer:

    invoke-virtual/range {v3 .. v8}, Ljava/util/Timer;->schedule(Ljava/util/TimerTask;JJ)V    # starts the Timer

The TimerTask's run method, in AndroidInstaller2Activity$2.smali, calls

    invoke-direct {p0}, Lcom/android/installer/full/AndroidInstaller2Activity;->TimerMethod()V

and that method ultimately calls the run method in AndroidInstaller2Activity$1.smali, which invokes the SMS-sending function:

    # the run method calls the SMS-sending function
    # invokes: Lcom/android/installer/full/AndroidInstaller2Activity;->sendSMS(Ljava/lang/String;Ljava/lang/String;)V
    invoke-static {v0, v1, v2}, Lcom/android/installer/full/AndroidInstaller2Activity;->access$11(Lcom/android/installer/full/AndroidInstaller2Activity;Ljava/lang/String;Ljava/lang/String;)V

Getting the name of the currently registered network operator:

    .line 159
    const-string v3, "phone"
    move-object/from16 v0, p0
    move-object v1, v3
    invoke-virtual {v0, v1}, Lcom/android/installer/full/AndroidInstaller2Activity;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v29
    check-cast v29, Landroid/telephony/TelephonyManager;
    .line 160
    .local v29, "tel":Landroid/telephony/TelephonyManager;
    invoke-virtual/range {v29 .. v29}, Landroid/telephony/TelephonyManager;->getNetworkOperator()Ljava/lang/String;

Getting the phone number:

    invoke-virtual/range {v29 .. v29}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
    move-result-object v22
    .line 171
    .local v22, "phoneNumber":Ljava/lang/String;

The logic that follows uses the phone number to work out the region and sends SMS to different operators' numbers. The program appears to be Russian; I found an address, http://translate.google.com.hk/translate?hl=zh-CN&sl=ru&u=http://wap4mobi.ru/rools.html&prev=/search%3Fq%3Dwap4mobi.ru/rools.html%26newwindow%3D1%26safe%3Dstrict, which in any case has to do with purchasing services.

The program can also open a website; judging by the address, it should be a file download URL:

    .method public openWebURL(Ljava/lang/String;)V
        .locals 3
        .param p1, "inURL"    # Ljava/lang/String;

        .prologue
        .line 343
        new-instance v0, Landroid/content/Intent;
        const-string v1, "android.intent.action.VIEW"
        invoke-static {p1}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
        move-result-object v2
        invoke-direct {v0, v1, v2}, Landroid/content/Intent;-><init>(Ljava/lang/String;Landroid/net/Uri;)V

        .line 345
        .local v0, "browse":Landroid/content/Intent;
        invoke-virtual {p0, v0}, Lcom/android/installer/full/AndroidInstaller2Activity;->startActivity(Landroid/content/Intent;)V

        .line 346
        return-void
    .end method

My skills are limited and this is only a simple analysis; experts, please go easy on me~
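The two indicators this post relies on, the manifest permission set and the sensitive telephony calls in the smali, can be checked mechanically during triage. The script below is an added example and is not the author's tooling: it parses a manifest, flags the permission combinations typical of SMS-billing trojans, and scans baksmali output for the TelephonyManager, Timer and synthetic-accessor call sites named above. The sample manifest and smali excerpt are constructed from the fragments quoted in the post, and the rule names, risk labels and the SmsManager.sendTextMessage entry are my own assumptions rather than anything taken from the sample.

```python
"""Static triage of an APK's manifest permissions and smali call sites.
Added example, not the post author's code. The sample inputs below are
constructed from the fragments quoted in the post; the rule names and
risk labels are assumptions made for this example."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the permission list quoted in the post, rebuilt as XML.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.installer.full">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.BATTERY_STATS" />
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
  <uses-permission android:name="android.permission.INSTALL_PACKAGES" />
  <uses-permission android:name="android.permission.BLUETOOTH" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.WRITE_SMS" />
</manifest>
"""

# Constructed smali excerpt: the invoke lines quoted in the post, one per line.
SAMPLE_SMALI = """\
invoke-virtual/range {v3 .. v8}, Ljava/util/Timer;->schedule(Ljava/util/TimerTask;JJ)V
invoke-direct {p0}, Lcom/android/installer/full/AndroidInstaller2Activity;->TimerMethod()V
invoke-static {v0, v1, v2}, Lcom/android/installer/full/AndroidInstaller2Activity;->access$11(Lcom/android/installer/full/AndroidInstaller2Activity;Ljava/lang/String;Ljava/lang/String;)V
invoke-virtual {v0, v1}, Lcom/android/installer/full/AndroidInstaller2Activity;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
invoke-virtual/range {v29 .. v29}, Landroid/telephony/TelephonyManager;->getNetworkOperator()Ljava/lang/String;
invoke-virtual/range {v29 .. v29}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
invoke-static {p1}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
invoke-virtual {p0, v0}, Lcom/android/installer/full/AndroidInstaller2Activity;->startActivity(Landroid/content/Intent;)V
"""


def parse_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


# Assumed rule set: permission combinations typical of SMS-billing trojans.
PERMISSION_RULES = {
    "sms_send_and_intercept": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    "sms_tamper": {"android.permission.WRITE_SMS"},
    "silent_install": {"android.permission.INSTALL_PACKAGES"},
    "subscriber_profiling": {"android.permission.READ_PHONE_STATE"},
}


def flag_permissions(perms: set) -> list:
    """Names of every rule whose full permission set is present, sorted."""
    return sorted(name for name, needed in PERMISSION_RULES.items() if needed <= perms)


# Matches any invoke-* instruction and captures the target class and method name.
INVOKE_RE = re.compile(r"^invoke-\S+\s+\{[^}]*\},\s*(L[^;]+;)->([^(]+)\(")

# (class, method) pairs worth a second look; labels are assumptions for this example.
SENSITIVE_CALLS = {
    ("Landroid/telephony/TelephonyManager;", "getNetworkOperator"): "reads carrier (MCC/MNC)",
    ("Landroid/telephony/TelephonyManager;", "getLine1Number"): "reads own phone number",
    ("Landroid/telephony/SmsManager;", "sendTextMessage"): "sends SMS",
    ("Ljava/util/Timer;", "schedule"): "scheduled background task",
}


def scan_smali(smali_text: str) -> list:
    """Return (line number, 'Class;->method', label) for each hit."""
    hits = []
    for lineno, line in enumerate(smali_text.splitlines(), 1):
        m = INVOKE_RE.match(line.strip())
        if not m:
            continue
        cls, method = m.group(1), m.group(2)
        if (cls, method) in SENSITIVE_CALLS:
            hits.append((lineno, cls + "->" + method, SENSITIVE_CALLS[(cls, method)]))
        elif method.startswith("access$"):
            # Synthetic accessor javac generates when an inner class calls a private
            # method; the real target (sendSMS in the post) is only visible in the
            # '# invokes:' comment baksmali prints above the call, so flag it for review.
            hits.append((lineno, cls + "->" + method, "synthetic accessor; resolve via '# invokes:' comment"))
    return hits


def triage(manifest_xml: str, smali_text: str) -> dict:
    """Combine both checks into one report."""
    perms = parse_permissions(manifest_xml)
    return {
        "permissions": sorted(perms),
        "permission_flags": flag_permissions(perms),
        "smali_hits": scan_smali(smali_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_SMALI)
    print("flags:", ", ".join(report["permission_flags"]))
    for lineno, target, label in report["smali_hits"]:
        print("line %d: %s  (%s)" % (lineno, target, label))
```

On real input, feed it the AndroidManifest.xml and the smali directory produced by apktool; the regex only needs one invoke instruction per line, which is how baksmali emits them, and the access$ rule matters because the actual sendSMS call is hidden behind the accessor exactly as in the post.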