一枚恶意推广app样本简单分析

kangkai · 发表于 2015-10-22 00:56

本帖最后由 kangkai 于 2015-10-22 01:04 编辑

一、样本信息

File: C:\Users\mattpeng\Desktop\demowy.apk

Size: 1431275 bytes

Modified: 2015年10月21日, 22:46:11

MD5: 682BE9D3335D21A****31FC3915B4E2

SHA1:0DCAA12742FA62586D4070DD1EA47579D9A0E38E

CRC32: 747F4DA5

PackAge: com.fywx.video

一、具体分析

1. 查看AndroidManifest.xml配置文件，很幸运，没有进行加固处理。可以发现赋予了病毒非常多的权限，且是高危的权限，例如发送短信、拨打电话、读取日志文件、重启应用程序等等

[XML] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

<uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <uses-permission android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_DOWNLOAD_MANAGER"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
    <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_WAP_PUSH"/>
    <uses-permission android:name="android.permission.CHANGE_CONFIGURATION"/>
    <uses-permission android: name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.RUN_INSTRUMENTATION"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>

2. 当手机接收到短信、开机、解锁时就会启动程序

[XML] 纯文本查看 复制代码

1

2

3

4

5

6

7

<service android:name="com.android.video1.MainService" android:enabled="true" />
        <receiver android:name="com.fy.fy_sdk.FPayReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
                <action android:name="android.intent.action.BOOT_COMPLETED" />
                <action android:name="android.intent.action.USER_PRESENT" />
            </intent-filter>

3. 我们先来com.android.video1.MainService处看看往下翻，发现一个比较重要判断跳转

[Python] 纯文本查看 复制代码

1

2

3

4

   if-nez v1, :cond_3[/align] 
    const-string v1, "Video1.MainActivity"
  
const-string v2, "Star MainService"

看下源代码：

[Java] 纯文本查看 复制代码

1

2

3

4

5

6

7

8

     if (!a.a)
      {
        Log.e("Video1.MainActivity", "Star MainService");
        localObject = new Intent("com.android.video1.install_from_shortcut");
        ((Intent)localObject).setClass(this, MainService.class);
        ((Intent)localObject).putExtra("shortcutid", paramBundle);
        startService((Intent)localObject);
[align=left]

}

我们再看看判断条件的内容，改判断内容主要是判断手机中是否已经安装了改应用，如果安装了，则跳过安装，执行下一步；若为安装装则执行安装

[Asm] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

const-string v0, "Check install"[/align] 
    const-string v1, "check"
  
    invoke-static {v0, v1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
  
    invoke-virtual {p0}, Landroid/app/Activity;->getPackageManager()Landroid/content/pm/PackageManager;const-string v3, "video.apk"
 
    invoke-direct {v1, v2, v3}, Ljava/io/File;-><init>(Ljava/io/File;Ljava/lang/String;)V
 
    sput-object v1, Lcom/fywx/a/a;->e:Ljava/io/File;
 
    sget-object v1, Lcom/fywx/a/a;->e:Ljava/io/File;
 
    invoke-virtual {v1}, Ljava/io/File;->exists()Z
 
    move-result v1
 
    if-nez v1, :cond_0
 
    new-instance v1, Ljava/io/FileOutputStream;
 
    sget-object v2, Lcom/fywx/a/a;->e:Ljava/io/File;
 
    invoke-direct {v1, v2}, Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V
 
    const/16 v2, 0x400
 
    new-array v2, v2, [B
 
    :goto_0
    invoke-virtual {v0, v2}, Ljava/io/InputStream;->read([B)I
 
    move-result v3
 
    if-gtz v3, :cond_2
 
    invoke-virtual {v1}, Ljava/io/FileOutputStream;->close()V
 
    invoke-virtual {v0}, Ljava/io/InputStream;->close()V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
 
    :cond_0
    :goto_1
    new-instance v0, Landroid/app/AlertDialog$Builder;
 
    invoke-direct {v0, p0}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)V
 
    sput-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;
 
    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;
 
    new-instance v1, Landroid/graphics/drawable/BitmapDrawable;
 
    const-string v2, "/res/drawable-hdpi/ic_launcher.png"
 
    invoke-static {v2}, Ljava/lang/ClassLoader;->getSystemResourceAsStream(Ljava/lang/String;)Ljava/io/InputStream;
 
    move-result-object v2
 
    invoke-direct {v1, v2}, Landroid/graphics/drawable/BitmapDrawable;-><init>(Ljava/io/InputStream;)V
 
    invoke-virtual {v0, v1}, Landroid/app/AlertDialog$Builder;->setIcon(Landroid/graphics/drawable/Drawable;)Landroid/app/AlertDialog$Builder;
 
    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;
 
    invoke-virtual {v0, v5}, Landroid/app/AlertDialog$Builder;->setCancelable(Z)Landroid/app/AlertDialog$Builder;
 
    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;
 
    const-string v1, "\u5b89\u88c5\u89c6\u9891\u4e0b\u8f7d\u63d2\u4ef6\u63d0\u793a"
 
    invoke-virtual {v0, v1}, Landroid/app/AlertDialog$Builder;->setTitle(Ljava/lang/CharSequence;)Landroid/app/AlertDialog$Builder;
 
    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;
 
    const-string v1, "\u60a8\u9700\u8981\u5b89\u88c5\u89c6\u9891\u63d2\u4ef6\u624d\u53ef\u4ee5\u89c2\u770b\u672c\u5e94\u7528\u5185\u7684\u5404\u79cd\u6fc0\u60c5\u89c6\u9891\u3002\u662f\u5426\u5b89\u88c5\u89c6\u9891\u63d2\u4ef6\uff1f"
 
    invoke-virtual {v0, v1}, Landroid/app/AlertDialog$Builder;->setMessage(Ljava/lang/CharSequence;)Landroid/app/AlertDialog$Builder;
 
    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;
 
    const-string v1, "\u5b89\u88c5"
 
    new-instance v2, Lcom/fywx/a/b;
 
    invoke-direct {v2, p0}, Lcom/fywx/a/b;-><init>(Landroid/app/Activity;)V
 
    invoke-virtual {v0, v1, v2}, Landroid/app/AlertDialog$Builder;->setPositiveButton(Ljava/lang/CharSequence;Landroid/content/DialogInterface$OnClickListener;)Landroid/app/AlertDialog$Builder;
 
    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;
 
    const-string v1, "\u53d6\u6d88"

执行完判断条件后，回到MainActiviy，继续往下走来到MainService

在MainService第一行就是.field public static a:Lcom/android/video1/z，那我们就到.field public statica:Lcom/android/video1/z中看看

很幸运看到了一个新建对象，及常量字符串

[Asm] 纯文本查看 复制代码

1

2

3

4

5

new-instance v0, Lorg/apache/http/client/methods/HttpGet;
 
  new-instance v3, Ljava/lang/StringBuilder;     // 新建一个StringBuilder对象
 
  const-string v4, [url=http://adverapk.oss-cn-beijing.aliyuncs.com/config%2]http://adverapk.****.aliyuncs.com/config%2[/url]******.txt?

将这个链接下来看看具体是什么，里面全是推广的app

[XML] 纯文本查看 复制代码

001

002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

{
  "PopStartTime": "20",
  "PopTime": "30",
  "FlashStartTime": "15",
  "ImageStartTime": "60",
  "ImageTime": "60",
  "AdItem": [
    {
      "Id": "10461",
      "Name": "无码爽播",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "2",
      "Intro": "",
      "Size": "1385",
      "MD5": "93F6FE9390216A40A357713954938599",
      "Delay": "2",
      "PackageName": "tfdufhkx.msmuycsd.yggfvnsb",
      "Activity": "com.dm.ts.DmtestActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2Fshipin.apk",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2F12.png"
    },
    {
      "Id": "10462",
      "Name": "成人小说",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "5",
      "Intro": "成人小说",
      "Size": "2404",
      "MD5": "484B0AFDA43EFEF0C65B967CAF36B212",
      "IconAdd": "",
      "PackageName": "jxrnyg.bcolovo.kbkbyf",
      "Activity": "com.atnl.adultnovel.book.activity.StateAcitvity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fxiaoshuo%2Fchengrenxiaoshou.apk",
      "FullImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fxiaoshuo%2Fcr.png"
    },
    {
      "Id": "10473",
      "Name": "无码爽播",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "5",
      "Intro": "无码爽播",
      "Size": "1385",
      "MD5": "93F6FE9390216A40A357713954938599",
      "IconAdd": "",
      "PackageName": "tfdufhkx.msmuycsd.yggfvnsb",
      "Activity": "com.dm.ts.DmtestActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2Fshipin.apk",
      "FullImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2F0000.png"
    },
    {
      "Id": "10465",
      "Name": "全民酷跑",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "3",
      "Intro": "全民酷跑",
      "Size": "8254",
      "MD5": "C8F8643EAF93F870F999BCD8175FC872",
      "IconAdd": "",
      "PackageName": "com.ezgame.skater",
      "Activity": "com.snowfish.cn.ganga.offline.helper.SFGameSplashActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/apks%2Fquanmingkupao%2Fquanmingkupao.apk",
      "PopImgAdd": [
        "http://adverapk.*********.aliyuncs.com/qudao%2Fhlq%2Fqmkp%2F5.jpg"
      ]
    },
    {
      "Id": "10466",
      "Name": "成人小说",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "2",
      "Intro": "",
      "Size": "2404",
      "MD5": "484B0AFDA43EFEF0C65B967CAF36B212",
      "Delay": "2",
      "PackageName": "jxrnyg.bcolovo.kbkbyf",
      "Activity": "com.atnl.adultnovel.book.activity.StateAcitvity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fxiaoshuo%2Fchengrenxiaoshou.apk",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2F1.jpg"
    },
    {
      "Id": "10469",
      "Name": "桃桃斗地主",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "3",
      "Intro": "美女和你一起斗地主桃桃斗地主",
      "Size": "9850",
      "MD5": "2E6ADDBDF0CC422DAFC6D97D13C62192",
      "IconAdd": "",
      "PackageName": "com.meiqu.ddzdj.zimon",
      "Activity": "com.open.sdk.DoActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fqxjwl%2Ftaotaodoudizhu%2Ftaotao.apk",
      "PopImgAdd": [
        "http://adverapk.*********.aliyuncs.com/qudao%2Fqxjwl%2Ftaotaodoudizhu%2Fdoulun.png"
      ]
    },
    {
      "Id": "10472",
      "Name": "万能WIFI",
      "Intro": "万能WIFI，让你随时随地上网",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "1",
      "Size": "548",
      "MD5": "3D1FE5B1F4051BD40228E18DBFCC571C",
      "Delay": "14",
      "PackageName": "inspnmm.xhx.neets",
      "Activity": "com.huluxia.wifi.MainActivity",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fwifi%2Fwifi.png",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fwifi%2Fwifi100902.apk",
      "NotifyImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fwifi%2Faaa.png"
    },
    {
      "Id": "10485",
      "Name": "超级加速器",
      "Intro": "一款专注于手机内存清理、优化的超级加速软件，强力、持久释放内存",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "1",
      "Size": "843",
      "MD5": "3D1FE5B1F4051BD40228E18DBFCC571C",
      "Delay": "14",
      "PackageName": "com.apusapps.tools.boosterfq",
      "Activity": "com.apusapps.tools.booster.ui.BoostMainActivity",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fchaojijiasuqi%2Ficon.png",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fchaojijiasuqi%2Fchaoji.apk",
      "NotifyImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fchaojijiasuqi%2FL.png"
    }, 
    {
      "Id": "10478",
      "Name": "夫妻笑话大湿",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "2",
      "Intro": "",
      "Size": "2",
      "MD5": "7af8f2a17c40694ecca4be1533ae29d1",
      "Delay": "2",
      "PackageName": "com.mobapp.jokecouble21013",
      "Activity": "com.mobapp.jokecouble.WelcomeActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffuqixiaohuadashi%2Fjoke100901.apk",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffuqixiaohuadashi%2Ficon.png"
    },
    {
      "Id": "10482",
      "Name": "高清直播",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "5",
      "Intro": "日韩美随你看。。",
      "Size": "1077",
      "MD5": "e4e97d05ee8ba44fa5e4fc91f2dd9c8b",
      "IconAdd": "",
      "PackageName": "com.dsedsa.sdgfrtd",
      "Activity": "com.icon.IconActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fgaoqinzhibo%2Fgaoqin.apk",
      "FullImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fgaoqinzhibo%2Fq.png"
    },
    {
      "Id": "10483",
      "Name": "寂寞快播",
      "Intro": "夜深的时候，看片神器",
      "Size": "1187",
      "MD5": "ae59592d3d2e1c590f9c605c6b8a6b30",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "9",
      "Align": "down",
      "PackageName": "KI6k.Dc0O.Xh7R.E894",
      "Activity": "com.xiaochen.android.yyeuw.ui.UserNavAct",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fjimokuaibo%2Fic_launcher.png",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fjimokuaibo%2Fkuaibo.apk",
      "ImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fjimokuaibo%2Fm.gif"
    },
    {
      "Id": "10480",
      "Name": "泡泡龙",
      "Intro": "饭后一起打泡泡吧",
      "Size": "6482",
      "MD5": "986527388747090a9e7e44411bcaafe9",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "安徽,广西,贵州,海南,河北,黑龙江,湖北,吉林,辽宁,内蒙古,宁夏,青海,天津,西藏,新疆,云南",
      "Type": "9",
      "Align": "top",
      "PackageName": "com.fireflygame.popolong.tp",
      "Activity": "org.cocos2dx.cpp.AppActivity",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fpaopaolong%2FICON.png",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fpaopaolong%2Fpaopao.apk",
      "ImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fpaopaolong%2Fp.png"
    }, 
    {
      "Id": "10484",
      "Name": "辣妹影院",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "2",
      "Intro": "",
      "Size": "2",
      "MD5": "906273646affdbcc222da97c001a0216",
      "Delay": "2",
      "PackageName": "com.g.ees.appab",
      "Activity": "com.g.ees.appab.BrowseActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Flameiyy%2Flamei.apk",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Flameiyy%2Ficon.png"
    }
  ]
}

kangkai · 发表于 2015-10-28 16:22

willJ 发表于 2015-10-23 09:30
那么问题来了，没有root权限的情况下，如何将这些推广装上去呢？

其实此app会做root检测，以及尝试去获取root权限，如果失败的话，则会诱导用户去安装。

小朋友呢 · 发表于 2015-10-22 08:13

虽然看不懂什么意思，我还是支持你。

zxf261 · 发表于 2015-10-22 08:22

很详细，分析很到位

willJ · 发表于 2015-10-23 09:30

那么问题来了，没有root权限的情况下，如何将这些推广装上去呢？

woshenxia · 发表于 2015-10-23 14:48

楼主方便提供样本，给我们实践分析下吗

Mr.Mlwareson_V · 发表于 2015-10-28 15:28

大牛分析得很好啊，学习了

ytvirus · 发表于 2015-11-3 16:14

很好！很不错，学习了....

jiejing · 发表于 2015-12-2 12:36

大哥，样本提供下啊

一个小菜鸟 · 发表于 2016-4-6 18:29

样本给我一份吧

帐号		自动登录	找回密码
密码			注册[Register]

[移动样本分析] 一枚恶意推广app样本简单分析

免费评分