1. Introduction to the malware
The malware spreads by impersonating browsers, media players and games. Once a phone is infected, it immediately downloads privilege-escalation files to obtain root, pushes ads frequently, monitors the user's SMS records, sends premium-rate SMS without consent, and injects a large number of malicious files into the phone's system partition to guard the malware and prevent it from being uninstalled.
Most samples are downloaded from overseas cloud servers such as cloudfront.net and amazonaws.com; the app names are usually entirely in English, such as WatermelonShare and Calc Master; and the ads it pushes and the apps it downloads are all foreign software. From this we infer that the malware targets overseas users. Judging by its functionality and the comments in its code, it was produced in China, so we consider it a typical ad trojan that is made in China and spreads abroad. Based on clues in one of the more widely distributed samples, we suspect the author may be a company in Fuzhou, Fujian, operating in the app-market business.
Trend in infection counts:
![1.png](https://img-blog.csdn.net/20161115121058854?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
2. Sample information
Package name: com.mobo.mrclean
Certificate: 1D90BFFEC2A26B6CC50151757CBCEE04
Sub-packages in the assets directory
![2.png](https://img-blog.csdn.net/20161115121106783?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
3. Malicious behaviour
1) After the malware runs, it immediately downloads privilege-escalation files to obtain root and take control of the system;
2) It injects a large number of malicious files into the phone's system partition to prevent the malware from being uninstalled;
3) It sends premium-rate SMS without consent, causing the user significant financial loss;
4) It downloads and silently installs malicious sub-packages into the phone's ROM;
5) It frequently pushes malicious ads, interfering with normal use of the phone;
![4.png](https://img-blog.csdn.net/20161115121121417?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![5.png](https://img-blog.csdn.net/20161115121129284?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
4. Execution flow of the malware
![6.png](https://img-blog.csdn.net/20161115121142440?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
5. Detailed analysis
1) Behaviour of the parent package
Loads the sub-package assets/a
![7.png](https://img-blog.csdn.net/20161115121151183?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
Calls the in1 method to decode assets/c and assets/s, producing mcr.apk and libdt.so
![8.png](https://img-blog.csdn.net/20161115121202902?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
Calls the in2 method to load libdt.so
![9.png](https://img-blog.csdn.net/20161115121211644?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
In libdt.so, the in3 method operates on mcr.apk
![10.png](https://img-blog.csdn.net/20161115121221558?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
The in4 method in libdt.so uses loadClass to invoke the init method of the com.android.provider.power.Power class inside mcr.apk
![11.png](https://img-blog.csdn.net/20161115121237870?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
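The loader chain above (extension-less assets that decode into a second APK and a native library, and later an "image" that is really a package) leaves a recognisable footprint in the APK itself. The following is an added triage script, not code from the original post or from the malware: it builds a constructed in-memory APK with that layout (the contents are synthetic, generated from a seeded PRNG as a stand-in for encrypted data) and flags assets that carry executable magic, hide a package behind a media extension, or are extension-less high-entropy blobs. The entropy threshold of 7.2 bits per byte is an assumed tuning value.

```python
"""Static triage of an APK's assets directory for staged/packed payloads."""
import io
import math
import random
import zipfile

# File-type magic we recognise; anything else is "unknown".
MAGIC = {
    b"PK\x03\x04": "zip/apk/jar",
    b"dex\n": "dex",
    b"\x7fELF": "elf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}
MEDIA_EXT = {"png", "jpg", "jpeg", "gif", "mp3", "ogg", "ttf", "txt", "json", "xml", "html"}
IMAGE_EXT = {"png", "jpg", "jpeg", "gif"}


def shannon_entropy(data):
    """Bits per byte; ~8.0 for random/encrypted data, low for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage_assets(apk_bytes, entropy_threshold=7.2):
    """Return [(asset name, [reasons])] for every suspicious entry under assets/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            data = z.read(name)
            base = name.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            kind = identify(data)
            ent = shannon_entropy(data)
            reasons = []
            if kind in ("zip/apk/jar", "dex", "elf"):
                reasons.append("executable payload (%s) under assets" % kind)
                if ext in MEDIA_EXT:
                    reasons.append("disguised with .%s extension" % ext)
            elif kind is None and ext == "" and ent >= entropy_threshold:
                reasons.append("extension-less, no known magic, entropy %.2f (likely encrypted/packed)" % ent)
            elif kind is None and ext in IMAGE_EXT:
                reasons.append("claims to be .%s but has no image magic" % ext)
            if reasons:
                findings.append((name, reasons))
    return findings


def build_constructed_apk():
    """Constructed sample (NOT the real sample): a zip with the asset layout
    the analysis describes, filled with deterministic pseudo-random bytes."""
    rng = random.Random(20161115)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("assets/a", b"PK\x03\x04" + noise)            # jar/apk sub-package in assets
        z.writestr("assets/c", noise)                              # encrypted blob (becomes mcr.apk after decode)
        z.writestr("assets/s", noise[::-1])                        # encrypted blob (becomes libdt.so after decode)
        z.writestr("assets/is.png", b"PK\x03\x04" + noise[:512])   # package hiding behind an image name
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + noise[:256])  # genuine-looking image
        z.writestr("assets/readme.txt", b"hello world " * 100)     # plain text, low entropy
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_assets(build_constructed_apk()):
        print(name, "->", "; ".join(reasons))
```

Run against a real APK by passing the file's bytes to triage_assets; the legitimate logo.png and readme.txt are left alone, while the four staged payloads are reported with the reason they tripped.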
The init method of the com.android.provider.power.Power class
![12.png](https://img-blog.csdn.net/20161115121303480)
In the initcore method, getIsFirst is used to determine whether the program is being run for the first time
![](https://img-blog.csdn.net/20161115120258571?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
If it is the first run, Door.init(context); is called to initialise the configuration and start services b and d, which activates the advertising functionality
![14.png](https://img-blog.csdn.net/20161115120308662?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
Service b starts the DetectAppTask thread and uses timerSet to keep sending broadcasts on a timer
![15.png](https://img-blog.csdn.net/20161115120326256?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
Once the package-name check passes, the DetectAppTask thread sends the pop-up broadcast with action "com.fpt.alk.clk"
![16.png](https://img-blog.csdn.net/20161115120341415?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
The broadcast receiver pops up an ad when it receives the broadcast
![17.png](https://img-blog.csdn.net/20161115120351447?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
Service d starts the module that induces charges
![18.png](https://img-blog.csdn.net/20161115120400225?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![19.png](https://img-blog.csdn.net/20161115120408791?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
Service c is started via startService
![20.png](https://img-blog.csdn.net/20161115120419334?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
The billing service is started and the GasLogicRun thread is created
![21.png](https://img-blog.csdn.net/20161115120429787?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
The GasLogicRun thread is started and calls the handlerRet method to send SMS messages
![22.png](https://img-blog.csdn.net/20161115120443120?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
The handlerRet method parses a JSONObject to obtain the billing details and sends SMS messages to charge the user
![23.png](https://img-blog.csdn.net/20161115120454635?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
Intercepts SMS messages that contain specified keywords
![24.png](https://img-blog.csdn.net/20161115120505167?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![25.png](https://img-blog.csdn.net/20161115120514026?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
After a successful charge, information is uploaded to the server
![26.png](https://img-blog.csdn.net/20161115120524745?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
The DataStore class manages fmoonStore.db, the database that stores the keywords to be blocked
![27.png](https://img-blog.csdn.net/20161115120534933?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
The Cpsavd class monitors changes to the SMS store
![28.png](https://img-blog.csdn.net/20161115120544976?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
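The billing chain described above (send a premium SMS, then intercept the carrier's reply or confirmation by keyword) needs a specific set of manifest declarations: SEND_SMS plus a receiver for SMS_RECEIVED registered at a high priority so it sees the message first. The script below is an added example, not code from the original post, and the manifest it parses is a constructed one in the shape produced by a decoder such as apktool, not the real sample's manifest; the priority threshold of 100 is an assumed tuning value.

```python
"""Static triage of a decoded AndroidManifest.xml for the premium-SMS trojan pattern."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}

# Constructed manifest for illustration only; it is not the manifest of the analysed sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".b"/>
    <service android:name=".c"/>
    <service android:name=".d"/>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text, priority_threshold=100):
    """Return a dict with the SMS permissions, SMS_RECEIVED receivers and findings."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = int(attr(flt, "priority") or 0)
                sms_receivers.append((attr(recv, "name"), prio))

    findings = []
    can_send = "android.permission.SEND_SMS" in perms
    if can_send:
        findings.append("requests SEND_SMS")
    high = [(n, p) for n, p in sms_receivers if p >= priority_threshold]
    if high:
        findings.append("high-priority SMS_RECEIVED receiver: " + ", ".join(n for n, _ in high))
    if can_send and high:
        # Sending plus first-look interception is the premium-SMS trojan pattern.
        findings.append("SEND_SMS combined with SMS interception (premium-SMS trojan pattern)")

    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receivers": sms_receivers,
        "findings": findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

A benign SMS app also declares some of these, so the combined finding is a triage signal to be read together with the dynamic behaviour (hidden services, keyword database, upload after a successful charge), not a verdict on its own.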
2) Root-related modules
The root launcher module, sub-package com.xx.mas.demo, checks whether the root exploit files exist; if they do, it loads them to root the device, otherwise it generates them first and then roots
![29.png](https://img-blog.csdn.net/20161115120559465?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
b.png under /data/data/<package name>/files/.sunny unpacks into r1 to r4, four different root exploits, which use CVE-2012-6442, WooYun-2013-21778, CVE-2013-6282 and other vulnerabilities to escalate to root.
![30.png](https://img-blog.csdn.net/20161115120610195?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![31.png](https://img-blog.csdn.net/20161115120619148?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
3) Brief description of the other malicious files
![32.png](https://img-blog.csdn.net/20161115120631086?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
ELF file .ukd: injects malicious files into the phone's system partition
![33.png](https://img-blog.csdn.net/20161115120643180?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
For example, it injects a malicious file as /system/xbin/.pr.io
![34.png](https://img-blog.csdn.net/20161115120653825?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
ELF file .pr.io: guards the malicious APK with package name com.music.store.fore.go and exchanges information with the server
![35.png](https://img-blog.csdn.net/20161115120704904?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
ELF file .pe: protects the root access;
ELF file supolicy: adds the malicious files to init.rc and install-recovery.sh so that they are launched at boot
The modified install-recovery.sh
The mkdevsh file: injects malicious files into the system and changes their permissions
![37.png](https://img-blog.csdn.net/20161115120725185?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
.debuggerd.no injects malicious files into the system and sets up a guard thread
![38.png](https://img-blog.csdn.net/20161115120737321?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
The .ir file sets up a guard thread
![39.png](https://img-blog.csdn.net/20161115120745998?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
4) Analysis of the malicious APK sub-packages in the ROM
User counts
![40.png](https://img-blog.csdn.net/20161115120754399?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
B90A7FCB2019BB59799646F77746FAEF11EECE37
On launch it loads the resource sub-package \assets\is.png, which is mainly used for ad statistics and server communication; it also carries the risk of downloading and silently installing software without consent
![41.png](https://img-blog.csdn.net/20161115120804905?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
29E9B1F1285D73612C751ACF3D755A99B31F3509
EF28DE725D2AF36E7BE5E063ADF6D1DF358AE95D
32486B0757215FC94684D85762C836007A6811D0
E6E87065821C5FDEC3F5C1CF6C2A1736B0AC1B8B
A715A1A36DF454C2DCC242D5884DF40150670574
On launch it decrypts and loads the resource sub-package \res\raw\protect.apk, which wakes up the malware's main module process and downloads and installs other software without consent
Downloading and installing other software without consent
5) Sample-related links
Promotional images:
http://d3********iyhtno.cloudfront.net/pic/pic1.jpg
Root module:
http://down.c*****xa.com/b****okr/rtt_0310_577.apk
http://down.c******xa.com/testapk/is1010_1154.jar
Malicious sub-package netalpha inside the ROM:
http://down.co****n.com/o****in/mains2.apk
6. Detection and removal screenshots
![44.png](https://img-blog.csdn.net/20161115120837806?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![45.png](https://img-blog.csdn.net/20161115120845822?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![47.png](https://img-blog.csdn.net/20161115120855009?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![48.png](https://img-blog.csdn.net/20161115120901656?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![49.png](https://img-blog.csdn.net/20161115120910640?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![46.png](https://img-blog.csdn.net/20161115120918619?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
7. Removal plan
To remove this malware completely, the malicious files it placed in the system partition must be cleaned up:
![50.png](https://i-blog.csdnimg.cn/blog_migrate/9728d615901193d6efbee0b8d3988006.jpeg)
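Section 5.3 lists the files the malware drops (.ukd, .pr.io, .pe, mkdevsh, .debuggerd.no, .ir, the fmoonStore.db database, the .sunny staging directory) and the boot scripts it edits, and the removal plan above depends on finding every one of them. The script below is an added example, not part of the original post: it sweeps a file listing (such as the output of find over the system and data partitions, here a constructed list) for those names and packages, and checks the text of install-recovery.sh or init.rc for lines that launch hidden files out of /system/xbin or reference a known dropped file. The constructed script content is modelled on the post's description, not copied from the real modified script, and supolicy is only marked for review because a legitimate root tool of the same name exists.

```python
"""Sweep a device file listing and boot scripts for the persistence artefacts
described in this analysis. Inputs below are constructed for illustration."""
import re

IOC_FILENAMES = {".ukd", ".pr.io", ".pe", "mkdevsh", ".debuggerd.no", ".ir", "fmoonStore.db"}
REVIEW_FILENAMES = {"supolicy"}  # same name as a legitimate root tool; verify the hash by hand
IOC_DIRS = {".sunny"}
IOC_PACKAGES = {"com.mobo.mrclean", "com.xx.mas.demo", "com.music.store.fore.go"}
HIDDEN_SYSTEM_BIN = re.compile(r"^/system/(xbin|bin)/\.")

# Constructed listing (not from a real device) with a few benign paths mixed in.
SAMPLE_PATHS = [
    "/system/bin/sh",
    "/system/xbin/busybox",
    "/system/xbin/.pr.io",
    "/system/xbin/.ukd",
    "/system/xbin/supolicy",
    "/system/etc/install-recovery.sh",
    "/data/data/com.mobo.mrclean/files/.sunny/b.png",
    "/data/data/com.mobo.mrclean/databases/fmoonStore.db",
    "/data/app/com.music.store.fore.go-1.apk",
    "/data/data/com.example.benign/files/cache.db",
]

# Constructed example of a tampered install-recovery.sh; the real one is not reproduced here.
SAMPLE_INSTALL_RECOVERY = """#!/system/bin/sh
# stock recovery patcher followed by injected lines
if ! applypatch -c EMMC:/dev/block/recovery:1234:deadbeef; then
  log -t recovery "Installing new recovery image"
fi
/system/xbin/.pr.io &
/system/xbin/.ukd
"""


def _is_ioc_package(part):
    return any(part == pkg or part.startswith(pkg + "-") for pkg in IOC_PACKAGES)


def sweep_paths(paths):
    """Return [(path, [reasons])] for every path matching a known artefact."""
    hits = []
    for path in paths:
        parts = path.strip("/").split("/")
        name = parts[-1] if parts else ""
        reasons = []
        if name in IOC_FILENAMES:
            reasons.append("known malicious file name")
        if name in REVIEW_FILENAMES:
            reasons.append("review: name shared with a legitimate root tool")
        if any(d in IOC_DIRS for d in parts[:-1]):
            reasons.append("inside known staging directory")
        if any(_is_ioc_package(p) for p in parts):
            reasons.append("belongs to known malicious package")
        if reasons:
            hits.append((path, reasons))
    return hits


def check_boot_script(text):
    """Return [(line number, line)] for boot-script lines that start a hidden
    binary from /system/xbin or /system/bin, or name a known dropped file."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = re.split(r"[\s;&|]+", stripped)
        for tok in tokens:
            base = tok.rsplit("/", 1)[-1]
            if HIDDEN_SYSTEM_BIN.match(tok) or base in IOC_FILENAMES:
                flagged.append((lineno, stripped))
                break
    return flagged


if __name__ == "__main__":
    for path, reasons in sweep_paths(SAMPLE_PATHS):
        print(path, "->", "; ".join(reasons))
    for lineno, line in check_boot_script(SAMPLE_INSTALL_RECOVERY):
        print("install-recovery.sh:%d: %s" % (lineno, line))
```

Because the guard components restart each other, every reported path should be collected before any of them is removed, and the boot scripts should be restored from a known-good copy rather than edited in place.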