
How does an app with 3 million installs run malicious promotion and ranking manipulation?

Author: 阿里聚安全 (Alibaba JAQ Security)  Published: 2016-07-12 21:13:16
  • Background:

    As the number of apps on mobile app markets has exploded, getting an app promoted and seen has become harder and harder. Where there is demand there is a way to make money from it, so app ranking manipulation ("chart brushing") has naturally grown into an industry chain: it can inflate download and user counts sharply in a short time and thereby raise an app's exposure.


    Recently Ali Mobile Security found an app named "魔百Wi-Fi" (Mobai Wi-Fi); one of its official release builds bundles several pieces of malware whose purpose is to brush the rankings of apps on the Google Play store and to inflate the install counts of a large number of unknown apps. The malware roots the device while the screen is locked; once root succeeds it plants a "ranking zombie" into the system directory. The zombie maliciously inflates metrics for designated apps on Google Play, and it also tricks the user into installing a "downloader"; while the screen is on, the downloader pops up advertisement pages, and if the user touches the app promoted in an ad page it is installed and run automatically. The technique is quite mature: the root stage uses the most widely used public exploits (CVE-2014-3153 Towelroot, CVE-2015-3636 PingPong, the CVE-2013-6282 put_user bug and others), so every device shipped before October 2015 is affected. When we compared the malicious app's signing certificate we were surprised to find that it is not a repackaged copy: it is the vendor's own build.


    "魔百Wi-Fi" was first released at the end of 2015 and is pitched to users as a secure Wi-Fi tool; within just half a year it reached 3 million installs. We found that it has a professional app-promotion team: several promotional articles have been published on well-known domestic channels, and it cooperates with several domestic app stores. The figure below is a recent article from "魔百Wifi", which states: "to date, 魔百WiFi has more than 200 million hotspots at home and abroad, covering shopping malls and hotels, with all hotspots connected".

    Figure 1

     

    The current latest version of "魔百Wifi" is 2.3.18. Screening by the application's signing-certificate MD5 (5919ee638614c467152ab4d07c9cc2dc) shows that versions 2.3.5 to 2.3.10, signed with that same certificate, had the malicious code inserted by the official developer. Notably, the officially released version 2.3.8 was built as two different packages: one adds root privilege escalation and plants the "ranking zombie" into the system directory, and the other package, like the 2.3.10 build, bundles the "downloader" malware. A "魔百Wifi" build carrying the "ranking zombie" and the "downloader" uses its own user base to brush rankings and installs for other apps and thereby profits illegally. The following is an analysis of the root-capable 2.3.8 package of "魔百Wi-Fi".

    I. Main package analysis:

    The malware bundles several sub-packages; the relationships between the modules are shown below:

     

    Figure 2

    1. Decrypt sdk.data and __image under the assets directory. After decryption sdk.data is a directory containing MainJson.txt, dexhostinjection.jar and libDaemonProcess.so; __image is an APK file;

    2. Wake PushDexService and PushJobService to load dexhostinjection.jar and call the startExternalBody method of its com.hostinjectiondex.external.ExternalInterfaces class; the sub-package then downloads the "downloader" malware (the app named update) and lures the user into installing it.

    3. Start a background service that uses libgodlikelib.so to escalate to root; on success, write the libgodlikelib.so exploit library into the system library directory and plant the APK decrypted from __image into the system directory under the name AndroidDaemonFrame.apk, which is the "ranking zombie";

    II. Root privilege escalation

    This sample is a rewrite of the open-source run_root_shell project and can root every device released before October 2015. It mainly uses the following vulnerabilities for privilege escalation:

    (1) CVE-2012-4220
    Affected devices: Android 2.3 to 4.2
    Integer overflow in the implementation of the Qualcomm Innovation Center (QuIC) Diagnostics kernel-mode driver, diagchar_core.c. A local application that passes crafted input to diagchar_ioctl can exploit it to execute arbitrary code in the kernel or cause a denial of service.


    (2) /dev/graphics/fb0
    mmap vulnerability in the fb0 framebuffer device (triggered through the FBIOGET_FSCREENINFO ioctl).


    (3) /dev/hdcp
    mmap vulnerability in the hdcp device.


    (4) CVE-2013-6282
    Affected versions: Linux kernel 3.2.1, Linux kernel 3.2.2, Linux kernel 3.2.13
    The Linux kernel on ARM lacks access checks in get_user/put_user; a local attacker can read and write kernel memory and escalate privileges.


    (5) /dev/msm_acdb
    Qualcomm device vulnerability.


    (6) CVE-2013-2595
    mmap vulnerability in the Qualcomm /dev/msm_camera/config0 device.


    (7) CVE-2013-2094
    Affected versions: devices running Linux kernels before 3.8.9 built with PERF_EVENTS enabled.
    Through the perf_event_open system call a local user can obtain the highest system privileges.


    (8) CVE-2015-3636
    Affected devices: devices released before September 2015.
    "PingPong": a use-after-free in the Linux kernel's ping socket implementation.


    (9) CVE-2014-3153
    Affected devices: devices released before June 2014.
    Exploits the relock and requeue bugs in the futex_requeue, futex_lock_pi and futex_wait_requeue_pi functions to corrupt data on the kernel stack (Towelroot).


    After successfully escalating privileges on the device, the sample plants the decrypted __image into /system/priv-app under the name AndroidDaemonFrame.apk and copies the libgodlikelib.so exploit library into /system/lib. The figure below shows the escalation and the planting of the malicious files into the system directories.

    Figure 3

     

    III. AndroidDaemonFrame.apk, the "ranking zombie"

    The AndroidDaemonFrame app is the one decrypted by the main package and planted into the system directory. It is malware dedicated to ranking manipulation: it uses the account information on the user's device to turn the device into a "ranking zombie" that brushes rankings for whatever apps the C&C server designates. The workflow of the "ranking zombie" is as follows:

    Figure 4

    1. The C&C server configures keywords and package_name for the "ranking zombie".

    2. The "ranking zombie" authenticates to Google Play, using the Google Play account and password taken from the device or an authtoken.

    3. It emulates the Google Play protocol to search for, browse and download the target apps.

    The ranking-zombie malware runs its BootReceiver component on device boot, screen unlock and network change, then starts the core service DispatcherService, which creates the updateTask and googlePlayTask scheduled tasks.

    Figure 5

     

    The googlePlayTask scheduled task

    googlePlayTask runs every 3 hours and crawls the apps specified by keywords and package_name in the configuration file from Google Play. The figure below shows the root-level redirection of the device's account file.

    Figure 6

    The malware has two ways to pass Google Play authentication. The first uses the authtoken (authentication token); with it the malware does not have to send the password to Google's servers for every operation. Statement executed: sql.rawQuery("select type,authtoken from authtokens where type like 'com.android.vending%' and accounts_id=" + accounts_id, null). The second obtains the Google account's name, password and _id values. Statement executed: sql.rawQuery("select * from accounts where type = ?", new String[]{"com.google"}). See the figure below.

    Figure 7
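    To make concrete what the two statements above read, here is an added Python example (written for this edit; it is neither code from the original analysis nor from the malware). It builds a constructed in-memory copy of the Android AccountManager database (/data/system/accounts.db, reduced to the two tables and columns the queries touch, with fake values), runs the same two reads the "ranking zombie" performs, and shows why the authtoken path matters: a root-level read of that file yields a Play session token that can be replayed without ever touching the password. The table names and column names are the real ones; the data and the interpretation of the password column are assumptions noted in the comments.

```python
import sqlite3

# Constructed stand-in for the on-device AccountManager database /data/system/accounts.db.
# Only the two tables and columns the zombie reads are modelled; every value is fake.
SAMPLE_ACCOUNTS = [
    # _id, name, type, password
    (1, "victim@example.com", "com.google", "1//MASTER-TOKEN-CONSTRUCTED"),
    (2, "bob", "com.example.otherapp", None),
]
SAMPLE_AUTHTOKENS = [
    # _id, accounts_id, type, authtoken
    (1, 1, "com.android.vending", "VENDING-TOKEN-CONSTRUCTED"),
    (2, 1, "androidmarket", "MARKET-TOKEN-CONSTRUCTED"),
    (3, 1, "mail", "MAIL-TOKEN-CONSTRUCTED"),
    (4, 2, "com.android.vending", "NOT-A-GOOGLE-ACCOUNT"),
]


def build_sample_accounts_db():
    """Create the trimmed accounts.db schema in memory and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE accounts (_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                               type TEXT NOT NULL, password TEXT);
        CREATE TABLE authtokens (_id INTEGER PRIMARY KEY, accounts_id INTEGER NOT NULL,
                                 type TEXT NOT NULL, authtoken TEXT);
        """
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    db.executemany("INSERT INTO authtokens VALUES (?, ?, ?, ?)", SAMPLE_AUTHTOKENS)
    db.commit()
    return db


def harvest_play_credentials(db):
    """Replay the zombie's two reads (read-only) and return what it would learn.

    Second query of the article: 'select * from accounts where type = ?' with
    'com.google' yields name, password and _id. On real devices the 'password'
    column of a Google account usually holds a long-lived master token rather than
    a cleartext password (assumption; the article just calls the column password).
    First query, per account: 'select type,authtoken from authtokens where type like
    'com.android.vending%' and accounts_id=<id>' yields the Play token that lets the
    zombie talk to Google Play without sending the password again.
    """
    result = []
    rows = db.execute("SELECT _id, name, password FROM accounts WHERE type = ?",
                      ("com.google",)).fetchall()
    for account_id, name, password in rows:
        # The malware concatenates accounts_id into the SQL string; a bound
        # parameter is used here, the query itself is unchanged.
        tokens = db.execute(
            "SELECT type, authtoken FROM authtokens "
            "WHERE type LIKE 'com.android.vending%' AND accounts_id = ?",
            (account_id,),
        ).fetchall()
        result.append({"id": account_id, "name": name, "password": password,
                       "vending_tokens": dict(tokens)})
    return result


def play_replay_possible(harvested):
    """True if any harvested Google account carries a Play authtoken or a master
    token, i.e. the device can be driven as a ranking zombie without the user."""
    return any(h["vending_tokens"] or h["password"] for h in harvested)


if __name__ == "__main__":
    db = build_sample_accounts_db()
    harvested = harvest_play_credentials(db)
    for entry in harvested:
        print(entry)
    print("replay possible:", play_replay_possible(harvested))
```

    Note that the LIKE 'com.android.vending%' filter deliberately skips the older androidmarket token type and every non-Play token; only the Play token is needed for the search/browse/download emulation described next.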

    After connecting successfully to the Google Play servers, it uses the keywords and package_name supplied by the configuration file to perform app search, browse and download.

    Figure 8

    The current configuration file is shown below; the malware was found brushing the app whose package_name is com.felink.shine.

    Figure 9

    The malware fully emulates the Google Play download protocol, including setting the cookie (AndroidId + authToken), the User-agent (AndroidDownloadManager) and so on. The Google Play app download request flow is roughly as shown below (see http://github.com/egirault/googleplay-api/issues/30):

    Figure 10

    The GooglePlayRequester utility class of the "ranking zombie" emulates the above process to download apps from the Google Play store.

    IV. The sub-package dexhostinjection.jar

    The sub-package dexhostinjection.jar is obtained by decrypting the sdk_data file under the assets directory. It implements the following functions:

    4.1 Service keep-alive

    It parses the parameters passed by the main package: 000 (m_pkgname), 001 (m_class_name), 002 (m_sdk_data), 003 (libDaemonProcess) and 004 (1.apk). It uses the libDaemonProcess library to keep the service alive, executing am startservice at the native level to start the service passed by the main package, i.e. com.hostinjectionmain.control.DexService in the main package. See the figure below.

    Figure 11

    4.2 Downloading the "downloader" malware

    The app file passed by the main package as parameter 004 is copied to the device's sdcard/database directory under the name 5supdate.apk, and the files related to the "downloader" malware are set up in the same sdcard/database directory: actiondown records the package name and the service to start, actionsuk the app's most recent run time, install.ab the installation status of the apps promoted by the server, and mychannel the app's distribution channel. All of these files are stored AES-encrypted. actiondown records the downloader's package name and entry service:

    actiondown: {"downLoadPackageName":"com.android.ucgmap","downLoadVersionKey":1,"downLoadStartMethod":"com.android.ucgmap/com.android.ucgmap.AimService"}

    4.3 Luring the user into installing, and then starting, the "downloader"

    The sub-package dynamically registers receivers for the android.intent.action.PACKAGE_ADDED and android.intent.action.USER_PRESENT broadcasts. On the package-installed broadcast, if the package just installed is the "downloader" recorded in the downLoadPackageName field of actiondown, it reads the downLoadStartMethod field and starts the "downloader".

    Figure 12

    Two strategies are used to trick the user into installing the "downloader" (its app name is update): the default mode presents it as an app update and asks the user to tap install; the second, enabled by the server, pops up a fake system update and asks the user to tap install.

    Figure 13

    4.4 Sub-package self-update

    The sub-package's download link is not exposed directly; two hops of redirection sit in front of it. The configured next-hop address is http://dispatch.smartchoiceads.com/v2.1/2000, with the device's aid, imsi, gaid and Wi-Fi mac as parameters; both request and response data are entirely AES-encrypted. Based on the uploaded device information the server returns the URL assigned to this device, and the device then uses that address to download the apps the server promotes. In the figure below, a request to url_1 (http://dispatch.smartchoiceads.com/v2.1/2000) returns encrypted data; after AES decryption, the data value yields url_2, the server address this device should contact.

    Figure 14

    The decrypted data is {"upstream":"http://sdk.smartchoiceads.com"}, which gives the address of the next hop. Contacting that hop address downloads, loads and runs the latest sub-package. A request to the server-configured url_2 likewise returns AES-encrypted data, which decrypts to:

    {
      "solib_name": "libDaemonProcess.so",
      "download_url": "http://u.smartchoiceads.com/sdk/HostDex_20160623163035.jar",
      "classname": "com.hostinjectiondex.external.ExternalInterfaces",
      "filename": "dexhostinjection.jar",
      "start_method": "startExternalBody",
      "solib_url": "http://u.smartchoiceads.com/sdk/libDaemonProcess_20160520175142.so",
      "stop_method": "stopExternalBody",
      "request_interval": "1800",
      "version": "8"
    }

    Based on the decrypted fields it downloads the new version of the dexhostinjection.jar package and the native library; at the time of writing the latest version on the server is dexhostinjection_8.jar. The sub-package then sends the com.injection.action.RELOAD_DEX intent to the main package's DexService, which loads the updated sub-package.

    Figure 15

    V. Analysis of the "downloader"

    The 5supdate.apk downloaded by the sub-package dexhostinjection.jar is stored under sdcard/database; it is the installer of the "downloader" malware, and the user is tricked into installing it through a fake app update or system update. After installation, dexhostinjection.jar starts the "downloader"'s exported service AimService. The workflow of the "downloader" is shown below:

    Figure 16

     

    5.1 The ChatActivity component: forcing device-administrator activation

    The parameters with which dexhostinjection.jar starts the app cause the ChatActivity component to run. ChatActivity requests device-administrator activation; once the user activates it, the app becomes very hard to uninstall. When the user tries to deactivate device administration, AdminReciver locks the screen and jumps back to the home screen.

    Figure 17

     

    5.2 The AimService component

    1. Loads the target.jar sub-package, which keeps the "downloader"'s core service AimService from being killed.

    2. Starts ApsService, a cloud push service component; it registers an alarm broadcast that fires every 10 minutes and is handed to ApsAdReceiver for processing.

    Figure 18

    3. onStartCommand handles intent messages, including:

        a) com.injection.action.RELOAD_DEX: update the target.jar sub-package;

        b) com.injection.action.stopJobService: stop the JobScheduler and kill its own process;

        c) -a com.android.startadmin --es isadmin true: wake the ChatActivity component to activate device administration. This intent is sent to AimService by dexhostinjection.jar.

    5.3 Analysis of the "downloader"'s app pushing

    App download, installation and launch are performed jointly by ApsService and ApsAdReceiver. When the update app is running in the background and the screen is on, the "downloader" sends a request to the C&C server; the figure below shows the C&C request.

    Figure 19

    Every 10 minutes the "downloader" requests http://www.gamecpi.com/tapcash/com.android.ucgmap/control.json, which returns data of the following structure:

    {
      "isOpened": true,
      "isOpenHideNativeAd": true,
      "fid": "",
      "fnid": "558734714274962_641985812616518",
      "aid": "ca-app-pub-2499265864844132/2514086206",
      "bnid": 660078,
      "solaid": 5011,
      "soltid": 1000171,
      "ad_interval": 10,
      "no_ad_start": 0,
      "no_ad_end": 6
    }

    This structure describes the app currently being promoted; it is then passed through a message handler to the startAdWork function.

    Figure 20

     

    Every 120 minutes it asks the C&C server for a promoted app to download, via http://www.gamescpa.com/SDKManager/cpa/downloadlink.php?country=cn&packageName=com.android.ucgmap. The C&C server returns the pushed app's information: packgae (the app's package name), url (the download link) and size (the app size). The response is handed to the message handler, which downloads and installs the app.

    Figure 21

    Combined with the previously registered alarm broadcast receiver ApsAdReceiver, this completes the launch of the promoted app.

    Figure 22
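    The two-hop dispatcher of section 4.4 and the two polling loops of section 5.3 leave a recognisable footprint in egress logs. The following added Python example (written for this edit, not code from the original analysis) classifies proxy log lines against the hosts and paths named above, pulls the downloader package name out of the control.json and downloadlink.php requests, and measures the beacon interval per client, which the article gives as 10 minutes for control.json and 120 minutes for downloadlink.php. The log format and every client address and timestamp are constructed; the request path for the sdk.smartchoiceads.com hop is not given in the analysis, so "/" stands in for it.

```python
import re
import statistics
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: "<UTC time> <client> <method> <host> <path>" per line.
# Hosts and paths are those named in sections 4.4 and 5.3; clients and times are made up.
SAMPLE_LOG = """\
2016-07-01T08:00:00Z 10.0.0.7 POST dispatch.smartchoiceads.com /v2.1/2000
2016-07-01T08:00:02Z 10.0.0.7 POST sdk.smartchoiceads.com /
2016-07-01T08:00:05Z 10.0.0.7 GET u.smartchoiceads.com /sdk/HostDex_20160623163035.jar
2016-07-01T08:00:09Z 10.0.0.7 GET u.smartchoiceads.com /sdk/libDaemonProcess_20160520175142.so
2016-07-01T08:10:00Z 10.0.0.7 GET www.gamecpi.com /tapcash/com.android.ucgmap/control.json
2016-07-01T08:20:00Z 10.0.0.7 GET www.gamecpi.com /tapcash/com.android.ucgmap/control.json
2016-07-01T08:30:00Z 10.0.0.7 GET www.gamecpi.com /tapcash/com.android.ucgmap/control.json
2016-07-01T08:40:00Z 10.0.0.7 GET www.gamecpi.com /tapcash/com.android.ucgmap/control.json
2016-07-01T10:00:00Z 10.0.0.7 GET www.gamescpa.com /SDKManager/cpa/downloadlink.php?country=cn&packageName=com.android.ucgmap
2016-07-01T08:15:00Z 10.0.0.9 GET www.example.com /index.html
"""

# (rule name, host pattern, path pattern). A capturing group in the path pattern, or the
# packageName query parameter, identifies which downloader package the request belongs to.
RULES = [
    ("dispatch_hop1", re.compile(r"^dispatch\.smartchoiceads\.com$"), re.compile(r"^/v2\.1/\d+")),
    ("dispatch_hop2", re.compile(r"^sdk\.smartchoiceads\.com$"), re.compile(r"^/")),
    ("subpackage_update", re.compile(r"^u\.smartchoiceads\.com$"), re.compile(r"^/sdk/.+\.(?:jar|so)$")),
    ("downloader_control", re.compile(r"^www\.gamecpi\.com$"), re.compile(r"^/tapcash/([\w.]+)/control\.json$")),
    ("downloader_fetch", re.compile(r"^www\.gamescpa\.com$"), re.compile(r"^/SDKManager/cpa/downloadlink\.php")),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return a hit dict for a log line that matches one of RULES, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, host, target = m.groups()
    parts = urlsplit(target)
    for name, host_re, path_re in RULES:
        if not host_re.match(host):
            continue
        pm = path_re.match(parts.path)
        if not pm:
            continue
        package = pm.group(1) if pm.groups() else None
        if package is None:
            package = parse_qs(parts.query).get("packageName", [None])[0]
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        return {"time": when, "client": client, "rule": name,
                "package": package, "target": host + target}
    return None


def scan(log_text):
    """All matching hits, ordered by client, rule and time."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    hits.sort(key=lambda h: (h["client"], h["rule"], h["time"]))
    return hits


def beacon_intervals(hits):
    """Median seconds between consecutive hits per (client, rule); needs at least 2 hits."""
    series = {}
    for h in hits:
        series.setdefault((h["client"], h["rule"]), []).append(h["time"])
    out = {}
    for key, times in series.items():
        times.sort()
        if len(times) >= 2:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            out[key] = statistics.median(gaps)
    return out


def report(log_text):
    """Per client: rules matched, downloader packages seen, and beacon medians."""
    hits = scan(log_text)
    by_client = {}
    for h in hits:
        c = by_client.setdefault(h["client"], {"rules": set(), "packages": set(), "beacons": {}})
        c["rules"].add(h["rule"])
        if h["package"]:
            c["packages"].add(h["package"])
    for (client, rule), median in beacon_intervals(hits).items():
        by_client[client]["beacons"][rule] = median
    return by_client


if __name__ == "__main__":
    for client, summary in report(SAMPLE_LOG).items():
        print(client, summary)
```

    A single hit on dispatch.smartchoiceads.com is already worth an alert; the 600-second median on control.json is what distinguishes the downloader's polling from a one-off visit, and the package name carried in the path tells you which installed app to pull for analysis.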

     

    VI. Sample SHA1s:

          01b3e575791642278b7decf70f5783ecd638564d
          5900fabbe36e71933b3c739ec62ba89ac15f5453
          7ebdd80761813da708bad3325b098dac9fa6e4f5
          ea781498268ced8dbb892d02aeaad23f4b87a510
          44e81be6f7242be77582671d6a11de7e33d19aca
          34b7b38ce1ccdd899ae14b15dd83241584cee32b
          74a55e9ea67d5baf90c1ad231e02f6183195e564
          4e5af777fe28f450a670e789b23fb3669dc6e6b6
          d59f97297de38db7f85349c9486413e914ff35b5
          b219db613284a3dd0e87edea67da744be59e7732
          9b9109ecfa38d9664084a513392ffc3f41349f02
          2b1da376212e63cb25a19900642c4bbca6e49c01
          18d9546193a354aec0c76d141dd66fbf99181bad
          63c20ee3c1e1b39921d2b3d86aade39de738ea9b
          5d2a08d7c1f665ea3affa7f9607601ffae387e8b
          70105591ea9f2b42534062278f31dbf9788575b3
          78e9c7e0510b0c28abf28dd46910ab14c56ab4df
          88745ecb3114fc0539ca05db388e1c77d3e76109
          885fe0dca39d0fe281aad78cbce2fb73f27f3aea
          50bdc0195ed3c6f9909e62d4926f26d312cc39fa
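    The hashes above and the planted paths from sections II and 4.2 (/system/priv-app/AndroidDaemonFrame.apk, /system/lib/libgodlikelib.so and the sdcard/database staging files) are the artefacts an incident responder would sweep a pulled filesystem for. The following added Python example (written for this edit, not a tool from the original analysis) does that sweep over an extracted directory tree: it checks the known paths and hashes every regular file against the SHA1 set. The sample tree it builds in a temporary directory is constructed, its contents are stand-ins, and the data/app install path used for the downloader is an assumption for the sample only.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Files the analysis says are planted or staged, relative to the device filesystem root.
IMPLANT_PATHS = (
    "system/priv-app/AndroidDaemonFrame.apk",  # "ranking zombie" planted after root
    "system/lib/libgodlikelib.so",             # root-exploit library copied into /system/lib
    "sdcard/database/5supdate.apk",            # staged "downloader" installer
    "sdcard/database/actiondown",              # AES-encrypted downloader config files
    "sdcard/database/actionsuk",
    "sdcard/database/install.ab",
    "sdcard/database/mychannel",
)

# SHA1 hashes from section VI of the analysis (the one duplicated entry listed once).
KNOWN_SHA1 = frozenset("""
01b3e575791642278b7decf70f5783ecd638564d 5900fabbe36e71933b3c739ec62ba89ac15f5453
7ebdd80761813da708bad3325b098dac9fa6e4f5 ea781498268ced8dbb892d02aeaad23f4b87a510
44e81be6f7242be77582671d6a11de7e33d19aca 34b7b38ce1ccdd899ae14b15dd83241584cee32b
74a55e9ea67d5baf90c1ad231e02f6183195e564 4e5af777fe28f450a670e789b23fb3669dc6e6b6
d59f97297de38db7f85349c9486413e914ff35b5 b219db613284a3dd0e87edea67da744be59e7732
9b9109ecfa38d9664084a513392ffc3f41349f02 2b1da376212e63cb25a19900642c4bbca6e49c01
18d9546193a354aec0c76d141dd66fbf99181bad 63c20ee3c1e1b39921d2b3d86aade39de738ea9b
5d2a08d7c1f665ea3affa7f9607601ffae387e8b 70105591ea9f2b42534062278f31dbf9788575b3
78e9c7e0510b0c28abf28dd46910ab14c56ab4df 88745ecb3114fc0539ca05db388e1c77d3e76109
885fe0dca39d0fe281aad78cbce2fb73f27f3aea 50bdc0195ed3c6f9909e62d4926f26d312cc39fa
""".split())

# Constructed sample tree: stand-in contents, not real samples. The data/app path is assumed.
SAMPLE_FILES = {
    "system/priv-app/AndroidDaemonFrame.apk": b"PK\x03\x04 constructed zombie stand-in",
    "data/app/com.android.ucgmap-1/base.apk": b"PK\x03\x04 constructed downloader stand-in",
    "system/lib/libc.so": b"\x7fELF constructed benign library",
}
SAMPLE_DROPPED_SHA1 = hashlib.sha1(SAMPLE_FILES["data/app/com.android.ucgmap-1/base.apk"]).hexdigest()


def build_sample_tree():
    """Write SAMPLE_FILES under a fresh temporary directory and return its root."""
    base = Path(tempfile.mkdtemp(prefix="mobai_sweep_"))
    for rel, content in SAMPLE_FILES.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return base


def sha1_of(path, chunk_size=1 << 20):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, known_sha1=KNOWN_SHA1, implant_paths=IMPLANT_PATHS):
    """Scan an extracted filesystem tree (e.g. pulled /system and /sdcard).

    Returns a list of {"path", "sha1", "reasons"} sorted by path, where reasons is a
    sorted subset of ["known_path", "known_sha1"]. Symlinks are not followed, so a
    looping tree cannot hang the scan and a link cannot smuggle a file out of the tree.
    """
    root = Path(root)
    findings = {}

    def add(rel, reason, digest):
        entry = findings.setdefault(rel, {"path": rel, "sha1": digest, "reasons": set()})
        entry["reasons"].add(reason)

    for rel in implant_paths:
        p = root / rel
        if p.is_file() and not p.is_symlink():
            add(rel, "known_path", sha1_of(p))
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digest = sha1_of(p)
            if digest in known_sha1:
                add(p.relative_to(root).as_posix(), "known_sha1", digest)
    out = sorted(findings.values(), key=lambda e: e["path"])
    for e in out:
        e["reasons"] = sorted(e["reasons"])
    return out


if __name__ == "__main__":
    for finding in sweep(build_sample_tree(), known_sha1=KNOWN_SHA1 | {SAMPLE_DROPPED_SHA1}):
        print(finding)
```

    Run it against the directory into which you pulled /system and /sdcard (for example with adb pull); a path hit with an unknown hash is exactly what a recompiled or updated build of the same implant looks like, so treat both reason kinds as findings.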

    VII. Summary

    The malicious app distributes its malicious builds through version updates; once the "ranking zombie" and the "downloader" have been delivered, another version update replaces them with the clean version that is online, which is how it survives for a long time on the major app markets. Ali Mobile Security advises users to pick branded apps from major vendors when downloading this kind of app, to be careful about tapping push advertisements inside software, not to tap apps of unknown origin casually, and to scan for malware regularly with a mobile security product such as Ali Qiandun (阿里钱盾).

    Authors: 逆巴, 如凌 @ 阿里聚安全. For more technical articles, visit the 阿里聚安全 blog.
