
How Your App Gets Replaced: An Analysis of App-Hijacking Malware

Author: Ali Mobile Security   Published: 2016-04-19 21:18:18

1. What is app hijacking

App hijacking means that an app's execution flow is redirected. It can be subdivided into Activity hijacking, installation hijacking, traffic hijacking, function-execution hijacking and so on. This article analyzes recent malware that performs Activity hijacking and installation hijacking.

2. Analysis of Activity-hijacking malware

2.1 What Activity hijacking is

Activity hijacking works as follows: when an app brings up a window component (an Activity), a malicious app running in the background notices it. If that window is one of the targets the malware has been configured to attack, the malicious app launches its own counterfeit copy of the screen on top of the genuine one. The user, noticing nothing, types in their login credentials, and the malware sends the captured data back to its server.

Take the MazarBOT spyware Trojan as an example. Trojans of this kind share the following traits:

Disguises itself as the system SMS app; once launched it asks for device-administrator rights and then hides its icon;
Talks to its C&C server anonymously over Tor, which defeats traffic analysis;
Receives C&C commands for controlling the phone, for "update html", and for collecting information;
Fetches htmlData dynamically from the server and uses it to hijack the user interface and harvest account credentials.

Figure: C&C command list

We found that this Trojan receives and processes a complete set of C&C commands and that it uses Tor for its network communication, so the source and destination of the traffic are never directly linked by a single path, which makes tracing the attacker's identity harder. Next we analyze the Trojan's UI-hijacking process in detail.

2.2 The UI-hijacking process

To map the entry points we start with the axml file (the decoded AndroidManifest). The WorkerService service handles the "update html" command sent down by the C&C server and, at the same time, monitors in the background which Activity is currently on top. If the top Activity belongs to a targeted app, it launches the InjDialog Activity to hijack the screen.

Figure: axml information

The figure below shows how the background service monitors the top Activity; when it belongs to a targeted app, InjDialog is started to hijack it. The getTop function contains compatibility code so that the Trojan can still obtain the package name of the top Activity on devices running Android 5.0 and above (from API 21, ActivityManager.getRunningTasks() only reports the caller's own task, so a separate code path is needed there).

Figure: background monitoring

The InjDialog Activity loads the forged HTML login screen in a WebView and calls webView.setWebChromeClient(new HookChromeClient()) to wire up the bridge between the HTML page and Java. The forged HTML page calls prompt() to hand the user's input from JavaScript to Java; the HookChromeClient class overrides onJsPrompt, processes the input, and finally uploads the stolen credentials anonymously over Tor to a designated domain.

Figure: capturing user information

Figure: uploading the captured information
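The prompt()/onJsPrompt bridge described above, written out as an added example. This is not code recovered from the MazarBOT sample: the class names (InjDialog, HookChromeClient), the JSON message format and the constructed HTML page are assumptions chosen to match the article's description, and a log line stands in for the Tor upload.

```java
// Added example, not the sample's own code. Shows how a forged page loaded in a
// WebView passes typed credentials to Java through window.prompt(), which Android
// delivers to WebChromeClient.onJsPrompt(). Names and the JSON format are assumed.
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.webkit.JsPromptResult;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import org.json.JSONException;
import org.json.JSONObject;

public class InjDialog extends Activity {
    // Constructed forged login page. The form never posts to a server: on submit it
    // serialises the fields and hands them to Java via prompt(); Java answers "ok".
    private static final String FORGED_HTML =
          "<html><body><form onsubmit='return send()'>"
        + "<input id='u' placeholder='account'>"
        + "<input id='p' type='password' placeholder='password'>"
        + "<input type='submit' value='Login'></form>"
        + "<script>function send(){"
        + "var msg=JSON.stringify({cmd:'creds',"
        + "user:document.getElementById('u').value,"
        + "pass:document.getElementById('p').value});"
        + "prompt(msg);return false;}</script></body></html>";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        // The bridge: every prompt() call in the page ends up in HookChromeClient.
        webView.setWebChromeClient(new HookChromeClient());
        webView.loadDataWithBaseURL(null, FORGED_HTML, "text/html", "UTF-8", null);
        setContentView(webView);
    }

    static class HookChromeClient extends WebChromeClient {
        @Override
        public boolean onJsPrompt(WebView view, String url, String message,
                                  String defaultValue, JsPromptResult result) {
            try {
                JSONObject msg = new JSONObject(message);
                if ("creds".equals(msg.optString("cmd"))) {
                    String user = msg.getString("user");
                    String pass = msg.getString("pass");
                    // In the sample this is the point where the pair is queued for the
                    // Tor upload; here it is only logged (password length, not value).
                    Log.d("InjDialog", "captured account=" + user + " pwlen=" + pass.length());
                    result.confirm("ok");   // becomes prompt()'s return value in JS
                    return true;            // handled: Android shows no prompt dialog
                }
            } catch (JSONException e) {
                // Not a bridge message: fall through and dismiss it.
            }
            result.cancel();
            return true;
        }
    }
}
```

Returning true from onJsPrompt is what keeps the bridge invisible: the WebView never renders a system prompt dialog, so nothing on screen hints that the page is talking to native code. When reversing a suspicious APK, a WebChromeClient whose onJsPrompt parses structured messages and a loadDataWithBaseURL() of HTML fetched from the network are the two markers to look for.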

3. Analysis of installation-hijacking malware

3.1 What installation hijacking is

Installation-hijacking malware attacks by listening for the android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REPLACED intents. It uses one of two methods: either it uninstalls the APK the user genuinely installed and replaces it with an app forged by the attacker, or it uses the "an app is being installed" event as cover to quietly install other apps it is paid to promote. It is as if the "Six Walnuts" drink you usually buy one day turned out to contain seven walnuts.

3.2 The sample

The app is named "Flash Light", package name com.gouq.light (its icon is shown in the original figure).

3.3 Main components

App: the Application class. It loads an encrypted jar from the assets directory and obtains an ExchangeImpl object; the jar implements the interface methods onApplicationCreate, triggerReceiver and triggerTimerService. It starts the core service LightService.

LightService: the core service. It can be invoked externally to start LightTiService, which renames its process, and it uses am (the activity-manager shell command) to start services so that it keeps itself alive.

LightTiService: started by LightService. It calls the triggerTimerService method in the dynamically loaded jar, which deletes installed apps, uploads information about the device, and downloads the apps to be installed from the server.

AppReceiver: a broadcast receiver implemented through the triggerReceiver method in the loaded jar. It handles the android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REPLACED intents, checks whether the installed or updated app is a hijack target, and if so carries out the installation hijack via execCmd.

The figure below shows the installation-hijacking flow: by listening for app installs and updates, the malware silently installs the other apps it is associated with.

Figure: installation hijacking

The figure shows that this malicious app rides on the install or update intent to install its preset associated apps. Once installation finishes, the user is no longer sure which app they actually installed, which raises the odds that the promoted app gets opened and run.
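The broadcast parsing that the AppReceiver above performs, written out as an added example from the defender's side rather than the malware's. This is not the Flash Light sample's own code: InstallMonitor, the InstallEvent type and the manifest snippet in the comment are assumptions. The receiver records which package was installed or updated and by whom, which is what exposes a silent install that arrives right after a user-initiated one.

```java
// Added example, not code from the sample. Parses PACKAGE_ADDED / PACKAGE_REPLACED
// the way the article's AppReceiver does, but only records the event.
// The manifest entry (assumed) must carry the <data> line or the filter never matches:
//   <receiver android:name=".InstallMonitor" android:exported="true">
//     <intent-filter>
//       <action android:name="android.intent.action.PACKAGE_ADDED"/>
//       <action android:name="android.intent.action.PACKAGE_REPLACED"/>
//       <data android:scheme="package"/>
//     </intent-filter>
//   </receiver>
// Apps targeting Android 8.0+ no longer get these two broadcasts through the manifest;
// they must register the same filter at runtime from a running component (see filter()).
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.Uri;
import android.util.Log;

public class InstallMonitor extends BroadcastReceiver {
    static final String TAG = "InstallMonitor";

    // What a single broadcast tells us.
    static final class InstallEvent {
        final String pkg;        // package that was installed or updated
        final boolean update;    // true for PACKAGE_REPLACED
        final String installer;  // installer package, or null for shell / unknown
        InstallEvent(String pkg, boolean update, String installer) {
            this.pkg = pkg; this.update = update; this.installer = installer;
        }
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        InstallEvent ev = parse(context, intent);
        if (ev == null) return;
        // An install attributed to a third-party app (or to nobody) that lands seconds
        // after one the user made is the "seventh walnut" the article describes.
        Log.i(TAG, (ev.update ? "updated " : "installed ") + ev.pkg
                + " installer=" + ev.installer);
    }

    // Returns null for broadcasts to ignore. PACKAGE_ADDED is also sent at the start of
    // an update with EXTRA_REPLACING=true and is followed by PACKAGE_REPLACED, so the
    // first of the pair is dropped and an update is reported exactly once.
    static InstallEvent parse(Context ctx, Intent intent) {
        String action = intent.getAction();
        boolean added = Intent.ACTION_PACKAGE_ADDED.equals(action);
        boolean replaced = Intent.ACTION_PACKAGE_REPLACED.equals(action);
        if (!added && !replaced) return null;
        if (added && intent.getBooleanExtra(Intent.EXTRA_REPLACING, false)) return null;
        Uri data = intent.getData();                 // package:<name>
        if (data == null) return null;
        String pkg = data.getSchemeSpecificPart();
        String installer = null;
        try {
            installer = ctx.getPackageManager().getInstallerPackageName(pkg);
        } catch (IllegalArgumentException e) {
            // package vanished between broadcast and query
        }
        return new InstallEvent(pkg, replaced, installer);
    }

    // Filter for Context.registerReceiver() on Android 8.0+ (assumed to be called
    // from a long-lived service); addDataScheme("package") is as mandatory here as
    // the <data> element is in the manifest.
    static IntentFilter filter() {
        IntentFilter f = new IntentFilter();
        f.addAction(Intent.ACTION_PACKAGE_ADDED);
        f.addAction(Intent.ACTION_PACKAGE_REPLACED);
        f.addDataScheme("package");
        return f;
    }
}
```

The same parse() is all the malware needs to decide whether the package the user just installed is on its target list; the difference is only what happens next.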

4. How to defend against app hijacking

For enterprise users:

For a mobile app developer, the simplest defense against UI hijacking is to check, in the onPause method of critical Activities such as the login screen, whether the Activity now in the foreground belongs to your own app or to a system app.
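The onPause() check just described, as an added example (this is not code from Alibaba's Security Component SDK; LoginActivity and the warning text are assumptions). It goes beyond the article's one-line recipe in two ways: it uses ActivityManager.getRunningTasks() only before Android 5.0, where that call still reports other apps' tasks, and falls back to UsageStatsManager afterwards, which requires the PACKAGE_USAGE_STATS permission granted by the user in Settings.

```java
// Added example, not the SDK's code. Warns the user when the login screen is pushed
// to the background by an app that is neither ourselves nor a system app.
import android.app.Activity;
import android.app.ActivityManager;
import android.app.usage.UsageStats;
import android.app.usage.UsageStatsManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.widget.Toast;
import java.util.List;

public class LoginActivity extends Activity {

    @Override
    protected void onPause() {
        super.onPause();
        // onPause() fires when another Activity takes the foreground; find out whose.
        String top = foregroundPackage(this);
        if (!isSelfOrSystem(this, top)) {
            // Toasts are system windows, so this is drawn above the hijacker's screen.
            Toast.makeText(this, "Warning: the login screen was covered by " + top,
                    Toast.LENGTH_LONG).show();
        }
    }

    // Package that owns the foreground right now. Before API 21 getRunningTasks()
    // answers directly (needs GET_TASKS); from API 21 it only returns our own task,
    // so UsageStatsManager is queried instead. Android 11+ additionally needs a
    // <queries> element or QUERY_ALL_PACKAGES for other packages to be visible.
    @SuppressWarnings("deprecation")
    static String foregroundPackage(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
            ActivityManager am = (ActivityManager) ctx.getSystemService(Context.ACTIVITY_SERVICE);
            List<ActivityManager.RunningTaskInfo> tasks = am.getRunningTasks(1);
            if (tasks == null || tasks.isEmpty()) return null;
            ComponentName top = tasks.get(0).topActivity;
            return top == null ? null : top.getPackageName();
        }
        UsageStatsManager usm = (UsageStatsManager) ctx.getSystemService(Context.USAGE_STATS_SERVICE);
        long now = System.currentTimeMillis();
        // Without PACKAGE_USAGE_STATS this list is empty and we return null.
        List<UsageStats> stats = usm.queryUsageStats(UsageStatsManager.INTERVAL_DAILY, now - 10_000, now);
        if (stats == null) return null;
        UsageStats latest = null;
        for (UsageStats s : stats) {
            if (latest == null || s.getLastTimeUsed() > latest.getLastTimeUsed()) latest = s;
        }
        return latest == null ? null : latest.getPackageName();
    }

    // The article's rule: only our own package or a system app may take the foreground.
    static boolean isSelfOrSystem(Context ctx, String pkg) {
        if (pkg == null) return true;   // could not determine; avoid a false alarm
        if (pkg.equals(ctx.getPackageName())) return true;
        try {
            ApplicationInfo ai = ctx.getPackageManager().getApplicationInfo(pkg, 0);
            return (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}
```

Two caveats a practitioner should keep in mind: the check only fires if the hijacker actually pauses the login Activity (a full-screen Activity does; an overlay window added through WindowManager with a system-alert type does not), and it detects the hijack after the fact rather than preventing it, so it is a warning, not a control.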

Of course, specialist work is best left to specialists. The Security Component SDK offered by Alibaba JAQ (阿里聚安全) provides secure signing, secure encryption, secure storage, emulator detection, anti-debugging, anti-injection, anti-Activity-hijacking and related features. A developer only needs to integrate the SDK to address the login-window hijacking by Trojans described above, reducing losses for users and enterprises.

For individual users:

Install Ali Qiandun (阿里钱盾) to protect your apps from app-hijacking Trojans.

Author: 逆巴 @ Ali Mobile Security. For more technical articles, see the Alibaba JAQ blog.
