How your app is replaced, app hijacking virus profiling

I. Introduction of APP hijacking virus

App hijacking refers to the execution process is redirected, but also can be divided into activity hijacking, installation hijacking, traffic hijacking, function execution hijacking and so on. This article will analyze the recent use of acticity hijacking and installation of hijacked viruses.

two. Activity Hijacking virus Analysis2.1 Activity Hijacking virus Introduction

Activity hijacking means that when a window component is launched, it is detected by malicious application, if the window interface is a malicious program preset attack object, the malicious application will launch its own phishing interface to overwrite the original interface, the user is unaware of the situation to enter the login information, the malicious program in the acquisition of data back to the server.

Take Mazarbot Spy Trojan For example, this kind of Trojan has a few characteristics:

• Disguised as a system SMS application, the activation of the request to activate the device management rights, and then hide the icon;
• Use Tor to communicate anonymously with the C&c control center to withstand traffic analysis;
• C&C Control Center issued instructions for mobile phone control, update HTML, and information collection;
• The server dynamically obtains the HTMLData, then implements the interface hijacking, obtains the user account information;

The following is a list of C&c control Center directives:

We found that the Trojan can accept and process a complete set of c&c control instructions, and use Tor for anonymous network communication, so that the source of traffic data and destination is not a path directly connected to increase the difficulty of the attacker's identity back. We will analyze the Trojan interface hijacking process in detail.

2.2 Interface Hijacking process analysis:

The entry comb first sees the Axml file. Workerservice Service Processing C&c Control center issued by the "Update HTML" command, while the background monitoring activity on the top level, if the application to be hijacked will start Injdialog acticity for page hijacking.

Figure Axml Information

is the background service to the top-level acticity monitoring process, if the application to be hijacked to start injdialog hijacking. gettop function to do code compatibility processing, more than 5.0 of the device Trojan can also get the top-level acticity package name.

Figure Background Monitoring

Injdialog activity loads a forged HTML application interface via WebView, calling Webview.setwebchromeclient (New Hookchromeclient ()) to set up an HTML page to interact with Java. In the forged HTML page call prompt the user input information in JS passed to the Java,hookchromeclient class rewrite Onjsprompt method, processing user input information, and finally the hijacked user information via Tor anonymously uploaded to the specified domain name.

Figure Hijacking User Information

Image upload hijacking information

three. Application installation hijacking virus Analysis3.1 Installing the hijacked virus introduction

Install the hijacking virus by monitoring the Android.intent.action.PACKAGE_ADDED and Android.intent.action.PACKAGE_REPLACED intent to implement the attack, including two ways, One is to uninstall and remove the APK that was actually installed, replace it with an attacker-forged app, and the other is to use the message that the user is installing and quietly install the other apps that you've promoted. This process is like the "six walnuts" you normally drink, and one day you actually drink "seven walnuts".

3.2 Application-related information

The app is an app called "Flashlight", the package name: Com.gouq.light, and the app icon is as follows:

3.3 Main Component Analysis

. App application class, load Assest directory encrypted jar package, get interface Exchangeimpl object, implement Interface function in Jar onapplicationcreate, Triggerreceiver, Triggertimerservice; start the core service lightservice;

. Lightservice Application Core Service, can call start lighttiservice externally, reach the replacement process name, and am start service to self-keepalive;

. Lighttiservice is initiated by Lightservice, the service invokes the Triggertimerservice interface method in the dynamic load package, completes the deletion of the installation application, uploads the current device information, and downloads the application to be installed from the server;

. The Appreceiver broadcast receiver, implemented by the Triggerreceiver interface method in the loaded jar package, handles Android.intent.action.PACKAGE_ Added and Android.intent.action.PACKAGE_REPLACED intent see if the installation and the new app are hijacking applications, or if the installation is hijacked through ExecCmd.

Install the hijacking process and implement a silent installation of the associated other apps by listening to the app's installation and updates.

Figure Installation Hijacking

You can know that this malicious app borrows the installation or update intent, installs the preset affiliate app, so that after the installation is complete, the user is not sure which is the newly installed application, which increases the chances of using click-to-run.

Four. How to effectively prevent app hijacking or security recommendations

For enterprise users:

As a mobile app developer, the easiest way to protect your app from being hijacked by the interface is to detect whether the most front-end activity application is itself or a system application in the OnPause method of key activity such as the login window.

Of course, the operation industry has specialized, professional things to the professional people to do. Ali Poly Security Products Security Components SDK has security signature, security encryption, secure storage, simulator detection, anti-debugging, anti-injection, anti-activity hijacking and other functions. Developers need to simply integrate the security Components SDK can effectively solve the above login window by Trojan virus hijacking problem, thereby helping users and businesses to reduce losses.

For individual users:

Install Ali Money Shield protection app from app hijacking Trojan threat.

Anti-Baba @ Ali Mobile Security, more technical articles, please click the Ali Poly Security Blog

How your app is replaced, app hijacking virus profiling