One SMS Trojan tracking and analysis

Source: Internet
Author: User

Virus features

Program name: Photo Album Image

Package name: com.net.cn

Program size: 323 K (331,603 bytes)

Mobile phone hardware: MI3/China Mobile

Security software: LBE Security Master / Zjdroid hook plug-in

Analysis process

1. Sends SMS/email upon opening

After the program is installed, LBE Security Master flags it as a virus and lists the specific hazards; a prominent warning is displayed on the main screen, as shown in:

From the hazards listed by LBE Security Master it is clear that the app requests many sensitive system permissions, as shown in:

When the program is opened, LBE Security Master reports that it is silently sending a text message and shows the recipient number and message body. The message content is "6-" followed by the phone's IMEI. For example:

Looking at the program's main Activity, starting with its onCreate() method:

The recipient phone number is stored in the pnoneNumber string field of the Consesdrqwe31ants class:

These values are stored encrypted in the native .so library, but with a simple static injection the plaintext account, password and recipient phone number are easily recovered, as follows:

With the account and password, we can log in to the 163 mailbox:

The login succeeds. The mailbox contains nothing but the forwarded data: phone numbers, device IDs and text message contents:

The text message content is assembled in the getInstallFlag method of the Asseyfgsdw12ets class, as follows:

2. The background Service obtains text messages and contacts.


3. Activate the Device Manager

The first screen shown when the user opens the sample is a prompt asking the user to select "Activate Device Manager", as shown in:


Once the user activates it, the program sits in the device administrator list in Settings. As an active device administrator the app can lock the screen and erase user data, and it cannot be removed through the normal uninstall flow.

To act as a device administrator, an Android app must register a broadcast receiver (a DeviceAdminReceiver subclass) in AndroidManifest.xml. The code is as follows:

The corresponding method is in the main Activity, ClientActivity:

After clicking "Activate", a misleading dialog pops up, such as:

After clicking "OK" the user is returned to the home screen and finds that the program's icon is gone, which leads them to believe the phone is incompatible with the software and that it has uninstalled itself. In fact, it has started its monitoring mode in the background.

4. Boot auto-start permission
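As an added defender-side example (not code from this write-up), the following Python script scans a decoded AndroidManifest.xml for the indicators described in sections 1 to 4: the sensitive SMS, contact and boot permissions, the device-administrator receiver that the "Activate Device Manager" prompt enables, and a boot-completed receiver. The manifest text is constructed for illustration and the receiver class names are assumptions; only the package name comes from the write-up.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions the write-up ties to this sample: SMS theft, contact and
# call-log collection, and start-on-boot.
SUSPICIOUS_PERMS = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.RECEIVE_BOOT_COMPLETED",
}

def triage_manifest(xml_text):
    """Flag device-admin abuse indicators in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    device_admin = boot_receiver = False
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in recv.iter("action")}
        # A device-admin receiver is protected by BIND_DEVICE_ADMIN and
        # handles DEVICE_ADMIN_ENABLED; that is what the "Activate" prompt triggers.
        if (recv.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                and "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            device_admin = True
        if "android.intent.action.BOOT_COMPLETED" in actions:
            boot_receiver = True
    hits = sorted(SUSPICIOUS_PERMS & perms)
    # Admin rights combined with SMS/contact access is the pattern seen here.
    verdict = "high" if device_admin and hits else "medium" if device_admin or hits else "low"
    return {"package": root.get("package"), "permissions": hits,
            "device_admin": device_admin, "boot_receiver": boot_receiver,
            "verdict": verdict}

# Constructed manifest modelled on the write-up; not the sample's real file.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.net.cn">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Calling `triage_manifest(SAMPLE_MANIFEST)` returns a "high" verdict because the device-admin receiver appears together with SMS and contact permissions; a manifest with neither comes back "low".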

5. Log output exposes the monitoring behaviour

The log statement is located at:

Summary and removal method

By getting itself activated as a device administrator, this app starts a background service that steals the user's device information, text messages, call records, contacts and other private data and sends it out via SMS or email, collecting a large amount of data. The known recipient number is 18317050340; the email address is sha13049367853@vip.163.com, with password qq123123. A little human:

Because the program makes no attempt to detect or evade security software, removal is straightforward: let the security software scan for it and uninstall it. Note that an active device administrator must be deactivated in the device administrator settings before the normal uninstall will succeed.
