This paper studies the implementation of the antivirus module in versions 2.8 to 3.6 of the Anguanjia security app (package com.anguanjia.safe). Antivirus software generally scans in two ways: active scanning, which the user starts, and passive scanning, which is triggered by an event. Anguanjia's active scanning consists of a quick scan and a full scan, and both of them combine local scanning with cloud scanning.
Quick scan
The quick scan first obtains the list of all applications installed on the system. For each one it creates the file "/data/data/com.anguanjia.safe/classes.dex", unzips the APK to be scanned, reads the classes.dex entry from the package and writes its contents into that file.
It then computes the MD5 of "/data/data/com.anguanjia.safe/classes.dex" and deletes the file when it is done.
The resulting MD5 digest is MD5-hashed a second time, and that value is matched against the local signature database. The detection flow is shown below:
The GETMYPARAM11 function essentially appends (0x400 minus the length of the service string) zero bytes after the service string, so that it is padded to 0x400 bytes, and then Base64-encodes the result:
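The encoding just described, as an added Python example that is not the app's own code: pad the service string with zero bytes up to 0x400 bytes, then Base64-encode it. The reading "append 0x400 minus the string length zero bytes" is taken from the text above; the decoder is added so that a parameter seen in a packet capture can be read back, and the service name used is a constructed sample.

```python
import base64

PARAM_LEN = 0x400  # fixed padded length described in the text (1024 bytes)


def pad_service(service: str) -> bytes:
    """Append zero bytes after the UTF-8 service string until it is PARAM_LEN bytes long."""
    raw = service.encode("utf-8")
    if len(raw) > PARAM_LEN:
        raise ValueError("service string longer than 0x%x bytes" % PARAM_LEN)
    return raw + b"\x00" * (PARAM_LEN - len(raw))


def get_my_param11(service: str) -> str:
    """Zero-pad to 0x400 bytes and Base64-encode (my reconstruction of GETMYPARAM11)."""
    return base64.b64encode(pad_service(service)).decode("ascii")


def decode_my_param11(encoded: str) -> str:
    """Reverse the encoding: Base64-decode and strip the trailing zero padding."""
    padded = base64.b64decode(encoded)
    if len(padded) != PARAM_LEN:
        raise ValueError("unexpected decoded length %d" % len(padded))
    return padded.rstrip(b"\x00").decode("utf-8")


if __name__ == "__main__":
    # Constructed sample service name; the real string comes from the scanned app.
    sample = "com.example.scanned/.PayloadService"
    enc = get_my_param11(sample)
    print(len(enc), enc[:48] + "...")
    print(decode_my_param11(enc))
```

Because the padding is a fixed 1024 bytes and 1024 is 1 modulo 3, every encoded parameter is 1368 characters long and ends in "==", which is an easy way to recognise this field in a capture; nothing here is encryption, so the decoder recovers the service string directly.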
Log output captured while the app's scanning service runs:
When a virus is detected (L > 0), the Newapp table in the AppData database is updated:
Cloud scan
In the cloud scan, the package name, application name, certificate issuer, certificate serial number, MD5 of classes.dex, whether the app is a system application, and similar information for every installed application are uploaded to http://av.aqgj.cn/p/a1.php. Note that the endpoint is plain HTTP, so the uploaded application inventory and the returned verdicts are not protected in transit.
The data sent to the server by the cloud scan, as seen in a packet capture:
The server returns the information on the detected malicious applications in XML format, as shown below:
The package name, type and hazard level of each detected malicious application are then stored in the Trojan_kill_result table of the Trojankill database:
The scan time is saved to the "last_kill_date" field in "/data/data/shared_prefs/com.anguanjia.safe_preferences.xml". The scan result, scan type and the package names of the malicious apps found are then saved to the "scanlogdb" table of the SCANLOGDB database:
Full scan
The full scan has two branches:
(1) If an SD card is mounted, it scans every file on the SD card and checks every file whose extension is "apk" (matched in both lowercase and uppercase form); the detection steps are the same as in the quick scan.
The extension check:
(2) If no SD card is mounted, it scans all applications installed on the system; the detection steps are the same as in the quick scan.
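The local detection path described in the quick-scan section (extract classes.dex, MD5 it, MD5 the digest again, look the result up in the local database) together with the full scan's walk over the SD card and its extension check, as one added Python example. This is not the app's code. It assumes that the second MD5 is computed over the lowercase hex digest of the first, that the extension check is case-insensitive, and that the local database is a table keyed by that signature; it hashes the dex in memory rather than writing it to /data/data/com.anguanjia.safe/classes.dex. The sample APKs and the single signature entry are constructed.

```python
import hashlib
import os
import sqlite3
import tempfile
import zipfile


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def double_md5(data: bytes) -> str:
    # Assumption: the second MD5 is taken over the lowercase hex digest of the first.
    return md5_hex(md5_hex(data).encode("ascii"))


def dex_signature(apk_path: str):
    """Read classes.dex from the APK (a zip) and return its double MD5; None if absent."""
    try:
        with zipfile.ZipFile(apk_path) as z:
            dex = z.read("classes.dex")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    return double_md5(dex)


def is_apk(filename: str) -> bool:
    # Assumed case-insensitive form of the extension check.
    return filename.lower().endswith(".apk")


def build_signature_db(entries):
    """Stand-in for the local database: (signature, virus name) rows in SQLite."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE virus (sig TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO virus VALUES (?, ?)", entries)
    db.commit()
    return db


def lookup(db, sig: str):
    row = db.execute("SELECT name FROM virus WHERE sig = ?", (sig,)).fetchone()
    return row[0] if row else None


def scan_paths(paths, db):
    """Quick-scan style check over a list of APK paths; returns (path, virus name) hits."""
    hits = []
    for path in paths:
        sig = dex_signature(path)
        if sig is None:
            continue
        name = lookup(db, sig)
        if name:
            hits.append((path, name))
    return hits


def scan_sdcard(root: str, db):
    """Full-scan branch (1): walk the SD card, keep files that pass is_apk, then scan them."""
    apks = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files if is_apk(f)]
    return scan_paths(sorted(apks), db)


def write_sample_apk(path: str, dex_bytes):
    """Constructed minimal APK: a zip with a manifest and optionally a classes.dex."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        if dex_bytes is not None:
            z.writestr("classes.dex", dex_bytes)


def demo():
    """Build a constructed SD card with three APKs and return the detections found."""
    malicious_dex = b"dex\n035\x00constructed-malicious-sample"
    clean_dex = b"dex\n035\x00constructed-benign-sample"
    db = build_signature_db([(double_md5(malicious_dex), "Trojan.Constructed.Sample")])
    with tempfile.TemporaryDirectory() as sd:
        write_sample_apk(os.path.join(sd, "bad.APK"), malicious_dex)   # uppercase suffix
        write_sample_apk(os.path.join(sd, "good.apk"), clean_dex)
        write_sample_apk(os.path.join(sd, "nodex.apk"), None)          # no classes.dex
        with open(os.path.join(sd, "notes.txt"), "w") as f:
            f.write("not an apk")
        return [(os.path.basename(p), name) for p, name in scan_sdcard(sd, db)]


if __name__ == "__main__":
    print(demo())
```

Running the file reports only the planted sample. Two caveats follow directly from the scheme: a hit requires an exact match, so changing any byte of classes.dex (a repacked or rebuilt variant) yields a new signature the local database does not know, and only the entry named classes.dex is hashed, so code in other parts of the package is never seen by the local check.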
Passive scan
Passive scanning is virus detection performed when an app is installed. The scanner first determines the current type of network connection:
(1) If there is no network connection, or the connection is not WiFi, it follows the quick-scan flow and queries the local database for the malicious application check.
(2) On a WiFi network, the package name and MD5 value of the app being installed are sent to the server http://apk.scapi.aqgj.cn/xcloud/cloud.php, with the following code:
The data as obtained in an actual packet capture:
The server returns the app's malicious behaviour information, danger level, MD5 value, package name and so on. As with the cloud scan, this exchange is plain HTTP, so the verdict is not protected on the way back. Information returned by the server for a detected malicious application:
Information returned by the server for a benign application:
If a malicious app is detected, its package name, popularity, score, security level, malicious behaviour, comment information and other data are updated in the Newapp table of the AppData database. The virus package name is also written to the Userhabit.xml file.
A security prompt window then appears asking the user to confirm whether to delete the app,
and a notification is posted in the notification bar.
Reverse analysis of Anguanjia's virus-scanning principle