Analysis and testing of DenDroid for super-strong mobile Trojan

2cto: Mobile Trojan Dendroid

Symantec researchers have discovered a new mobile Trojan named Dendroid, which gives an attacker remote control of an infected phone with little effort. Before that, Symantec had described an Android remote administration tool named AndroidRAT, regarded as the first RAT to be bound into other apps. The newly discovered Dendroid, which communicates over HTTP, is more powerful.

Dendroid generates a malicious APK whose remote commands include: deleting call records, opening a web page, calling any number, intercepting and stealing text messages, taking and uploading pictures and video, opening any application, acting as a DDoS node (which consumes a lot of mobile data or can crash the phone), and changing the command-and-control server.

I. Server Web Console Installation

The server side is PHP + MySQL, so the environment is easy to set up: an integrated package such as PHPnow or XAMPP gets it running quickly. The server records information about the controlled phones and sends commands to them. The server package unpacks to the following files:

Set up the server environment (those steps are skipped here), note the server's IP address or domain name, open reg.php, and modify the following:

After modification, place the server PHP code in the web root directory and browse to http://<server address or domain name>/setup/ to start installation and deployment:

Click Begin Setup to enter the server configuration process.

You can see that the page asks for the database connection details, so the database must be deployed before proceeding. Here phpMyAdmin is used to create the database dendroid:

Open SQL.SQL in the package, copy its contents and import them into dendroid:

You can see that the table creation succeeded:

Go back to Step 1 on the server configuration page, enter the required information and complete the deployment:

Click Finish Setup to reach the login page of the server management console. Enter the configured username and password to log in to the console:

Note: Dendroid calls the Google Maps API; a proxy may be needed for the map to display properly.

II. Client APK Compilation

Download the Android SDK and import the DendroidApk project from the compressed package:

If an API package is missing after the import, open Window > Android SDK Manager and download it:

Remember to use a proxy when updating, and set it under Tools > Options (Google is blocked by the Great Firewall).

After the import is complete, expand src to view the main functional modules of the APK:

The module names already indicate the general function of each one. Here we only modify the connection parameters so that the compiled APK connects to the server we just set up; open MyService.java:

All three values are Base64 encoded. Note that encodePassword is, by default, the Base64 encoding of the string 'Password'. If you change it, you must also change the $_GET['Password'] check on the server in get.php, get-functions.php, new-upload.php and upload-pictures.php.


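The three Base64-encoded values in MyService.java are exactly what an analyst wants out of a captured sample: the C2 address and the password the client presents. The following Python script is an added example, not code from the article or from Dendroid itself. It scans decompiled Java source for Base64-looking string constants, decodes them, and reports which ones are URLs and whether the password constant is still the default 'Password' (UGFzc3dvcmQ=) that the text mentions. The Java fragment is constructed for the demonstration: the variable names encodeURL and encodeGetFunctions and the host c2.example.invalid are assumptions, not Dendroid's real identifiers; only encodePassword is named on the page.

```python
import base64
import binascii
import re


def _b64(text):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for a decompiled MyService.java. Only encodePassword is
# named in the article; encodeURL/encodeGetFunctions and c2.example.invalid are
# made up for this example. "UGFzc3dvcmQ=" is Base64 for "Password", the default
# the article describes.
SAMPLE_JAVA = (
    'public class MyService extends Service {\n'
    '    String encodeURL = "' + _b64("http://c2.example.invalid/") + '";\n'
    '    String encodePassword = "UGFzc3dvcmQ=";\n'
    '    String encodeGetFunctions = "' + _b64("get-functions.php") + '";\n'
    '    String tag = "Dendroid";  // looks like Base64 but does not decode to text\n'
    '}\n'
)

# name = "literal" where the literal uses only the Base64 alphabet (8+ chars).
B64_ASSIGN = re.compile(r'(\w+)\s*=\s*"([A-Za-z0-9+/]{8,}={0,2})"')


def decode_b64_constants(java_source):
    """Map variable name -> decoded text for every Base64 literal that decodes
    to printable ASCII; anything else is discarded as a false positive."""
    found = {}
    for name, literal in B64_ASSIGN.findall(java_source):
        if len(literal) % 4:
            continue
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text and all(32 <= ord(c) < 127 for c in text):
            found[name] = text
    return found


def triage(java_source):
    """Decode the constants and summarise what a defender needs: C2 URL
    candidates, and whether the client still uses the default password."""
    consts = decode_b64_constants(java_source)
    report = {
        "c2_candidates": [v for v in consts.values() if v.startswith(("http://", "https://"))],
        "default_password": consts.get("encodePassword") == "Password",
    }
    return consts, report


if __name__ == "__main__":
    consts, report = triage(SAMPLE_JAVA)
    for name, value in consts.items():
        print(f"{name:22s} -> {value}")
    print("C2 candidates:", report["c2_candidates"])
    print("default password in use:", report["default_password"])
```

The length and alphabet checks plus the printable-ASCII filter are what keep this usable on a real decompiled tree, where many short identifiers happen to look like Base64; decoding with validate=True and discarding non-text results removes almost all of them.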
After modification, export:

Generated successfully:

III. Upload to the Mobile Phone and Install

During installation the APK must be granted the permissions it needs, such as camera and location; for convenient testing all of them were enabled. The program name and icon can be changed before compilation. The test phone runs Android 4.4.2.


In the test environment the console machine and the phone are on the same LAN (3G or 4G mobile data connections are recommended as well). After the app is installed, you can see that location services are being called:

The phone now also shows as online in the console:

IV. Main Control Functions

From the console we can mute the phone, turn the screen on or off, intercept text messages, silently start background audio recording, photo capture and video recording, retrieve text message content and contacts, and open a specified app.

The commands exchanged between the controlled phone (the client with the malicious APK installed) and the server (web console) are as follows:

The implementation of the phone check-in (coming online) and text message interception functions is described below; the other functions work similarly.

1. Coming online

1) The client sends a request to get.php on the console to register the controlled phone as online and refresh its status.

2) Obtain the phone's physical ID (UID):

3) Construct the request URL to the server:

4) get.php reads the values passed as GET parameters and hands them to updateSlave (defined in functions.php):

5) In functions.php, whether the phone's properties are updated or inserted is decided by checking whether the phone already has a row in the bot table:

6) Display the result on the control page:

2. Text message interception


1) Click the button:

The button is handled by the AddCommand function; its first argument is the command string 'intercept' and its second is true:

2) The requested command is inserted into the commands table:


3) The client requests get-functions.php to fetch the command to execute:

4) After verifying the Password, the server looks up the action requested from the console (the 'intercept' row inserted into the database) by the UID (the phone's physical ID mentioned above) and returns it to the client in the following format:

5) The client checks whether the returned content contains "intercept(". If it does, it sets the value of the key 'intercept' to true:

6) Get the text message content:

7) The data carried by the urlPost request:


8) message.php calls addMessage on receiving the request data and inserts it into the messages table.

9) Refreshing the control page queries the database and shows the message:

This matches the message received on the phone:

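The check-in to get.php, the polling of get-functions.php and the posting of intercepted messages to message.php all pass the UID and Password parameters over plain HTTP, so they are visible in web-server or proxy logs. The following Python script is an added example, not part of the article or of Dendroid: it parses constructed access-log lines, flags requests to the script names the article lists (get.php, get-functions.php, message.php, and the upload scripts new-upload.php and upload-pictures.php) that carry a Password query parameter, and reports clients that touch more than one of those endpoints, which is the beaconing pattern described in sections 1 and 2 above. The log layout, the parameter spelling UID and all sample values are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Server-side script names from the article's walkthrough of the protocol.
DENDROID_ENDPOINTS = {
    "get.php",              # check-in / status refresh
    "get-functions.php",    # command polling
    "message.php",          # intercepted SMS upload
    "new-upload.php",       # file upload
    "upload-pictures.php",  # photo upload
}

# Common Log Format request line; the log layout is an assumption of this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: three Dendroid-style requests from one client, plus two
# benign lookalikes. Parameter names/values (UID, Password=XXXX) are assumed.
SAMPLE_LOG = """\
10.0.0.23 - - [01/Apr/2014:10:00:01 +0800] "GET /get.php?UID=TESTUID0001&Password=XXXX&Model=test HTTP/1.1" 200 12
10.0.0.23 - - [01/Apr/2014:10:00:31 +0800] "GET /get-functions.php?UID=TESTUID0001&Password=XXXX HTTP/1.1" 200 14
10.0.0.23 - - [01/Apr/2014:10:01:02 +0800] "POST /message.php?UID=TESTUID0001&Password=XXXX HTTP/1.1" 200 0
10.0.0.77 - - [01/Apr/2014:10:01:10 +0800] "GET /index.php?page=get-functions HTTP/1.1" 200 5120
10.0.0.78 - - [01/Apr/2014:10:01:12 +0800] "GET /forum/message.php?id=42 HTTP/1.1" 200 3311
"""


def parse_line(line):
    """Split one access-log line into client IP, timestamp, script name and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "file": parts.path.rsplit("/", 1)[-1].lower(),
        "query": parse_qs(parts.query),
    }


def detect_dendroid_c2(log_text):
    """Return (hits, beaconing): individual suspicious requests, and clients that
    hit two or more distinct Dendroid endpoints, a much stronger signal than one
    request to a generically named script such as message.php."""
    hits = []
    endpoints_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # The article shows every server script reading $_GET['Password'], so a
        # known script name without that parameter is treated as benign.
        if rec["file"] in DENDROID_ENDPOINTS and "Password" in rec["query"]:
            uid = rec["query"].get("UID", ["<no UID>"])[0]
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "endpoint": rec["file"], "uid": uid})
            endpoints_by_ip[rec["ip"]].add(rec["file"])
    beaconing = {ip: sorted(eps) for ip, eps in endpoints_by_ip.items() if len(eps) >= 2}
    return hits, beaconing


if __name__ == "__main__":
    found, beacons = detect_dendroid_c2(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']}  {h['ip']}  {h['endpoint']}  UID={h['uid']}")
    for ip, eps in beacons.items():
        print(f"beaconing client {ip}: {', '.join(eps)}")
```

Requiring the Password parameter alongside the script name is what keeps the benign /forum/message.php request out of the results; correlating distinct endpoints per client is what separates a real infected phone, which polls get-functions.php repeatedly between check-ins, from a single coincidental hit.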
3. Photo capture

The flow is similar to the one above, except that the photo is not uploaded automatically; the upload is triggered manually. Presumably this is because such files take a lot of bandwidth and a transfer may fail; the upload can be repeated several times:

1) Select the front or rear camera:

After the command is inserted into the database, the client picks up the command type and performs the upload.

4) Display of the upload command's execution:

6) Download and preview:


To change the image size, modify the following section in CameraView.java (marked with a red box in the screenshot):
