Analysis of a Disguised, Packed Android Virus
Not long ago a disguised virus was circulating on the Internet. It had been a long time since I last analyzed a virus, so I gave it a try.
The icon displayed after the virus is installed:
After the application is opened, the system prompts you to activate it as a device administrator:
After activation, you are required to enter bank card information, including name, ID card number, and mobile phone number.
In addition, we found the package name in the AndroidManifest.xml file:
From the information above, we can already guess that the disguised application is a virus that steals users' bank account details and related information.
Decompiling the apk shows that the virus has been packed: the class com.secapk.wrapper.ApplicationWrapper indicates that it was packed with "zookeeper".
Fortunately, an unpacking program is available on the Internet, so I used it without hesitation:
Disassemble the dumped odex file into smali files, then reassemble them into a dex file (if an error occurs during reassembly, comment out the offending part). Then convert the dex to a jar file for viewing. Now everything is laid bare:
The following is a detailed analysis. The app registers two broadcast receivers. The first is used to register the app as a device administrator. The second monitors events such as system startup, SMS reception, and application installation and uninstallation.
When the application is uninstalled, an email is sent. The content includes the user's mobile phone number, voicemail number, device ID, IMEI, IMSI, network operator name, and other private information.
When an SMS message is received, the attacker can intercept it and obtain the sender, content, and time of the message. The email is sent from lanjiema@126.com with the password admin903. The receiving address is 12114860@qq.com.
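The traits described above (a packer wrapper class as the application entry point, a device-administrator receiver, and a second receiver listening for boot, SMS and package-removal events alongside SMS and phone-state permissions) can be checked statically before any unpacking. The script below is an added example, not code from the original post; it parses a decoded AndroidManifest.xml with the standard library. The sample manifest is constructed for illustration, its package and receiver names are placeholders, and only the wrapper class com.secapk.wrapper.ApplicationWrapper comes from the post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree form of android:name

# Packer entry point named in the post.
PACKER_APPLICATION_CLASSES = {"com.secapk.wrapper.ApplicationWrapper"}

# Broadcast actions matching the second receiver's behaviour in the post.
SUSPICIOUS_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.PACKAGE_REMOVED",
    "android.intent.action.PACKAGE_ADDED",
}
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample manifest (package and receiver names are placeholders).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:name="com.secapk.wrapper.ApplicationWrapper">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".MonitorReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: nothing here should be flagged.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:name=".NotesApplication">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a list of human-readable findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Packed sample: application entry point is a known wrapper class.
    app = root.find("application")
    app_class = app.get(NAME) if app is not None else None
    if app_class in PACKER_APPLICATION_CLASSES:
        findings.append(f"packed: application class {app_class}")

    # 2. Receivers: device-admin registration and multi-event monitoring.
    for receiver in root.iter("receiver"):
        rname = receiver.get(NAME)
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if DEVICE_ADMIN_ACTION in actions:
            findings.append(f"device-admin receiver: {rname}")
        hits = sorted(actions & SUSPICIOUS_ACTIONS)
        if len(hits) >= 2:
            findings.append(f"monitor receiver {rname}: " + ", ".join(hits))

    # 3. Permission combination needed to read SMS/identity and send it out.
    perms = {p.get(NAME).rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    if {"RECEIVE_SMS", "READ_PHONE_STATE", "INTERNET"} <= perms:
        findings.append("permission combo: RECEIVE_SMS + READ_PHONE_STATE + INTERNET")

    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text) or ["no findings"])
```

Run it on the manifest produced by apktool (or any decoder that yields plain XML); a binary AXML manifest straight out of the apk must be decoded first, since ElementTree cannot parse it. The check is a triage aid: a packed application class alone only says the apk was packed, and the receiver and permission patterns are what tie it to the SMS-interception and uninstall-notification behaviour described above.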