Recently, some media reported that the most advanced Android trojan has appeared. It is said that "it can use the unknown vulnerabilities of the Android operating system to escalate program permissions and prevent uninstallation ." This malicious program is called "Backdoor. AndroidOS. Obad. a" and its malicious behavior is to make a profit by quietly sending text messages to value-added service numbers. How amazing is the "strongest Android Trojan horse in history" that has never been detected and cannot be uninstalled using Android? In this regard, the mobile phone security experts made a deep analysis for us, detailed explanation of the entire process of breaking the "strongest Trojan" layer-3 anti-detection and removal.
Level 1: the main entrance to blocking virus analysis prevents security engineers from obtaining security information
First, the trojan is indeed painstaking to escape anti-virus software detection and removal. It takes some special measures for virus analysts in the Code to make it more difficult for security companies to analyze it. For example, when most security companies analyze Android Trojan samples, they usually use the AXML parsing tool to parse the sample's main configuration file AndroidManifest. xml. This file contains the entry information of the main modules of the Android Application and is an important clue in Trojan analysis. The Obad. a Trojan intentionally constructs a non-standard AndroidManifest. xml file, so that the virus analysts cannot obtain complete data.
Layer 2: Special processing of instruction code to prevent Decompilation
This trojan not only encrypts the code, but also performs special processing on the instruction code, so that the Java decompilation tools commonly used by security companies cannot decompile their instructions correctly, increase the difficulty of Trojan analysis:
Layer 3: prevents users from uninstalling using system defects
This trojan is painstaking to Prevent Users From detaching it after discovering it. Android 2.2 and later versions provide a "Device Manager" function. Its original intention is to deploy remote IT control for enterprises, to prevent employees from uninstalling the Enterprise-installed Device Manager without authorization, the Device Manager cannot be deleted once the Device Manager is activated. However, due to the incomplete design of this function in the Android system, Trojans can be used to register themselves as a Device Manager to Prevent Users From uninstalling the device.
The trojan will first prompt the user to "Activate the Device Manager ":
Once the user accidentally clicks "Activate", the trojan is registered as a device manager. At this time, the "Force stop" and "unmount" buttons of the Trojan are completely invalid, that is, the trojan cannot be closed or uninstalled:
The most terrible thing is that the Device Manager still has some defects. When a trojan deliberately registers the Device Manager in an incorrect way, the Android system can also make it successfully registered, however, it is not displayed in the Device Manager List. Therefore, the user cannot find the cancel Device Manager entry, and cannot cancel the device management permission of the Trojan horse.
The system does not even list the device managers registered with Trojans.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
