Analysis of how "the strongest Android trojan in history" was cracked

Source: Internet
Author: User

Recently, several media outlets reported the appearance of the most advanced Android trojan yet. It is said that "it can use unknown vulnerabilities in the Android operating system to escalate its permissions and prevent uninstallation." The malicious program is named "Backdoor.AndroidOS.Obad.a", and its malicious behavior is to profit by silently sending text messages to value-added service numbers. Just how remarkable is this "strongest Android trojan in history", which reportedly cannot be detected and cannot be uninstalled on Android? Mobile phone security experts carried out an in-depth analysis for us, explaining step by step how each of the trojan's three layers of anti-detection and anti-removal protection was broken.

Layer 1: blocking the main entry point of virus analysis so that security engineers cannot obtain the information they need

First, the trojan goes to great lengths to evade detection and removal by anti-virus software. Its code takes special measures aimed at virus analysts, making it harder for security companies to analyze. For example, when security companies analyze Android trojan samples, they usually use an AXML parsing tool to parse the sample's main configuration file, AndroidManifest.xml. This file contains the entry information for the main modules of an Android application and is an important clue in trojan analysis. The Obad.a trojan deliberately constructs a non-standard AndroidManifest.xml so that virus analysts cannot obtain complete data from it.
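The practical lesson for an analyst is that a manifest parser should not trust the size fields a file declares about itself. The following is an added example, not code from the original analysis or from any vendor's tool: it walks the chunk framing of a binary AndroidManifest.xml (each chunk begins with a ResChunk_header of type:u16, headerSize:u16, size:u32, little-endian, as defined in AOSP's ResourceTypes.h) and reports every inconsistency between the declared sizes and the actual file, instead of silently truncating the way a lenient parser would. The two sample manifests are constructed for the demonstration and are not taken from the Obad.a sample; their payload bytes are zeros because only the framing matters here.

```python
"""Structural sanity check for a binary AndroidManifest.xml (AXML).

Added example: verifies that each chunk's headerSize and size agree with
each other and with the file length, so a manifest crafted to confuse
AXML parsers is reported rather than silently misread.
"""
import struct

HEADER = struct.Struct("<HHI")  # ResChunk_header: type, headerSize, size

RES_STRING_POOL_TYPE = 0x0001
RES_XML_TYPE = 0x0003
RES_XML_START_ELEMENT_TYPE = 0x0102
RES_XML_END_ELEMENT_TYPE = 0x0103

# Chunk types that may legitimately appear inside a RES_XML_TYPE chunk.
KNOWN_CHUNKS = {
    RES_STRING_POOL_TYPE: "string pool",
    0x0100: "start namespace",
    0x0101: "end namespace",
    RES_XML_START_ELEMENT_TYPE: "start element",
    RES_XML_END_ELEMENT_TYPE: "end element",
    0x0104: "cdata",
    0x0180: "resource map",
}


def chunk_header(data, off):
    """Return (type, headerSize, size) of the chunk at off, or None if truncated."""
    if off + HEADER.size > len(data):
        return None
    return HEADER.unpack_from(data, off)


def check_axml(data):
    """Return a list of structural problems; an empty list means the layout is consistent."""
    problems = []
    top = chunk_header(data, 0)
    if top is None:
        return ["file is shorter than one chunk header"]
    ctype, hsize, size = top
    if ctype != RES_XML_TYPE:
        problems.append(f"top-level chunk type 0x{ctype:04x} is not RES_XML_TYPE")
    if hsize != HEADER.size:
        problems.append(f"top-level headerSize {hsize} != {HEADER.size}")
    if size != len(data):
        problems.append(f"top-level size {size} != file length {len(data)}")

    off, seen_string_pool, depth = HEADER.size, False, 0
    while off < len(data):  # walk child chunks using the real file length, not the declared one
        hdr = chunk_header(data, off)
        if hdr is None:
            problems.append(f"{len(data) - off} trailing bytes at 0x{off:x} are not a full chunk")
            break
        ctype, hsize, size = hdr
        name = KNOWN_CHUNKS.get(ctype, f"unknown type 0x{ctype:04x}")
        if ctype not in KNOWN_CHUNKS:
            problems.append(f"{name} at 0x{off:x}")
        if size < HEADER.size or hsize < HEADER.size or hsize > size:
            problems.append(f"{name} at 0x{off:x}: headerSize {hsize} and size {size} are inconsistent")
            break  # the size fields cannot be trusted to advance any further
        if off + size > len(data):
            problems.append(f"{name} at 0x{off:x}: size {size} runs past end of file")
            break
        if ctype == RES_STRING_POOL_TYPE:
            seen_string_pool = True
        elif ctype == RES_XML_START_ELEMENT_TYPE:
            depth += 1
        elif ctype == RES_XML_END_ELEMENT_TYPE:
            depth -= 1
            if depth < 0:
                problems.append(f"end element at 0x{off:x} without a matching start element")
                depth = 0
        off += size
    if not seen_string_pool:
        problems.append("no string pool chunk: element and attribute names cannot be resolved")
    if depth > 0:
        problems.append(f"{depth} element(s) never closed")
    return problems


def chunk(ctype, body=b"", header_size=None, size=None):
    """Serialize one chunk; header_size/size can be overridden to build a malformed sample."""
    hs = HEADER.size if header_size is None else header_size
    sz = HEADER.size + len(body) if size is None else size
    return HEADER.pack(ctype, hs, sz) + body


def axml(children, size=None):
    """Wrap child chunks in a RES_XML_TYPE chunk (size may be overridden)."""
    return chunk(RES_XML_TYPE, b"".join(children), size=size)


# Constructed well-formed layout (string pool, resource map, one element).
GOOD_SAMPLE = axml([
    chunk(RES_STRING_POOL_TYPE, b"\x00" * 20, header_size=28),
    chunk(0x0180, b"\x00" * 4),
    chunk(0x0100, b"\x00" * 16),
    chunk(RES_XML_START_ELEMENT_TYPE, b"\x00" * 28),
    chunk(RES_XML_END_ELEMENT_TYPE, b"\x00" * 16),
    chunk(0x0101, b"\x00" * 16),
])

# Constructed malformed layout: the top-level size understates the file length,
# and the element chunk claims a headerSize larger than its whole size.
BAD_SAMPLE = axml([
    chunk(RES_STRING_POOL_TYPE, b"\x00" * 20, header_size=28),
    chunk(0x0100, b"\x00" * 16),
    chunk(RES_XML_START_ELEMENT_TYPE, b"\x00" * 28, header_size=64),
    chunk(RES_XML_END_ELEMENT_TYPE, b"\x00" * 16),
    chunk(0x0101, b"\x00" * 16),
], size=128)

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_axml(sample) or "consistent")
```

Running check_axml on a real manifest is a cheap first step before handing the file to a full AXML decoder: if it reports problems, the decoder's output is incomplete and should be treated as such, and the inconsistent chunk offsets tell the analyst exactly where to look by hand.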

Layer 2: special processing of the instruction code to prevent decompilation

This trojan not only encrypts its code but also applies special processing to the instruction code, so that the Java decompilation tools commonly used by security companies cannot decompile its instructions correctly, further increasing the difficulty of analysis.

Layer 3: exploiting a system defect to prevent users from uninstalling

This trojan also goes to great lengths to prevent users from removing it once they discover it. Android 2.2 and later provide a "Device Manager" function (the device administrator feature). Its original purpose is remote IT control for enterprises: so that employees cannot uninstall an enterprise-installed device manager without authorization, an application cannot be uninstalled once it has been activated as a Device Manager. However, because of the incomplete design of this function in the Android system, a trojan can also register itself as a Device Manager to prevent users from uninstalling it.

The trojan first prompts the user to "Activate the Device Manager".

Once the user accidentally taps "Activate", the trojan is registered as a Device Manager. From then on, the "Force stop" and "Uninstall" buttons for the trojan are completely disabled, meaning the trojan can be neither stopped nor uninstalled.

Worse still, the Device Manager function has a further defect. When a trojan deliberately registers as a Device Manager in an incorrect way, the Android system still accepts the registration, but the entry is not displayed in the Device Manager list. The user therefore cannot find the entry to deactivate it, and cannot revoke the trojan's device management permission.

The system does not even list the Device Manager that the trojan registered.
