This article describes how anti-virus software and viruses obtain all notifications in the notification bar and use the information to kill applications.
In the previous article, I used the root permission to perform a silent installation. Some people will say that the APK will be installed. Anyway, my brother has the Kingsoft mobile guard, and my brother has 360 active defense ...... They will send me a notification!
After a new application is installed, the mobile phone will send broadcasts. These so-called anti-virus software will listen to these broadcasts, and a notification will pop up.
Okay, I admit, they are still a little useful in a sense. Let's put this question aside first, and let's talk about two additional things.
360 and Kingsoft mobile guard both have a feature that makes Android Developers suffer: Check advertisement notifications!
When there is an advertisement in the notification bar, run 360 to perform a check, which will tell you which application the advertisement is (of course, this is not limited to advertising, they get all notifications, then filter), and then he will let the user choose: Do not process; disable the notification (in fact, kill the process, the entire software stops running); uninstall the software.
Although I have never released an Android Application, I know that, if you make money by using software, your income is already embarrassing. In addition, these fucking software provide these fucking functions ...... Ah
If you don't like paid software, we will be free of charge. If you click a little advertisement to support the head office, you will put it there. (Of course, some software can launch advertisements without any play)
After talking so much nonsense, let's take a look at how the so-called anti-virus software handles everyone.
At the key point, there is actually a line of code ...... And let everyone down...
adb shell dumpsys notification
For example, the output result is
Current notification manager State: notification list: icationicationrecord {41453c70 PKG = com. zdworks. android. toolbox id = 7f090092 tag = NULL pri = 0} icon = 0x0/<name unknown> contentintent = NULL deleteintent = NULL tickertext = NULL contentview = NULL defaults = 0x0 flags = 0x62 sound = NULL vibrate = NULL ledargb = 0x0 ledonms = 0 ledoffms = 0 icationicationrecord {paif48e8 PKG = com. zdworks. android. toolbox id = 7f090080 tag = NULL pri = 100} icon = 0x7f0200fd/COM. zdworks. android. toolbox: drawable/barttery_policy_icon contentintent = pendingintent {41949028: pendingintentrecord {412e3c20 COM. zdworks. android. toolbox startactivity} deleteintent = NULL tickertext = power prompt contentview = android. widget. remoteviews @ 416e7b90 ults = 0x0 flags = 0x22 sound = NULL vibrate = NULL ledargb = 0x0 ledonms = 0 ledoffms = 0 icationicationrecord {416db3e0 PKG = Android id = 1040414 tag = NULL pri = 100} icon = 0x10804f5/Android: drawable/stat_sys_adb contentintent = pendingintent {41275de8: pendingintentrecord {416dade8 Android startactivity} deleteintent = NULL tickertext = USB debugging connected contentview = android. widget. remoteviews @ 416daf40 defaults = 0x0 flags = 0x2 sound = NULL vibrate = NULL ledargb = 0x0 ledonms = 0 ledoffms = 0 icationicationrecord {pai90de8 PKG = com. HTC. android. psclient id = 7f020010 tag = NULL pri = 100} icon = 0x7f020010/COM. HTC. android. psclient: drawable/usb_to_pc_policy contentintent = pendingintent {416c3e38: pendingintentrecord {rjbc968 COM. HTC. android. psclient startactivity} deleteintent = NULL tickertext = NULL contentview = android. widget. remoteviews @ 4169d128 defaults = 0x0 flags = 0x2 sound = NULL vibrate = NULL ledargb = 0x0 ledonms = 0 ledoffms = 0 msoundnotification = NULL msound = com. android. server. icationicationplayer @ 413e73b8 mvibratenotification = NULL mdisabledconfigurations = 0x0 msystemready = true
Now everyone knows. It's so easy to handle.
The following is simple:
1. Find a way to obtain this log
2. extract package name
3. process the whitelist according to the blacklist whitelist in the database.
4. Your application is probably in the blacklist, and the final result is that the process is killed.
(Here we will not describe part 3 or Part 4. We will only describe part 1 and part 2)
testButton = (Button)findViewById(R.id.exec);testButton.setOnClickListener(new View.OnClickListener() { public void onClick(View v) { String[] commands = {"dumpsys notification"}; Process process = null; DataOutputStream dataOutputStream = null; try { process = Runtime.getRuntime().exec("su"); dataOutputStream = new DataOutputStream(process.getOutputStream()); int length = commands.length; for (int i = 0; i < length; i++) { Log.e(TAG, "commands[" + i + "]:" + commands[i]); dataOutputStream.writeBytes(commands[i] + "\n"); } dataOutputStream.writeBytes("exit\n"); dataOutputStream.flush(); process.waitFor(); BufferedReader reader = null; reader = new BufferedReader(new InputStreamReader(process.getInputStream())); String line = ""; List<String> lineList = new ArrayList<String>(); final StringBuilder log = new StringBuilder(); String separator = System.getProperty("line.separator"); Pattern pattern = Pattern.compile("pkg=[^\\s]+"); while ((line = reader.readLine()) != null) { if(line != null && line.trim().startsWith("NotificationRecord")){ Matcher matcher = pattern.matcher(line); if(matcher.find()){ lineList.add(matcher.group()); }else{ Log.e(TAG, "what's this?!"); } } log.append(line); log.append(separator); } Log.v(TAG, "log:" + log.toString()); int size = lineList.size(); for (int i = 0; i < size; i++) { Log.i(TAG, "app:" + lineList.get(i)); } } catch (Exception e) { Log.e(TAG, "copy fail", e); } finally { try { if (dataOutputStream != null) { dataOutputStream.close(); } process.destroy(); } catch (Exception e) { } } Log.v(TAG, "finish"); } });}
The above Code has no technical content, so it is a joke for a netizen.
Explain in order
First, run the dumpsys notification command, which is already available in the previous code.
Then, the output is read by row through process. getinputstream (). Here we only care about the log
NotificationRecord{40dacad8 pkg=com.htc.android.psclient id=7f020010 tag=null pri=100}
Then extract the package name.
Here, the regular expression is used to extract the package name. If you want to know the regular expression, you can refer to my regular expression tutorial.
Getting started with regular expressions (Java)
The execution result here is (it seems that two notifications are prompted for one application)
app:pkg=com.zdworks.android.toolboxapp:pkg=com.zdworks.android.toolboxapp:pkg=androidapp:pkg=com.htc.android.psclient
The subsequent work is to display the list to the user and let the user select
Since 360 can do this, why can't viruses? Virus fake.apkyou can install the application real.apkin the middle of the night. Several seconds later, fake.apk will perform the above operations, get 360, and kill it! Great!
If you are interested, you can decompile Jinshan and 360. They basically do this. I found that 360 is poor. As for why, let's discover it by yourself.
PS: I am using the free version of Kaspersky. Anti-virus software does not care whether there is any advertisement push. advertisements are not viruses, and anti-virus software should not do anything wrong!
Please do not use the root mobile phone to download software at will, or use any excuse to create any virus!
References:
Security issues after root of Android phone (II)
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
