Android Black Technology Series: Modifying the Lock Screen Password and Analysis of a Malicious Device-Locking Sample

Source: Internet
Author: User
Tags: deprecated, sha1, root access

I. The encryption algorithm in Android

The previous article introduced how the Android lock screen password algorithms work; to summarize:

The first type: the typed password algorithm

The plaintext password is concatenated with the device's salt value, the result is hashed with both MD5 and SHA1, the two digests are converted to hex and concatenated, and the final encrypted value is saved to the local file /data/system/password.key.

The second type: the gesture password algorithm

The points of the 3x3 (nine-grid) gesture pattern are converted into a byte array, which is hashed directly with SHA1. The final encrypted value is saved to the local file /data/system/gesture.key.
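The two hash constructions summarized above, as an added example that is not code from the original post or from the linked AndroidScreenOffPwd project. It is written from the forensic side: given the bytes of a password.key or gesture.key copied from a device image and a credential the owner knows, it checks whether the file still matches. Details beyond the text are assumptions taken from AOSP's LockPatternUtils of that era: the salt is the lockscreen.password_salt value rendered as the lowercase hex of a 64-bit long, password.key holds uppercase hex SHA1 followed by uppercase hex MD5 of (password + salt) as ASCII, and gesture.key holds the raw 20-byte SHA1 of the pattern cells encoded as row * 3 + column.

```python
"""Pre-6.0 Android lock credential hashes with verify helpers.

Added example; not the post's or the project's code. The salt rendering,
digest order and cell encoding are assumptions from AOSP's LockPatternUtils
of that era, not facts stated on the page.
"""
import hashlib
from typing import Iterable, List, Tuple

MASK64 = (1 << 64) - 1


def salt_to_string(salt_long: int) -> str:
    """Render the salt the way Java's Long.toHexString does: unsigned, lowercase."""
    return format(salt_long & MASK64, "x")


def password_to_hash(password: str, salt_long: int) -> str:
    """SHA1-hex followed by MD5-hex of password+salt: 72 uppercase hex characters."""
    salted = (password + salt_to_string(salt_long)).encode("utf-8")
    sha1_hex = hashlib.sha1(salted).hexdigest().upper()
    md5_hex = hashlib.md5(salted).hexdigest().upper()
    return sha1_hex + md5_hex


def pattern_to_hash(cells: Iterable[Tuple[int, int]]) -> bytes:
    """Raw SHA1 over the pattern: each (row, col) of the 3x3 grid becomes one byte."""
    encoded = bytes(row * 3 + col for row, col in cells)
    return hashlib.sha1(encoded).digest()


def verify_password_key(key_file: bytes, candidate: str, salt_long: int) -> bool:
    """True if a password.key payload matches the candidate typed password."""
    stored = key_file.decode("ascii", errors="replace").strip()
    return stored == password_to_hash(candidate, salt_long)


def verify_gesture_key(key_file: bytes, candidate: Iterable[Tuple[int, int]]) -> bool:
    """True if a gesture.key payload matches the candidate pattern."""
    return key_file == pattern_to_hash(list(candidate))


# Constructed sample values (hypothetical; a real salt is read from locksettings.db).
SAMPLE_SALT = 0x1234ABCD5678EF90
SAMPLE_PASSWORD = "hunter2"
SAMPLE_PATTERN: List[Tuple[int, int]] = [
    (0, 0), (0, 1), (0, 2), (1, 1), (2, 0), (2, 1), (2, 2),  # Z-shaped stroke
]

if __name__ == "__main__":
    pw_key = password_to_hash(SAMPLE_PASSWORD, SAMPLE_SALT).encode("ascii")
    gesture_key = pattern_to_hash(SAMPLE_PATTERN)
    print("password.key:", pw_key.decode())
    print("gesture.key :", gesture_key.hex())
    print("right password:", verify_password_key(pw_key, SAMPLE_PASSWORD, SAMPLE_SALT))
    print("wrong password:", verify_password_key(pw_key, "hunter3", SAMPLE_SALT))
    print("right pattern :", verify_gesture_key(gesture_key, SAMPLE_PATTERN))
```

Note that the gesture hash has no salt at all and both digests are a single unsalted-or-device-salted SHA1/MD5 pass with no work factor, which is why these files are worth protecting with filesystem permissions rather than relying on the hash, and why the "deprecated" and "sha1" tags on this post are apt.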

II. Analysis of the device-locking sample

The previous article also explained why we looked at the lock screen password algorithm in the first place: I had recently been playing King Glory, downloaded a cheat plug-in, and got my device locked as a result. Very annoying. So let us analyze how the extortion samples currently circulating on the market lock a device:


Most of them use Device Administrator privileges to obtain the right to change the password, and then tell the user that the device must be restarted for the change to take effect. Such a sample uses a deceptive application name and icon to induce the user to download it, install it and grant the authorization; a typical novice user who just wants to play "pesticide" (King Glory) with a cheat searches online, installs the first thing that turns up, starts playing, and ends up trapped. So always download software from an official application market and do not install applications from elsewhere. These locking samples usually apply packing (app hardening) as well, but to save money their authors use the free, non-enterprise version of the packer, so unpacking is fairly simple; reversing the code then reveals the lock password the sample sets, and the device can be unlocked.

If a novice user has been locked out like this, it is almost impossible to recover: the device is already at the lock screen, connecting it to a computer requires USB debugging authorization, and that in turn requires unlocking first, so the phone is effectively a brick. The remaining option is to copy a ROM to the SD card and reflash or restore the device, at considerable cost. So be careful.

III. Modifying the lock password with root privileges

From the analysis of the sample above we know that, at this stage, the sample must be granted Device Administrator privileges to change the lock screen password, and a person who has been fooled once may not be fooled again. So a more ruthless sample has to find another way. Device Administrator privileges have many other uses; previously they were requested to prevent an application from being uninstalled by the user, because once an application holds Device Administrator privileges its privilege level is so high that it cannot be uninstalled. You can, however, see which apps hold this permission on the Settings page:


For security reasons, such permission requests should generally be rejected; granting them is very dangerous, and once granted the consequences are hard to foresee.

Since the previous article already established the lock screen encryption algorithm and where the key files are stored, why not use root privileges to modify the lock password directly, without requesting any permission at all? Users who want cheat tools for their games generally accept granting root, because they do not know what root really means and only care about the in-game experience. With root access the operation is simple: take the new password, whether a gesture or a complex character password, run it through the encryption algorithm, write the result to the corresponding key file, and restart the device for it to take effect. There is little code worth showing here; the principle is simple:


So we can construct a 3x3 gesture password or a numeric password, encrypt it, and write it to the key file:


Then a simple device-locking sample application can be written that writes the encrypted form of the new password to a file in its own sandbox, copies it over the system's password key file, and finally restarts the device for the change to take effect. Here the character password is modified; to be more thorough, the gesture password can be modified in the same way, so that the change succeeds regardless of which type of lock the user's device uses.

IV. Solving the fingerprint lock problem

The above uses root privileges to modify the user's lock password, but there is a problem: many devices now support fingerprint unlock, and fingerprint locks are the trend. What if the device uses a fingerprint lock? It cannot be handled with Device Administrator privileges at all, but with root we can still operate. Analyzing the password encryption process shows that the system saves the current lock type value to a database:


This value is stored in the /data/system/locksettings.db database, which we can view:


This is decimal data; converted to hexadecimal it is 0x60000. Looking at the code for the type it corresponds to:


It is the complex character password type (there are other types as well, all defined in the DevicePolicyManager.java class). So the idea is: if the device's lock type is fingerprint, modify this field in the table to the gesture or character password type, write the encrypted form of the new password to the corresponding key file, and after a restart the fingerprint lock is bypassed. Since we have root privileges, reading and writing this database file is not hard; the specific code is not given here, interested readers can try it themselves.
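The bypass described in this section works because the lock type in locksettings.db and the key files in /data/system are supposed to agree, so a defender checking a device image can look for exactly that disagreement. The following is an added example, not code from the original post: it decodes the stored type with DevicePolicyManager's public PASSWORD_QUALITY_* constants (0x60000 is the COMPLEX value shown above) and reports when the type and the key files present do not match. The locksettings key name lockscreen.password_type is taken from AOSP's LockPatternUtils and is an assumption not stated on the page; the rows and file listing are constructed sample input standing in for a real read of the image.

```python
"""Consistency check between the stored lock type and the credential files.

Added example, not from the original post. PASSWORD_QUALITY_* values are
DevicePolicyManager's public constants; the lockscreen.password_type key name
is an assumption from AOSP's LockPatternUtils; sample rows are constructed.
"""

PASSWORD_QUALITY = {
    0x00000: "PASSWORD_QUALITY_UNSPECIFIED",
    0x08000: "PASSWORD_QUALITY_BIOMETRIC_WEAK",
    0x10000: "PASSWORD_QUALITY_SOMETHING",  # pattern (gesture) lock
    0x20000: "PASSWORD_QUALITY_NUMERIC",
    0x30000: "PASSWORD_QUALITY_NUMERIC_COMPLEX",
    0x40000: "PASSWORD_QUALITY_ALPHABETIC",
    0x50000: "PASSWORD_QUALITY_ALPHANUMERIC",
    0x60000: "PASSWORD_QUALITY_COMPLEX",      # 393216, the value shown above
}
TYPED_PASSWORD_QUALITIES = {0x20000, 0x30000, 0x40000, 0x50000, 0x60000}
PATTERN_QUALITY = 0x10000
LOCK_TYPE_KEY = "lockscreen.password_type"  # assumed name of the locksettings row


def decode_lock_type(raw_value) -> str:
    """Map the text value column of locksettings.db to a quality name."""
    value = int(str(raw_value).strip())
    return PASSWORD_QUALITY.get(value, f"UNKNOWN({value:#x})")


def check_lock_consistency(locksettings_rows: dict, files_present: set) -> list:
    """Return a list of findings; an empty list means type and files agree."""
    issues = []
    raw = locksettings_rows.get(LOCK_TYPE_KEY, "0")
    try:
        quality = int(str(raw).strip())
    except ValueError:
        return [f"{LOCK_TYPE_KEY} is not an integer: {raw!r}"]
    has_pw = "password.key" in files_present
    has_gesture = "gesture.key" in files_present
    name = decode_lock_type(quality)
    if quality in TYPED_PASSWORD_QUALITIES:
        if not has_pw:
            issues.append(f"type {name} but password.key missing")
        if has_gesture:
            issues.append(f"type {name} but gesture.key also present")
    elif quality == PATTERN_QUALITY:
        if not has_gesture:
            issues.append(f"type {name} but gesture.key missing")
        if has_pw:
            issues.append(f"type {name} but password.key also present")
    elif quality == 0:
        if has_pw or has_gesture:
            issues.append("no credential configured but a key file is present")
    else:
        issues.append(f"type {name} not covered by this check")
    return issues


# Constructed samples: rows as a name->value dict, files as a listing of /data/system.
SAMPLE_ROWS_OK = {"lockscreen.password_type": "393216"}
SAMPLE_FILES_OK = {"password.key", "locksettings.db"}
SAMPLE_ROWS_TAMPERED = {"lockscreen.password_type": "65536"}  # flipped to pattern type
SAMPLE_FILES_TAMPERED = {"password.key", "locksettings.db"}   # gesture.key never written

if __name__ == "__main__":
    print("intact  :", check_lock_consistency(SAMPLE_ROWS_OK, SAMPLE_FILES_OK))
    print("tampered:", check_lock_consistency(SAMPLE_ROWS_TAMPERED, SAMPLE_FILES_TAMPERED))
```

A type flipped from COMPLEX to the pattern value while password.key is still the only key file is precisely the half-finished state a tampering tool leaves between editing the database and writing the new key file, so a non-empty result is a useful triage signal on an image even before the key files themselves are examined.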

For the various malicious device-locking applications in circulation, Google has introduced protections in successive Android versions (the following is excerpted from the Security Network):

Android L (Android 5.0-5.1)

In earlier versions of Android, the getRunningTasks method was used to get the program at the top of the current task stack, but this method has been deprecated since Android 5.0. At the same time, use of the getRunningAppProcesses and getAppTasks methods is restricted, which suppresses the emergence of activity-hijacking ransomware.

Android M (Android 6.0)

The trick used by most mobile ransomware is to lock the user's device by opening a specific system-type window with the SYSTEM_ALERT_WINDOW permission and displaying it on top of all other applications and windows. The arrival of Android M confronted ransomware authors with a major bottleneck: dynamic permission requests. Since Android M, SYSTEM_ALERT_WINDOW has been classified as a more dangerous permission that receives special treatment, that is, the user must grant it at runtime. This change means that as long as the ransomware's target system is Android M, it can no longer lock the user's device unnoticed as before; there must be a user authorization stage, which hinders ransomware to a certain degree.

Android N (Android 7.0-7.1)

Unlike previous versions, in which the lock screen password could be set or reset arbitrarily, Android N explicitly stipulates that third-party app developers may only use DevicePolicyManager.resetPassword to set an initial password on a device that has none, and may not reset or clear an existing device password. The restriction added to the resetPassword API in Android N prevents a Trojan from resetting the existing lock screen password, rendering some ransomware ineffective.

The most common type of window-pinning lock uses WindowManager with the highest window privileges, so that tapping anywhere on the device gets no response. Android O seriously restricts these window privileges: as soon as the Android O preview was released it hit ransomware, with five window types disabled in the new system. As shown, these include three system window types commonly used by ransomware; the system window types on which window-pinning ransomware Trojans depend for their "survival" are restricted.

In previous Android versions, ransomware could completely cover third-party applications and other system windows by invoking a particular system window type; the user could not interact with any other window and the device was locked. In Android O these top-priority system window types are deprecated. Ransomware authors cannot find other window types that completely cover third-party applications and other system windows, so window-pinning lock screens can no longer be implemented.

Before Android 6.0 it was very easy to extort a phone with a system-class window: simply request the SYSTEM_ALERT_WINDOW permission in the AndroidManifest file and use high-level windows such as TYPE_SYSTEM_ALERT and TYPE_SYSTEM_ERROR. Once the user opened the mobile ransomware, with no further action required and no time to react, the system window was pinned and the phone was immediately locked.

From Android 6.0 to Android 7.1, the Android system introduced the dynamic permission model, and SYSTEM_ALERT_WINDOW was listed as a special permission: although its protection level (signature) is not "dangerous", developers must still obtain the user's authorization dynamically before use. Only after the user authorizes it can the application freely use TYPE_SYSTEM_ALERT, TYPE_SYSTEM_OVERLAY, TYPE_SYSTEM_ERROR and other high-level windows. At this stage the user opens the "Display over other apps" settings page through the ACTION_MANAGE_OVERLAY_PERMISSION action, as shown, and grants the permission manually; once the system high-level window permission is on, these windows can be used successfully for mobile phone ransomware.
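The excerpt above, together with section II, names two capabilities a locking sample needs: the SYSTEM_ALERT_WINDOW overlay permission and a Device Administrator receiver whose policies allow resetting or forcing the lock. Both are declared statically, so they can be triaged before installation. The following is an added example, not code from the original post or from any real sample: it parses a decoded AndroidManifest.xml and its device_admin policy resource (the text form that apktool writes out) and flags those two capabilities. The manifests and policy file below are constructed sample input.

```python
"""Static triage of a decoded manifest for lock-screen ransomware capabilities.

Added example, not from the original post or any real application; the three
XML documents below are constructed sample input.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
RISKY_POLICIES = {"reset-password", "force-lock", "wipe-data"}

# Constructed: a "game helper" that requests the overlay and a device admin.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.gamehelper">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game Helper">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed: the res/xml/device_admin.xml the receiver above points at.
SAMPLE_DEVICE_ADMIN_XML = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password/>
    <force-lock/>
  </uses-policies>
</device-admin>"""

# Constructed: an ordinary app with neither capability.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def triage_manifest(manifest_xml: str, device_admin_xml: str = "") -> dict:
    """Flag overlay permission and device-admin policies that can alter the lock."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    admin_receiver = False
    for receiver in root.iter("receiver"):
        guarded = receiver.get(A_PERMISSION) == DEVICE_ADMIN_PERMISSION
        actions = {a.get(A_NAME) for a in receiver.iter("action")}
        if guarded or DEVICE_ADMIN_ACTION in actions:
            admin_receiver = True
    policies = set()
    if admin_receiver and device_admin_xml:
        for block in ET.fromstring(device_admin_xml).iter("uses-policies"):
            policies |= {child.tag for child in block}
    result = {
        "requests_overlay": OVERLAY_PERMISSION in requested,
        "has_device_admin_receiver": admin_receiver,
        "device_admin_policies": policies,
        "risky_policies": policies & RISKY_POLICIES,
        "flags": [],
    }
    if result["requests_overlay"]:
        result["flags"].append("overlay permission: can draw windows over every other app")
    if result["risky_policies"]:
        listed = ", ".join(sorted(result["risky_policies"]))
        result["flags"].append(f"device admin policies {listed}: can change or force the lock")
    return result


if __name__ == "__main__":
    for label, manifest, policy in (("sample", SAMPLE_MANIFEST, SAMPLE_DEVICE_ADMIN_XML),
                                    ("benign", BENIGN_MANIFEST, "")):
        print(label, triage_manifest(manifest, policy)["flags"])
```

Legitimate apps do use both capabilities (anti-theft tools and screen filters, for example), so the flags are a reason to look closer at an app that arrived from an unofficial market, not a verdict on their own; on Android 6.0 and later the overlay flag also tells you the app will have to send you to the "Display over other apps" page before it can pin a window.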

V. Technical summary

We have analyzed how the lock screen password can be modified in Android; there are two main ways:

First: use Device Administrator privileges and the API the system provides to change the password directly

Second: use root privileges together with the lock screen password algorithm to modify the contents of the system's lock password files directly

Both ways require a restart of the device for the change to take effect, and each has pros and cons. For game cheat plug-ins root privileges are generally available, so the second is the best option; for ordinary malicious applications root is rarely available, so the first is the best option.

Encryption algorithm source: HTTPS://GITHUB.COM/FOURBROTHER/ANDROIDSCREENOFFPWD

VI. Safety tips

Can users avoid this kind of device-locking malware? Of course they can, as long as they harbor no crooked ideas: why would you want a cheat for a game, and why download dubious apps, if not because of such distractions? A clean user does not download from other channels but only from the regular application markets, and so cannot be caught; a user without ulterior motives does not grant permissions to applications arbitrarily and does not root the device. The criminals exploit the mindset of a minority of users and produce these samples to extort them. If you are extorted, the first thought should be to solve it yourself, by reflashing or restoring the device, never by paying: those who demand a ransom must not be indulged, so do not give them money. Better to lose the phone than to pay them. Finally, a thought on Device Administrator privileges in Android: the password-change operation actually exists for the case where the user's device is lost, so that it can be located, wiped, or have its password changed to keep more of its information from being stolen, but after such abuse the API no longer looks reasonable; hopefully the system will optimize this piece of functionality better.

