Baidu Security Lab recently discovered a new virus, named "ghost of money", that steals information about users' financial accounts. According to monitoring data, the virus currently targets only South Korean users, but the possibility of it targeting users in other countries cannot be ruled out. The virus disguises itself as "Google Store" to trick users into downloading it. Once installed, it automatically hides its icon from the app list, so that users do not notice the program and it can remain resident on the device for a long time. It also detects its runtime environment dynamically: if it finds itself running in an emulator, it does not trigger any malicious behaviour, which lets it evade dynamic analysis systems.
The malicious behavior of the virus is as follows:
1. Send a specific text message to a specific number or to all contacts.
2. Uninstall the official financial client.
3. Automatically download the shanzhai (counterfeit) financial client and prompt the user to install it.
4. Intercept received SMS messages, upload them to the server, and accept SMS commands sent by the attacker.
5. Upload the device's contact information to the server.
The following is a brief analysis of the virus sample:
Sample MD5: c11e00312ef66a74559933bc77c3f027
Application package name: com.google.game.store
1. First, the virus registers receivers for a large number of frequently fired system broadcasts in AndroidManifest.xml, so that its malicious components are woken up regularly and keep running.
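A static triage of the manifest is the quickest way to confirm the indicators described so far (permissions for SMS and contacts, a high-priority SMS receiver, and many system-broadcast receivers). The following Python script is an added example and not code from the original post or from the sample; it parses a manifest with the standard library only. The sample manifest is constructed (only the package name comes from the post), and the thresholds and the list of system broadcasts are this example's own assumptions, since the post does not name which broadcasts the sample registers.

```python
"""Static triage of an AndroidManifest.xml for the indicators described above.
Added example: thresholds and the broadcast list are assumptions, not from the post."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
LAUNCHER = "android.intent.category.LAUNCHER"
MANY_BROADCASTS = 4   # assumed threshold for "a large number of system broadcasts"
HIGH_PRIORITY = 1000  # assumed: priority needed to see an SMS before the stock SMS app

# Permissions that together match the behaviours reported for the sample.
PERMISSION_HINTS = {
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.SEND_SMS": "can send SMS to contacts or fixed numbers",
    "android.permission.READ_CONTACTS": "can read the contact list",
    "android.permission.INTERNET": "can upload data to a server",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart after reboot",
}

# Frequently fired system broadcasts a manifest receiver can hook to keep its
# components running (assumed list; the post does not name them).
SYSTEM_BROADCASTS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.ACTION_POWER_CONNECTED",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return (package name, list of human-readable findings)."""
    root = ET.fromstring(xml_text)
    findings = []

    declared = {_attr(p, "name") for p in root.findall("uses-permission")}
    for perm, hint in PERMISSION_HINTS.items():
        if perm in declared:
            findings.append("permission %s: %s" % (perm, hint))

    hooked = set()
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            hooked |= actions & SYSTEM_BROADCASTS
            if SMS_RECEIVED in actions:
                prio = int(_attr(flt, "priority") or 0)
                kind = "high-priority" if prio >= HIGH_PRIORITY else "ordinary"
                findings.append("%s SMS_RECEIVED receiver %s (priority %d)"
                                % (kind, _attr(receiver, "name"), prio))
    if len(hooked) >= MANY_BROADCASTS:
        findings.append("hooks %d system broadcasts: %s"
                        % (len(hooked), ", ".join(sorted(hooked))))

    # The launcher activity is what the sample disables after install; listing
    # it tells the analyst which component to watch at runtime.
    for act in root.iter("activity"):
        cats = {_attr(c, "name") for f in act.findall("intent-filter")
                for c in f.findall("category")}
        if LAUNCHER in cats:
            findings.append("launcher activity: %s" % _attr(act, "name"))
    return root.get("package"), findings


# Constructed manifest: the package name is the one reported in the post; the
# components and permissions are invented to exercise the checks above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.game.store">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Google Store">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    pkg, found = triage_manifest(SAMPLE_MANIFEST)
    print(pkg)
    for line in found:
        print(" -", line)
```

On a real APK, feed the script the decoded manifest (for example the output of apktool or aapt) rather than the binary one; the receiver priority is the most telling single indicator, because a legitimate app has no reason to outrank the system SMS application.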
Structure of the malicious program's code:
2. Functions and interaction diagram of the malicious components
The basic idea the virus uses to steal bank information is:
1. The virus downloads the corresponding shanzhai (counterfeit) bank client, chosen according to which banking client is installed on the device.
2. It prompts the user to "upgrade" the bank client, tricking the user into uninstalling the genuine bank client and installing the counterfeit one.
3. The counterfeit bank client steals the account information the user enters, such as the bank card number and password.
4. The virus intercepts the SMS transaction verification code sent by the bank and forwards it to the server.
In this way, the attacker obtains all of the user's login and verification information: bank card number, password, and transaction verification code. Serious consequences!!!
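The five behaviours listed at the top of the post and the four-step flow just described are easiest to confirm from a dynamic-analysis trace, provided the sandbox is not recognised as an emulator. The following Python script is an added example, not code from the original post or from the sample: it correlates a constructed API trace (hosts, phone numbers and the bank package name are placeholders; the line format and the five-second correlation window are this example's assumptions) and maps it onto the reported behaviours, so that a hidden launcher icon, a contacts upload, mass SMS sending, an intercepted-and-uploaded SMS, and the uninstall-then-install sequence each produce a named hit.

```python
"""Correlate a sandbox behaviour trace against the behaviours listed in the post.
Added example: trace format, trace contents and window are assumptions."""

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
ACTION_DELETE = "android.intent.action.DELETE"
APK_MIME = "application/vnd.android.package-archive"
WINDOW = 5      # assumed: seconds within which a follow-up event is correlated
SMS_FANOUT = 3  # assumed: distinct destinations before we call it mass SMS


def parse_trace(text):
    """One event per line: 't=<seconds> api=<call> key=value ...'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(tok.split("=", 1) for tok in line.split())
        ev["t"] = int(ev["t"])
        events.append(ev)
    return sorted(events, key=lambda e: e["t"])


def _first_after(events, start, pred):
    """First event in (start, start + WINDOW] that satisfies pred, else None."""
    for e in events:
        if start < e["t"] <= start + WINDOW and pred(e):
            return e
    return None


def classify(events):
    """Map the trace onto the reported behaviours; returns {behaviour: evidence}."""
    hits = {}
    for e in events:
        api = e["api"]
        if api == "setComponentEnabledSetting" and e.get("state") == "DISABLED":
            hits["hides_launcher_icon"] = e["component"]
        elif api == "onReceive" and e.get("action") == SMS_RECEIVED:
            aborted = _first_after(events, e["t"], lambda x: x["api"] == "abortBroadcast")
            upload = _first_after(events, e["t"], lambda x: x["api"] == "http.post")
            if aborted and upload:  # swallowed the SMS, then sent it to a server
                hits["intercepts_and_uploads_sms"] = upload["path"]
        elif api == "query" and e.get("uri", "").startswith("content://com.android.contacts"):
            upload = _first_after(events, e["t"], lambda x: x["api"] == "http.post")
            if upload:
                hits["uploads_contacts"] = upload["path"]
        elif api == "startActivity" and e.get("action") == ACTION_DELETE:
            install = _first_after(events, e["t"], lambda x: x["api"] == "startActivity"
                                   and x.get("mime") == APK_MIME)
            if install:  # uninstall prompt followed by an APK install prompt
                hits["replaces_bank_client"] = e["data"]
    destinations = {e["dest"] for e in events if e["api"] == "sendTextMessage"}
    if len(destinations) >= SMS_FANOUT:
        hits["mass_sms"] = len(destinations)
    return hits


# Constructed trace in the shape the rules expect; the host, the numbers and
# the bank package name are placeholders, not values from the post.
MALICIOUS_TRACE = """
t=1 api=setComponentEnabledSetting component=com.google.game.store/.MainActivity state=DISABLED
t=2 api=query uri=content://com.android.contacts/data/phones rows=57
t=3 api=http.post host=c2.example.invalid path=/upload/contacts bytes=4210
t=4 api=sendTextMessage dest=+82-10-0000-0001 body=<redacted>
t=5 api=sendTextMessage dest=+82-10-0000-0002 body=<redacted>
t=6 api=sendTextMessage dest=+82-10-0000-0003 body=<redacted>
t=7 api=onReceive action=android.provider.Telephony.SMS_RECEIVED
t=8 api=abortBroadcast
t=9 api=http.post host=c2.example.invalid path=/upload/sms bytes=180
t=10 api=startActivity action=android.intent.action.DELETE data=package:com.example.bank.official
t=11 api=http.get host=c2.example.invalid path=/dl/bank.apk bytes=812000
t=12 api=startActivity action=android.intent.action.VIEW mime=application/vnd.android.package-archive
"""

# A benign app reads contacts without uploading them and sends a single SMS.
BENIGN_TRACE = """
t=1 api=query uri=content://com.android.contacts/data/phones rows=57
t=2 api=sendTextMessage dest=+82-10-0000-0001 body=<redacted>
t=9 api=http.post host=api.example.invalid path=/sync bytes=90
"""

if __name__ == "__main__":
    for name, trace in (("malicious", MALICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(name, classify(parse_trace(trace)))
```

The rules deliberately require a sequence rather than a single call: reading contacts or sending one SMS is ordinary, whereas a contacts query followed within seconds by an HTTP POST, or an SMS broadcast that is aborted and then uploaded, is the pattern this sample exhibits.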
3. Malicious code snippets
(1) Upload device contact information
(2) Send text messages to all contacts and to specific numbers
(3) Intercept and upload short messages
(4) Uninstall the official financial client, then download and install the shanzhai (counterfeit) financial client (used to obtain the user's financial account, password and other information)
The correspondence between the official package names and the shanzhai client package names:
The corresponding shanzhai client is downloaded according to which financial client is installed on the device.
Article: http://blog.csdn.net/jiazhijun/article/details/12112733
By Jack_Jia mail: 309zhijun@163.com