From the "Korean Express" Payment virus: SMS Trojans started to attack South Korea

From the "Korean Express" Payment virus: SMS Trojans started to attack South Korea

OX00 Preface

Recently, it was found that the virus disguised as a well-known Korean software-"Korean express delivery" after a second package. It is analyzed that the software is a payment software, and the virus uploads the user account password to the specified server, resulting in loss of user property. These samples are displayed in Korean, which is easy to mislead users and is highly risky.

OX01 virus Principle

 

 

Software name: CJ ??????. (Cj Dahan Express .)

Virus name: a. privacy. emial. d

OX02 virus details

0X21 virus description

After the virus is started, it intercepts user text messages and forwards them to a specified number. Leaking the account or password in the text message may pose a threat to mobile phone security.

0X22 virus Behavior

(1) Upload the mobile phone contact information, the sender and receiver, the address book, and the incoming call number to the specified server.

(2) activate the Device Manager, hide the icon, broadcast the messages received by the listener, and upload them to the server.

(3) download malicious sub-packages by enabling service threads to steal user privacy and consume fees

0X23 Number of infected samples and number of infected users

 

0X24 Code

1) code tree

 

2) start the program in the main function, activate the Device Manager after running the program, hide the desktop icon, obtain the number of incoming calls in the Config class, and start the program core service CoreService class.

 

 

3) Enable the sub-thread in CoreService to upload the address book and connect the network to the specified server, obtain the incoming call number, imsi object, and register the broadcast receiver, and download the sub-package through broadcast acceptance.

 

4) the upload address is http: // 1 **. 10. ***. */kbs. php? * ** I &**

 

5) Registering broadcast and uploading Network Connection Methods in threads

 

6) Delete the installation package after downloading the sub-package, resulting in traffic loss.

 

 

7) in the receiver

 

When a text message is sent to a mobile phone:

SMSReceiver broadcasts the text message box content and uploads the text message, phone number, and content to the specified server. It is extremely easy to steal the user account password and verification code information, resulting in irreparable property loss.

 

OX03 virus package Analysis

OX31 this virus downloads and installs four sub-packages:

"Com. korea. kr_nhbank"-NH speed bank

"Com. example. kr_hnbank"-N-bank

"Com. example. kr_shbank"-Bank of Singapore

"Com. example. kr_wrbank"-youli bank

All of them hit a. privacy. nhtwoabc. Therefore, we analyze one of the packages and unpack them to obtain their virus behavior.

OX32 sub-package code

Software name :????? (Personal touch Han Yuan .)

Package name: com. example. kr_wrbank

Virus name: a. privacy. nhtwoabc.

OX33 virus description

After the virus is installed, it monitors users' text message records and photo files in the background and uploads them to the specified server, causing privacy leakage.

OX34 related Code

1) code tree

 

 

 

2) Get the incoming call number

 

 

3) upload the incoming call number to the server http: // 174. ***. 122. ***/bank *******

 

 

OX04 Summary

There are a variety of payment-type viruses, and the intelligence level is improved. The famous Korean apps and bank apps are counterfeited. once clicked, the user's personal information and account password are easily leaked, this may cause privacy leaks and irreparable property losses. Nowadays, mobile Internet is on the rise. The security of software in various small and medium-sized electronic markets is uneven, and the virus infection rate is also gradually rising. Mobile phone security has been paid more attention by the country.