How your application is replaced, analysis of App hijacking virus, and app hijacking

Source: Internet
Author: User

1. Introduction to App hijacking

App hijacking refers to the redirection of an application's execution flow. It can be divided into Activity hijacking, installation hijacking, traffic hijacking, and function execution hijacking. This article analyzes recently active Activity hijacking and installation hijacking viruses.

2. Activity hijacking virus analysis

2.1 Introduction to Activity hijacking Virus

Activity hijacking means that a malicious application detects when a window component (Activity) is started. If the window belongs to a target preset by the malicious program, the malicious application starts its own counterfeit interface to cover the original one; the user enters login information without noticing anything, and the malicious program sends the captured data back to its server.

Taking MazarBOT as an example, this type of Trojan has the following features:

  • Disguised as a system SMS application. After the application is started, it requests device administrator permission and then hides its icon;
  • Uses Tor to communicate anonymously with the C&C control center to resist traffic analysis;
  • The C&C control center issues commands for phone control, "update html", and information collection;
  • Dynamically obtains htmlData from the server, then carries out interface hijacking to obtain the user's account information.

The command list of the C&C control center is as follows:

Figure: C&C command list

We found that the Trojan can accept and process a complete set of C&C control commands and uses Tor for anonymous network communication, so that traffic between source and destination passes through a relay path rather than a direct connection, which makes it much harder to trace the identity of the attacker. The Trojan's hijacking process is analyzed in detail below.

2.2 Interface hijacking process analysis

First, look at the AndroidManifest (axml) file. The WorkerService processes the "update html" command issued by the C&C control center and monitors, in the background, which Activity is running on top. If that application is one to be hijacked, the InjDialog Activity is started to hijack the page.

Figure: axml

The background service monitors the top-level Activity. If the application is to be hijacked, InjDialog is started to hijack it. The getTop function handles version compatibility, so the Trojan can obtain the package name of the top-level Activity on devices running Android 5.0 and above as well.

Figure: background monitoring

The InjDialog Activity loads a forged HTML application interface through a WebView and calls webView.setWebChromeClient(new HookChromeClient()) so that the HTML page can interact with Java: the forged HTML page calls prompt() in JS to pass the user's input to Java. The HookChromeClient class overrides the onJsPrompt method, processes the user's input, and uploads the hijacked user information anonymously through Tor to the specified domain name.

Figure: hijacking user information

Figure: uploading hijacked information

3. Analysis of application installation hijacking virus

3.1 Introduction to installation hijacking Virus

Installation hijacking viruses listen for the android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REPLACED intents. The attack takes two forms: uninstall the genuinely installed APK and replace it with an application forged by the attacker; or piggyback on the moment the user is installing something and install other applications that the attacker promotes. It is like the "Six Walnuts" drink you usually buy: one day you find you are actually drinking "Seven Walnuts".

3.2 Application-related information

This application is named "FlashLight". Its package name is com.gouq.light. The application icon is as follows:

Figure: application icon

3.3 Main Component Analysis

  • App: the Application class. It loads the encrypted jar package from the assets directory, obtains the ExchangeImpl interface object, whose onApplicationCreate, triggerReceiver and triggerTimerService methods are implemented in the jar, and starts the core service LightService;
  • LightService: the core application service. It can be called externally to start LightTiService, replaces the process name, and uses the am command to restart the service so as to keep itself alive;
  • LightTiService: started by LightService. This service calls the triggerTimerService interface method in the dynamically loaded package to delete the application to be installed, upload the current device information, and download the application to be installed from the server;
  • AppReceiver: the broadcast receiver, implemented through the triggerReceiver interface method in the loaded jar package, handles the android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REPLACED intents: it checks whether the newly installed or updated application is one to be hijacked and, if so, uses execCmd to carry out the installation hijacking.

During the installation hijacking process, the malware monitors the installation and update of applications and silently installs other associated applications.

Figure: installation hijacking

From this we can see that the malicious application uses the install or update intent of another piece of software as the trigger to install its preset associated application. After the installation completes, the user does not know which application was just installed, which increases the chance that the promoted application is clicked and run.

4. How to effectively prevent App hijacking, or security protection suggestions

For enterprise users:

As a mobile APP developer, the simplest way to prevent your APP's interface from being hijacked is to check, in the onPause method of key Activities such as the login window, whether the Activity now in the foreground belongs to your own application or to a system application.
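As an added example (not code from the article or from Alibaba's SDK), a hypothetical LoginActivity that performs the onPause check described above; it goes beyond the text by covering both the pre-5.0 getRunningTasks path and the Android 5.0+ usage-events path, and assumes the app has been granted PACKAGE_USAGE_STATS for the latter.

```java
import android.app.*;
import android.app.usage.*;
import android.content.*;
import android.content.pm.*;
import android.os.Build;
import java.util.List;

public class LoginActivity extends Activity {
    @Override
    protected void onPause() {
        super.onPause();
        String top = foregroundPackage();
        // Hijack suspected when a non-system app from another package covers the login window
        if (top != null && !top.equals(getPackageName()) && !isSystemPackage(top)) {
            // App-specific response: warn the user and invalidate the pending login
        }
    }

    // Package name now in the foreground, or null if it cannot be determined
    private String foregroundPackage() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
            ActivityManager am = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
            List<ActivityManager.RunningTaskInfo> tasks = am.getRunningTasks(1);
            ComponentName cn = tasks.isEmpty() ? null : tasks.get(0).topActivity;
            return cn == null ? null : cn.getPackageName();
        }
        // Android 5.0+: getRunningTasks only reports the caller's own tasks, so read usage
        // events instead (needs PACKAGE_USAGE_STATS, which the user grants in Settings)
        UsageStatsManager usm = (UsageStatsManager) getSystemService(Context.USAGE_STATS_SERVICE);
        long now = System.currentTimeMillis();
        UsageEvents events = usm.queryEvents(now - 10_000, now);
        UsageEvents.Event ev = new UsageEvents.Event();
        String last = null;
        while (events.hasNextEvent()) {
            events.getNextEvent(ev);
            if (ev.getEventType() == UsageEvents.Event.MOVE_TO_FOREGROUND) last = ev.getPackageName();
        }
        return last;
    }

    private boolean isSystemPackage(String pkg) {
        try {
            ApplicationInfo ai = getPackageManager().getApplicationInfo(pkg, 0);
            return (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false; // unknown package: do not treat it as trusted
        }
    }
}
```

onPause runs before the covering Activity has fully come to the foreground, so on Android 5.0+ a short delayed re-check (for example via a Handler) is more reliable than a single immediate query.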

Of course, the industry has its specializations, and professional tasks are best left to professionals. The security component SDK of Alibaba Cloud universal security provides functions such as secure signing, secure encryption, secure storage, emulator detection, anti-debugging, anti-injection, and anti-Activity hijacking. Developers only need to integrate the security component SDK to effectively address the hijacking of the login window by the Trojans described above, helping users and enterprises reduce losses.

For individual users:

Install Alibaba Money Security to protect your applications from the threat of App hijacking Trojans.

Author: niba @ Alibaba mobile security. For more technical articles, see the Alibaba Cloud universal security blog.
