I heard that plug-ins can also be used to steal train tickets? Don't tease me! | Focus on hackers and geeks


On April 9, December 8, train tickets for the Spring Festival went on pre-sale. Large numbers of "city migratory birds" flocked to the 12306 ticketing website and clients, hoping to get the tickets that would carry them through the Spring Festival migration. A ticket is hard to come by, and the same scene repeats every year.

Unlike in previous years, however, the image CAPTCHA that 12306 designed to keep "scalpers" from snatching tickets also shut out some ordinary buyers. So plug-ins appeared. Recently an app named "12306 Spring Festival express booking" surfaced; it sounds like an artifact that can get tickets faster.

But is it a real plug-in, or is there a trick behind it?

Analysis shows that this application is a fake app disguised as "railway 12306". After an in-depth analysis of the disguised program, security personnel found that one domain name hosts a large number of malicious apps of the same type, each disguised as a well-known application. Further association analysis showed that the domain name has been spreading apps for advertising purposes since November 2013: 2600 apps in total, the most-spread of which was distributed 75106 times. The batch of programs is disguised as well-known applications and well-known game strategy guides. By embedding the dianle, blue whale and other advertising SDKs into these applications, the advertising function is realized, and the fake application is used to induce users to click on advertisements. The current disguised applications reportedly also include Sina Weibo, sogou input method, magic man camera, handheld hero Alliance box and a series of other well-known apps.

I. Camouflage Application Analysis

1. Dynamic Phenomena

This application is disguised as the official "railway 12306" train-ticket ordering software. When it runs, it pushes advertisements through a points wall. When the user clicks an advertisement, the advertised application is downloaded without any prompt; after the download completes, the system installation screen prompts the user to install it. When the user clicks the back button or the application's background image, a window pops up to induce the user to keep clicking to get pushed applications.

The program icon and startup interface are shown below:

The startup interface is similar to that of the genuine application:

When the program runs, a dialog box is displayed automatically. When the user clicks "earn points", the points-wall advertisement is displayed; clicking an application on the points wall downloads it and earns the points needed to activate the software's functions.

After the user has earned points by downloading applications from the points-wall advertisement, the app activates a fake train-ticket query interface and "quick ticket purchase strategy" information.

2. Detailed Analysis

The package name of the application analyzed here is "com.zlcysdp.model". The package structure contains packages related to the advertisement SDKs (dianle and lanke).

When the program runs, it reads the resource file, parses the keyword fields to obtain the ad-related information, initializes it, and calls the function modules of the ad SDKs to push advertisements.

2.1 Decrypt and obtain key data

The program reads the file adv.xml and parses the parameter value "APP_ID" used by the blue whale SDK. The cha method is used to decrypt the key URLs used while the program is running. The resource file and its original encrypted content are shown below.

The decryption method cha and the core code that reads the key fields of the resource file adv.xml:

Decryption yields the key field information shown in the following table:

2.2 Call the advertisement SDKs for pushing

The APP_ID value obtained from the dianle field is parsed to initialize the dianle advertisement SDK and to start the advertisement points-wall interface "com.zlcysdp.model.myview" and the service "com.zlcysdp.model.myService".

The APP_ID value obtained from the lc field is parsed to initialize the blue whale ad SDK and to request advertisement information.

The way the ad components are called in this type of application is the same as in conventional applications, and the ad push function is implemented mainly through the ad SDKs. The detailed push process of the advertisements is omitted here for reasons of length.

2.3 Fake interface analysis

After activation, the application is divided into five interfaces: "Homepage", "Information", "Search", "Strategy" and "More". These interfaces are implemented by reading content from the resource files and have no actual function.

The home page is implemented by reading and parsing the xml and html file data in the application resources.

The carousel images on the home page are implemented by loading the image files in the resources:

2.4 Push malicious apps of the same type

Analysis of similar programs shows that some of them obtain a URL by decrypting it at run time, fetch the command field returned by the remote server, and parse that command to obtain a status value that controls automatic updates, downloads similar malicious applications, and calls the system installation function to prompt the user to install them.

While running, the program accesses the web address http://kg.plapk.com/html/zlcysdp.html to get the returned command field. The returned command contains two sections separated by a delimiter: the first field controls whether an update is performed, and the second field is the update message shown to the user.

When the command status is "true", the program prompts the user to update application-related content ("added function: & 1. add one-click Sharing to moments & 2. solve the Problem of Samsung mobile phone black screen & 3. solve the black screen problem of Xiaomi mobile phone & 4. added one-click Enable 360 security patch "). The program then automatically downloads the updated application from http://kg.plapk.com/upload/zlcysdp.apk.

After the download completes, it calls the system installation interface to prompt the user to install.

We downloaded the application and found a malicious program of the same type as the main program:

2.5 Upload of user device information

In some applications we also found that when the user downloads a pushed app and clicks the "Remove advertisement" button, the points change, and when the points-wall advertisement is opened, the user's IMSI, IMEI, phone model and IP address are uploaded by POST through http://w154151.s114.chinaccnet.cn/ShowListAction&operType=.

From the data returned in the network packets, we found that the server is currently disabled and cannot at present be used to collect user privacy information.
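As an added example (not code from the original article or from the AVL team), the following Python script applies the network indicators quoted in sections 2.4 and 2.5 above (the kg.plapk.com update URLs, the chinaccnet.cn upload endpoint and the two plapk.com IP addresses) to proxy-log lines. The log format and the sample lines are constructed for illustration; the script flags requests to those hosts or paths, and POST bodies that carry IMSI/IMEI fields, which is what a defender would look for in egress logs when hunting for this family.

```python
"""Flag proxy-log lines that match the network indicators named in the write-up.

Added example, not the article's or AVL's code. The log format
("<timestamp> <client-ip> <method> <url> [<body>]") and the sample lines
below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators quoted in the write-up (sections 2.4, 2.5 and the domain statistics).
IOC_HOSTS = {"kg.plapk.com", "www.plapk.com", "w154151.s114.chinaccnet.cn"}
IOC_DOMAINS = {"plapk.com"}          # the write-up counts 16 subdomains of this domain
IOC_IPS = {"61.164.140.79", "61.164.140.66"}
IOC_PATHS = {"/html/zlcysdp.html", "/upload/zlcysdp.apk"}
# Device identifiers the sample uploads by POST; any POST carrying them is suspicious.
DEVICE_ID_FIELDS = ("imsi=", "imei=")

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)(?:\s+(?P<body>.*))?$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2014-01-10T08:01:02 10.0.0.5 GET http://kg.plapk.com/html/zlcysdp.html",
    "2014-01-10T08:01:05 10.0.0.5 GET http://kg.plapk.com/upload/zlcysdp.apk",
    "2014-01-10T08:02:00 10.0.0.5 POST http://w154151.s114.chinaccnet.cn/ShowListAction&operType= "
    "imsi=460000000000000&imei=000000000000000&model=TESTPHONE&ip=10.0.0.5",
    "2014-01-10T08:03:00 10.0.0.7 GET http://www.example.com/index.html",
    "2014-01-10T08:04:00 10.0.0.8 GET http://61.164.140.79/a.apk",
]


def _in_ioc_domain(host):
    """True for the listed hosts, the IoC domain itself, or any of its subdomains."""
    if host in IOC_HOSTS:
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify(line):
    """Return the list of reason tags for one log line; an empty list means no hit.

    Unparseable lines also return an empty list so a malformed record
    never aborts the scan.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    reasons = []
    if _in_ioc_domain(host):
        reasons.append("ioc-host")
    if host in IOC_IPS:
        reasons.append("ioc-ip")
    if parts.path in IOC_PATHS:
        reasons.append("ioc-path")
    body = (m["body"] or "").lower()
    # Device-identifier exfiltration is flagged regardless of destination host,
    # so a changed upload endpoint would still be caught.
    if m["method"] == "POST" and any(f in body for f in DEVICE_ID_FIELDS):
        reasons.append("device-id-post")
    return reasons


def scan(lines):
    """Return (client, url, reasons) for every line that produced at least one hit."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line.strip())
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The host check deliberately matches any subdomain of plapk.com rather than only the two subdomains named in the text, since the domain statistics below report 16 related subdomains; the IP check covers only the two addresses the write-up names.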


II. Domain Name Statistics

Searching the promotion data for this domain name in our internal system, we found 16 related subdomains; the relevant domain name information is shown in the following table. From the table we can see that the malicious subdomain "kg.plapk.com" was the first to spread malicious samples and spread them most frequently, followed by "www.plapk.com". Based on the relationship between the domain names and IP addresses, there are 5 IP addresses. Among them, "61.164.140.79" spreads the most malicious samples, and "61.164.140.66" likewise spreads the most malicious samples.

We also observed that the home page of the plapk.com domain is "jiule 2.0". The website has no actual function: the home page rotates through 6 fixed images and is plainly fake.

A whois query showed that the domain name is hosted in Wenzhou, Zhejiang Province, that the registrant is "zheng zeling", and that the corresponding registration email is "[email protected]".

III. Application Statistics

The disguised apps in this batch of samples are mainly well-known applications with large user bases, well-known game strategy guides, or commonly used tool applications. The package names start with "com" and end with a random English letter. Most of the applications use strongswan hardening. The following table shows the sample information.

Based on the above analysis, we can infer that the malware authors push fake apps containing the dianle and blue whale ad SDKs in batches to induce users to download pushed apps; in addition, malicious programs of the same type are pushed from within the program under false pretexts to increase the users' click traffic, so as to profit from a large volume of advertising traffic.

IV. Summary

Inducing users to install apps and pushing advertisements to earn traffic revenue is a common phenomenon on the Android platform. In pursuit of the large profits that high advertising traffic brings, malicious apps increasingly push advertisements for websites with no actual features, using a backend server. The disguised applications on this domain name not only borrow the names of well-known applications to spread, but also ride on hot events to spread more widely. The AVL Mobile Security Team reminds users not to download apps from unofficial sources. At present, AVL Pro can fully detect and remove this malicious application, effectively protecting the security of your mobile phone.
