Misusing the Accessibility Service to Install Applications Automatically
0x00 Malicious Application Overview
In recent years, many Android app markets have implemented root-free automatic installation: once a download completes, the application is installed immediately. The underground industry also uses this technique for malicious promotion and silent installation. Recently we intercepted a large number of malicious applications that use the system AccessibilityService to install applications silently. Once the malicious Accessibility service is activated, an advertisement for a promoted malicious application pops up. Even if the user closes the pop-up advertisement, the application is downloaded in the background and the promoted malicious application is then installed automatically.
0x01 AccessibilityService Introduction
AccessibilityService:
Android Accessibility is intended for users who cannot conveniently use an Android smartphone because of vision, hearing or other physical impairments. Android provides the Accessibility function and service to help these users operate the device more easily, and developers can build their own Accessibility services to improve the usability of their applications. Once an AccessibilityService is enabled, the application can obtain information about the window elements of the application currently in the foreground in real time and interact with them in both directions: it can read user input and operate window elements, for example by clicking a button.
Use Cases of AccessibilityService:
Android app markets use Accessibility to install applications without root; recently, the popular red packet (hongbao) grabbing apps have also used AccessibilityService to grab red packets automatically.
0x02 Malicious Application Analysis
We detected the misuse of AccessibilityService in an app named "WiFi Password Viewer (enhanced edition)". After the application starts, the user is induced to enable the "WIFI signal enhancement service", which in fact enables the malicious application's AccessibilityService. To view a Wi-Fi password the user grants the malicious application root permission. All of this paves the way for the malicious automatic installation. The application at runtime is shown below.
Figure: application startup and the page that guides the user to enable Wi-Fi signal enhancement
After the application starts, the user is guided to enable the Wi-Fi signal enhancement service. The application jumps to the ACCESSIBILITY_SETTINGS interface and prompts the user to enable the Wi-Fi signal enhancement service in order to increase the Wi-Fi signal strength. Once the user enables the malicious application's service, the phone downloads the application package that the malicious application has prepared in the cloud, then installs and runs it automatically.
Figure: the interface for enabling the Accessibility Service
The following describes how the malicious code runs:
Figure: flow of the malicious code's cloud push process
Flowchart analysis
Wifi_list module: the malicious application uses "Wi-Fi signal enhancement" to induce the user to enable the Accessibility Service, and "view Wi-Fi password" to induce the user to grant the application root permission.
PushDownLoad module: consists of PushCoreService and ChapingCoreService. They use a background service to upload device information, obtain the application package to be pushed, and download that package.
Install module: parses the downloaded package of the malicious application, then pops up the DialogPushActivity advertisement box. On non-rooted devices it uses the AccessibilityService to install; on rooted devices it uses pm install to install silently.
Daemon module: daemon is an ELF file stored in the raw directory. It is a daemon that protects the application from being killed. Daemon forks a child process, makes the child the leader of a new session so that it is detached from the session and process group of its parent, and then periodically starts the Java-layer configured task from the child process. This ensures that PushCoreService and ChapingCoreService are always running in the background.
Follow-up analysis of the core service PushCoreService
First, it POSTs the device's IMEI, Wi-Fi MAC and serial number to the target server. The server returns a uuid, which is recorded in the "uuid" field of the default SharedPreferences file.
Figure: request to the server to obtain the uuid
Next, it calls this.m_context.handler.sendEmptyMessage(1) to start the GetPushThread thread. This thread requests http://api.findzhibo.com/ad/open?AppCode=1&appVersion=appVersion to obtain the "open_status" field for the current application. The cloud push continues only when the "open_status" field is true; otherwise the cloud push is disabled for the current application version.
Figure: push_json of the malicious application promoted from the cloud
Figure: cloud request for the maliciously promoted application
Finally, it calls this.m_context.handler.sendEmptyMessage(2), parses the push_json field to populate an intent, and starts PushDownloadService to download the application and pop up the malicious advertisement page. PushDownloadService parses appJson, obtains the download information, and then downloads and installs the application through handler messages.
Figure: parsing appJson to download and install
The handler has four message values: '3' download failed; '4' download succeeded; '5' pop up the DialogPushActivity advertisement box and, if the Accessibility Service is enabled, start WifiZengQiangService; '6' pop up the DialogPushActivity advertisement box and launch the malicious app. First, '4' is sent to start the background download, and then the download-and-install thread is started. This thread checks whether the pushed application has already been downloaded to the specified directory. sdcard/.wifi_ckq stores the downloaded application package and the advertisement image; the appName is hashed with MD5.
Figure: sdcard directory storing the downloaded promoted application package
Figure: image downloaded for the malicious application promotion
After the download completes, the silent installation message is sent for the application. If the device is not rooted, '5' is sent; on a rooted device, pm install is used to install the application and then '6' is sent to start it.
Figure: sending the handler message to install the application
Both handler messages '5' and '6' start DialogPushActivity.
Figure: launching DialogPushActivity
DialogPushActivity is actually an ImageView. After the user touches the interface, the pushed application is installed automatically.
Figure: DialogPushActivity
WifiZengQiangService is started to perform the automatic installation. Earlier virus families, such as Ghost Push and Kemoge, rooted the device first and then implanted the promoted applications. Here, once the malicious application's AccessibilityService is started, the application pops up the malicious advertisement interface; even if the victim closes the pop-up advertisement, the promoted application is downloaded and installed successfully anyway. In this process the system's packageinstaller is invoked and the service obtains the location of the buttons on the installation interface. Accessibility provides simulated user clicks, so the service clicks Next on the user's behalf until the installation completes. The pop-up advertisement is shown below; after it is touched, the promoted application is downloaded and installed. The installation interface is invoked from within the AccessibilityService.
Figure: packageInstaller
The onAccessibilityEvent method of the AccessibilityService handles not only events from com.android.packageinstaller but also events from some security software, so the malicious application gains full control over the security software's behaviour. This means the application can install applications automatically, start any app and uninstall any application, and it also uses the AccessibilityService to control the security software so that it is not killed.
Figure: the AccessibilityService controlling the specified application packages
After the application is installed successfully, the system sends an "android.intent.action.PACKAGE_ADDED" broadcast. The AppListenerReceiver class receives the broadcast and starts the application.
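The abuse above only works once the user has switched the malicious service on in ACCESSIBILITY_SETTINGS, so a responder's first check on a suspect device is to list which accessibility services are actually enabled. The script below is an added example, not code from the original analysis: it parses the value of the Android secure setting enabled_accessibility_services (as returned by `adb shell settings get secure enabled_accessibility_services`) and prints every service whose package is not on an allowlist. The allowlist, the sample setting value and the package name com.example.wifiviewer are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original analysis: audit which accessibility
# services are enabled on an Android device and flag any whose package is not
# on an allowlist. On a real device the setting is read with
#   adb shell settings get secure enabled_accessibility_services
# and has the form "pkg/ServiceClass:pkg2/ServiceClass2" (or "null" when none).

# Packages whose accessibility services are expected (allowlist; an assumption
# for this example, tailor it to the device's legitimate accessibility tools).
ALLOWED_PKGS="com.google.android.marvin.talkback"

# flag_unknown_services "<setting value>": prints one line per enabled service
# whose package is not allowlisted; prints nothing when the device is clean.
flag_unknown_services() {
    setting=$1
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    set -- $setting            # split the colon-separated list into $1..$n
    IFS=$old_ifs
    for entry in "$@"; do
        pkg=${entry%%/*}       # package name is everything before the slash
        allowed=0
        for a in $ALLOWED_PKGS; do
            if [ "$pkg" = "$a" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$entry"
        fi
    done
}

# Constructed sample value: TalkBack plus a service named after the one in the
# analysis; the package name com.example.wifiviewer is a placeholder.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.wifiviewer/com.example.wifiviewer.WifiZengQiangService'

# Usage on a live device (assumption: adb is on PATH and a device is attached):
#   flag_unknown_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
flag_unknown_services "$SAMPLE"
```

Any entry printed that the device owner did not knowingly enable is a candidate for immediate disabling and further analysis of the owning package.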
0x03 Summary and Suggestions
The AccessibilityService abuse has been analyzed above. The app uses "Wi-Fi signal enhancement" to entice users to enable Accessibility, and "view Wi-Fi password" to obtain root permission. Users are reminded to think carefully before enabling an AccessibilityService for an untrusted application, to avoid the device being controlled by a malicious application. Recently, popular red packet grabbing applications have also used AccessibilityService to grab red packets automatically, and we have found attackers using "automatic hongbao grabbing" to induce users to enable an AccessibilityService that controls their phones. We recommend that users download software only from trustworthy channels to avoid unnecessary losses.