With the explosive growth of the app market, marketing and promoting an application is becoming harder and harder, and "brush list" ranking manipulation (faking downloads to push an app up the store charts) is widely regarded as the best shortcut: in the short term it greatly inflates download and user counts and raises the application's exposure. Higher exposure drives a spike in downloads, and that surge in turn secures a top-ranked position. The domestic app ranking-manipulation market is steadily growing and has developed into a complete gray industry chain in which application developers and ranking-manipulation service providers form a tightly coupled structure.
Recently, Baidu Security Laboratory discovered a mobile zombie Trojan, "Brush List Guest", dedicated to malicious ranking manipulation. The Trojan is embedded in otherwise normal applications; once a user installs such an application, the user's device becomes a ranking-manipulation zombie. The workflow of the "Brush List Guest" mobile Trojan is as follows:
1. "Brush List Guest" requests Google account login information (account name and password) from the control server, and the control server returns a Google login account name and password.
2. Using the account name and password it received, "Brush List Guest" simulates the Google Play protocol to obtain login authorization.
3. After obtaining Google sign-in authorization, "Brush List Guest" requests ranking-manipulation instructions from the control server.
4. Following those instructions, "Brush List Guest" downloads the specified applications through Google Play in order to manipulate their rankings.
Users whose devices are infected with the "Brush List Guest" mobile Trojan are remotely controlled by the ranking-manipulation party to carry out malicious downloads, a process that consumes a large amount of mobile data. Judging from the control server information, the mobile Trojan was developed by domestic developers; because of domestic network restrictions, the Trojan does not target Chinese users.
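The four-step workflow above has a recognizable shape on the device side (credential fetch from a non-Play host, Play login with an account that is not the device owner's, task fetch, then a burst of downloads). The following Python script is an added example, not code from Baidu Security Laboratory or from the Trojan itself: it parses a constructed device event log in a format invented for this example (the host `c2.example.invalid`, the device ids, accounts and package names are all made up) and flags devices whose event sequence matches that workflow, then aggregates across flagged devices to surface the packages whose rankings are being brushed.

```python
"""
Detection heuristic for the ranking-manipulation ("brush list") workflow
described above. All log lines, hosts, device ids, accounts and package
names below are constructed for this example; the log format is an
assumption, not a real telemetry schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed device-side event log (one event per line).
# Fields: ISO timestamp, device id, event name, key=value details.
SAMPLE_LOG = """\
2016-03-01T10:00:01 dev=D1 event=enroll account=owner1@example.com
2016-03-01T10:05:00 dev=D1 event=account_fetch host=c2.example.invalid
2016-03-01T10:05:02 dev=D1 event=play_login account=bot17@example.com
2016-03-01T10:05:03 dev=D1 event=task_fetch host=c2.example.invalid
2016-03-01T10:05:10 dev=D1 event=play_download pkg=com.example.target
2016-03-01T10:05:20 dev=D1 event=play_download pkg=com.example.target2
2016-03-01T10:05:30 dev=D1 event=play_download pkg=com.example.target3
2016-03-01T10:06:00 dev=D1 event=play_download pkg=com.example.target4
2016-03-01T10:06:30 dev=D1 event=play_download pkg=com.example.target5
2016-03-01T11:00:00 dev=D2 event=enroll account=owner2@example.com
2016-03-01T11:00:05 dev=D2 event=play_login account=owner2@example.com
2016-03-01T11:00:10 dev=D2 event=play_download pkg=com.example.game
2016-03-01T12:00:00 dev=D3 event=enroll account=owner3@example.com
2016-03-01T12:00:05 dev=D3 event=account_fetch host=c2.example.invalid
2016-03-01T12:00:07 dev=D3 event=play_login account=bot42@example.com
2016-03-01T12:00:08 dev=D3 event=task_fetch host=c2.example.invalid
2016-03-01T12:00:15 dev=D3 event=play_download pkg=com.example.target
2016-03-01T12:00:25 dev=D3 event=play_download pkg=com.example.target2
2016-03-01T12:00:35 dev=D3 event=play_download pkg=com.example.target3
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def flag_devices(events, window=timedelta(minutes=10), min_downloads=3):
    """
    Return {device: [packages]} for devices whose events match the workflow:
    a credential fetch from a non-Play host, a Play login with an account
    other than the one enrolled on the device, a task fetch, and then at
    least `min_downloads` distinct package downloads, all inside `window`
    of the credential fetch. Ordinary use (D2) never matches because there
    is no credential fetch and the login account is the enrolled one.
    """
    by_dev = defaultdict(list)
    for ev in events:
        by_dev[ev["dev"]].append(ev)
    flagged = {}
    for dev, evs in by_dev.items():
        evs.sort(key=lambda e: e["ts"])
        enrolled = {e["account"] for e in evs if e["event"] == "enroll"}
        for i, ev in enumerate(evs):
            if ev["event"] != "account_fetch":
                continue
            deadline = ev["ts"] + window
            foreign_login = task = False
            pkgs = []
            for later in evs[i + 1:]:
                if later["ts"] > deadline:
                    break
                if later["event"] == "play_login" and later["account"] not in enrolled:
                    foreign_login = True
                elif later["event"] == "task_fetch":
                    task = True
                elif later["event"] == "play_download" and foreign_login and task:
                    if later["pkg"] not in pkgs:
                        pkgs.append(later["pkg"])
            if foreign_login and task and len(pkgs) >= min_downloads:
                flagged[dev] = pkgs
                break
    return flagged


def suspect_packages(flagged, min_devices=2):
    """Packages pulled by >= min_devices flagged devices: likely brushed apps."""
    count = defaultdict(int)
    for pkgs in flagged.values():
        for pkg in pkgs:
            count[pkg] += 1
    return sorted(pkg for pkg, n in count.items() if n >= min_devices)


if __name__ == "__main__":
    flagged = flag_devices(parse_log(SAMPLE_LOG))
    for dev, pkgs in flagged.items():
        print(f"{dev}: {len(pkgs)} downloads via foreign account -> {pkgs}")
    print("suspect packages:", suspect_packages(flagged))
```

The per-device check keys on the foreign account rather than on download volume alone, since a legitimate owner installing several apps in a row (device D2) should not trip it; the cross-device aggregation is what a store operator would run to find the apps being promoted, because each zombie only contributes a handful of downloads while the same package recurs across many infected devices.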
I. Analysis of the control server's functions
Accessing the command-and-control server leads directly to its management interface. The server provides the following features:
1. The "Delete and change user data" page allows viewing, modifying and deleting the Google account information stored on the server. The server currently holds tens of thousands of Google account names and passwords used for malicious ranking manipulation.
2. The "Add and delete search task data" page allows creating new ranking-manipulation tasks.
3. The "Import account" page allows bulk upload of Google account names and passwords, organized by country.
II. Analysis of the "Brush List Guest" mobile Trojan
1. Malicious code structure diagram
2. Malicious code analysis
Tapping the icon to launch the program immediately calls Task.init, which starts the ranking-manipulation code:
Task.init starts the TaskService service.
TaskService calls DMainTask.doWork, which invokes the specific ranking-manipulation logic.
DMainTask.doWork completes the retrieval of a Google account, the sign-in to Google Play, the retrieval of ranking-manipulation instructions and the download of the specified Google Play apps according to those instructions. The ranking-manipulation logic is as follows:
The normal app download request flow for Google Play is described here:
(https://github.com/egirault/googleplay-api/issues/30)
The "Brush List Guest" mobile Trojan simulates the above download flow at the protocol level in its own code to carry out malicious ranking manipulation on Google Play.
"Brush List Guest": a mobile Trojan for malicious Google Play ranking manipulation