Security issues after rooting an Android phone (2)

Source: Internet
Author: User

360 and Kingsoft Mobile Guard both have a feature that makes Android developers suffer: checking for advertisement notifications!
When an advertisement appears in the notification bar, you can run a check in 360, and it tells you which application posted the advertisement (this is not limited to advertising, of course: they get all notifications and then filter them). It then lets the user choose: do nothing; disable the notification (which in fact kills the process, so the whole application stops running); or uninstall the software.
 
Although I have never released an Android application, I know that if you make money from software, your income is already embarrassing. On top of that, these fucking programs provide these fucking features... Ah.
If you don't like paid software, we will be free of charge. If you click a little advertisement to support the head office, you will put it there. (Of course, some software can launch advertisements without any play)
 
Enough rambling; let's take a look at how this so-called anti-virus software deals with everyone.
The key point is actually a single line of code... which may disappoint everyone.
Shell code
adb shell dumpsys notification
For example, the output is:
Log Code
Current Notification Manager state:
  Notification List:
    NotificationRecord{41453c70 pkg=com.zdworks.android.toolbox id=7f090092 tag=null pri=0}
      icon=0x0 / <name unknown>
      contentIntent=null
      deleteIntent=null
      tickerText=null
      contentView=null
      defaults=0x0
      flags=0x62
      sound=null
      vibrate=null
      ledARGB=0x0 ledOnMS=0 ledOffMS=0
    NotificationRecord{export F48E8 pkg=com.zdworks.android.toolbox id=7f090080 tag=null pri=100}
      icon=0x7f0200fd / com.zdworks.android.toolbox:drawable/barttery_policy_icon
      contentIntent=PendingIntent{41949028: PendingIntentRecord{412e3c20 com.zdworks.android.toolbox startActivity}}
      deleteIntent=null
      tickerText=power prompt
      contentView=android.widget.RemoteViews@416e7b90
      defaults=0x0
      flags=0x22
      sound=null
      vibrate=null
      ledARGB=0x0 ledOnMS=0 ledOffMS=0
    NotificationRecord{416db3e0 pkg=android id=1040414 tag=null pri=100}
      icon=0x10804f5 / android:drawable/stat_sys_adb
      contentIntent=PendingIntent{41275de8: PendingIntentRecord{416dade8 android startActivity}}
      deleteIntent=null
      tickerText=USB debugging connected
      contentView=android.widget.RemoteViews@416daf40
      defaults=0x0
      flags=0x2
      sound=null
      vibrate=null
      ledARGB=0x0 ledOnMS=0 ledOffMS=0
    NotificationRecord{export 90de8 pkg=com.htc.android.psclient id=7f020010 tag=null pri=100}
      icon=0x7f020010 / com.htc.android.psclient:drawable/usb_to_pc_policy
      contentIntent=PendingIntent{416c3e38: PendingIntentRecord{rjbc968 com.htc.android.psclient startActivity}}
      deleteIntent=null
      tickerText=null
      contentView=android.widget.RemoteViews@4169d128
      defaults=0x0
      flags=0x2
      sound=null
      vibrate=null
      ledARGB=0x0 ledOnMS=0 ledOffMS=0

  mSoundNotification=null
  mSound=com.android.server.NotificationPlayer@413e73b8
  mVibrateNotification=null
  mDisabledNotifications=0x0
  mSystemReady=true
Now everyone knows. It's that easy.
The rest is simple:
1. Find a way to obtain this log.
2. Extract the package names.
3. Filter them against the blacklist and whitelist in the database.
4. Your application is probably on the blacklist, and the end result is that its process is killed.
(Steps 3 and 4 are not described here; only steps 1 and 2 are.)
 
Java code
// Needs: java.io.BufferedReader, java.io.DataOutputStream, java.io.InputStreamReader,
// java.util.ArrayList, java.util.List, java.util.regex.Matcher, java.util.regex.Pattern,
// android.util.Log, android.view.View, android.widget.Button.
// testButton and TAG are fields of the enclosing Activity.
testButton = (Button) findViewById(R.id.exec);
testButton.setOnClickListener(new View.OnClickListener() {
    public void onClick(View v) {
        String[] commands = {"dumpsys notification"};
        Process process = null;
        DataOutputStream dataOutputStream = null;

        try {
            // Start a root shell and feed it the commands on stdin.
            process = Runtime.getRuntime().exec("su");
            dataOutputStream = new DataOutputStream(process.getOutputStream());
            int length = commands.length;
            for (int i = 0; i < length; i++) {
                Log.e(TAG, "commands[" + i + "]:" + commands[i]);
                dataOutputStream.writeBytes(commands[i] + "\n");
            }
            dataOutputStream.writeBytes("exit\n");
            dataOutputStream.flush();

            BufferedReader reader = null;
            reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
            String line = "";
            List<String> lineList = new ArrayList<String>();
            final StringBuilder log = new StringBuilder();
            String separator = System.getProperty("line.separator");
            Pattern pattern = Pattern.compile("pkg=[^\\s]+");
            while ((line = reader.readLine()) != null) {
                // Only the NotificationRecord header lines carry the package name.
                if (line != null && line.trim().startsWith("NotificationRecord")) {
                    Matcher matcher = pattern.matcher(line);
                    if (matcher.find()) {
                        lineList.add(matcher.group());
                    } else {
                        Log.e(TAG, "what's this?!");
                    }
                }

                log.append(line);
                log.append(separator);
            }
            // Wait only after stdout has been drained; waiting first can
            // block forever once the pipe buffer fills up.
            process.waitFor();
            Log.v(TAG, "log:" + log.toString());

            int size = lineList.size();
            for (int i = 0; i < size; i++) {
                Log.i(TAG, "app:" + lineList.get(i));
            }
        } catch (Exception e) {
            Log.e(TAG, "copy fail", e);
        } finally {
            try {
                if (dataOutputStream != null) {
                    dataOutputStream.close();
                }
                if (process != null) {
                    process.destroy();
                }
            } catch (Exception e) {
            }
        }
        Log.v(TAG, "finish");
    }
});
}
There is nothing technically sophisticated in the code above, so readers may find it laughable.
To explain it in order:
First, run the dumpsys notification command, as already shown in the code above.
Then the output is read line by line through process.getInputStream(). Here we only care about log lines like this one:
Log Code
NotificationRecord{40dacad8 pkg=com.htc.android.psclient id=7f020010 tag=null pri=100}
Then extract the package name.
A regular expression is used to extract the package name. If you want to learn about regular expressions, you can refer to my regular expression tutorial, "Getting started with regular expressions (Java)".
 
The execution result here is (it seems that one application has posted two notifications):
Log Code
app:pkg=com.zdworks.android.toolbox
app:pkg=com.zdworks.android.toolbox
app:pkg=android
app:pkg=com.htc.android.psclient
The remaining work is to display the list to the user and let the user choose.
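The steps above can also be reproduced on a workstation against saved `adb shell dumpsys notification` output. The Python below is an added example, not code from the original post or from either product: it parses each NotificationRecord with its fields, decodes the flags value, and groups the results by package after an allowlist filter (step 3). It goes slightly beyond the post by decoding flags; the function names, the allowlist and the sample dump are assumptions, and the flag names are the android.app.Notification constants.

```python
import re

# Flag bits from android.app.Notification (Android SDK constants).
FLAGS = {0x02: "ONGOING_EVENT", 0x10: "AUTO_CANCEL", 0x20: "NO_CLEAR", 0x40: "FOREGROUND_SERVICE"}
RECORD = re.compile(r"NotificationRecord\{\S+ pkg=(\S+) id=(\S+)")
FIELD = re.compile(r"^\s+(\w+)=(.*)$")

# Constructed sample in the dump format shown above (addresses are made up).
SAMPLE = """\
Current Notification Manager state:
  Notification List:
    NotificationRecord{41453c70 pkg=com.zdworks.android.toolbox id=7f090092 tag=null pri=0}
      flags=0x62
    NotificationRecord{41453d00 pkg=com.zdworks.android.toolbox id=7f090080 tag=null pri=100}
      tickerText=power prompt
      flags=0x22
    NotificationRecord{416db3e0 pkg=android id=1040414 tag=null pri=100}
      flags=0x2

  mSystemReady=true
"""

def parse_notifications(dump):
    """Return one dict per NotificationRecord, including its indented fields."""
    records, current = [], None
    for line in dump.splitlines():
        m = RECORD.search(line)
        if m:
            current = {"pkg": m.group(1), "id": m.group(2)}
            records.append(current)
        elif not line.strip():
            current = None  # blank line ends the list; service-level fields follow
        elif current is not None and (f := FIELD.match(line)):
            current[f.group(1)] = f.group(2).strip()
    return records

def decode_flags(value):
    """Translate the hex flags field into the names of the bits that are set."""
    bits = int(value, 16)
    return [name for bit, name in sorted(FLAGS.items()) if bits & bit]

def summarize(dump, allowlist=("android",)):
    """Group notifications by package, skipping allowlisted packages (step 3)."""
    summary = {}
    for rec in parse_notifications(dump):
        if rec["pkg"] not in allowlist:
            summary.setdefault(rec["pkg"], []).append(
                (rec["id"], decode_flags(rec.get("flags", "0x0"))))
    return summary
```

Grouping by package also explains the duplicate entry in the result above: the toolbox application holds two notifications, one of them attached to a foreground service (flags=0x62).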
Since 360 can do this, why can't viruses? A malicious fake.apk can install the application real.apk in the middle of the night. Several seconds later, fake.apk performs the operations above, finds 360, and kills it! Great!
If you are interested, you can decompile Kingsoft (Jinshan) and 360. They basically do this. I found that 360 is poor. As for why, discover it for yourself.
 
