Malware developed with Mono for Android

Source: Internet
Author: User
Tags: log
<span id="Label3"><p><strong>The AVL Mobile security team recently discovered a malicious app developed with Mono for Android. Besides being written in C#, it also bundles a Lua environment and executes malicious Lua scripts.</strong></p>
<p><strong>About Mono for Android</strong></p>
<p>Launched by Novell, Mono for Android was the industry's first solution for developing Microsoft .NET applications for the Android platform from Microsoft Visual Studio; using C# syntax, a developer can target both Android and iOS.</p>
<p>Mono for Android consists of the Mono core runtime, bindings for the native Android application interfaces, a Visual Studio plug-in for developing Android applications, and a software development kit containing the tools required to build, debug, and deploy an application.</p>
<p>The Mono framework plugs into Visual Studio and is built on a virtual machine that executes software written for the framework. This virtual machine environment, the CLR (Common Language Runtime), is responsible for security, memory management, program execution, and exception handling.</p>
<p>Source code written for the .NET framework, whether in Visual Basic or C#, is first compiled into an intermediate language called MSIL. This first compilation is performed by the language-specific compiler (Visual Studio or another build tool). Executing the application then involves a second compilation, which takes the intermediate language and compiles it into executable code that can run on the operating system. This second step is called JIT (just-in-time) compilation, and it is the reason a Mono runtime has to ship with the released application.</p>
<p>Mono for Android is both a runtime and a development stack that lets .NET developers use their existing Visual Studio and C# knowledge to build applications for Android-based devices.</p>
<p><strong>Runtime:</strong></p>
<p>The Mono for Android runtime is an application running on the Linux kernel of the Android stack. It is responsible for executing the Mono byte code and communicating with the Dalvik runtime to invoke the native Android API.</p>
<p><strong>Development stack:</strong></p>
<p>Mono for Android is also a development stack that provides the tools needed to create and package Android device applications.</p>
<p><strong>Lua on Android</strong></p>
<p>Prerequisites for writing and running Lua scripts on an Android phone:</p>
<p>1. Load a Lua script parsing engine.</p>
<p>2. Invoke the engine's interface through the native API.</p>
<p>Calling the Lua engine interface directly through JNI is cumbersome; the open-source projects AndroLua and LuaJava wrap these JNI interfaces nicely.<br>AndroLua is a Lua interpreter for the Android platform that bundles LuaJava, which provides a set of Java interfaces mapped onto the Lua C implementation. For more information, refer to "Android malware that executes Lua scripts".</p>
<p><strong>Mono for Android malware analysis</strong></p>
<p><strong>1. Analysis of the malicious APK file</strong></p>
<p>The main program structure is as follows:</p>
<p>(figure omitted)</p>
<p>The core code of the four classes above corresponds to the main function in the native method:</p>
<p>(figure omitted)</p>
<p><strong>AndroidManifest overview</strong><br>The manifest mainly declares the following functionality: an SMS receiver and a receiver that monitors the boot state, together with permissions to read, write and receive text messages.</p>
<p>The Mono plug-in compiles the main code into DLL assemblies, which in this sample are packaged inside the native .so library and were dumped dynamically with IDA. Apart from the five files present before packaging, the dumped assemblies are, in order, "Xamarin.Mobile.dll", "z_vfs_android.dll", "KopiLua_Android.dll", "NLua_Android.dll" and "z-core.dll". The first two belong to the Mono runtime library, the next two are the dependencies that provide Lua scripting, and "z-core.dll" holds the core program code.</p>
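<p>The assembly list above is also what an analyst looks for when triaging an unknown APK: a Mono/Xamarin native runtime library, managed assemblies that provide a Lua virtual machine (KopiLua, NLua), an application assembly that is not part of Mono or Xamarin, and UTF-16 string constants inside it naming .lua payloads. The following Python script is an added example and is not code from the AVL report or from the malware; the APK it inspects is constructed in memory with placeholder contents, and only the entry names are modelled on the report. The assumption that assemblies sit uncompressed under assemblies/ holds for Mono for Android builds of this era.</p>

```python
"""Triage an APK for Mono for Android (Xamarin) plus embedded Lua scripting.

Added example, not code from the AVL report.  The sample APK built by
build_sample_apk() is constructed in memory; only the indicator names
(libmonodroid.so, KopiLua/NLua assemblies, z-core.dll) follow the report.
"""
import io
import re
import zipfile

PE_MAGIC = b"MZ"                       # managed assemblies are PE images
MONO_NATIVE = ("libmonodroid.so", "libmonosgen-2.0.so")
LUA_ASSEMBLIES = ("kopilua", "nlua")   # substrings of assembly file names
FRAMEWORK_PREFIXES = ("mono.", "xamarin.", "system.", "mscorlib")

# C# string literals live in the #US heap as UTF-16LE; this finds any
# printable run of 3+ characters followed by ".lua" in that encoding.
_LUA_NAME = re.compile(rb"(?:[\x20-\x7e]\x00){3,}\.\x00l\x00u\x00a\x00")


def triage_apk(apk_bytes):
    """Return a dict of Mono/Lua indicators found in the APK bytes."""
    report = {
        "mono_runtime": False,
        "assemblies": [],      # every managed assembly shipped in the APK
        "lua_assemblies": [],  # assemblies that provide a Lua VM
        "app_assemblies": [],  # assemblies that are neither framework nor Lua
        "lua_strings": [],     # .lua payload names referenced from managed code
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            base = lower.rsplit("/", 1)[-1]
            if base in MONO_NATIVE:
                report["mono_runtime"] = True
            if not (lower.startswith("assemblies/") and lower.endswith(".dll")):
                continue
            report["assemblies"].append(base)
            data = zf.read(info.filename)
            if not data.startswith(PE_MAGIC):
                continue   # not a plain PE image (e.g. compressed); skip scan
            if any(key in base for key in LUA_ASSEMBLIES):
                report["lua_assemblies"].append(base)
            elif not base.startswith(FRAMEWORK_PREFIXES):
                report["app_assemblies"].append(base)
            for m in _LUA_NAME.finditer(data):
                report["lua_strings"].append(m.group().decode("utf-16-le"))
    return report


def is_mono_lua_dropper(report):
    """True when the runtime, a Lua VM and Lua payload names are all present."""
    return bool(report["mono_runtime"] and report["lua_assemblies"]
                and report["lua_strings"])


def build_sample_apk():
    """Construct an APK skeleton with the layout the report describes.

    All contents are placeholders (a bare DOS header, a fake ELF magic);
    nothing here is taken from the real sample.
    """
    pe_stub = PE_MAGIC + b"\x00" * 62
    zcore = (pe_stub
             + "bootscript.lua".encode("utf-16-le") + b"\x00\x00"
             + "sms.lua".encode("utf-16-le") + b"\x00\x00")
    entries = {
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00",
        "lib/armeabi-v7a/libmonodroid.so": b"\x7fELF",
        "assemblies/Mono.Android.dll": pe_stub,
        "assemblies/Xamarin.Mobile.dll": pe_stub,
        "assemblies/KopiLua_Android.dll": pe_stub,
        "assemblies/NLua_Android.dll": pe_stub,
        "assemblies/z-core.dll": zcore,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "Mono+Lua dropper" if is_mono_lua_dropper(result) else "clean")
```

<p>On a real file call <code>triage_apk(open("sample.apk", "rb").read())</code>. Assemblies that do not start with the MZ header are skipped rather than scanned; newer Xamarin.Android builds store assemblies LZ4-compressed (an "XALZ" header) or inside an assembly blob, so for those the scanner must be extended to decompress before looking for strings.</p>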
The Z-core.dll file is analyzed in detail below.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>second, DLL File Analysis</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">The Z-core.dll file tree looks like this:</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>detailed Analysis:</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>class Onboothandler->onreceive</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, 
sans-serif;background-color:#FFFFFF;"><strong>overview: Network Download malicious LUA script files, and execute LUA script files, during and server communication upload user mobile phone number, IMEI and other device information, according to the server instructions to send text messages, intercept text messages, upload Bank text messages, upload inbox, user location Information. </strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">The program performs the following behavior:</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">1 Create the Zcore.txt file on the SD card and write the "Set start date time" and the current timing information, also recorded in the "me" file in Sharedpreferences.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">2 Dynamic Registration SMS receiver Smsreciver.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">3 Register Scriptloader to load the Luascript script.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, 
‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">4 when the Register function is executed, AES encrypts the phone IMEI and writes to the Bootscript.lua file according to the returned Data.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">5 and remote server communication to download/upload LUA file data operations.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">Communicate with the server via the above URL and write data to the "bootscript.lua" file:</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, 
sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>class smsreciever->-> Onreceiver</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">According to the instructions, the malware has the act of intercepting text messages, sending text messages, and uploading bank Messages.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">The following is the "sms.lua" script file Onsms function, The program will first upload the received SMS through the Netclient.run method, and will also upload the specified number content, including "900″," alfa-bank "," TCS Bank "," Mts-bank "," 7494″, "000100″, Many of which are Russian banks, may cause a certain loss of property to Users.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino 
sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>class Mainactivity->oncreate</strong><br>After starting the Runservice service, hide the icon and exit the program after 1 SECONDS.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>three, LUA Scripting Analysis</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">The malware generates some Lua script files in the data/data corresponding directory:</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p 
style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">Lua scripts are hosted in C # code in this malware, where the program provides a Kopilua virtual machine, and LUA files are all running on This. The boot information in the Bootscript.lua file is as Follows:</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">The above functions are loaded into the relevant LUA file via the LUA engine (loadscript function), which in turn calls taskprocessor.lua, sms.lua, echo.lua, teleinfo.lua, geo.lua, Functions in contacts.lua, Scripteval.lua.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>The following LUA files are analyzed in Turn:</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>1, Taskprocessor.lua</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, 
sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">The code does a network operation and writes the data to the log log File.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>2, Sms.lua</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">When executing the Ontask method, The program reads the data to callback the Sendsms function in C # to send the SMS operation, then sends the message to the server via the network and adds the specified number to the Blockedlist.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, 
sans-serif;background-color:#FFFFFF;"><strong>3, Echo.lua</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">This file defines an abusive message.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>4, Teleinfo.lua</strong></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">Get device information for your phone, including Android version, IMEI, phone number, carrier, country, and More.</p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"></p></p> <p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft 
<strong></strong></p></p>">
YaHei‘, sans-serif;background-color:#FFFFFF;"><strong></strong></p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>5, Geo.lua</strong></p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">Uploads the user's location information.</p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>6, Contacts.lua</strong></p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">The main function of this file is to collect the user's contact information and upload it.</p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">It calls the Getcontacts function to upload the user's contact information.</p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>7, Scripteval.lua</strong></p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">Uploads the user's UUID information.</p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">In addition to the Lua objects listed above, the program also downloads a further Lua object file, "chunk.lua", when the remote server issues the corresponding instruction, but that URL is currently inactive.</p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">The program also collects the user's inbox information.</p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><strong>Security Analysis Summary</strong></p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">After it runs, the program hides its icon, communicates with a designated server in the background, downloads the malicious Lua script files and invokes them through C# callbacks. In the course of this it performs the following malicious behaviour: it uploads the user's mobile phone number, IMEI and other device information; on the server's instructions it sends and intercepts text messages; and it uploads bank messages, the inbox and the user's location information, causing serious privacy leaks and financial loss to users.</p></p>
<p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;"><p style="font-size:14px;color:#4E4E4E;font-family:‘Lucida Grande‘, ‘Hiragino sans GB‘, ‘Microsoft YaHei‘, sans-serif;background-color:#FFFFFF;">Judging from the website, the bank information and other clues, the program is thought to originate from Russian hackers. The program does not write its sensitive behaviour directly into the C# code; instead the important data is handled through Lua script function callbacks that upload the user's private data, so when the device is not networked the program poses no threat.</p></p></span>
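A defender-side triage heuristic for the architecture described above (a Mono for Android host that ships Lua scripts to collect personal data and upload it), as an added example that is not the malware's code or the AVL team's tooling; the assemblies/ layout, the constructed sample APK and the keyword lists are assumptions.

```python
"""Triage heuristic for APKs built with Mono for Android that bundle Lua.
Added example, not the malware's code or the AVL team's tooling. It assumes
the Mono for Android (Xamarin) layout, where .NET assemblies sit under
assemblies/ inside the APK, and treats any bundled .lua file as worth a
closer look. Keyword lists are constructed heuristics, not signatures.
"""
import io
import re
import zipfile

# Capability keywords for the script roles described in the analysis
# (location, contacts, device id, SMS, network upload). Matching is
# deliberately loose (substring, case-insensitive) so GetContacts() hits.
CAPABILITIES = {
    "location": re.compile(r"gps|geo|location|latitude|longitude", re.I),
    "contacts": re.compile(r"contacts?|phonebook", re.I),
    "device_id": re.compile(r"imei|uuid|deviceid", re.I),
    "sms": re.compile(r"sms|inbox|sendtextmessage", re.I),
    "upload": re.compile(r"http|post|upload|url", re.I),
}


def triage_apk(apk_bytes):
    """Return a report dict for an APK supplied as bytes."""
    report = {"mono": False, "lua_scripts": {}, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.startswith("assemblies/") and lower.endswith(".dll"):
                report["mono"] = True          # managed (.NET) code present
            elif lower.endswith(".lua"):
                text = z.read(name).decode("utf-8", errors="replace")
                report["lua_scripts"][name] = sorted(
                    cap for cap, rx in CAPABILITIES.items() if rx.search(text))
    # A Mono app whose Lua touches personal data *and* the network is the
    # combination this family relies on; flag it for manual review.
    for caps in report["lua_scripts"].values():
        if report["mono"] and "upload" in caps and len(caps) > 1:
            report["suspicious"] = True
    return report


def build_sample_apk():
    """Constructed sample APK (a plain zip) mimicking the described layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assemblies/Mono.Android.dll", b"MZ placeholder")
        z.writestr("assets/Geo.lua", "loc = getLocation()\nhttp.post(url, loc)\n")
        z.writestr("assets/Contacts.lua", "c = GetContacts()\nupload(c)\n")
    return buf.getvalue()
```

Run `triage_apk(build_sample_apk())` to see the report; on a real sample, pass the APK's bytes instead.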