Virus analysis report: "Eavesdropping Ghost"
I. Introduction
Baidu's security lab has discovered a virus named "Eavesdropping Ghost". It is eavesdropping spyware that monitors the victim's privacy as follows: the attacker obtains an initial password through QQ Space, installs the spyware on the monitored party's phone, logs in with the initial password and leaves the software running in the background. The monitoring party then sends various SMS commands; the spyware replies by SMS with the phone's geographic location, text messages and call records, forces the monitored phone to call the monitoring party back, and remotely takes photos and emails them to the monitoring party, leaking the victim's privacy.
II. Detailed virus analysis
1. Malicious behaviors
The initial password is bound to the phone's IMEI number. The attacker posts the phone's IMEI as a reply in the QQ Space of QQ number 115099935; that QQ account computes the initial password from the IMEI and replies with it. The attacker then installs the spyware on the monitored phone and logs in with the initial password. After logging in, the attacker can change the initial password and the email address that receives the photos, and then send various SMS commands to the monitored phone. On receiving a command, the spyware parses it and, depending on its content, replies by SMS with the geographic location, text messages or call records, forces the monitored phone to call the monitoring party back, or remotely takes a photo and sends it to the attacker's mailbox.
2. Sensitive phone permissions registered in the Manifest
Figure 1
3. Malicious code structure
Figure 2
4. Detailed analysis of malicious behaviors
(1) Obtaining the initial password and installing the spyware:
The initial password is obtained from the QQ Space of QQ user 115099935, after which the spyware is installed. The initial password on the login screen is bound to the phone's IMEI number: replying with the IMEI in the QQ Space of QQ number 115099935 yields the initial password returned by that user. The QQ Space log also shows the network drive hosting the virus APK.
The virus APK is installed on the phone and, after startup, the initial password is used to log in. The code also contains the algorithm that derives the initial password; login succeeds only after the password passes this check.
The following shows the initial password obtained from QQ Space:
Figure 3 Obtaining the initial password from QQ Space
Figure 4 Login page
(2) After login, the initial password and the email address of the photo recipient can be changed.
Figure 5 Modifying the email address and the dynamic password
(3) Description of the malicious functions implemented by the virus and the corresponding code
In the following, phone A is an Android phone on which the virus APK is installed, and phone B is any other phone (one that can send text messages).
SMS command function analysis:
Each SMS command corresponds to one type of private data. Phone B sends different SMS commands to phone A; phone A receives and parses them and, depending on the command content, steals the corresponding private information. Phone A then either replies to phone B by SMS with that data or sends it over the network by email.
Function 1: B sends "bgdxxxxx" to A (where xxxx is the user's password in the software, which can be changed by the user). A automatically sends its last seven text messages, including the sending and receiving numbers, time and content, to B.
Figure 6 Filtering the SMS command
The stolen text messages are sent to the monitoring party. At the same time, they can also be sent to a phone number specified by the virus developer, so that the private data leaks to both the monitoring party and the virus developer.
Figure 7 Sending the stolen text messages to the monitoring party via SMS
Stealing the private data and sending it to the monitoring party by SMS
Figure 8 Sending a text message to the monitoring party
Function 2: B sends "bgthxxxx" to A (where xxxx is the user's password in the software, which can be changed by the user). A automatically sends its last seven call records, including the number and the time of each call, to B.
Figure 9 Filtering the call record command
Figure 10 Sending the call records to the monitoring party via SMS
Function 3: B sends "bgwzxxxx" to A (where xxxx is the user's password in the software, which can be changed by the user). A automatically sends B a Google Maps link built from its longitude and latitude, together with its location.
Figure 11 Filtering the location command
Figure 12 Sending the location to the monitoring party via SMS
Function 4: B sends "dwdhxxxx" to A (where xxxx is the user's password in the software, which can be changed by the user). A automatically calls B back.
Figure 13 Filtering the dial command
Figure 14 Calling the monitoring party back
Function 5: While A is on the software's login screen (this screen keeps the phone from locking), B sends "gwpzxxxx" to A (where xxxx is the user's password in the software, which can be changed by the user). A automatically takes a photo and sends it to the configured email address.
Figure 15 Filtering the photo command
Figure 16 Taking the photo
Figure 17 Uploading the photo to the specified email address
Email address: the photo is sent from androidghost001@gmail.com to the recipient address that the monitoring party configured for receiving photos:
Figure 18 Email address used to send the photo
The stolen photo as received on the attacker's side:
Figure 19 Details of the sent email
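As an added detection example (not code from the report or from the spyware), the five SMS command prefixes above can be matched against an SMS log to flag control messages sent to an infected phone. The log format, phone numbers and password are constructed for the demonstration, and the password is assumed to be alphanumeric and appended directly to the prefix.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# SMS control commands described in the report: a 4-letter prefix followed by the password.
COMMANDS = {
    "bgdx": "reply with the last seven SMS messages",
    "bgth": "reply with the last seven call records",
    "bgwz": "reply with a Google Maps link to the current location",
    "dwdh": "silently call the sender back",
    "gwpz": "take a photo and email it to the configured address",
}

# Assumption: the password is one or more alphanumeric characters appended directly
# to the prefix and the message body contains nothing else.
_CMD_RE = re.compile(r"^(bgdx|bgth|bgwz|dwdh|gwpz)([A-Za-z0-9]+)$")

class Hit(NamedTuple):
    sender: str
    command: str
    action: str
    password: str

def parse_command(body: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, password) if the SMS body is an Eavesdropping Ghost command."""
    m = _CMD_RE.match(body.strip())
    return (m.group(1), m.group(2)) if m else None

def scan_sms_log(lines: List[str]) -> List[Hit]:
    """Flag control commands in 'sender|body' log lines (constructed format)."""
    hits = []
    for line in lines:
        sender, _, body = line.partition("|")
        parsed = parse_command(body)
        if parsed:
            prefix, password = parsed
            hits.append(Hit(sender.strip(), prefix, COMMANDS[prefix], password))
    return hits

# Constructed sample log; numbers and password are invented for the demonstration.
SAMPLE_LOG = [
    "+15550001111|bgdx1234",        # request the last seven SMS messages
    "+15550002222|see you at 6",    # benign message
    "+15550001111|gwpz1234",        # remote photo
    "+15550001111|bgdx",            # prefix without a password: not a command
    "+15550001111|dwdh1234",        # force a callback
]

if __name__ == "__main__":
    for hit in scan_sms_log(SAMPLE_LOG):
        print(f"{hit.sender} sent {hit.command!r}: {hit.action}")
```

A single sender issuing several of these commands in a short window, as in the sample log, is the pattern worth alerting on rather than any one message.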