Android is used more and more widely. Compared with traditional PC operating systems, Android has its own characteristics. On the one hand, Android runs on mobile terminals: phones are carried by people everywhere and are also the main means of communication, so far more personal privacy can be obtained through a phone. On the other hand, Android does not run on servers, and Android devices connect to the Internet through 3G, so traditional IDS has far less effect on Android Trojans.
This article describes future Android Trojan technology from perspectives that differ from the traditional Trojan perspective.
1. Infection
Android does not run on servers, which means an Android device does not need an independent IP address. Direct attacks on Android are therefore only possible on a LAN: Android devices connect only to wireless routers and are invisible from outside the router, so direct attacks (remote overflows, spoofing, etc.) on Android devices are unlikely.
However, as Android becomes more popular its network traffic keeps growing; that is, users are more and more likely to access the Internet through Android. Future attacks on Android should therefore lean toward web-page Trojans. The other essential ingredient of a web-page Trojan is a vulnerability: if the browser has no vulnerability, the Trojan cannot be delivered. Android vulnerability mining is still immature, the security of the Android virtual machine is also good, and the likelihood of vulnerabilities in Android browsers is small. Of course, the other route is to trick users into installing the Trojan themselves. The Android software market is currently chaotic and security review is not strict; at present most Android Trojans are spread through markets or forums that induce users to install them manually.
2. Elevation of Privilege
Applications on Android and other mobile operating systems run with low privileges. Although many Android devices are rooted, a Trojan that wants the widest coverage still needs its own elevation-of-privilege capability, which depends heavily on the emergence of elevation-of-privilege vulnerabilities. Such vulnerabilities are as precious and powerful as jailbreak vulnerabilities on iOS.
3. Running Mode
In my previous article I discussed that Android security software can run at three levels: Java, native C, and the kernel; the same malicious code can also run on these three layers. Currently most Android Trojans run at the Java layer. They look like ordinary apps but implement malicious features such as stealing the user's private data. However, the Android BootKit that appeared some time ago is indeed eye-catching. This BootKit should be running at the native C level, and once it has obtained root it does not need to obtain root again after a reboot. These points are discussed below.
4. Self-starting
Auto-start plays a major role in Trojans. With auto-start, the code not only runs automatically every time, but if it starts early enough it can also hold root privileges and eliminate other security software.
One way is to hijack native C-level components such as .so libraries; the Android BootKit mentioned above starts itself this way. Because it hijacks a system .so, the BootKit gains the CPU before the system has fully started, so it already has root privileges at run time and can execute binaries to carry out its malicious functions.
Going further, one can boldly imagine an even more powerful BootKit. Phones also have a Bootloader, which corresponds to the BIOS of an ordinary PC. The Bootloaders of a few phones have already been cracked, for example the HTC HD2, which originally ran Windows Mobile; after the Bootloader was cracked it could boot Android, WP7, WM, MeeGo, or even Linux. If the Bootloader were infected with self-starting code, malicious code could run before Android starts, Android itself could be infected in advance, and the rootkit would end up running at the kernel layer. A further advantage is that the malicious code is not erased even if the user re-flashes the device: unless the user re-flashes the Bootloader, the malicious code persists. A similar technique has been used on ordinary PCs to implement BootKits, such as infecting the BIOS or other code that executes before the operating system loads.
5. Hide
A Java-layer Trojan can hide simply by running as a Service and starting itself through a BroadcastReceiver, which is presumably how most Android Trojans are implemented.
A kernel-layer Trojan can be hidden with the hiding techniques that existing Linux Trojans already use.
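The self-start and Java-layer hiding pattern described in sections 4 and 5 (a boot-triggered BroadcastReceiver plus a background Service, with nothing visible in the app drawer) leaves fingerprints in AndroidManifest.xml. The following is an added defender's example, not code from the original post: it parses a constructed sample manifest and reports those indicators so an analyst can triage a sideloaded APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed sample manifest (not from any real app): a boot-started
# Service and no launcher activity, so nothing appears in the app drawer.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Sample">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".BgService"/>
  </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Collect persistence and hiding indicators from a decoded manifest."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS  # android:name in Clark notation
    app = root.find("application")
    boot_receivers, services, has_launcher = [], [], False
    if app is not None:
        for recv in app.findall("receiver"):
            actions = [a.get(name_attr) for a in recv.iter("action")]
            if BOOT_ACTION in actions:
                boot_receivers.append(recv.get(name_attr))
        services = [s.get(name_attr) for s in app.findall("service")]
        for act in app.findall("activity"):
            if any(c.get(name_attr) == LAUNCHER_CATEGORY for c in act.iter("category")):
                has_launcher = True  # user can see and open the app
    perms = [p.get(name_attr) for p in root.findall("uses-permission")]
    return {
        "boot_permission": BOOT_PERMISSION in perms,
        "boot_receivers": boot_receivers,
        "services": services,
        "has_launcher": has_launcher,
    }


def is_hidden_autostart(report):
    """Boot-started Service with no visible activity: the pattern from the text."""
    return bool(report["boot_permission"] and report["boot_receivers"]
                and report["services"] and not report["has_launcher"])
```

Run it on the manifest pulled from an APK (for example via apktool) rather than the binary AXML, which this parser does not decode.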
6. Communication
Trojans on PCs currently communicate in a variety of ways, mainly to escape IDS inspection. Most of the ideas disguise the traffic as some other normal protocol, or even as a protocol that is not ordinarily used for communication at all, such as ICMP.
Communication on the Android platform should be implemented much as it is on the PC platform.
The above is my "delusion" about Android Trojans. My level is limited and there are many imperfections; some of it is inevitably naive, and I hope readers will understand.