Shou Jiao Dance. 2015/09/22 15:27
This trojan spreads by SMS to the victim's contacts, using lures such as "Look what you're doing" to get them to install it.
Start the analysis with the trojan's manifest. From the SMS, contacts and network permissions it requests, this is basically an SMS-interception trojan. Nothing new on the surface, but a few details turn up that have not been described before; whoever wrote this trojan clearly put some thought into it.
The first is the installLocation attribute.
android:installLocation="internalOnly"
This attribute prevents the trojan from being installed on the SD card. If the app were installed on external storage instead of the phone's internal storage, it would lose the following capabilities, crippling the trojan:
- The system sends ACTION_BOOT_COMPLETED before external storage is mounted, so the app would never receive the boot broadcast.
- DeviceAdminReceiver stops working (it can no longer activate device administrator to block uninstallation).
- Services stop working properly: they are killed when the storage is unmounted and cannot be restarted (no persistent background execution).
- Alarms registered with the Alarm Service are cancelled (one entry point fewer).
The second interesting point is excludeFromRecents on the Activity tag.
android:excludeFromRecents="false"
The intent here is to keep the trojan out of the recent-apps list, where an ordinary user would be less likely to notice it. Note, though, that "false" is the platform default and does not exclude the activity from Recents at all; only "true" does. The hiding therefore really comes from the code, which disables the Activity after it has run (see the main Activity below).
The third feature is the random-string package name.
package="tjkxyfmjhvdg.oprbrvvgeevv.uxqjjuqxympd"
Across the several samples I collected, the package name is a different random string each time while the code and the signing certificate are identical. It is presumably generated automatically by the build tooling, most likely to evade antivirus products that key on the package name.
1. The main Activity, which disables itself after the user taps it once
<activity android:excludeFromRecents="false" android:label="@string/app_name" android:name="com.phone.stop.activity.MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
Its functions:
- Disables the main Activity component to hide the launcher icon
- Activates device administrator to block uninstallation
- Sends an SMS to the operator reporting that the victim's phone (the "bot") is online
- Asynchronously emails the victim's logs and text messages
- Starts the background service that monitors SMS in real time
The main functions of the Service are:
- Dynamically registers the SMS broadcast receiver and the SMS content observer
- Restarts itself after onDestroy()
- Checks whether the trojan has expired (this strongly suggests the trojan was bought from its author and ships with an expiry date)
Other entry points:
2. Boot-completed broadcast
3. Network-connectivity-change broadcast
4. SMS-received broadcast
<receiver android:name="com.phone.stop.receiver.BootReceiver">
<intent-filter android:priority="2147483647">
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
<action android:name="android.provider.Telephony.GSM_SMS_RECEIVED" />
<action android:name="android.provider.Telephony.SMS_RECEIVED_2" />
<action android:name="android.provider.Telephony.SMS_DELIVER" />
</intent-filter>
</receiver>
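As an added example (not code from the original post, and not part of the trojan), the following Python script applies the manifest indicators discussed above to a decoded AndroidManifest.xml such as apktool produces: the installLocation setting, excludeFromRecents on the launcher Activity, the machine-generated package name, the SMS/contacts/network permission set, the device-admin receiver and the maximum-priority SMS receiver. The embedded manifest is constructed from the fragments quoted in this post; the permission list and the AdminReceiver class name are assumptions, not taken from the sample.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Clark form of android:* attributes
VOWELS = set("aeiou")
INT_MAX = 2**31 - 1  # Integer.MAX_VALUE, the receiver priority seen in the sample
SMS_ACTIONS = {"android.provider.Telephony." + s for s in
               ("SMS_RECEIVED", "GSM_SMS_RECEIVED", "SMS_RECEIVED_2", "SMS_DELIVER")}
CORE_PERMS = {"android.permission." + p for p in ("RECEIVE_SMS", "READ_CONTACTS", "INTERNET")}

# Constructed sample assembled from the fragments quoted in the post; the
# permission list and the AdminReceiver class name are assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="tjkxyfmjhvdg.oprbrvvgeevv.uxqjjuqxympd" android:installLocation="internalOnly">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:excludeFromRecents="false" android:name="com.phone.stop.activity.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.phone.stop.receiver.BootReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.phone.stop.receiver.AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def max_consonant_run(label):
    # Longest run of letters/digits other than a, e, i, o, u (y counts as a consonant).
    best = cur = 0
    for ch in label.lower():
        cur = cur + 1 if ch.isalnum() and ch not in VOWELS else 0
        best = max(best, cur)
    return best


def looks_random(label):
    """Generated labels are long and unpronounceable; real ones ('phone', 'facebook') are not."""
    if len(label) < 8:
        return False
    return not any(ch in VOWELS for ch in label.lower()) or max_consonant_run(label) >= 5


def package_looks_random(package):
    """True when a majority of the dot-separated labels look machine-generated."""
    labels = package.split(".")
    return 2 * sum(looks_random(lab) for lab in labels) > len(labels)


def triage(manifest_xml):
    """Collect the manifest indicators into a report dict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {e.get(A + "name") for e in root.findall("uses-permission")}
    report = {"package": package, "random_package": package_looks_random(package),
              "install_location": root.get(A + "installLocation"),
              "core_perms": perms >= CORE_PERMS, "launcher_activities": [],
              "sms_receivers": [], "device_admin_receivers": []}
    for act in root.iter("activity"):
        cats = {c.get(A + "name") for c in act.iter("category")}
        if "android.intent.category.LAUNCHER" in cats:
            # "false" is the platform default: the activity is NOT hidden from Recents.
            report["launcher_activities"].append(
                (act.get(A + "name"), act.get(A + "excludeFromRecents", "false")))
    for rcv in root.iter("receiver"):
        name = rcv.get(A + "name")
        if rcv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            report["device_admin_receivers"].append(name)
        for flt in rcv.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if actions & SMS_ACTIONS:
                report["sms_receivers"].append({"name": name, "actions": sorted(actions),
                                                "priority": int(flt.get(A + "priority", "0"))})
    return report


def findings(report):
    # The one-line observations an analyst would note from the report.
    out = []
    if report["random_package"]:
        out.append("machine-generated package name: " + report["package"])
    if report["install_location"] == "internalOnly":
        out.append("internalOnly install keeps boot receiver, device admin, services and alarms usable")
    if report["core_perms"]:
        out.append("requests SMS + contacts + network permissions")
    for name, excl in report["launcher_activities"]:
        if excl != "true":
            out.append("%s stays visible in Recents (excludeFromRecents=%s)" % (name, excl))
    for r in report["sms_receivers"]:
        if r["priority"] >= INT_MAX:
            # Integer.MAX_VALUE priority takes SMS_RECEIVED ahead of the stock messaging
            # app; since Android 4.4 that broadcast can no longer be aborted this way.
            out.append("%s receives SMS broadcasts at maximum priority" % r["name"])
    if report["device_admin_receivers"]:
        out.append("device-admin receiver(s): " + ", ".join(report["device_admin_receivers"]))
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_MANIFEST)):
        print("-", line)
```

Run it against `apktool d sample.apk` output by passing the decoded manifest text to triage(); the randomness heuristic is deliberately simple (long labels with no vowels or a five-consonant run) and is meant to flag candidates for a human, not to classify on its own.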
The code of the SMS receiver and the content observer is omitted here; an intercepted message is forwarded like this:
So how does this trojan store its mail account? It turns out these SMS trojans like to use 163 mailboxes.
This trojan encrypts the mail account password with DES. There are three ways to recover it:
- Decrypt it with a DES script using the key recovered from the code
- Intercept javax.mail.Service#connect(java.lang.String host, int port, java.lang.String user, java.lang.String password), where the password is passed in the clear
- Read the configuration file in the app's private data directory
There were thousands of victims in less than two days. Some of the captured data:
Contacts
SMS records
Summary of the trojan's functions:
- Command and control over SMS
- The victim's address book and SMS records are exfiltrated over SMTP
- SMS is monitored in real time through the SMS broadcast receiver and a content observer
Among SMS trojans that upload victim data over SMTP, some hard-code the credentials directly in Java code, some encrypt them as this one does, and some move them down into native code.
Distribution routes:
1. Fake base stations, phishing, targeted bulk SMS
2. Victims infecting their own contacts
Trojan phone numbers:
15168430384
13894651855
13660414800
13430222795
Verified to be black-market SIM cards with no real-name registration.
Distribution sites:
118.193.170.149:2100
118.193.157.132:1123
http://www.shunlilao.com/hyl/xiangni.apk
http://wusha66.net/erw2fs.apk
Mainly hosted on VPSes in Hong Kong.