Tencent Computer Manager · 2016/02/26 12:39

0x00 Background


Recently a Trojan named "suddenly turn hostile" appeared on Android app markets. The attacker inserts malicious fee-deduction code into a normal Android application and lures users into downloading and installing it. When the application starts, it pulls up the malicious code, which deducts fees while the user is using the software. Its means of concealment are effective enough that the user notices nothing. The applications chosen for implanting the malicious code tend to be heavily downloaded and used, so the attack surface is very wide.

0x01 Virus Behavior


  1. The virus runs together with the normal application. Its code is implanted in the host application, so when the application executes it pulls up the malicious code alongside it. The malicious code first decrypts a URL it carries in encrypted form, then connects to that URL.
  2. The web site is a cloud control server. It issues control instructions to the Trojan: whether to send the fee-deduction SMS, and which number to send it to. Both the message content and the destination number are delivered to the infected phone from the cloud, so key details such as the premium number and the message text cannot be recovered from the Trojan sample itself, which adds to its concealment.
  3. The Trojan also registers an SMS interception service. The service inspects the content of incoming messages and checks whether the sender's number begins with "10"; if it does, the message is blocked. As a result the infected phone never receives the confirmation SMS that the operator sends for the paid service, and the Trojan quietly subscribes the user to the fee-deduction service.

Launcher icon of the Trojanized app after installation on the phone:

When the user taps the app, the program starts:

The program's code entry point; as the game starts, the malicious code is pulled up and executed alongside it:

The Trojan first decrypts the cloud control server URL with an XOR operation:

The decrypted server domain name:
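The XOR step above is the kind of obfuscation an analyst usually undoes by brute force rather than by reading the decryption routine. The following is an added example, not code from the Trojan or from Tencent: it tries every single-byte XOR key against a string constant and keeps only the decryptions that look like a URL. The real sample's key, ciphertext and domain are not reproduced; OBFUSCATED_URL is a constructed value obtained by XORing the placeholder URL http://c2.example.invalid/cmd with the key 0x5A, and the function names are this example's own.

```python
"""Recover a single-byte-XOR-obfuscated C2 URL by brute force.

Added example; not code from the Trojan or from Tencent.  The real sample's
key, ciphertext and domain are not reproduced: OBFUSCATED_URL is CONSTRUCTED
by XORing the placeholder http://c2.example.invalid/cmd with the key 0x5A.
"""
import string
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed ciphertext (placeholder URL XOR 0x5A); not the real sample's bytes.
OBFUSCATED_URL = bytes.fromhex(
    "322e2e2a6075753968743f223b372a363f7433342c3b36333e7539373e"
)

# Bytes accepted in a recovered URL: printable ASCII minus control characters.
_URL_CHARS = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the same operation encrypts and decrypts)."""
    return bytes(b ^ key for b in data)


def recover_urls(data: bytes) -> List[Tuple[int, str]]:
    """Try all 256 single-byte keys and keep decryptions that look like a URL.

    A candidate must start with an http(s) scheme and contain only printable
    characters.  The scheme prefix is what makes this cheap: the first byte
    alone pins the key to data[0] ^ ord('h'), so at most one key can match.
    """
    hits = []
    for key in range(256):
        cand = xor_bytes(data, key)
        if cand.startswith((b"http://", b"https://")) and all(c in _URL_CHARS for c in cand):
            hits.append((key, cand.decode("ascii")))
    return hits


def c2_host(data: bytes) -> Optional[str]:
    """Hostname of the first recovered URL, or None if no key yields a URL."""
    hits = recover_urls(data)
    return urlsplit(hits[0][1]).hostname if hits else None


if __name__ == "__main__":
    for key, url in recover_urls(OBFUSCATED_URL):
        print(f"key=0x{key:02x}  url={url}  host={urlsplit(url).hostname}")
```

If a sample uses a multi-byte repeating key instead, the same idea applies per key position; the scheme prefix still fixes the first seven key bytes, which is usually enough to recover the rest by hand.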

Connecting to the server and fetching control commands from the cloud:

Parsing the string returned by the cloud and looking for the markers that identify a command:

If the format is correct, the destination number and message body are parsed out and the SMS is sent:

The Trojan registers its SMS interception service:

The service blocks messages from numbers beginning with "10" (the Chinese carriers' service numbers, such as 10086 and 10010, all begin with 10), so the infected phone never receives the operator's confirmation SMS and the fee is deducted without the user's knowledge.
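The interception behaviour leaves a static footprint that can be checked before any dynamic analysis. Before Android 4.4, an app could silence incoming SMS by registering a BroadcastReceiver for android.provider.Telephony.SMS_RECEIVED with a very high intent-filter priority and calling abortBroadcast(); the article calls this component a "service", and the assumption here is that it works in that way. The following is an added example, not code from the Trojan or from Tencent: it triages a decoded AndroidManifest.xml (the file apktool produces) for a high-priority SMS_RECEIVED receiver combined with the SEND_SMS permission. SAMPLE_MANIFEST is a constructed manifest with placeholder package and class names, written to trigger the rule; the function names and the priority threshold are this example's own.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-fraud pattern:
SEND_SMS plus a high-priority receiver for SMS_RECEIVED.

Added example; not code from the Trojan or from Tencent.  SAMPLE_MANIFEST is a
CONSTRUCTED manifest with placeholder names, not the real sample's.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
HIGH_PRIORITY = 1000  # assumed threshold; the usual malware value is Integer.MAX_VALUE

# Constructed manifest modelled on the behaviour described in the article.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackagedgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Game">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.example.repackagedgame.SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def sms_receivers(root: ET.Element) -> List[Tuple[str, int]]:
    """Return (class name, filter priority) for every receiver listening for SMS_RECEIVED."""
    found = []
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "")
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                found.append((name, int(flt.get(ANDROID_NS + "priority", "0"))))
    return found


def triage_manifest(xml_text: str) -> Dict[str, object]:
    """Summarise the SMS-related declarations and flag the send-and-silence combination."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    receivers = sms_receivers(root)
    # A legitimate messaging app may listen for SMS_RECEIVED.  What is suspicious
    # is a receiver that outbids every other app (priority near Integer.MAX_VALUE)
    # inside an app that also holds SEND_SMS: it can both send and silence messages.
    high_priority = [r for r in receivers if r[1] >= HIGH_PRIORITY]
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "sms_receivers": receivers,
        "suspicious": bool(high_priority) and SEND_SMS in perms,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

On Android 4.4 and later only the default SMS app can consume incoming messages, so this particular trick no longer silences operator receipts; the manifest pattern is still a useful triage signal for samples targeting older devices.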

0x02 Detection and Removal


At present Tencent Computer Manager, Tencent Mobile Manager and the Hubble analysis system can all analyze, detect and remove this Trojan.

According to our statistics, from last July to the beginning of this year the Tencent anti-virus laboratory captured on average about 22 Trojans of this type per month. The number of infected phones is estimated at more than 5,300, and the fees deducted from affected users by the Trojan's service messages total more than 50,000 yuan.

0x03 Security Suggestions


At present there are a lot of the android market application software for users to download for free use, hacking through the downloads application software and embedded malicious code in the game, to the market for users to download, the application of the embedded malicious code from and there was no difference on the appearance, and no abnormal behavior after execution, but in the application being used at the same time, Malicious code and viruses have also been quietly pull up and perform, they by sending text messages, customization service methods such as deduction, in the case of user knowledge, the user is fee, it is difficult to detect, would be a serious threat to the user’s account information privacy and property safety, advice must download the APP from the formal market, and use anti-virus software to scan and then install and use, If you encounter a suspicious file, you can scan it using the computer manager or upload it to the Hubble File Analysis system for analysis.