Android惡意代碼分析

Android惡意代碼分析之前都是在分析PE文件的，這個是找工作時的一個筆試題分析一個android惡意。用了一個星期熟悉java和android的東西然后寫了這個分析有什么不對的地方還請大家見諒1.基本信息病毒名稱：未知病毒類型：含惡意廣告樣本MD5：4360c2c29ed03898b925e07f4d648b4e樣本大?。?.43MB2.概述惡意代碼部分先于程序啟動加載自己的頁面，用戶只有點擊“獲取積分“，下載一個它提供的應用才獲取積分能開始游戲，同時惡意代碼獲取手機的手機型號系統(tǒng)版本IMSIicd等信息到發(fā)送到20/22。

3.靜態(tài)分析惡意代碼在正常應用上進行綁定，惡意代碼部分主要在下圖標紅部分。manifest.xml分析

權(quán)限列表

<uses-permissionandroid:name="android.permission.VIBRATE"/>允許設備振動

<uses-permissionandroid:name="android.permission.WRITE_EXTERNAL_STORAGE"/>操作外部存儲設備

<uses-permissionandroid:name="android.permission.INTERNET"/>允許打開網(wǎng)絡套接字

AppConnect.getInstance(this);

}privatevoidbujuset()

{

LinearLayoutlocalLinearLayout=newLinearLayout(this);

localLinearLayout.setGravity(17);

localLinearLayout.setOrientation(1);

TextViewlocalTextView1=newTextView(this);

TextViewlocalTextView2=newTextView(this);

localTextView2.setId(1);

localTextView1.setWidth(-2);

localTextView2.setWidth(-2);

localTextView1.setGravity(17);

localTextView2.setGravity(17);

ButtonlocalButton1=newButton(this);

ButtonlocalButton2=newButton(this);

localButton1.setHeight(90);

localButton2.setHeight(90);

ImageViewlocalImageView=newImageView(this);

localImageView.setImageResource(2130837504);

localTextView1.setText("積分大于0即可永久免費無廣告全屏運行");

localTextView2.setText("積分加載中...");

localButton1.setText("開始游戲");

localButton2.setText("免費獲取積分");

localLinearLayout.addView(localImageView);

localLinearLayout.addView(localTextView1);

localLinearLayout.addView(localTextView2);

localLinearLayout.addView(localButton1);

localLinearLayout.addView(localButton2);

setContentView(localLinearLayout);

localButton1.setOnClickListener(newView.OnClickListener()//點擊開始游戲

{

publicvoidonClick(ViewparamView)

{

if(LogOut.this.point>0)//如果幾分大于0那么進入游戲

{

com.trendy.pokemontk.Captain.PN.isGame=true;

IntentlocalIntent=LogOut.this.getBaseContext().getPackageManager().getLaunchIntentForPackage(LogOut.this.getBaseContext().getPackageName());

localIntent.addFlags(67108864);

LogOut.this.startActivity(localIntent);//開啟游戲的activitycom.trendy.pokemontk.Alarmreceiver

LogOut.this.finish();

}

while(true)

{

return;

com.trendy.pokemontk.Captain.PN.isGame=false;

Toast.makeText(LogOut.this.getApplicationContext(),"積分不足,請點擊免費獲取積分的按鈕",1).show();

}

}

});

localButton2.setOnClickListener(newView.OnClickListener()//點擊獲取積分

{

publicvoidonClick(ViewparamView)

{

AppConnect.getInstance(paramView.getContext()).showOffers(paramView.getContext());

}

});

}

publicvoidshowOffers(ContextparamContext)

{a(paramContext,b,y.e+this.H);paramContext,b,http://app./action/account/offerlist?

}privatevoida(ContextparamContext,StringparamString1,StringparamString2)

{

try

{

IntentlocalIntent=newIntent(paramContext,h(paramContext));//參數(shù)二：com.androidemu.gba.gba.Mym

//另：publicclassMymextendsOffersWebView

localIntent.setFlags(268435456);

localIntent.putExtra("Offers_URL",paramString2);//http://app./action/account/offerlist?廣告應用列表地址

localIntent.putExtra("USER_ID",paramString1);

localIntent.putExtra("URL_PARAMS",c);

localIntent.putExtra("CLIENT_PACKAGE",this.J);

localIntent.putExtra("offers_webview_tag","OffersWebView");

paramContext.startActivity(localIntent);//啟動activitycom.androidemu.gba.gba.Mym顯示廣告發(fā)送手機型號系統(tǒng)版本IMSIicd等信息到20

return;

}

catch(ExceptionlocalException)

{

while(true)

localException.printStackTrace();

}

}分析com.androidemu.gba.gba.Mymcom.androidemu.gba.gba.Mym的解析出現(xiàn)錯誤但是根據(jù)開啟activity的intentlocalIntent.putExtra("USER_ID",paramString1);

localIntent.putExtra("URL_PARAMS",c);

localIntent.putExtra("CLIENT_PACKAGE",this.J);

localIntent.putExtra("offers_webview_tag","OffersWebView");可以推斷這個部分是顯示應用列表上傳手機的相關信息。如下圖waps/SDKUtils包含的api以及抓包的分析也可以可推斷。抓包

1510

249.394056000

5120

HTTP

607

GET/action/connect/active?app_id=a5a4c7af109259db240c3a6917409553&udid=250824171159829&imsi=310260371538173&net=wifi&base=&app_version=1.3.8&sdk_version=1.7.1&device_name=GT-N7000&device_brand=samsung&y=5ab68cc24a4025769552c1aec9cc36d7&device_type=androi