Apk Explorer 2

Malware: Apk Explorer Series, part 2

Malware @ Android

Nduo (N多)

What Nduo (N多) makes:

(diagram: Apk -> Nduo -> Apk)

How it is done

.apk
• Unzip

.dex
• Decompile: ApkTool [1], Dex2Jar [2]

.smali
• Modify: Smali [4]

new.apk
• Repack: ApkTool
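The four steps above, as an added example that is not from the slides: a Python script that does the unzip step itself, checks the classes.dex header fields (magic, Adler-32 checksum, SHA-1 signature, file_size) that ApkTool and smali recompute on every rebuild, and lists the META-INF signature blocks that a repack has to replace. The dex and apk it inspects are constructed placeholders built inside the script (a valid header over dummy data, no real classes); build_dex, check_dex, build_apk, inspect_apk and tamper are names chosen here.

```python
"""Added example, not from the original slides: what the unzip step exposes
and what a rebuild must keep consistent.

An .apk is a zip.  Its classes.dex starts with a 0x70-byte header holding an
Adler-32 checksum and a SHA-1 "signature" over the rest of the file.  ApkTool
and smali recompute both when they rebuild; a dex patched by hand will not
match.  Repacking also discards the original META-INF signature, so the
repacker must re-sign with their own key, and the signer entries change.
The dex and apk built here are constructed placeholders (a valid header over
dummy data, no real classes), not real apps.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\x00"   # version 035; later versions keep the same header layout
HEADER_SIZE = 0x70
ENDIAN_TAG = 0x12345678


def build_dex(data: bytes) -> bytes:
    """Construct a minimal dex: header plus an opaque data section."""
    header = bytearray(HEADER_SIZE)
    header[0:8] = DEX_MAGIC
    struct.pack_into("<I", header, 0x20, HEADER_SIZE + len(data))   # file_size
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)               # header_size
    struct.pack_into("<I", header, 0x28, ENDIAN_TAG)
    struct.pack_into("<II", header, 0x68, len(data), HEADER_SIZE)   # data_size, data_off
    dex = bytearray(bytes(header) + data)
    # signature: SHA-1 of everything after the signature field (offset 0x20 on)
    dex[0x0C:0x20] = hashlib.sha1(bytes(dex[0x20:])).digest()
    # checksum: Adler-32 of everything after the checksum field (offset 0x0C on)
    struct.pack_into("<I", dex, 0x08, zlib.adler32(bytes(dex[0x0C:])) & 0xFFFFFFFF)
    return bytes(dex)


def check_dex(dex: bytes) -> dict:
    """Verify the header fields a repacking tool has to recompute."""
    if len(dex) < HEADER_SIZE:
        return {k: False for k in ("magic_ok", "checksum_ok", "signature_ok", "size_ok")}
    checksum, = struct.unpack_from("<I", dex, 0x08)
    file_size, header_size = struct.unpack_from("<II", dex, 0x20)
    return {
        "magic_ok": dex[:8] == DEX_MAGIC,
        "checksum_ok": checksum == (zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF),
        "signature_ok": dex[0x0C:0x20] == hashlib.sha1(dex[0x20:]).digest(),
        "size_ok": file_size == len(dex) and header_size == HEADER_SIZE,
    }


def build_apk(dex: bytes, meta_inf_entries: tuple) -> bytes:
    """Constructed apk: a zip with a placeholder manifest, classes.dex and
    the given META-INF entries (contents are dummies, not real signatures)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", dex)
        for name in meta_inf_entries:
            zf.writestr("META-INF/" + name, b"placeholder")
    return buf.getvalue()


def inspect_apk(apk: bytes) -> dict:
    """The unzip step: pull classes.dex, check it, and list signature blocks."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
        dex = zf.read("classes.dex")
    signers = sorted(n for n in names
                     if n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC"))
    return {"dex": check_dex(dex), "signers": signers}


def tamper(dex: bytes, offset: int = HEADER_SIZE) -> bytes:
    """Flip one byte in the data section, as a hand patch would, without rebuilding."""
    out = bytearray(dex)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    clean = build_dex(b"constructed data section")
    print("rebuilt dex:", check_dex(clean))
    print("hand-patched dex:", check_dex(tamper(clean)))
    # after apktool b + re-signing, the signer block is the repacker's, not the vendor's
    print(inspect_apk(build_apk(clean, ("MANIFEST.MF", "CERT.SF", "CERT.RSA"))))
```

Run it as-is: the rebuilt dex passes, the hand-patched copy fails both checksum and signature, and the constructed apk lists a single META-INF/CERT.RSA block. On a real sample, compare the certificate in that block with the vendor's: any change to a file invalidates the original signature, so ApkTool's output has to be signed with the repacker's own key, and that key is the cleanest fingerprint of a repacked app.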

Wet feet

AlertDialog Java code:

AlertDialog alertDialog = new AlertDialog.Builder(this).create();
alertDialog.setTitle("LALALA");
alertDialog.setMessage("You should see me!!!!!!!");
alertDialog.show();

Wet feet cont.

AlertDialog op-code (the same four Java lines as smali; the #vN=(...) notes are register-type annotations):

new-instance v1, Landroid/app/AlertDialog$Builder;    #v1=(UninitRef);
invoke-direct {v1, p0}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)V    #v1=(Reference);
invoke-virtual {v1}, Landroid/app/AlertDialog$Builder;->create()Landroid/app/AlertDialog;
move-result-object v0
.local v0, alertDialog:Landroid/app/AlertDialog;    #v0=(Reference);
const-string v1, "LALALA"
invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setTitle(Ljava/lang/CharSequence;)V
const-string v1, "You should see me!!!!!!!"
invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setMessage(Ljava/lang/CharSequence;)V
invoke-virtual {v0}, Landroid/app/AlertDialog;->show()V

Wet feet cont.

Yingyonghui Java code (SplashActivity.java), shown as smali, with the AlertDialog op-code injected into onCreate:

.method public onCreate(Landroid/os/Bundle;)V
    .locals 12
    .parameter "savedInstanceState"
    .prologue
    const/16 v11, 0x400    #v11=(PosShort);
    const/4 v10, 0x0    #v10=(Null);
    const/4 v9, 0x1    #v9=(One);
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

Wet feet cont.

HideFile Java code (HideFiles.java): decompiled fragments of the code Nduo adds to the repacked app.

getPackageInfo("com.nduoa.market", 0);
("使用N多市场, \n帮助维护「%s」的更新?", …)    // "Use Nduo Market to help keep '%s' up to date?"
localBuilder2.setPositiveButton("安装 ", locald);    // "安装" = "Install"
a.a("http://market.nduoa.com/update/nDuoaMarket.apk", str2);
i.a("KAWAHAeBUBLBaBBAMAPBRAEAIAWAMBdAKBbALAUABBCABBOAABdAQANAeABBaANAaABAOBPBTAGACBOATBDBAB");    // encoded string, not decoded on the slide
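The op-code listing on the earlier slides shows how each Java call becomes an invoke-* instruction with its class and descriptor spelled out, and the HideFiles fragments show the kind of call (a package check, a download URL) that the injected code makes. An added example, not from the slides: a Python scanner that walks smali text, records the const-string literals and invoke targets of each method, and flags the ones worth reading first. Its sample input is the slide's AlertDialog op-code wrapped in a made-up method plus a made-up method standing in for the HideFiles check; method names, register numbers and the SUSPICIOUS table are assumptions.

```python
"""Added example, not from the original slides: a first-pass smali triage
scanner.  It walks each .method block, collects const-string literals and
invoke-* targets, and flags the calls and literals an analyst reads first
in a repacked market app.  The SUSPICIOUS table is an assumption chosen for
this example, not something the slides list.
"""
import re
from dataclasses import dataclass, field

METHOD_RE = re.compile(r"^\.method\s+(?P<mods>(?:[\w-]+\s+)*)(?P<name>\S+)")
INVOKE_RE = re.compile(
    r"^invoke-(?P<kind>virtual|direct|static|interface|super)(?:/range)?\s+"
    r"\{[^}]*\},\s+(?P<cls>L[^;]+;)->(?P<meth>[^(]+)\((?P<args>[^)]*)\)(?P<ret>\S+)")
CONST_STR_RE = re.compile(r'^const-string(?:/jumbo)?\s+\w+,\s+"(?P<s>(?:[^"\\]|\\.)*)"')
URL_RE = re.compile(r"^(?:https?://|content://)")

SUSPICIOUS = {
    "Landroid/content/pm/PackageManager;->getPackageInfo": "checks for an installed package",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "reads IMEI",
    "Landroid/telephony/TelephonyManager;->getSubscriberId": "reads IMSI",
    "Landroid/telephony/TelephonyManager;->getSimSerialNumber": "reads ICCID",
    "Landroid/telephony/SmsManager;->sendTextMessage": "sends SMS",
    "Landroid/content/ContentResolver;->query": "reads a content provider",
}


@dataclass
class MethodReport:
    name: str
    strings: list = field(default_factory=list)
    invokes: list = field(default_factory=list)   # "Lpkg/Cls;->method" targets, in order
    findings: list = field(default_factory=list)  # human-readable flags


def scan_smali(text: str) -> list:
    """Return one MethodReport per .method block, in file order."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = METHOD_RE.match(line)
        if m:
            cur = MethodReport(name=m.group("name"))
            reports.append(cur)
            continue
        if line.startswith(".end method"):
            cur = None
            continue
        if cur is None:
            continue
        m = CONST_STR_RE.match(line)
        if m:
            cur.strings.append(m.group("s"))
            if URL_RE.match(m.group("s")):
                cur.findings.append("URL literal: " + m.group("s"))
            continue
        m = INVOKE_RE.match(line)
        if m:
            target = m.group("cls") + "->" + m.group("meth")
            cur.invokes.append(target)
            if target in SUSPICIOUS:
                cur.findings.append(SUSPICIOUS[target] + ": " + target)
    return reports


def flagged(reports: list) -> list:
    """Names of the methods worth opening first."""
    return [r.name for r in reports if r.findings]


# Constructed input: the AlertDialog op-codes from the slide wrapped in a made-up
# method, plus a made-up method standing in for the HideFiles check (method
# names and register numbers are assumptions).
SAMPLE_SMALI = """\
.method private showDialog()V
    .locals 2
    new-instance v1, Landroid/app/AlertDialog$Builder;
    invoke-direct {v1, p0}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)V
    invoke-virtual {v1}, Landroid/app/AlertDialog$Builder;->create()Landroid/app/AlertDialog;
    move-result-object v0
    const-string v1, "LALALA"
    invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setTitle(Ljava/lang/CharSequence;)V
    const-string v1, "You should see me!!!!!!!"
    invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setMessage(Ljava/lang/CharSequence;)V
    invoke-virtual {v0}, Landroid/app/AlertDialog;->show()V
    return-void
.end method

.method private checkMarket()V
    .locals 3
    invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v2
    const-string v0, "com.nduoa.market"
    const/4 v1, 0x0
    invoke-virtual {v2, v0, v1}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
    const-string v0, "http://market.nduoa.com/update/nDuoaMarket.apk"
    return-void
.end method
"""

if __name__ == "__main__":
    for r in scan_smali(SAMPLE_SMALI):
        print(r.name, "strings:", r.strings, "findings:", r.findings)
```

Point it at the smali/ tree that apktool d produces (read each file and call scan_smali) and diff the flagged methods against the vendor's original build: code the vendor never wrote, such as a market-installer prompt in a SplashActivity, shows up as new methods carrying URL literals and package checks.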

Geinimi [6]

Geinimi cont.

Domains:
www.widifu.com
www.udaore.com
www.frijd.com
www.islpast.com
www.piajesj.com
www.qoewsl.com
www.weolir.com
www.uisoa.com
www.riusdu.com
www.aiucr.com

IP addresses:
117.135.134.185
180.168.68.34

Geinimi capabilities:
• Access the user's geo-location based on coordinates given by the GPS
• Send or receive SMS messages
• Access the user's mailbox
• Read and modify the user's phonebook contacts
• Read and modify the user's browsing history
• Check running processes in memory
• Terminate legitimate running processes on the device
• Install shortcuts
• Perform web queries
• Change the wallpaper of the device

Device information fields:
Board, Brand, CPID, CPU ABI, Device, DID, Display, Fingerprint, Host, Line1 Number, Manufacturer, Model, Network Country ISO, Network Operator, Network Operator Name, Network Type, Phone Type, Product, PTID, SALESID, SDK version, Shell, SIM Country ISO, SIM Operator, SIM Operator Name, SIM Serial Number, SIM State, Software Version, Subscriber ID, Tags, Time, Type, User, Voice mail Number

PJApp 泡椒 [3][5]

(diagram labels, as recovered from the slide)
• "content://browser/bookmarks" (Default Browser)
• MEEGO91.COM
• Channel activation (渠道激活): IMEI / SIM / IMSI / ICCID / Pdus……
• SEND ALL Bookmarks
• ADD android.paojiao.cn, ct2.paojiao.cn, g3g3.cn
• Browser packages: com.uc.browser, com.tencent.mtt, com.opera.mini.android, mobi.mgeek.TunnyBrowser, com.skyfire.browser, com.kolbysoft.steel, com.android.browser

MEEGO91.COM whois

Registrant:
nduo demi
nanchang jiangxi sicA501
nanchang, jiangxi 444001
China

Registered through: GoDaddy.com
Created on: 05-Sep-10
Expires on: 05-Sep-11

Administrative Contact:
demi, nduo  wangluoxing@163.com
nanchang jiangxi sicA501
nanchang, jiangxi 444001
China
+86.861363345678

Questions?