New Android malware found posing as antivirus software and hijacking devices
[Android malware: pay $100 or your private data gets leaked] June 25 news: security firm Symantec has published a report on new Android malware that poses as antivirus software and hijacks the device; the consumer has to pay $100 to get the device working normally again. The malware preys on the consumer's desire for security, misleads them into "removing" fake or non-existent Trojans, and then takes control of the whole device to threaten its owner.
Also, this app is not distributed through Google Play, so be careful about where you get your apps. Don't install from unknown sources; download from a legitimate app store!
The install entry point is the most fundamental part of smart-device security!!
Actually there have been samples like this before, forcing users to "donate"... for example the code below:
```java
// Fragment from an Activity: swallow every key event delivered to it (e.g. Back), so the user cannot leave the screen
@Override
public boolean onKeyDown(int keyCode, KeyEvent event) {
    return true;
}

// Fragment from a Service: restart itself the moment it is destroyed
@Override
public void onDestroy() {
    super.onDestroy();
    startService(new Intent(getApplicationContext(), RestartService.class));
}

// Fragment from a Service or Application: bring up the lock-screen Activity as soon as it starts
@Override
public void onCreate() {
    super.onCreate();
    startActivity(new Intent(getApplicationContext(), MaliciousActivity.class)
            .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
}
```
The code above is for illustration only; do not imitate it in practice....
Below is the ransomware's interface:
It dresses itself up like a Saint Seiya knight, flashes a whole list of threats at once, and then demands protection money...
Package name: com.android.defender.androiddefender
The home-screen icon after installation is:
Requested permissions: damn, there are a lot of them
- Access location information, such as Cell-ID or WiFi.
- Access location information, such as GPS information.
- Access information about networks.
- Access information about the WiFi state.
- Change network connectivity state.
- Change Wi-Fi connectivity state.
- Allows applications to disable the keyguard. (disables the keyguard)
- Expand or collapse the status bar.
- Access to the list of accounts in the Accounts Service.
- Open network connections.
- Ends background processes. (kills processes)
- Read user's contacts data.
- Check the phone's current state.
- Read SMS messages on the device.
- Start once the device has finished booting. (auto-start)
- Open windows.
- Make the phone vibrate.
- Prevent processor from sleeping or screen from dimming.
- Create new contact data.
- Write to external storage devices.
- Create new SMS messages.
- Install a shortcut.
It also ** device administration...
It deletes APKs from these directories... is this to stop you from downloading antivirus software?
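The permission set above, together with the device-administration request, is the profile a triage script should check before anyone reads the code. As an added example that is not code from the original post or from the sample, here is a Python scorer over a decoded manifest. The manifest it scans is constructed for illustration (only the package name comes from the post), the manifest permission names are my mapping of the human-readable descriptions listed above, and the weights and thresholds are my own judgement, not a published scheme.

```python
"""Manifest triage for screen-locker indicators (added example; constructed input)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weighted profile of permissions that, taken together, fit a screen-locker:
# lock the screen, draw over everything, kill competing apps, survive a reboot.
# Names are my mapping of the descriptions in the post; weights are assumptions.
PROFILE = {
    "android.permission.DISABLE_KEYGUARD": 3,           # "disable the keyguard"
    "android.permission.KILL_BACKGROUND_PROCESSES": 3,  # "ends background processes"
    "android.permission.SYSTEM_ALERT_WINDOW": 3,        # "open windows" (assumed mapping)
    "android.permission.RECEIVE_BOOT_COMPLETED": 2,     # "start once the device has finished booting"
    "android.permission.READ_SMS": 2,                   # "read SMS messages on the device"
    "android.permission.WRITE_SMS": 1,                  # "create new SMS messages"
    "android.permission.WAKE_LOCK": 1,                  # "prevent processor from sleeping"
    "com.android.launcher.permission.INSTALL_SHORTCUT": 1,
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def _actions(component):
    """Intent-filter action names declared on one manifest component."""
    return {a.get(ANDROID_NS + "name") for a in component.iter("action")}


def triage_manifest(xml_text):
    """Score a decoded AndroidManifest.xml against the screen-locker profile."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = sorted(p for p in requested if p in PROFILE)
    score = sum(PROFILE[p] for p in hits)

    device_admin = boot_receiver = False
    for rcv in root.iter("receiver"):
        acts = _actions(rcv)
        # A device-admin receiver is what makes the app hard to uninstall.
        if rcv.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION and DEVICE_ADMIN_ACTION in acts:
            device_admin, score = True, score + 3
        # A boot receiver lets the locker come back after a restart.
        if BOOT_ACTION in acts:
            boot_receiver, score = True, score + 1

    if score >= 10:
        verdict = "screen-locker profile"
    elif score >= 5:
        verdict = "review manually"
    else:
        verdict = "low"
    return {"package": root.get("package"), "matched_permissions": hits,
            "device_admin": device_admin, "boot_receiver": boot_receiver,
            "score": score, "verdict": verdict}


# Constructed manifest modelled on the permission list in the post (not the real one).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.defender.androiddefender">
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed manifest of an ordinary app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application>
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

Feed it the AndroidManifest.xml that apktool decodes from an APK. A high score is a triage signal rather than a verdict: a legitimate task killer or lock-screen replacement also requests several of these permissions, so the hits are a reason to read the code, not a reason to skip it.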
- [EXTERNAL STORAGE MEDIA]/Download
- /mnt/external_sd/Download
- /mnt/extSdCard/Download
It creates a SQLite database, droidbackup.db, and steals the system's SMS messages.
When the device is locked it pops up this screen... what a phony!!!
Then it kills off all its "sibling" processes!
- com.rechild.advancedtaskkiller
- com.estrongs.android.pop
- com.metago.astro
- com.avast.android.mobilesecurity
- com.estrongs.android.taskmanager
- com.gau.go.launcherex.gowidget.taskmanagerex
- com.gau.go.launcherex
- com.rechild.advancedtaskkillerpro
- mobi.infolife.taskmanager
- com.rechild.advancedtaskkillerfroyo
- com.netqin.aotkiller
- com.arron.taskManagerFree
- com.rhythm.hexise.task
And then... damn, OP is "severely infected": the most popular apps in the world are all "infected"!
Now it asks for money!!!
At a discount price, no less...
Uninstalling is difficult, and it blocks other apps from starting; earlier malware already did this. Here is code from one of those earlier samples!
```smali
.method public static b(Landroid/content/Context;)Ljava/lang/String;
    .locals 4
    const/4 v2, 0x0
    # the encrypted regular expression that matches the package names of security software:
    # (^com\.qihoo360\.mobilesafe$)|(^com\.tencent\.qqpimsecure$)|(^com\.lbe\.security$)
    const-string v0, "ZkBw8CLr9ek1HtMhfN7YKvBg8CF18t3N7xzRFvRAZkBw8CLr9eiR8I0R8eir9eksrtRgrC3wuKFRFvRAZkBw8CLr9IsWz3YOrC3wuKF1uoDDZl__"
    # decrypt this string
    invoke-static {v0}, Lcom/sec/android/providers/drm/However;->d(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v1
    invoke-virtual {v1, v2}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;
    move-result-object v1
    :goto_0
    invoke-interface {v1}, Ljava/util/List;->size()I
    move-result v3
    # traverse the list of installed packages
    if-ge v2, v3, :cond_1
    invoke-interface {v1, v2}, Ljava/util/List;->get(I)Ljava/lang/Object;
    move-result-object p0
    check-cast p0, Landroid/content/pm/PackageInfo;
    iget-object v3, p0, Landroid/content/pm/PackageInfo;->packageName:Ljava/lang/String;
    # apply the matcher a() to the package name and the decrypted regex
    invoke-static {v3, v0}, Lcom/sec/android/providers/drm/However;->a(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
    move-result-object v3
    if-eqz v3, :cond_0
    iget-object v0, p0, Landroid/content/pm/PackageInfo;->packageName:Ljava/lang/String;
    :goto_1
    # security software found: return its package name
    return-object v0
    :cond_0
    # otherwise, check the next package
    add-int/lit8 v2, v2, 0x1
    goto :goto_0
    :cond_1
    const/4 v0, 0x0
    goto :goto_1
.end method
```
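The smali above shows the pattern to hunt for statically: an obfuscated literal decrypted on use, immediately followed by enumeration of installed packages. Together with the process-kill list and the key-swallowing onKeyDown from the Java fragment earlier in the post, that gives three cheap indicators. As an added example that is not the post's or the malware's code, the following Python scanner looks for them in decompiled smali. The sample smali is constructed (the method names and the encrypted string are taken from the listing above; the onKeyDown body mirrors the Java fragment); the entropy threshold, minimum length and look-ahead window are my assumptions.

```python
"""Static indicators in decompiled smali (added example; constructed sample input)."""
import math
import re

METHOD_RE = re.compile(r"^\.method\s+(?P<sig>.+)$")
CONST_STRING_RE = re.compile(r'^const-string(?:/jumbo)?\s+(?P<reg>[vp]\d+),\s*"(?P<val>.*)"$')
INVOKE_STATIC_RE = re.compile(r"^invoke-static\s+\{(?P<regs>[^}]*)\},\s*(?P<target>\S+)$")
KEYDOWN_SIG = "onKeyDown(ILandroid/view/KeyEvent;)Z"


def shannon_entropy(s):
    """Bits per character; encrypted or encoded blobs sit well above readable text."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_methods(smali):
    """Map each method signature to its instruction lines (directives and comments dropped)."""
    methods, current = {}, None
    for raw in smali.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = METHOD_RE.match(line)
        if m:
            current = m.group("sig")
            methods[current] = []
        elif line == ".end method":
            current = None
        elif current is not None and not line.startswith("."):
            methods[current].append(line)
    return methods


def method_indicators(sig, instrs, entropy_threshold=4.0, min_len=24):
    """Return the sorted indicator names that fire for one method (thresholds are assumptions)."""
    found = set()
    for i, ins in enumerate(instrs):
        if "getInstalledPackages(" in ins:
            found.add("installed_packages")
        if "killBackgroundProcesses(" in ins:
            found.add("kill_background")
        cs = CONST_STRING_RE.match(ins)
        if cs and len(cs.group("val")) >= min_len and shannon_entropy(cs.group("val")) >= entropy_threshold:
            # High-entropy literal handed straight to a String->String static call: decrypt-on-use.
            for nxt in instrs[i + 1:i + 4]:
                inv = INVOKE_STATIC_RE.match(nxt)
                if (inv and cs.group("reg") in [r.strip() for r in inv.group("regs").split(",")]
                        and inv.group("target").endswith("(Ljava/lang/String;)Ljava/lang/String;")):
                    found.add("decrypted_string")
    if KEYDOWN_SIG in sig:
        body = [x for x in instrs if not x.startswith(":")]
        m = re.match(r"^const/4 (v\d+), 0x1$", body[0]) if len(body) == 2 else None
        if m and body[1] == f"return {m.group(1)}":
            found.add("swallows_keys")  # returns true for every key: the screen cannot be left
    return sorted(found)


def analyze_class(smali):
    """Indicator names per method for one smali class."""
    return {sig: method_indicators(sig, instrs) for sig, instrs in split_methods(smali).items()}


# Constructed smali: b() mirrors the listing above, onKeyDown mirrors the Java fragment,
# toString() is a benign control that must not fire anything.
SAMPLE_SMALI = """
.class public Lcom/sec/android/providers/drm/However;
.super Ljava/lang/Object;

.method public static b(Landroid/content/Context;)Ljava/lang/String;
    .locals 4
    const/4 v2, 0x0
    const-string v0, "ZkBw8CLr9ek1HtMhfN7YKvBg8CF18t3N7xzRFvRAZkBw8CLr9eiR8I0R8eir9eksrtRgrC3wuKFRFvRAZkBw8CLr9IsWz3YOrC3wuKF1uoDDZl__"
    invoke-static {v0}, Lcom/sec/android/providers/drm/However;->d(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v1
    invoke-virtual {v1, v2}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;
    move-result-object v1
    return-object v0
.end method

.method public onKeyDown(ILandroid/view/KeyEvent;)Z
    .locals 1
    const/4 v0, 0x1
    return v0
.end method

.method public toString()Ljava/lang/String;
    .locals 1
    const-string v0, "scan complete"
    return-object v0
.end method
"""

if __name__ == "__main__":
    for sig, indicators in analyze_class(SAMPLE_SMALI).items():
        print(sig, indicators)
```

Run it over every .smali file apktool produces and rank classes by how many indicators fire; a class that decrypts a literal and enumerates packages in the same method is worth opening first, and a method that also calls killBackgroundProcesses is the one that produces the kill list above.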
It even modifies system settings so that not even a factory data reset works. The latter two will have to wait for my source-code analysis.