
An SMS virus on Android, or "hello :) you photo ..."


* Original picture, shamelessly pulled from the apk's resources
[note: apk is the file extension of an application installation package on Android]

Introduction


Unexpectedly, in the middle of a working day, my old Sony Ericsson K320i receives the following text message:
hello [smiley] you photo https://m**o*an.ru/oujr/380688086*6*

The sender was a person I had not been in touch with for some time. Having glanced at the message and put the phone aside with the words "ordinary spam", I went back to work.
All would have been fine, but a couple of minutes later a similar message arrived on my second phone (Samsung Galaxy Gio), from the same sender number.
Two hours later a friend called to ask for advice: he had received a similar SMS from his boss. Having reassured him with "Don't open the link and you'll be fine", I decided I needed to look into this properly.

Conventions
1) Strictly speaking, this "malware" should be called a trojan, not a virus. The author deliberately uses the looser term for simplicity and apologizes in advance.
2) In this article the author tried to put himself in the place of an ordinary user and go through exactly what such a user goes through. Therefore no specialized tools are used, and the removal methods chosen are deliberately primitive.

1. Preparation


A superficial search turned up that the link in the SMS is simply an address for downloading an apk file, and that apk is the "Trojan.SMSSend" family, which infects devices running Android. Its main jobs are to take control of the device and use it for its operators' purposes: blocking outgoing calls, sending the "hello" messages onward, and other minor mischief.

Opening the link in an ordinary browser, I safely got a "403 Forbidden".


Clearly, then, the server checks which browser is asking (presumably by the User-Agent header) and only serves the file to something that looks like an Android device. Well, I'll "test it on cats", as the saying goes [note: a Soviet-film catchphrase meaning "try it on a guinea pig first"].

Without further ado, I decided to "sacrifice my Samsung Galaxy Tab 2 tablet on the altar of science". After making a backup, I pressed "Factory data reset" with a clear conscience. Just in case, I made sure there was no money on the SIM card's account and proceeded to the installation.

2. Installation


I go to Settings and, under "Unknown sources" (rendered as "Unknown devices" on this firmware), tick "Allow installation of apps from sources other than the Play Store".
Following the link from the SMS, I get a browser warning of this kind:



I agree and tap "Continue". The file F0T0_ALB0M.apk is downloaded:



Install. The number of permissions requested is terrifying. The operating system kindly warns:
This application may harm the device.
But I'm not looking for easy ways, so, "reluctantly", I tick "I understand that this application may be harmful".

Installation process





When the application asks for device administrator rights, I understand that this is the last stage. I tap Cancel, but the dialog appears again. Oh well, in for a penny, in for a pound: I tap "Activate".



3. Virus application


The application itself consists of a single activity showing a picture of a doomed kitten. The developer probably meant it as a joke.



Here I run a little ahead (see section 6) and give the AndroidManifest.xml so that the rest of the article is easier to follow. Things worth noticing in it: the SMS, incoming-call and outgoing-call receivers are all registered at priority 1000, so they run before the stock messaging and dialer apps; a receiver is registered with BIND_DEVICE_ADMIN (the administrator rights it asked for during installation); the package name com.android.systgec mimics a system namespace; and android:allowClearUserData="false" together with android:manageSpaceActivity=".ClearActivity" replaces the usual "Clear data" button with the app's own activity.
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="4" android:versionName="4.0" android:installLocation="internalOnly" package="com.android.systgec" xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.CALL_PRIVILEGED" />
    <uses-permission android:name="android.permission.CHANGE_COMPONENT_ENABLED_STATE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.WRITE_CONTACTS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />
    <uses-permission android:name="android.permission.MODIFY_PHONE_STATE" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
    <uses-permission android:name="android.permission.GET_TASKS" />
    <application android:label="@string/app_name" android:icon="@drawable/icon" android:manageSpaceActivity=".ClearActivity" android:allowClearUserData="false" android:allowBackup="true">
        <activity android:label="@string/app_name" android:name=".AppActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".ClearActivity" />
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <receiver android:name=".OnBootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
                <action android:name="android.intent.action.QUICKBOOT_POWERON" />
                <action android:name="android.intent.action.USER_PRESENT" />
            </intent-filter>
        </receiver>
        <receiver android:name=".IncomingCallReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.PHONE_STATE" />
            </intent-filter>
        </receiver>
        <receiver android:name=".OutCallReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.NEW_OUTGOING_CALL" />
            </intent-filter>
        </receiver>
        <receiver android:name=".NetworkReceiver">
            <intent-filter>
                <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
                <action android:name="android.net.wifi.WIFI_STATE_CHANGED" />
            </intent-filter>
        </receiver>
        <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/policies" />
            <intent-filter>
                <action android:name="android.app.action.ACTION_DEVICE_ADMIN_DISABLED" />
                <action android:name="android.app.action.ACTION_DEVICE_ADMIN_DISABLE_REQUESTED" />
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
            </intent-filter>
        </receiver>
        <receiver android:name=".ServiceController" />
        <service android:name=".SystemService" android:enabled="true" />
        <service android:name=".DelService" android:enabled="true" />
    </application>
</manifest>
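The manifest above is exactly what a first-pass static triage looks at before anyone decompiles a line of Dalvik bytecode. As an added example (not code from the article and not from the trojan), here is a small Java program that parses a manifest with namespace awareness, resolves the android: attributes, and flags the combinations that matter: SEND_SMS together with RECEIVE_SMS, high-priority receivers on SMS_RECEIVED and NEW_OUTGOING_CALL, a device-admin receiver, boot persistence, overlay permission, and a package name squatting on a system namespace. The embedded SAMPLE is trimmed from the manifest above to the elements these rules inspect; the priority threshold of 100 and the finding texts are my own choices. It needs Java 15 or later for the text block and nothing outside the JDK.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ManifestTriage {
    static final String A = "http://schemas.android.com/apk/res/android";

    // Constructed sample: trimmed from the trojan's manifest shown in the article,
    // keeping only the elements the rules below look at.
    static final String SAMPLE = """
        <manifest xmlns:android="http://schemas.android.com/apk/res/android"
                  package="com.android.systgec" android:versionName="4.0">
          <uses-permission android:name="android.permission.RECEIVE_SMS" />
          <uses-permission android:name="android.permission.SEND_SMS" />
          <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
          <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
          <application android:label="@string/app_name">
            <receiver android:name=".SmsReceiver">
              <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
              </intent-filter>
            </receiver>
            <receiver android:name=".OutCallReceiver">
              <intent-filter android:priority="1000">
                <action android:name="android.intent.action.NEW_OUTGOING_CALL" />
              </intent-filter>
            </receiver>
            <receiver android:name=".AdminReceiver"
                      android:permission="android.permission.BIND_DEVICE_ADMIN" />
          </application>
        </manifest>
        """;

    /** Returns human-readable findings for one manifest; empty list means nothing suspicious. */
    public static List<String> triage(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A manifest never needs a DTD; refusing one blocks XXE from a hostile apk.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<>();

        // 1. Permission combinations.
        Set<String> perms = new HashSet<>();
        NodeList up = doc.getElementsByTagName("uses-permission");
        for (int i = 0; i < up.getLength(); i++) {
            perms.add(((Element) up.item(i)).getAttributeNS(A, "name"));
        }
        if (perms.contains("android.permission.SEND_SMS")
                && perms.contains("android.permission.RECEIVE_SMS")) {
            findings.add("SEND_SMS + RECEIVE_SMS: can send (premium) SMS and read the replies");
        }
        if (perms.contains("android.permission.RECEIVE_BOOT_COMPLETED")) {
            findings.add("RECEIVE_BOOT_COMPLETED: restarts itself after every reboot");
        }
        if (perms.contains("android.permission.SYSTEM_ALERT_WINDOW")) {
            findings.add("SYSTEM_ALERT_WINDOW: can draw windows over other apps");
        }

        // 2. Receivers: device admin and high-priority ordered broadcasts.
        NodeList receivers = doc.getElementsByTagName("receiver");
        for (int i = 0; i < receivers.getLength(); i++) {
            Element r = (Element) receivers.item(i);
            String name = r.getAttributeNS(A, "name");
            if ("android.permission.BIND_DEVICE_ADMIN".equals(r.getAttributeNS(A, "permission"))) {
                findings.add(name + ": device-admin receiver; uninstall is blocked while it is active");
            }
            NodeList filters = r.getElementsByTagName("intent-filter");
            for (int j = 0; j < filters.getLength(); j++) {
                Element filt = (Element) filters.item(j);
                String p = filt.getAttributeNS(A, "priority");
                int priority = p.isEmpty() ? 0 : Integer.parseInt(p);
                NodeList actions = filt.getElementsByTagName("action");
                for (int k = 0; k < actions.getLength(); k++) {
                    String action = ((Element) actions.item(k)).getAttributeNS(A, "name");
                    if (priority >= 100 && action.equals("android.provider.Telephony.SMS_RECEIVED")) {
                        findings.add(name + ": SMS_RECEIVED at priority " + priority
                                + "; runs before the messaging app and, before Android 4.4, can abort the broadcast");
                    }
                    if (priority >= 100 && action.equals("android.intent.action.NEW_OUTGOING_CALL")) {
                        findings.add(name + ": NEW_OUTGOING_CALL at priority " + priority
                                + "; can cancel or redirect outgoing calls");
                    }
                }
            }
        }

        // 3. Namespace squatting: third-party apps have no business in com.android.*.
        String pkg = doc.getDocumentElement().getAttribute("package");
        if (pkg.startsWith("com.android.") || pkg.startsWith("com.google.")) {
            findings.add("package " + pkg + " mimics a system/Google namespace");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String finding : triage(SAMPLE)) {
            System.out.println("[!] " + finding);
        }
    }
}
```

Run against a real apk, the manifest first has to be decoded from its binary form (apktool or aapt dump xmltree); the rules themselves do not change. None of the findings is a conviction on its own, since a legitimate SMS app or MDM agent trips several of them, but a "photo album" that trips all of them has nothing to do with photos.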


In the application manager, our "malware" proudly calls itself "Google Play".



4. Removal?


Having successfully infected the device, I move on to the treatment phase. First I try to uninstall the application. I open "Application manager" and see that all the buttons are greyed out.



Understood: the application holds device administrator rights, so it cannot simply be uninstalled. No problem, I'll revoke them. I go to "Security" -> "Device administrators" and untick the box next to the application.



But no such luck. The device jumps straight to the Wi-Fi settings screen and hangs. I had to kill the Settings window.



Then I wanted to settle the matter at the root, so to speak, and fall back on a full factory reset. Sure, that option is easy for me to choose: my personal data is safe in the backup.

But what about ordinary users, whose favourite phone is "suddenly" infected? They won't even be able to make an outgoing call to their resident "you're-the-programmer" friend. No, that would be cheating; I won't do it.

Bottom line: the threat could not be neutralized by standard means. Time to bring in the heavy artillery.
Note to companies
The following sections describe actions involving the free versions of some companies' products. The purpose of the narrative is not to complain about those companies or the services they provide.

5. Dr Web against virus


Remembering the good old cleanup utility "Dr.Web CureIt!", I decided to fight the malware with its Android counterpart. I go to the official website and download the free Dr.Web for Android Light 9.
I install it and update the signatures over Wi-Fi.
A quick scan finds nothing.
A full scan finds nothing either.

Scan progress




Disappointing! With a sad sigh, I uninstall the antivirus.

UPD 09/06/14: the antivirus now detects this malware as Android.SmsBot.origin.165. The removal procedure is the same as with Avast (see below).

5. Avast against the virus


The author's opinion
I have never really liked this company's antivirus, especially after the story of it deleting the file responsible for the TCP/IP stack in Windows XP. But what the heck, let's install it.

I download and install Avast-Mobile-Security-v3-0-7700.
On first launch an express scan runs and finds no viruses on the system.



OK then, another idea came to mind: there is a menu item "Application management"; what if...
Yes, the list of applications on the system really did load.



There is no "Uninstall" item, so I try to stop the application. It stops.
Two or three seconds later it is running again.

Fine, I'll try from the other side. I launch a forced system scan. O_o, malware detected. I tap "Remove all" [note: somehow it sounds like Darth Vader or the Daleks]. Avast says it cannot remove the application: administrative rights must first be revoked from it. The system dialog appears:
Delete all data from the device and return to factory settings? Tap "Yes" if you agree, or "No" to cancel

And immediately, on top of this dialog, the "ill-fated" Wi-Fi settings window opens. I tap "Back", and the settings open again. Well, at least this time the settings window doesn't hang.



Once again I am being pushed down the cheating path. Let's look for another solution...

6. Reverse Engineering


Let's look at the application's source code; fortunately, on Android that is not much of a problem (an apk is an ordinary zip archive, and the Dalvik bytecode inside decompiles readily). Lots of interesting things...
For example, the SystemService class contains the URL of the site lamour.byethost5.com (a design studio).
But what I liked most was the AdminReceiver class, which extends the system class DeviceAdminReceiver.
It overrides onDisableRequested, which the system calls when the user tries to deactivate this application's administrator rights. The text that this method returns is what the system shows in the deactivation confirmation dialog. The dialog's buttons themselves cannot be blocked, so the malware author resorted to a trick: he replaced the warning text with "Delete all data from the device and return to factory settings? Tap 'Yes' if you agree, or 'No' to cancel" and, for good measure, keeps throwing the annoying Wi-Fi settings window on top of it.
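To make the trick concrete, here is a reconstruction in Java of what such an AdminReceiver looks like. It is an added example written for this article, not the trojan's decompiled code: the article establishes only that onDisableRequested was overridden, what text it returns, and that a Wi-Fi settings screen is thrown on top; launching that screen via Settings.ACTION_WIFI_SETTINGS is my assumption about how it was done. The class is registered exactly as the AdminReceiver entry in the manifest above (android:permission="android.permission.BIND_DEVICE_ADMIN" plus the @xml/policies meta-data).

```java
import android.app.admin.DeviceAdminReceiver;
import android.content.Context;
import android.content.Intent;
import android.provider.Settings;

/*
 * Reconstruction of the technique described above; not the trojan's own code.
 *
 * The system invokes onDisableRequested() when the user unticks the app under
 * Settings -> Security -> Device administrators. Whatever CharSequence the
 * method returns is rendered by the system inside the deactivation
 * confirmation dialog. The app therefore controls the warning text, but not
 * the buttons: the confirm button still only revokes admin rights.
 */
public class AdminReceiver extends DeviceAdminReceiver {

    @Override
    public CharSequence onDisableRequested(Context context, Intent intent) {
        // Cover the dialog with an unrelated screen. Which screen the trojan opened
        // and how is not shown in the article; the Wi-Fi settings action is an
        // assumption that matches what the author saw on the device.
        Intent cover = new Intent(Settings.ACTION_WIFI_SETTINGS);
        cover.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(cover);

        // The lie the user reads in the system dialog. Confirming it wipes nothing;
        // it merely removes the admin rights that block uninstallation.
        return "Delete all data from the device and return to factory settings? "
             + "Tap \"Yes\" if you agree, or \"No\" to cancel";
    }

    /*
     * The honest counterpart a legitimate MDM agent would ship looks the same,
     * only the returned text tells the truth about the consequences, e.g.
     *     return context.getString(R.string.admin_disable_warning);
     * with the string reading "Corporate e-mail will stop syncing".
     */
}
```

The practical check that follows from this: the deactivation dialog is drawn by the system, so its buttons cannot be disabled by the app, and the text in it is supplied by the very app being deactivated. A warning there that sounds disproportionate ("all data will be deleted") is a reason to proceed, not to cancel.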

Bingo. So I can safely tap "Delete" in this dialog, and the tablet will be "healthy".

Afterword


Thus, by repeating the Avast steps from section 5 (this time not stopping at the last step), virus version 4.0 (according to the manifest) was defeated.

Why could the admin tick not be removed directly from Settings, but only via Avast? Most likely there is another trap in some other overridden method.

Conclusions


Virus writers keep finding new loopholes.
But still, the browser and the operating system have become better at protecting users:
I had to click through two confirmations and tick the "Unknown sources" setting before anything could be installed.

Cheers to you and your devices!

Source: https://habr.com/ru/post/235713/

