
Be vigilant when downloading apps: the "Guess Your Sister" virus lurks in app markets, waiting for a chance to push rogue apps

2025-01-30 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Overview

You are deep into a guessing game when the system suddenly warns that it has a security vulnerability. Scary! Should you let it repair itself? Don't tap: when you run into a prompt like this, it is a trick to get you to install a malicious program.

Tencent Mobile Security Lab and Tencent Anti-Fraud Lab recently found a malicious game application, "Guess Your Sister", lurking in the major app markets and waiting for specific conditions under which it tricks users into installing malicious programs.

According to analysis by security engineers at the two labs, the malicious game app usually disguises itself as one of a variety of guessing games, such as Crazy Guess the Star, Crazy Guess the Star 2, Guess the Xiehouyu, and Guess the Song: TFBoys.

The apps produced by this virus family are particularly fond of making users guess, and their own behaviour is just as capricious: they turn malicious only at intervals.

(1) The developers update samples quickly.

Benign versions are mixed with malicious versions in a kind of "guerrilla warfare" intended to deceive the app markets' security checks:

clean at launch, then turned malicious, then restored to clean, then malicious again, then clean again.

(2) The malicious behaviour has a deep trigger path and is full of tricks.

Faced with encirclement and interception by security vendors, the developers' creepy ingenuity keeps evolving. The sample "rewards" the user with a malicious advertising program only when a specific level is reached at a specific time.

1. Analysis of sample behavior.

The malicious sample com.*r6.guess360.apk is a star-guessing game. Its running interface is as follows:

To defeat anti-virus detection, the sample fires its malicious behaviour only after jointly evaluating several conditions. The code is as follows:

Trigger conditions:

(1) this.e == 13: the current level number minus 1 equals 13.

(2) !g.b(): the current time satisfies the trigger condition, judged from the device's time information.

(3) Whether the application to be installed is already installed.

Once the trigger conditions are met, the sample carries out its malicious behaviour: it tells the user that the system has a security vulnerability, then releases and installs the application stored in the assets directory. The code is as follows:

The screenshot of malicious behavior is as follows:

The installed malicious application disguises itself as a system application: its software name is "Android" and its package name is cvoo.wa.a. Its main malicious acts are downloading a root sub-package from the cloud, rooting the user's phone, and bundling a malicious advertising plug-in that pops up anonymous windows on the phone screen and pushes floating-window ads, seriously interfering with users' use of their phones.

(1) Download the root sub-package from the cloud, decrypt it and load it. Download link: http://52.52.***.56/checker

Root sub-package dex structure:

The root sub-package downloads a root solution from the cloud and performs the root operation. Download links for the root schemes:

http://cdn.gam***.org/strategy/dev_root2

http://cdn.gam***.org/strategy/dev_root

http://cdn.gam***.org/strategy/UnknownDev

Downloaded root scheme:

(2) The malicious application pops up anonymous windows on the phone screen and pushes floating-window advertisements, seriously interfering with users' use of their phones.
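The drop-from-assets pattern described above (a second APK hidden under assets/, whose dex carries hard-coded download URLs for the root sub-package) can be triaged statically without running the game to level 14 at the right time of day. The following is an added example written for this page, not Tencent's tooling or the sample's code. It builds a constructed APK in memory that mimics the described layout, then scans it for embedded APK and dex payloads and pulls URL strings out of any dex it finds. The file name assets/update.bin, the dex contents and the manifest placeholder are constructed; the URL http://52.52.***.56/checker (with the report's own masking kept literally) and the package name cvoo.wa.a are taken from the report. Real samples encrypt the payload before loading it, which this scanner does not handle.

```python
"""Static triage for the 'drop an APK from assets/' pattern.

Added example, not code from the report or the sample. Scans an APK (a zip)
for:
  * files under assets/ that start with the ZIP magic (an embedded APK),
  * files that start with the dex magic (a loadable dex payload),
  * http/https URLs inside any dex found directly or inside an embedded APK.
Only unencrypted payloads are detected; an encrypted blob in assets/ has
neither magic and is left for dynamic analysis.
"""
import io
import re
import zipfile
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"
URL_RE = re.compile(rb"https?://[A-Za-z0-9.*_\-/]+")


def build_constructed_sample() -> bytes:
    """Constructed fixture: a game APK carrying a second APK under assets/.

    The inner classes.dex is a fake: dex magic plus a few NUL-terminated
    strings, enough for the scanner to recognise and search it.
    """
    inner_dex = (
        DEX_MAGIC + b"035\x00" + b"\x00" * 32
        + b"cvoo.wa.a\x00"                                  # package name from the report
        + b"http://52.52.***.56/checker\x00"                # download URL from the report
        + b"http://cdn.gam***.org/strategy/dev_root\x00"    # root-scheme URL from the report
    )
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", inner_dex)
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder header only
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32 + b"guess360\x00")
        z.writestr("assets/levels.json", b"[]")              # ordinary game data
        z.writestr("assets/update.bin", inner.getvalue())    # the embedded dropper payload
    return outer.getvalue()


def urls_in(data: bytes) -> List[str]:
    """Unique http(s) URLs found as plain byte strings in a dex blob."""
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})


def scan_apk(apk_bytes: bytes, depth: int = 0) -> Dict[str, List[str]]:
    """Return {'embedded_apks': [...], 'dex_files': [...], 'urls': [...]}.

    Embedded APKs are scanned recursively (two levels deep at most); their
    dex entries are reported as 'outer_name!inner_name'.
    """
    report: Dict[str, List[str]] = {"embedded_apks": [], "dex_files": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if data.startswith(DEX_MAGIC):
                report["dex_files"].append(name)
                report["urls"].extend(urls_in(data))
            elif name.startswith("assets/") and data.startswith(ZIP_MAGIC) and depth < 2:
                report["embedded_apks"].append(name)
                inner = scan_apk(data, depth + 1)
                report["dex_files"].extend(f"{name}!{d}" for d in inner["dex_files"])
                report["urls"].extend(inner["urls"])
    report["urls"] = sorted(set(report["urls"]))
    return report


def is_suspicious(report: Dict[str, List[str]]) -> bool:
    """Flag the dropper pattern: an APK inside assets/ whose code carries URLs."""
    return bool(report["embedded_apks"]) and bool(report["urls"])


if __name__ == "__main__":
    rep = scan_apk(build_constructed_sample())
    for key, values in rep.items():
        print(f"{key}: {values}")
    print("suspicious:", is_suspicious(rep))
```

Run against a real sample, the same scan_apk() works on the bytes of any .apk file; a clean game would normally show an empty embedded_apks list, while the sample's own classes.dex may legitimately contain a few URLs, which is why the flag requires both an embedded APK and URLs rather than either alone.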

2. Sample iterative change trend analysis.

Tencent Mobile Security Lab and Tencent Security Anti-Fraud Lab used their own security-analysis big-data platform to examine the malicious sample along several dimensions: package name, developer certificate, sample hash and distribution channel. The sample was found to have spread through domestic app markets since March 2015, and by June 17 it had iterated from version 1.0.1 to 1.6.4. Every few days new samples are uploaded to the app markets, with malicious versions mixed in among them to bypass the markets' security testing.

Trend of the applications under this package name and developer certificate:

In December, Tencent Anti-Fraud Lab found a malicious version of this sample. At runtime, that version decrypted and loaded a root sub-package from the assets directory of its resources, uploaded the user's device information to a remote server, obtained the matching root scheme and carried out root privilege escalation. Once escalation succeeded, it frequently downloaded and pushed applications, interfering with users' normal use of their phones. The newly discovered malicious version adopts a new way of doing harm, described in detail in the previous section.

3. Sample influence surface and related developer certificate MD5

According to the analysis, the software names of these samples include Crazy Guess the Star, Crazy Guess the Star 2, Guess the Xiehouyu and Guess the Song: TFBoys. They have been listed in several major domestic app markets, with downloads and installations in the hundreds of thousands, among which users infected by the malicious versions number in the tens of thousands.

4. Background tracing

(1) Developer information for the "Guess xx" games

This sample is mainly spread through domestic app markets. Comparing the sample's listing information across the markets shows that the developer of this kind of application is mainly Shenzhen * Technology Co., Ltd., whose legal representative is Hu Moujun.

(2) Information related to the malicious sub-packages

Tracing was carried out from the URLs decrypted from the ROOT module. The main URL is http://cdn.game***.org; looking up the contacts registered for that domain name gives the related enterprise information, summarised as follows:

The enterprise's main products are counterfeits of popular game software, all of which carry rogue advertising and malicious promotion functions.

5. Security recommendations

(1) Each domestic app market should improve its own application security detection mechanism and check the security of listed applications regularly.

(2) App markets should standardise the management of application developers and take management measures against developers of malicious applications.

(3) Mobile phone users should get into the habit of using security software such as Tencent Mobile Manager to detect and remove malicious viruses carried by mobile applications and protect their phones.

6. About Tencent Mobile Manager and Tencent Anti-Fraud Lab

Tencent Mobile Manager is a permanently free mobile phone security and management application owned by Tencent. Its features include virus detection, harassment interception, payment protection, privacy protection, phone anti-theft and other security protections. It also supports intelligent functions such as data-usage monitoring, junk cleaning, phone acceleration, phone slimming, free WiFi, software management, photo album management, call show, phone backup and reminder assistant, making it not only a security expert but also a close butler for users.

Tencent Mobile Security Lab and Tencent Security Anti-Fraud Lab bring together top white-hat researchers from around the world and a number of Tencent big-data experts to focus on anti-fraud technology and security system research. Anti-Fraud Lab has the world's largest security cloud database and serves 99% of Chinese netizens.
