2025-02-24 Update. From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
This article explains in detail the Haken Trojan, a new family of Clicker Trojans. The content is shared here for reference; we hope that after reading it you will have a clear understanding of the techniques involved.
I. Overview
Clicker Trojans are a broad class of malicious programs designed to inflate website visits and generate advertising revenue. They simulate user actions on web pages by clicking links and other interactive elements, silently interact with advertising sites, and automatically subscribe the victim to paid services. The Trojan ships as a malicious module embedded in otherwise ordinary applications such as dictionaries, online maps, audio players and bar-code scanners.
Recently, Shadow Lab discovered Haken, a new Clicker malware family, on Google Play. The analysed app presents itself as an application providing location-oriented services. Unlike earlier Clicker Trojans and the Joker Trojans, which create and load an invisible WebView to perform their malicious clicks, Haken simulates user clicks on ads by injecting native code into the Facebook and Google advertising SDK libraries, inflating site visits and earning money from the ad clicks.
Figure 1-1 Application information on Google Play
Users complain in their reviews that the app plays ads and warn others to download it with caution.
Figure 1-2 User comments on the application
II. Technical analysis
The program's first entry point is the BaseReceiver broadcast receiver. It registers a large number of actions, so that almost any of those broadcasts will trigger it.
Figure 2-1 Registering the BaseReceiver broadcasts
The receiver loads the native library and calls its startTicks function, which in turn uses reflection to invoke the "clm" method of the class com/google/android/gms/internal/JHandler, a class the app itself supplies under the Google Play services package name.
Figure 2-2 Loading the library file and calling local methods via reflection
This method registers two worker threads and a timer. The wdt thread communicates with the C&C server to fetch the latest configuration. The w thread is triggered by the timer, checks the configuration and injects code into the ad-related Activity classes of advertising SDKs such as Google's AdMob and Facebook's.
Figure 2-3 Registering the two worker threads
Worker thread 1:
The wdt thread interacts with the server to obtain the latest configuration. The server address is hard-coded: http://13.***.34.16.
Figure 2-4 Server interaction
The configuration returned by the server includes, among other things, an updated server address for subsequent interaction.
Figure 2-5 Configuration information obtained from the server
Worker thread 2:
The w thread runs when the device has network connectivity and the timer fires, which it does every 60000 ms. It draws a random number between 1 and 4 to choose which of four activities to start; these four activities inject code into the Facebook and Google advertising classes to load ads and simulate clicks on them.
Figure 2-6 Injection into the Facebook and Google ad classes
Figure 2-7 Loading ads
The simulated user clicks on the ads received from the advertising SDK are implemented through the reflection mechanism.
Figure 2-8 Clicking on ads received from the ad SDK
Server backend:
Following the address the application contacts, we reached the server's backend and found that the developer had built a personal website and server on the XAMPP platform.
Figure 2-9 Haken Trojan personal website
The server backend contains two JS files, which are used for the code injection that simulates the click function.
Figure 2-10 Haken Trojan server backend
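As an added triage example (this is not code from the article or from Shadow Lab), the following Python script applies three of the indicators described above to constructed inputs: a decoded manifest whose receiver registers many broadcast actions (the article names BaseReceiver but does not list its actions, so the actions here are illustrative), a stand-in byte blob for the native library containing a JNI class path under com/google/android/gms/ together with a hard-coded URL, and an assumed action-count threshold. The 203.0.113.5 address is a documentation address chosen for the example, not the Trojan's server, whose address the article only gives in redacted form.

```python
"""Static triage for the Haken indicators described above: a receiver that
registers many broadcast actions, a native library that resolves a class
hidden under an SDK namespace (com/google/android/gms/internal/JHandler),
and a hard-coded C&C address given as an IP literal.

Added example; not code from the article or from Shadow Lab. The manifest,
the native-library byte blob, the 203.0.113.5 address and the action
threshold are all constructed or assumed for illustration.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: one receiver listening for this many broadcasts is unusual
# enough for a benign compass/QR-code app to warrant manual review.
ACTION_THRESHOLD = 5

# Constructed manifest fragment (as decoded with apktool). The article names
# BaseReceiver but does not list its actions; these are illustrative.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.haken.compass">
  <application>
    <receiver android:name="com.haken.compass.BaseReceiver"
              android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.SCREEN_ON"/>
        <action android:name="android.intent.action.BATTERY_CHANGED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.haken.compass.AlarmReceiver">
      <intent-filter>
        <action android:name="com.haken.compass.ALARM"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed stand-in for the printable strings of the .so; a real triage
# run would read the library out of the APK's lib/ directory instead.
SAMPLE_NATIVE_LIB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"JNI_OnLoad\x00startTicks\x00"
    + b"com/google/android/gms/internal/JHandler\x00clm\x00()V\x00"
    + b"http://203.0.113.5/config.php\x00"
    + b"libc.so\x00"
)

SDK_NAMESPACES = ("com/google/android/gms/", "com/facebook/")
JNI_CLASS_PATH = re.compile(r"^(?:[a-z][a-z0-9_]*/){2,}[A-Za-z_$][\w$]*$")
IP_LITERAL_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/\S*)?$")


def noisy_receivers(manifest_xml, threshold=ACTION_THRESHOLD):
    """Return [(receiver_name, action_count)] for receivers whose
    intent-filters register at least `threshold` actions in total."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name")
        count = sum(1 for _ in receiver.iter("action"))
        if count >= threshold:
            hits.append((name, count))
    return hits


def extract_strings(blob, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, blob)]


def sdk_namespace_class_refs(strings):
    """JNI-style class paths that sit under a well-known SDK namespace.
    Native code resolving such a class by name (FindClass) is the pattern
    the analysis describes for JHandler."""
    return [s for s in strings
            if JNI_CLASS_PATH.match(s) and s.startswith(SDK_NAMESPACES)]


def ip_literal_urls(strings):
    """http(s) URLs whose host is a bare IPv4 literal, the shape of the
    hard-coded C&C address reported in the analysis."""
    return [s for s in strings if IP_LITERAL_URL.match(s)]


def triage(manifest_xml, native_lib):
    """Run all three checks and return the findings as a dict."""
    strings = extract_strings(native_lib)
    return {
        "noisy_receivers": noisy_receivers(manifest_xml),
        "sdk_namespace_classes": sdk_namespace_class_refs(strings),
        "ip_literal_urls": ip_literal_urls(strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_NATIVE_LIB).items():
        print(f"{key}: {value}")
```

None of the three checks is proof of malice on its own: legitimate apps also register boot and connectivity receivers, and some SDKs do call into their own classes from native code. The value is in the combination, which on a small utility app (compass, QR-code reader, colouring book) is worth a manual look at the native library and at what its reflective calls reach.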
III. Sample information

Application name       Package name                        SHA256
Compass                com.haken.compass                   30bf493c79824a255f9b56db74a04e711a59257802f215187faffae9c6c2f8dc
Qrcode                 com.haken.qrcode                    62d192ff53a851855ac349ee9e6b71c1dee8fb6ed00502ff3bf00b3d367f9f38
Coloring Book          com.faber.kids.coloring             381620b5fc7c3a2d73e0135c6b4ebd91e117882f804a4794f3a583b3b0c19bc5
Fruits Coloring Book   com.vimotech.fruits.coloring.book   f4da643b2b9a310fdc1cc7a3cbaee83e106a0d654119fddc608a4***7c5552a3
Soccer Coloring Book   com.vimotech.soccer.coloring.book   a4295a2120fc6b75b6a86a55e8c6b380f0dfede3b9824fe5323e139d3bee6f5c
Fruit Helix Jump       mobi.game.fruit.jump.tower          e811f04491b9a7859602f8fad9165d1df7127696cc03418ffb5c8ca0914c64da
Number Shooter         mobi.game.ball.number.shooter       d3f13dd1d35c604f26fecf7cb8b871a28aa8dab343c2488d748a35b0fa28349a

IV. Intelligence expansion
The "Joker" malware family was first discovered on Google Play in September 2019, and Shadow Lab issued a risk warning to users on September 28, 2019, in its report on Joker's simulated subscriptions to premium services.
The malware subscribes users to premium services by silently simulating automated interactions with advertising sites, including simulating clicks and entering the authorization codes required for premium-service subscriptions. Joker has kept reappearing on Google Play over the past few months.
We recently found four more Joker samples on Google Play, with more than 1,300,000 downloads combined. Their sample information follows.

Package name                SHA256
com.app.reyflow.phote       08f53bbb959132d4769c4cb7ea6023bae557dd841786643ae3d297e280c2ae08
com.race.mely.wpaper        44102fc646501f1785dcadd591092a81365b86de5c83949c75c380ab8111e4e8
com.landscape.camera.plus   9c713db272ee6cc507863ed73d8017d07bea5f1414d231cf0c9788e6ca4ff769
com.vailsmsplus             1194433043679ef2f324592220dcd6a146b28689c15582f2d3f5f38ce950d2a8

This concludes the analysis of the Haken Trojan, a new family of Clicker Trojans. We hope the content above is of some help and that readers can learn more from it. If you found the article useful, please share it with others.