How has your app been replaced? Analysis of APP hijacking virus


1、 Introduction of APP hijacking virus

App hijacking refers to the redirection of execution process, which can be divided into activity hijacking, installation hijacking, traffic hijacking, function execution hijacking, etc. This paper will analyze the recent hijacking and installation hijacking viruses using activity.

2、 Analysis of activity hijacking virus

2.1 introduction to activity hijacking virus

Activity Hijacking means that when a window component is started, it is detected by the malicious application. If the window interface is the preset attack object of the malicious program, the malicious application will start its own fake interface and cover the original interface. The user inputs the login information without noticing, and the malicious program returns the obtained data to the server.
How has your app been replaced? Analysis of APP hijacking virus

Taking mazarbot spy Trojan as an example, this kind of Trojan has the following characteristics:

Disguised as a system SMS application, request to activate device management authority after startup, and then hide the icon;
Tor is used to communicate with C & C control center anonymously to resist traffic analysis;
The C & C control center issues commands for mobile phone control, update HTML, and information collection;
Htmldata is dynamically obtained by the server, and then the user account information is obtained by hijacking the interface;

The following is a list of C & C control center commands:
How has your app been replaced? Analysis of APP hijacking virus

We find that the Trojan can accept and process a complete set of C & C control instructions, and use tor for anonymous network communication, which makes the source and destination of traffic data not directly connected by a path, which increases the difficulty of tracing the attacker’s identity. Finally, we will analyze the hijacking process of Trojan interface in detail.

2.2 interface hijacking process analysis:

The first thing to see is the AXML file. The workerservice service processes the “update HTML” command issued by the C & C control center, and monitors the activity running at the top level in the background. If the application to be hijacked will start injdialog activity to hijack the page.
How has your app been replaced? Analysis of APP hijacking virus
Figure AXML information

The following figure shows the monitoring process of the top-level activity by the background service. If the application to be hijacked is to be hijacked, injdialog will be started for hijacking. The gettop function does code compatibility processing, and device Trojans above 5.0 can also obtain the top-level activity package name.
How has your app been replaced? Analysis of APP hijacking virus
Figure background monitoring

Injdialog activity loads a fake HTML application interface through WebView, call webView.setWebChromeClient (New hookchromeclient()) sets the HTML page to interact with Java, calls prompt in the forged HTML page to transfer the user input information in JS to Java, the hookchromeclient class rewrites the onjsprompt method to process the user input information, and finally uploads the hijacked user information to the specified domain name through tor anonymously.
How has your app been replaced? Analysis of APP hijacking virus
Figure hijacking user information

Figure upload hijacking information

3、 Application installation hijack virus analysis

3.1 introduction of installing hijacking virus

Install hijack virus by monitoring android.intent.action .PACKAGE_ Added and android.intent.action .PACKAGE_ The attack of replaced intent includes two means: one is to uninstall and delete the actual installed APK, and replace it with the application forged by the attacker; the other is to use the message that the user is installing to quietly install other applications promoted by themselves. This process is like the “six walnuts” you usually drink. One day, you actually drink “seven walnuts”.

3.2 application related information

This application is called “flashlight”, package name: com.gouq.light The application is as follows:
How has your app been replaced? Analysis of APP hijacking virus

3.3 analysis of main components

. app applies the application class, loads the encrypted jar package under the asset directory, obtains the interface exchangeimpl object, implements the interface functions onapplicationcreate, triggerreceiver, triggertimerservice in jar, and starts the core service lightservice;
. lightservice applies the core service, which can be called externally to start lighttiservice to replace the process name, and am starts the service to keep itself alive;
. lighttiservice is started by lightservice, which will call the triggertimerservice interface method in the dynamic loading package to delete the installed application, upload the current device information, and download the application to be installed from the server;
. appreceiver broadcast receiver is implemented through the triggerreceiver interface method in the loaded jar package android.intent.action .PACKAGE_ Added and android.intent.action .PACKAGE_ Replace intent to check whether the installation and new application are hijacking applications. If so, install hijacking through execcmd.

The following figure shows the installation hijacking process. By monitoring the installation and update of the application, the silent installation of other associated applications is implemented.
How has your app been replaced? Analysis of APP hijacking virus
Figure installation hijacking

The above figure shows that this malicious application borrows to install or update intent to install the preset associated application. In this way, after the installation, the user does not know which application has just been installed, which increases the probability of promoting the application to click to run.

4、 How to effectively prevent app hijacking or security protection suggestions

For enterprise users:

As a mobile application developer, the simplest way to prevent app from being hijacked by the interface is to detect whether the front-end activity application is itself or system application in the onpause method of key activities such as login window.
Of course, there is specialization in technology, and professional things are left to professional people. Aliju security’s product security component SDK has security signature, security encryption, secure storage, simulator detection, anti debugging, anti injection, anti activity hijacking and other functions. Developers only need to simply integrate the security component SDK to effectively solve the problem of login window being hijacked by trojan virus, so as to help users and enterprises reduce losses.

For individual users:

Install aliqiandun to protect the app from app hijacking Trojan threat.

Author: Niba @ Alibaba mobile security, for more technical articles, please click aliju security blog

Recommended Today

Let me also summarize the knowledge of nginx

Recently, I want to deeply study the related knowledge of nginx, so I summarize the following contents. Nginx configuration parameters Nginx common commands Nginx variable Virtual host configuration Nginx’s own module Fastcgi related configuration Common functions Load balancing configuration Static and dynamic separation configuration Anti theft chain What is nginx? Nginx is a free, open […]