五一以來,國產手機受到cmtwg, nkvhu, qhsz等幾款惡意軟體肆虐。

bbqz007發表於2020-05-17

受影響手機包括魅族,中國移動等國產手機。

 

 

 

 

 

 

 5月12日開始有人在百度知道提問cmtwg,5月13日mx吧也有人在發貼。

我接到有問題的手機時間更早,大約就是五一之後。

 出現問題的幾個牌子的國產手機,似乎存在漏洞,對方可以利用4G網路,自動安插它們的軟體到你的裝置上。

com.wagd.qhsz的dump

 

 

 

 

 

 com.wg.cmtwg的dump

 

 

 

 

 自動安裝時間點的日誌

 1  25**  26** I ActivityManager: Start proc 20763:com.android.defcontainer/u0a20 for service com.android.defcontainer/.DefaultContainerService
 2 20763 20780 D DefContainer: Copying /storage/emulated/0/.tm/882a3f6d5466518c3fb5290ada5f2a89 to base.apk
 3  25**  26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: /data/app/vmdl533505310.tmp/base.apk pkg=com.wg.cmtwg isa=arm64 vmSafeMode=false debuggable=false target-filter=interpret-only oatDir = /data/app/vmdl533505310.tmp/oat sharedLibraries=null
 4  25**  26** V BackupManagerService: restoreAtInstall pkg=com.wg.cmtwg token=d restoreSet=0
 5 20763 20780 D DefContainer: Copying /storage/emulated/0/.tm/60d9d7e3febaf4ba2e3ce177747d76cf to base.apk
 6  25**  26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: /data/app/vmdl722489780.tmp/base.apk pkg=com.wagd.qhsz isa=arm64 vmSafeMode=false debuggable=false target-filter=interpret-only oatDir = /data/app/vmdl722489780.tmp/oat sharedLibraries=null
 7  25**  32** I ActivityManager: Start proc 20812:com.wg.cmtwg/u0a1** for activity com.wg.cmtwg/com.hikd.nvkhu.MainActivity
 8  25**  26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: /data/app/vmdl722489780.tmp/base.apk pkg=com.wagd.qhsz isa=arm64 vmSafeMode=false debuggable=false target-filter=interpret-only oatDir = /data/app/vmdl722489780.tmp/oat sharedLibraries=null
 9 20812 20812 W System  : ClassLoader referenced unknown path: /data/app/com.wg.cmtwg-1/lib/arm64
10 20812 20812 W Settings: Setting development_settings_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
11 20812 20812 W Settings: Setting adb_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
12 20812 20812 W art     : Class sdk.fkgh.hxx.x failed lock verification and will run slower.
13 20812 20812 W art     : Common causes for lock verification issues are non-optimized dex code
14 20812 20812 W art     : and incorrect proguard optimizations.
15 20812 20812 W art     : Class sdk.fkgh.hxx.K failed lock verification and will run slower.
16 20812 20812 W art     : Class sdk.fkgh.hxx.w failed lock verification and will run slower.
17 20812 20812 W Settings: Setting android_id has moved from android.provider.Settings.System to android.provider.Settings.Secure, returning read-only value.
18 20812 20919 W Settings: Setting android_id has moved from android.provider.Settings.System to android.provider.Settings.Secure, returning read-only value.
19 20812 20919 W art     : Class sdk.fkgh.hxx.G failed lock verification and will run slower.
20 20812 20812 D MyService: onStartCommand: 
21 20812 20812 W Settings: Setting development_settings_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
22 20812 20812 W Settings: Setting adb_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
23 20812 20962 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
24  25**  26** V BackupManagerService: restoreAtInstall pkg=com.wagd.qhsz token=e restoreSet=0
25 104** 10458 D Launcher.Model: mAllAppsList.addPackage com.wagd.qhsz
26  25**  32** I ActivityManager: START u0 {act=android.intent.action.MAIN flg=0x14800000 cmp=com.wagd.qhsz/com.wagd.gg.MainActivity} from uid 1000 on display 0
27  25**  32** I ActivityManager: Start proc 21086:com.wagd.qhsz/u0a1** for activity com.wagd.qhsz/com.wagd.gg.MainActivity
28 21086 21086 W System  : ClassLoader referenced unknown path: /data/app/com.wagd.qhsz-1/lib/arm64
29 21086 21100 W System  : ClassLoader referenced unknown path: /data/data/com.qihoo.shielder/files
30 21086 21086 D MyService: onStartCommand: 
31 21086 21129 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
32 21086 21104 W ResourceType: ResTable_typeSpec entry count inconsistent: given 1, previously 170
33 21086 21091 I art     : Compiler allocated 5MB to compile boolean com.qihoo360.mobilesafe.loaded.client.i.transact(int, android.os.Parcel, android.os.Parcel, int)
34 21086 21137 I System.out: true
35 21086 21091 I art     : Do partial code cache collection, code=20KB, data=30KB
36 21086 21091 I art     : After code cache collection, code=20KB, data=30KB
37 21086 21091 I art     : Increasing code cache capacity to 128KB
38  25**  36** I ActivityManager: Process com.wagd.qhsz (pid 21086) has died
39  25**  36** D ActivityManager: cleanUpApplicationRecord -- 21086
40  25**  36** W ActivityManager: Scheduling restart of crashed service com.wagd.qhsz/com.wagd.gg.MyService in 1000ms
41  25**  26** I ActivityManager: Start proc 22085:com.wagd.qhsz/u0a1** for service com.wagd.qhsz/com.wagd.gg.MyService
42 22085 22099 W System  : ClassLoader referenced unknown path: /data/data/com.qihoo.shielder/files
43 22085 22085 W System  : ClassLoader referenced unknown path: /data/app/com.wagd.qhsz-1/lib/arm64
44 22085 22085 D MyService: onStartCommand: 
45 22085 22144 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
46 22085 22110 W ResourceType: ResTable_typeSpec entry count inconsistent: given 1, previously 170
47 22085 22091 I art     : Compiler allocated 5MB to compile boolean com.qihoo360.mobilesafe.loaded.client.i.transact(int, android.os.Parcel, android.os.Parcel, int)

上面日誌發生了什麼?

0. 日誌清單之前1分鐘內有DpmTcmClient的輸出,可能是在下載安裝包。

1. PackageManager被呼叫,啟動了DefaultContainer,pid=20763

2. DefaultContainer啟動一條執行緒tid=20780,先後將下載在/sdcard/.tm目錄上的安裝包

882a3f6d5466518c3fb5290ada5f2a89,60d9d7e3febaf4ba2e3ce177747d76cf

安裝上,並且BackupManager恢復資料。

3. AM被呼叫,啟動 com.wg.cmtwg,pid=20812

4. com.wg.cmtwg修改設定development_settings_enabled以及adb_enabled,然後開啟http連線。

5. AM被呼叫,啟動 com.wagd.qhsz,pid=21086

6. com.wagd.qhsz修改設定development_settings_enabled以及adb_enabled,然後開啟http連線。

7. pid=21086,com.wagd.qhsz.Activity死亡

8. 1分鐘後,AM重啟com.wagd.qhsz/com.wagd.gg.MyService, pid=22085

9. com.wagd.qhsz/com.wagd.gg.MyService開啟http連線。

這幾款軟體都是動態載入dex,只有發作後才能看到更多東西,和任務邏輯。

下面是我最初接到的手機,發作的情況。

軟體會下載各路刷廣告的sdk,載入後瘋狂開執行緒刷廣告,手機幾乎超載執行發熱感人激動,直至重啟,然後反覆無電累死。

發作的手機/sdcard目錄下要有如下目錄 

 

 /data/data/com.wagd.qhsz

 

 /data/data/com.wg.cmtwg

 

 下面列一些com.wagd.qhsz下載的dex反編譯後找到的字串:

com.wagd.qhsz
"com.blankj.utilcode.util.PermissionUtils$PermissionActivity"
“http_stat12.guantouyouxi.com”
_235.do d.class "FULIYOUYICHENG"
35190476729276.apk net.task.InitTask "WG20200430143295" "yy2042901"
35190476729276.apk net.task.d "qtt://news_detail?from=And-juaiwan-19100503&id=1427705327", "17", "com.jifen.qukan"
35190476729276.apk net.task.e "com.android.browser" "com.eg.android.AlipayGphone" "mBasePackageName"
20*.dex com.api.a class: "http://sdktoapi.free-eyepro.com" "ad.vv.sdk"
20*.dex com.lo.ca.realtimeweb.kernel.web.ai class: "wzb api inject js next_script_order="
20*.dex com.lo.ca.realtimeweb.kernel.web.ak class: "qh api evaluateJavascript_qh---ua="
20*.dex h.e class: "--------------------canRunBeiYeSDK-start-----------ADID==>"
20*.dex h.i class: "beiyeAPI_" "com.yjl.sdk" "com.yjl.sdk.mango" "com.yjl.sdk.web" "com.yjl.sdk.xinyun" "com.yjl.sdk.baidu" "com.ext.sdk"

大概的工作原理,就是後臺webview刷廣告api,注入js刷資料刷流量。sdk都註名為anshuan。

下載到的dex檔案都重新命名字尾.do,編譯後oat檔案都重新命名字尾.dex,如果不會用xxd區分檔案格式的話,就在反編譯時受阻。

所以期間正好寫了一個gui4smali的demo,因為它們實在下載了太多odex。

cmtwg,qhsz,nvkhu在安裝自動獲取到了所有的許可權,包括訪問/sdcard,自動加入inet使用者組,隱私風險最高階。它們似乎擁有除root和SEandroid外一切有用的許可權。可以讓刪除它們後的手機,後臺自動去下載並安裝(或者說直接通過4G網路讓你的手機下載並安裝),安裝同時授權一切。裝置惹上後扛扛是一塊肉雞,而且隱私風險最高。

相關文章