五一以来,国产手机受到cmtwg, nkvhu, qhsz等几款恶意软件肆虐。
bbqz007 人气:1受影响手机包括魅族,中国移动等国产手机。
5月12日开始有人在百度知道提问cmtwg,5月13日mx吧也有人在发贴。
我接到有问题的手机时间更早,大约就是五一之后。
出现问题的几个牌子的国产手机,似乎存在漏洞,对方可以利用4G网络,自动安插它们的软件到你的设备上。
com.wagd.qhsz的dump
com.wg.cmtwg的dump
自动安装时间点的日志
1 25** 26** I ActivityManager: Start proc 20763:com.android.defcontainer/u0a20 for service com.android.defcontainer/.DefaultContainerService
2 20763 20780 D DefContainer: Copying /storage/emulated/0/.tm/882a3f6d5466518c3fb5290ada5f2a89 to base.apk
3 25** 26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: https://img.qb5200.com/download-x/data/app/vmdl533505310.tmp/base.apk pkg=com.wg.cmtwg isa=arm64 vmSafeMode=false debuggable=false target-filter=interpret-only oatDir = https://img.qb5200.com/download-x/data/app/vmdl533505310.tmp/oat sharedLibraries=null
4 25** 26** V BackupManagerService: restoreAtInstall pkg=com.wg.cmtwg token=d restoreSet=0
5 20763 20780 D DefContainer: Copying /storage/emulated/0/.tm/60d9d7e3febaf4ba2e3ce177747d76cf to base.apk
6 25** 26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: https://img.qb5200.com/download-x/data/app/vmdl722489780.tmp/base.apk pkg=com.wagd.qhsz isa=arm64 vmSafeMode=false debuggable=false target-filter=interpret-only oatDir = https://img.qb5200.com/download-x/data/app/vmdl722489780.tmp/oat sharedLibraries=null
7 25** 32** I ActivityManager: Start proc 20812:com.wg.cmtwg/u0a1** for activity com.wg.cmtwg/com.hikd.nvkhu.MainActivity
8 25** 26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: https://img.qb5200.com/download-x/data/app/vmdl722489780.tmp/base.apk pkg=com.wagd.qhsz isa=arm64 vmSafeMode=false debuggable=false target-filter=interpret-only oatDir = https://img.qb5200.com/download-x/data/app/vmdl722489780.tmp/oat sharedLibraries=null
9 20812 20812 W System : ClassLoader referenced unknown path: https://img.qb5200.com/download-x/data/app/com.wg.cmtwg-1/lib/arm64
10 20812 20812 W Settings: Setting development_settings_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
11 20812 20812 W Settings: Setting adb_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
12 20812 20812 W art : Class sdk.fkgh.hxx.x failed lock verification and will run slower.
13 20812 20812 W art : Common causes for lock verification issues are non-optimized dex code
14 20812 20812 W art : and incorrect proguard optimizations.
15 20812 20812 W art : Class sdk.fkgh.hxx.K failed lock verification and will run slower.
16 20812 20812 W art : Class sdk.fkgh.hxx.w failed lock verification and will run slower.
17 20812 20812 W Settings: Setting android_id has moved from android.provider.Settings.System to android.provider.Settings.Secure, returning read-only value.
18 20812 20919 W Settings: Setting android_id has moved from android.provider.Settings.System to android.provider.Settings.Secure, returning read-only value.
19 20812 20919 W art : Class sdk.fkgh.hxx.G failed lock verification and will run slower.
20 20812 20812 D MyService: onStartCommand:
21 20812 20812 W Settings: Setting development_settings_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
22 20812 20812 W Settings: Setting adb_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
23 20812 20962 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
24 25** 26** V BackupManagerService: restoreAtInstall pkg=com.wagd.qhsz token=e restoreSet=0
25 104** 10458 D Launcher.Model: mAllAppsList.addPackage com.wagd.qhsz
26 25** 32** I ActivityManager: START u0 {act=android.intent.action.MAIN flg=0x14800000 cmp=com.wagd.qhsz/com.wagd.gg.MainActivity} from uid 1000 on display 0
27 25** 32** I ActivityManager: Start proc 21086:com.wagd.qhsz/u0a1** for activity com.wagd.qhsz/com.wagd.gg.MainActivity
28 21086 21086 W System : ClassLoader referenced unknown path: https://img.qb5200.com/download-x/data/app/com.wagd.qhsz-1/lib/arm64
29 21086 21100 W System : ClassLoader referenced unknown path: https://img.qb5200.com/download-x/datahttps://img.qb5200.com/download-x/data/com.qihoo.shielder/files
30 21086 21086 D MyService: onStartCommand:
31 21086 21129 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
32 21086 21104 W ResourceType: ResTable_typeSpec entry count inconsistent: given 1, previously 170
33 21086 21091 I art : Compiler allocated 5MB to compile boolean com.qihoo360.mobilesafe.loaded.client.i.transact(int, android.os.Parcel, android.os.Parcel, int)
34 21086 21137 I System.out: true
35 21086 21091 I art : Do partial code cache collection, code=20KB, data=30KB
36 21086 21091 I art : After code cache collection, code=20KB, data=30KB
37 21086 21091 I art : Increasing code cache capacity to 128KB
38 25** 36** I ActivityManager: Process com.wagd.qhsz (pid 21086) has died
39 25** 36** D ActivityManager: cleanUpApplicationRecord -- 21086
40 25** 36** W ActivityManager: Scheduling restart of crashed service com.wagd.qhsz/com.wagd.gg.MyService in 1000ms
41 25** 26** I ActivityManager: Start proc 22085:com.wagd.qhsz/u0a1** for service com.wagd.qhsz/com.wagd.gg.MyService
42 22085 22099 W System : ClassLoader referenced unknown path: https://img.qb5200.com/download-x/datahttps://img.qb5200.com/download-x/data/com.qihoo.shielder/files
43 22085 22085 W System : ClassLoader referenced unknown path: https://img.qb5200.com/download-x/data/app/com.wagd.qhsz-1/lib/arm64
44 22085 22085 D MyService: onStartCommand:
45 22085 22144 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
46 22085 22110 W ResourceType: ResTable_typeSpec entry count inconsistent: given 1, previously 170
47 22085 22091 I art : Compiler allocated 5MB to compile boolean com.qihoo360.mobilesafe.loaded.client.i.transact(int, android.os.Parcel, android.os.Parcel, int)
上面日志发生了什么?
0. 日志清单之前1分钟内有DpmTcmClient的输出,可能是在下载安装包。
1. PackageManager被调用,启动了DefaultContainer,pid=20763
2. DefaultContainer启动一条线程tid=20780,先后将下载在/sdcard/.tm目录上的安装包
882a3f6d5466518c3fb5290ada5f2a89,60d9d7e3febaf4ba2e3ce177747d76cf
安装上,并且BackupManager恢复数据。
3. AM被调用,启动 com.wg.cmtwg,pid=20812
4. com.wg.cmtwg修改设置development_settings_enabled以及adb_enabled,然后开启http连接。
5. AM被调用,启动 com.wagd.qhsz,pid=21086
6. com.wagd.qhsz修改设置development_settings_enabled以及adb_enabled,然后开启http连接。
7. pid=21086,com.wagd.qhsz.Activity死亡
8. 1分钟后,AM重启com.wagd.qhsz/com.wagd.gg.MyService, pid=22085
9. com.wagd.qhsz/com.wagd.gg.MyService开启http连接。
这几款软件都是动态加载dex,只有发作后才能看到更多东西,和任务逻辑。
下面是我最初接到的手机,发作的情况。
软件会下载各路刷广告的sdk,加载后疯狂开线程刷广告,手机几乎超载运行发热感人激动,直至重启,然后反复无电累死。
发作的手机/sdcard目录下要有如下目录
https://img.qb5200.com/download-x/datahttps://img.qb5200.com/download-x/data/com.wagd.qhsz
https://img.qb5200.com/download-x/datahttps://img.qb5200.com/download-x/data/com.wg.cmtwg
下面列一些com.wagd.qhsz下载的dex反编译后找到的字串:
com.wagd.qhsz "com.blankj.utilcode.util.PermissionUtils$PermissionActivity" “http_stat12.guantouyouxi.com” _235.do d.class "FULIYOUYICHENG" 35190476729276.apk net.task.InitTask "WG20200430143295" "yy2042901" 35190476729276.apk net.task.d "qtt://news_detail?from=And-juaiwan-19100503&id=1427705327", "17", "com.jifen.qukan" 35190476729276.apk net.task.e "com.android.browser" "com.eg.android.AlipayGphone" "mBasePackageName" 20*.dex com.api.a class: "http://sdktoapi.free-eyepro.com" "ad.vv.sdk" 20*.dex com.lo.ca.realtimeweb.kernel.web.ai class: "wzb api inject js next_script_order=" 20*.dex com.lo.ca.realtimeweb.kernel.web.ak class: "qh api evaluateJavascript_qh---ua=" 20*.dex h.e class: "--------------------canRunBeiYeSDK-start-----------ADID==>" 20*.dex h.i class: "beiyeAPI_" "com.yjl.sdk" "com.yjl.sdk.mango" "com.yjl.sdk.web" "com.yjl.sdk.xinyun" "com.yjl.sdk.baidu" "com.ext.sdk"
大概的工作原理,就是后台webview刷广告api,注入js刷数据刷流量。sdk都注名为anshuan。
下载到的dex文件都重命名后缀.do,编译后oat文件都重命名后缀.dex,如果不会用xxd区分文件格式的话,就在反编译时受阻。
所以期间正好写了一个gui4smali的demo,因为它们实在下载了太多odex。
cmtwg,qhsz,nvkhu在安装自动获取到了所有的权限,包括访问/sdcard,自动加入inet用户组,隐私风险最高级。它们似乎拥有除root和SEandroid外一切有用的权限。可以让删除它们后的手机,后台自动去下载并安装(或者说直接通过4G网络让你的手机下载并安装),安装同时授权一切。设备惹上后扛扛是一块肉鸡,而且隐私风险最高。
加载全部内容