Wednesday, March 23, 2011

Malware in the Android Market, part 2

Yesterday my colleague Tim Armstrong wrote about the malware outbreak in the Android Market. In short, a number of legitimate apps were trojanized and uploaded to the Android Market. Let’s take a closer look at one of them.

As mentioned earlier, all the malicious apps we’ve seen so far use the same exploits, which Kaspersky detects as Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j. Both are well known and work on all Android OS versions below 2.3. This means that anyone running Gingerbread (Android 2.3) should be protected from these exploits.

So what exactly do these Trojans steal? Apparently, the attacker was keen on obtaining IMSI and IMEI numbers. Besides these, the Trojans also harvest information about the operating system and the device type.

Here’s how the theft happens: inside the code there is an encrypted data block which is exactly 45 bytes in size. This block is encrypted using a simple XOR algorithm with a key that is stored in another data block called “KEYVALUE”. If you are curious, here’s how the decryption subroutine looks:

    public static void crypt(byte abyte0[])
    {
        int i = 0;    // index into KEYVALUE, wraps around at keylen
        int j = 0;    // index into the data block
        do
        {
            int k = abyte0.length;
            if(j >= k)
                return;                        // whole block processed
            byte byte0 = abyte0[j];
            byte byte1 = KEYVALUE[i];          // KEYVALUE and keylen are static fields of the same class
            byte byte2 = (byte)(byte0 ^ byte1);
            abyte0[j] = byte2;                 // decrypt in place
            i++;
            int l = keylen;
            if(i == l)
                i = 0;                         // cycle the key
            j++;                               // advance to the next data byte on every pass
        }
        while(true);
    }
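For anyone who has to decode such a block from a sample, here is an added Python re-implementation of the routine above; it is analyst-side code written for this post, not code from the Trojan or from Kaspersky. The key and the 45-byte block it works on are constructed placeholders, because the real KEYVALUE is not reproduced here.

```python
# Added example: analyst-side re-implementation of the Trojan's
# repeating-key XOR routine, usable on a block and key pulled out of
# a sample. SAMPLE_KEY and SAMPLE_PLAIN are CONSTRUCTED placeholders,
# not values taken from the malware.

BLOCK_SIZE = 45  # the post states the encrypted block is exactly 45 bytes


def crypt(block: bytes, key: bytes) -> bytes:
    """Mirror of the decompiled crypt(): XOR data byte j with key byte i,
    resetting i to 0 whenever it reaches keylen.
    XOR is its own inverse, so one function both encrypts and decrypts.
    Java's signed bytes make no difference: XOR only touches the bits."""
    if not key:
        raise ValueError("KEYVALUE must not be empty")
    out = bytearray(len(block))
    i = 0  # the decompiled 'i': position inside KEYVALUE
    for j, b in enumerate(block):  # the decompiled 'j': position in the block
        out[j] = b ^ key[i]
        i += 1
        if i == len(key):  # 'if(i == l) i = 0;' -- cycle the key
            i = 0
    return bytes(out)


def decrypt_block(block: bytes, key: bytes) -> bytes:
    """Decrypt one configuration block, refusing anything that is not
    the 45-byte block the post describes (a wrong size usually means the
    wrong offset was carved out of the sample)."""
    if len(block) != BLOCK_SIZE:
        raise ValueError(f"expected {BLOCK_SIZE}-byte block, got {len(block)}")
    return crypt(block, key)


# Constructed sample data: a made-up 5-byte key and a made-up 45-byte
# plaintext shaped like the device identifiers the Trojan collects.
SAMPLE_KEY = b"\x5a\xa5\x3c\xc3\x0f"
SAMPLE_PLAIN = b"imsi=000000000000000;imei=000000000000000;t=1"
SAMPLE_CIPHER = crypt(SAMPLE_PLAIN, SAMPLE_KEY)  # what a sample would carry

if __name__ == "__main__":
    print(decrypt_block(SAMPLE_CIPHER, SAMPLE_KEY))
```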
