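Security researchers recently discovered an Android application named myhawk, which is based on a GitHub project called Hawkshaw. The figure below shows the application's icon and name as displayed on the device screen after a successful installation.
Once it runs on the user's device, the application steals contacts, SMS messages, call logs, device location and other data from the Android device. With this information, attackers can log in to important accounts through OTP services, commit various kinds of fraud (including financial fraud) via SMS, and extend their reach by sending SMS messages to the stolen contacts. We believe this malware is being used to carry out targeted attacks.
Technical analysis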
APK Metadata Information
• App Name: System Settings
• Package Name: me.hawkshaw
• SHA256 Hash: 805309668d4dd73ff39e6c1407df346fe0e18beb7a5efe24a9660f990770b224
The malware requests 38 different permissions from the user, at least 18 of which are abused. These dangerous permissions are listed below.
| Permissions | Description |
| --- | --- |
| ACCESS_NETWORK_STATE | Allows the app to view information about network connections |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device |
| READ_SMS | Access phone messages |
| WRITE_SMS | Allows the app to modify or delete SMS |
| READ_CONTACTS | Access phone contacts |
| PROCESS_OUTGOING_CALLS | Allows the app to process outgoing calls and modify the dialing number |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device's external storage. |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| READ_CALL_LOG | Access phone call logs |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which can be misused by attackers |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources, such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call. |
| SEND_SMS | Allows an application to send SMS messages. |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
| GET_ACCOUNTS | Allows the app to get the list of accounts used by the phone. |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
| READ_HISTORY_BOOKMARKS | Allows the app to read the browser history and bookmarks. |
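For defenders triaging a suspicious APK, the following added example (not code from the article or from the Hawkshaw project) checks `aapt dump permissions`-style output against the permissions listed above and maps them to the behaviours the article describes. The sample dump, the function names and the permission-to-behaviour grouping are assumptions made for this example.

```python
import re

# Permissions the article lists as abused by the sample (short names).
FLAGGED = {
    "ACCESS_NETWORK_STATE", "READ_PHONE_STATE", "READ_SMS", "WRITE_SMS",
    "READ_CONTACTS", "PROCESS_OUTGOING_CALLS", "READ_EXTERNAL_STORAGE",
    "WRITE_EXTERNAL_STORAGE", "READ_CALL_LOG", "RECORD_AUDIO",
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "CALL_PHONE",
    "SEND_SMS", "RECEIVE_SMS", "GET_ACCOUNTS", "READ_HISTORY_BOOKMARKS",
}

# Behaviours described in the article, each enabled by any one of the listed
# permission sets. This grouping is the example's assumption.
BEHAVIOURS = {
    "OTP/SMS theft": [{"READ_SMS"}, {"RECEIVE_SMS"}],
    "SMS propagation to contacts": [{"SEND_SMS", "READ_CONTACTS"}],
    "call log collection": [{"READ_CALL_LOG"}],
    "call recording": [{"RECORD_AUDIO", "PROCESS_OUTGOING_CALLS"},
                       {"RECORD_AUDIO", "READ_PHONE_STATE"}],
    "location tracking": [{"ACCESS_FINE_LOCATION"}, {"ACCESS_COARSE_LOCATION"}],
}

# Accepts both "uses-permission: name='x'" and "uses-permission: x" lines.
PERM_RE = re.compile(r"uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(dump):
    """Return the short permission names found in the dump text."""
    return {m.group(1).rsplit(".", 1)[-1] for m in PERM_RE.finditer(dump)}

def triage(dump):
    """Report flagged permissions and the behaviours they make possible."""
    perms = parse_permissions(dump)
    behaviours = sorted(name for name, combos in BEHAVIOURS.items()
                        if any(combo <= perms for combo in combos))
    return {"flagged": sorted(perms & FLAGGED), "behaviours": behaviours}

# Constructed sample input, not the real manifest of the analysed APK.
SAMPLE_DUMP = """\
package: me.hawkshaw
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: android.permission.READ_PHONE_STATE
"""

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```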
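Malicious code analysis
The application collects call logs from the victim's device using the code shown below.
The malicious application records ongoing calls on the victim's device using the code shown in the snippet below.
The code snippet below shows the malware's ability to collect saved contacts from the victim's device.
The malware collects SMS messages from the device and uploads them to a server. SMS access can expose sensitive information such as one-time passwords (OTPs) and account balances.
Using the code shown below, the malicious application can send text messages to a number specified by the attacker.
Summary
Attackers are always looking for easier ways to obtain victims' sensitive information to carry out their malicious intent. In this case, they used an open-source project to build a malicious Android payload to attack Android devices.
Based on past experience, this type of malware is distributed through third-party Android app markets outside the Google Play Store. Securing your mobile device and refusing to install untrusted applications is therefore an effective way to keep this kind of malware from harming your device.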
| Indicators | Type | Description |
| --- | --- | --- |
| 37ad402c42249e7813b3533164139c6c | MD5 | Malicious APK |
| 9f0c6af78f443c9500fa2f17a9ed7098cc00ea4e | SHA1 | Malicious APK |
| 805309668d4dd73ff39e6c1407df346fe0e18beb7a5efe24a9660f990770b224 | SHA256 | Malicious APK |
Page updated: 2024-03-07