This may be the largest malware campaign ever found on Google Play

Recently, security researchers at Check Point discovered a large-scale malware campaign in Google Play, Google's own official app store. The malware, named "Judy", is an auto-clicking malware, and 41 apps on Google Play have so far been found to be infected with it.

Notably, all 41 apps were developed by a single Korean company. "Judy" uses infected devices to generate large volumes of fraudulent ad clicks, and those clicks bring the actors behind the campaign substantial revenue.


This malware closely resembles earlier malware that infiltrated Google Play (for example FalseGuide and Skinner): "Judy" likewise relies on its command-and-control (C&C) server to direct its specific operations and malicious interactions. Check Point has already reported the threat to Google, and the infected apps were quickly removed from the Google Play store.

How "Judy" works

To bypass Bouncer (Google Play's store review protection mechanism), the attackers create a seemingly harmless bridgehead app, upload it to the store and use it to establish a connection with the target user's device.

Once the user has downloaded the malicious app, it silently registers receivers on the device and opens a communication channel to the malicious C&C server. The server then returns the actual malicious payload, which contains malicious JavaScript code, a user-agent string and URLs controlled by the malware developers. The malware first opens the URL with that user-agent (imitating a PC browser opening a hidden web page) and then receives redirects to other websites. Once redirected to the target site, the malware uses the JavaScript code to locate and click the ads on the page. After the ads have been clicked, the malware authors receive the ad-click and traffic payments that are paid out to website developers.

The malware's JavaScript code locates the ads on the page by searching for iFrames, as shown in the figure below:

[Figure: the JavaScript code searching the page's iFrames for ads]
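As an added defender-side illustration (not code from the original article or from Check Point), the heuristic below flags the two behaviours described above in constructed per-app request telemetry: a mobile app sending a desktop user-agent string, and ad-click requests arriving at machine-like regular intervals. The telemetry field names, thresholds, package names and sample data are all assumptions.

```python
"""Heuristic detector for the Judy-style click-fraud pattern.
Assumed input (not from the article): per-request telemetry from an on-device
proxy or MDM agent, one dict per request with ts (seconds), app (package
name), ua (User-Agent header) and kind ('page' or 'ad_click').
Android UAs contain "Linux; Android", so plain "X11; Linux" is a desktop marker."""
from collections import defaultdict
from statistics import pstdev

DESKTOP_UA_MARKERS = ("Windows NT", "Macintosh", "X11; Linux")

def looks_desktop(ua):
    """True if the User-Agent claims a desktop platform."""
    return "Android" not in ua and any(m in ua for m in DESKTOP_UA_MARKERS)

def analyse(events, min_clicks=5, max_jitter=1.0):
    """Return {app: [reasons]} for apps showing the pattern. Timing is judged
    only once min_clicks ad clicks exist; gaps whose population std-dev is at
    most max_jitter seconds are treated as machine-driven (humans are noisier)."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append(e)
    findings = {}
    for app, evs in by_app.items():
        reasons = []
        if any(looks_desktop(e["ua"]) for e in evs):
            reasons.append("desktop user-agent sent from a mobile app")
        clicks = sorted(e["ts"] for e in evs if e["kind"] == "ad_click")
        if len(clicks) >= max(min_clicks, 2):
            gaps = [b - a for a, b in zip(clicks, clicks[1:])]
            if pstdev(gaps) <= max_jitter:
                reasons.append(f"{len(clicks)} ad clicks at a near-constant interval")
        if reasons:
            findings[app] = reasons
    return findings

def sample_events():
    """Constructed telemetry (not real captures): one app posing as a PC browser
    that loads a redirect page and clicks an ad every 30 s, plus one ordinary
    browsing session from a phone."""
    pc_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
    phone_ua = "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36"
    evs = []
    for i in range(6):
        t = 1000 + 30 * i
        evs.append({"ts": t, "app": "com.example.suspect", "ua": pc_ua, "kind": "page"})
        evs.append({"ts": t + 2, "app": "com.example.suspect", "ua": pc_ua, "kind": "ad_click"})
    evs.append({"ts": 1005, "app": "com.example.browser", "ua": phone_ua, "kind": "page"})
    evs.append({"ts": 1090, "app": "com.example.browser", "ua": phone_ua, "kind": "ad_click"})
    return evs
```

Run `analyse(sample_events())` to see only the suspect package reported, with both reasons attached.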

Click fraud can be highly lucrative for the attackers, and given how widely and at what scale this malware has spread, they have presumably already made a fortune.

Who is behind "Judy"?

The vast majority of apps infected with "Judy" were developed by a Korean company named Kiniwini, which is registered on Google Play as the ENISTUDIO group. The company is known to develop mobile apps for both Android and iOS. It is rare to see an actual organization developing mobile malware, since most malware is written by hackers themselves.

Besides clicking ads, "Judy" also displays large numbers of ads on infected devices, and in some cases the user can only make an ad disappear by clicking on it and viewing it. Although most of the infected apps have reasonably good user ratings, many users have reported "Judy"'s suspicious behaviour, as shown in the figure below:

[Figure: user reviews reporting the suspicious behaviour]

From our experience (for example with the previously discovered DressCode malware), a developer's high reputation does not mean an app is safe enough. Attackers can not only hide an app's true intent, they can even manipulate users into giving the app good reviews without realizing it.

In fact, users cannot judge whether an app is safe simply from its source, and this applies equally to apps offered by official app stores. The researchers therefore advise mobile users to deploy advanced security solutions capable of detecting and blocking malware as soon as possible.

Appendix 1 - Malicious apps developed by the Korean company Kiniwini

[Table: list of infected apps by Kiniwini]

Appendix 2 - Malicious apps from other developers

[Table: list of infected apps by other developers]

Appendix 3 - Related SHA256 hashes

Compiled by Alpha_h4ck; please credit FreeBuf.COM when republishing. Source: http://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/
