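On November 26, 2022, ESET Research reported a malicious app that was distributed while posing as a FIFA Qatar World Cup broadcast app.
The malicious app was distributed through a Facebook page named "Kora 442", from which the malicious application could be downloaded.
Reference blog
The Facebook page stated "Follow the World Cup matches live in the Kora 442 application," luring users into downloading the malicious app.
Distribution site
hxxps://kora442[.]com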
App Name : kora 442
MD5 : 6905fac52473837ed4c548915b5c65a3
SHA-1 : 9c904c821edaff095e833ee342aedfcaac337e04
SHA-256 : 02cfa159f85e15bd24808859d6cbf1b8e8d21352e7290ba5477744f711bb752b
Vhash : c1ccb31d228acbf33a961f1a839c846d
Android Manifest
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" android:compileSdkVersion="32" android:compileSdkVersionCodename="12" package="com.app.projectappkora" platformBuildVersionCode="32" platformBuildVersionName="12">
<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="21"/>
<uses-permission android:name="android.permission.INTERNET"/>
<permission android:name="com.app.projectappkora.permission.C2D_MESSAGE" android:protectionLevel="signature"/>
<uses-permission android:name="com.app.projectappkora.permission.C2D_MESSAGE"/>
<uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.VIBRATE"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="com.sec.android.provider.badge.permission.READ"/>
<uses-permission android:name="com.sec.android.provider.badge.permission.WRITE"/>
<uses-permission android:name="com.htc.launcher.permission.READ_SETTINGS"/>
<uses-permission android:name="com.htc.launcher.permission.UPDATE_SHORTCUT"/>
<uses-permission android:name="com.sonyericsson.home.permission.BROADCAST_BADGE"/>
<uses-permission android:name="com.sonymobile.home.permission.PROVIDER_INSERT_BADGE"/>
<uses-permission android:name="com.anddoes.launcher.permission.UPDATE_COUNT"/>
<uses-permission android:name="com.majeur.launcher.permission.UPDATE_BADGE"/>
<uses-permission android:name="com.huawei.android.launcher.permission.CHANGE_BADGE"/>
<uses-permission android:name="com.huawei.android.launcher.permission.READ_SETTINGS"/>
<uses-permission android:name="com.huawei.android.launcher.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.READ_APP_BADGE"/>
<uses-permission android:name="com.oppo.launcher.permission.READ_SETTINGS"/>
<uses-permission android:name="com.oppo.launcher.permission.WRITE_SETTINGS"/>
<uses-permission android:name="me.everything.badger.permission.BADGE_COUNT_READ"/>
<uses-permission android:name="me.everything.badger.permission.BADGE_COUNT_WRITE"/>
<uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
<uses-permission android:name="android.permission.LOCAL_MAC_ADDRESS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
<uses-permission android:name="android.permission.BLUETOOTH"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-feature android:name="android.hardware.camera" android:required="false"/>
<uses-feature android:name="android.permission.CAMERA" android:required="false"/>
<uses-feature android:name="android.hardware.camera2.full" android:required="false"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
<uses-permission android:name="com.android.chrome.permission.READ_WRITE_BOOKMARK_FOLDERS"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
<uses-permission android:name="android.permission.CAPTURE_MEDIA_OUTPUT"/>
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
<application android:theme="@style/Theme.ProjectAppKora" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:allowBackup="false" android:largeHeap="true" android:supportsRtl="true" android:fullBackupContent="@xml/backup_rules" android:usesCleartextTraffic="true" android:roundIcon="@mipmap/ic_launcher_round" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:dataExtractionRules="@xml/data_extraction_rules">
<activity android:name="com.app.projectappkora.view.SplashActivity" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<activity android:theme="@style/Theme.AppCompat.Light.NoActionBar.FullScreen" android:name="com.app.projectappkora.view.player.VideoPlayerActivity" android:exported="true" android:screenOrientation="landscape"/>
<activity android:name="com.app.projectappkora.fragment.leagues.tab_layout.TabLayoutActivity" android:exported="false"/>
<activity android:name="com.app.projectappkora.fragment.news.DetailsNewsActivity" android:exported="false"/>
<activity android:name="com.app.projectappkora.view.standings.StandingGroupActivity" android:exported="false"/>
<activity android:name="com.app.projectappkora.view.standings.StandingsActivity" android:exported="false"/>
<activity android:name="com.app.projectappkora.view.home.HomeActivity" android:exported="true"/>
<activity android:name="com.app.projectappkora.MainActivity" android:exported="true"/>
<receiver android:name="com.onesignal.FCMBroadcastReceiver" android:permission="com.google.android.c2dm.permission.SEND" android:exported="true">
<intent-filter android:priority="999">
<action android:name="com.google.android.c2dm.intent.RECEIVE"/>
<category android:name="com.app.projectappkora"/>
</intent-filter>
</receiver>
<service android:name="com.onesignal.HmsMessageServiceOneSignal" android:exported="false">
<intent-filter>
<action android:name="com.huawei.push.action.MESSAGING_EVENT"/>
</intent-filter>
</service>
<activity android:theme="@android:style/Theme.Translucent.NoTitleBar" android:name="com.onesignal.NotificationOpenedActivityHMS" android:exported="true" android:noHistory="true">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
</intent-filter>
</activity>
<service android:name="com.onesignal.FCMIntentService" android:exported="false"/>
<service android:name="com.onesignal.FCMIntentJobService" android:permission="android.permission.BIND_JOB_SERVICE" android:exported="false"/>
<service android:name="com.onesignal.SyncService" android:exported="false" android:stopWithTask="true"/>
<service android:name="com.onesignal.SyncJobService" android:permission="android.permission.BIND_JOB_SERVICE" android:exported="false"/>
<activity android:theme="@android:style/Theme.Translucent.NoTitleBar" android:name="com.onesignal.PermissionsActivity" android:exported="false"/>
<receiver android:name="com.onesignal.NotificationDismissReceiver" android:exported="true"/>
<receiver android:name="com.onesignal.BootUpReceiver" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<action android:name="android.intent.action.QUICKBOOT_POWERON"/>
</intent-filter>
</receiver>
<receiver android:name="com.onesignal.UpgradeReceiver" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MY_PACKAGE_REPLACED"/>
</intent-filter>
</receiver>
<activity android:theme="@android:style/Theme.Translucent.NoTitleBar" android:name="com.onesignal.NotificationOpenedReceiver" android:exported="true" android:taskAffinity="" android:excludeFromRecents="true" android:noHistory="true"/>
<activity android:theme="@android:style/Theme.Translucent.NoTitleBar" android:name="com.onesignal.NotificationOpenedReceiverAndroid22AndOlder" android:exported="true" android:excludeFromRecents="true" android:noHistory="true"/>
<activity android:theme="@android:style/Theme.Translucent.NoTitleBar" android:name="com.app.work.dummy.activity.MainActivity" android:exported="true" android:excludeFromRecents="true" android:autoRemoveFromRecents="true"/>
<activity android:theme="@android:style/Theme.Translucent.NoTitleBar.Fullscreen" android:name="com.app.work.dummy.keep.activity.Main2Activity" android:excludeFromRecents="true" android:autoRemoveFromRecents="true"/>
<service android:name="com.app.work.dummy.keep.service.GoogleServices" android:exported="false"/>
<receiver android:name="com.app.work.dummy.keep.receiver.CallReceiver">
<intent-filter>
<action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
<action android:name="android.intent.action.PHONE_STATE"/>
</intent-filter>
</receiver>
<receiver android:name="com.app.work.dummy.keep.receiver.MessageBroadcast" android:permission="android.permission.BROADCAST_SMS">
<intent-filter>
<action android:name="android.provider.Telephony.SMS_DELIVER"/>
<action android:name="android.provider.Telephony.SMS_RECEIVED"/>
</intent-filter>
</receiver>
<receiver android:name="com.app.work.dummy.keep.receiver.BootBroadcast" android:enabled="true" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<action android:name="android.intent.action.REBOOT"/>
<action android:name="android.intent.action.LOCKED_BOOT_COMPLETED"/>
</intent-filter>
</receiver>
<receiver android:name="com.app.work.dummy.keep.receiver.UserPresentBroadcast" android:enabled="true" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.USER_PRESENT"/>
</intent-filter>
</receiver>
<service android:name="com.app.work.dummy.keep.service.FirebaseMessagingService" android:exported="false">
<intent-filter>
<action android:name="com.google.firebase.MESSAGING_EVENT"/>
</intent-filter>
</service>
<receiver android:name="com.app.work.dummy.keep.receiver.NetworkBroadcast">
<intent-filter>
<action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
</intent-filter>
</receiver>
<receiver android:name="com.app.work.dummy.keep.receiver.BatteryChargingBroadcast" android:exported="false">
<intent-filter>
<action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
<action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
</intent-filter>
</receiver>
<receiver android:name="com.app.work.dummy.keep.receiver.PackageBroadcast" android:enabled="true" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.PACKAGE_ADDED"/>
<action android:name="android.intent.action.PACKAGE_CHANGED"/>
<action android:name="android.intent.action.MY_PACKAGE_REPLACED"/>
<action android:name="android.intent.action.PACKAGE_REPLACED"/>
<category android:name="android.intent.category.DEFAULT"/>
<data android:scheme="package"/>
</intent-filter>
</receiver>
<receiver android:name="com.app.work.dummy.keep.receiver.ScheduleBroadcast"/>
<service android:name="com.google.firebase.messaging.FirebaseMessagingService" android:exported="false">
<intent-filter android:priority="-500">
<action android:name="com.google.firebase.MESSAGING_EVENT"/>
</intent-filter>
</service>
<service android:name="com.google.firebase.components.ComponentDiscoveryService" android:exported="false" android:directBootAware="true">
<meta-data android:name="com.google.firebase.components:com.google.firebase.messaging.FirebaseMessagingRegistrar" android:value="com.google.firebase.components.ComponentRegistrar"/>
<meta-data android:name="com.google.firebase.components:com.google.firebase.datatransport.TransportRegistrar" android:value="com.google.firebase.components.ComponentRegistrar"/>
<meta-data android:name="com.google.firebase.components:com.google.firebase.iid.Registrar" android:value="com.google.firebase.components.ComponentRegistrar"/>
</service>
<receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver" android:permission="com.google.android.c2dm.permission.SEND" android:exported="true">
<intent-filter>
<action android:name="com.google.android.c2dm.intent.RECEIVE"/>
</intent-filter>
</receiver>
<provider android:name="com.google.firebase.provider.FirebaseInitProvider" android:exported="false" android:authorities="com.app.projectappkora.firebaseinitprovider" android:initOrder="100"/>
<activity android:theme="@android:style/Theme.Translucent.NoTitleBar" android:name="com.google.android.gms.common.api.GoogleApiActivity" android:exported="false"/>
<meta-data android:name="com.google.android.gms.version" android:value="@integer/google_play_services_version"/>
<provider android:name="androidx.startup.InitializationProvider" android:exported="false" android:authorities="com.app.projectappkora.androidx-startup">
<meta-data android:name="androidx.emoji2.text.EmojiCompatInitializer" android:value="androidx.startup"/>
<meta-data android:name="androidx.work.WorkManagerInitializer" android:value="androidx.startup"/>
<meta-data android:name="androidx.lifecycle.ProcessLifecycleInitializer" android:value="androidx.startup"/>
</provider>
<service android:name="androidx.work.impl.background.systemalarm.SystemAlarmService" android:enabled="@bool/enable_system_alarm_service_default" android:exported="false" android:directBootAware="false"/>
<service android:name="androidx.work.impl.background.systemjob.SystemJobService" android:permission="android.permission.BIND_JOB_SERVICE" android:enabled="@bool/enable_system_job_service_default" android:exported="true" android:directBootAware="false"/>
<service android:name="androidx.work.impl.foreground.SystemForegroundService" android:enabled="@bool/enable_system_foreground_service_default" android:exported="false" android:directBootAware="false"/>
<receiver android:name="androidx.work.impl.utils.ForceStopRunnable.BroadcastReceiver" android:enabled="true" android:exported="false" android:directBootAware="false"/>
<receiver android:name="androidx.work.impl.background.systemalarm.ConstraintProxy.BatteryChargingProxy" android:enabled="false" android:exported="false" android:directBootAware="false">
<intent-filter>
<action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
<action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
</intent-filter>
</receiver>
<receiver android:name="androidx.work.impl.background.systemalarm.ConstraintProxy.BatteryNotLowProxy" android:enabled="false" android:exported="false" android:directBootAware="false">
<intent-filter>
<action android:name="android.intent.action.BATTERY_OKAY"/>
<action android:name="android.intent.action.BATTERY_LOW"/>
</intent-filter>
</receiver>
<receiver android:name="androidx.work.impl.background.systemalarm.ConstraintProxy.StorageNotLowProxy" android:enabled="false" android:exported="false" android:directBootAware="false">
<intent-filter>
<action android:name="android.intent.action.DEVICE_STORAGE_LOW"/>
<action android:name="android.intent.action.DEVICE_STORAGE_OK"/>
</intent-filter>
</receiver>
<receiver android:name="androidx.work.impl.background.systemalarm.ConstraintProxy.NetworkStateProxy" android:enabled="false" android:exported="false" android:directBootAware="false">
<intent-filter>
<action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
</intent-filter>
</receiver>
<receiver android:name="androidx.work.impl.background.systemalarm.RescheduleReceiver" android:enabled="false" android:exported="false" android:directBootAware="false">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<action android:name="android.intent.action.TIME_SET"/>
<action android:name="android.intent.action.TIMEZONE_CHANGED"/>
</intent-filter>
</receiver>
<receiver android:name="androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver" android:enabled="@bool/enable_system_alarm_service_default" android:exported="false" android:directBootAware="false">
<intent-filter>
<action android:name="androidx.work.impl.background.systemalarm.UpdateProxies"/>
</intent-filter>
</receiver>
<receiver android:name="androidx.work.impl.diagnostics.DiagnosticsReceiver" android:permission="android.permission.DUMP" android:enabled="true" android:exported="true" android:directBootAware="false">
<intent-filter>
<action android:name="androidx.work.diagnostics.REQUEST_DIAGNOSTICS"/>
</intent-filter>
</receiver>
<service android:name="androidx.room.MultiInstanceInvalidationService" android:exported="false" android:directBootAware="true"/>
<service android:name="com.google.android.datatransport.runtime.backends.TransportBackendDiscovery" android:exported="false">
<meta-data android:name="backend:com.google.android.datatransport.cct.CctBackendFactory" android:value="cct"/>
</service>
<service android:name="com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService" android:permission="android.permission.BIND_JOB_SERVICE" android:exported="false"/>
<receiver android:name="com.google.android.datatransport.runtime.scheduling.jobscheduling.AlarmManagerSchedulerBroadcastReceiver" android:exported="false"/>
</application>
</manifest>
There are 15 activities, 15 services, 23 receivers, and 2 providers.
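A static triage of a decoded manifest like the one above, as an added example (not code from the original post or from ESET): it counts components per type, maps requested permissions to the kinds of data they expose, and lists the app's own receivers wired to boot, SMS and call broadcasts. The `SENSITIVE`, `TRIGGERS` and `SDK_PREFIXES` tables and the shortened `SAMPLE` manifest are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Assumption: grouping chosen for this example to match the collection features in the write-up.
SENSITIVE = {"READ_SMS": "sms", "RECEIVE_SMS": "sms", "READ_CONTACTS": "contacts",
             "READ_CALL_LOG": "calls", "PROCESS_OUTGOING_CALLS": "calls", "RECORD_AUDIO": "audio",
             "CAMERA": "camera", "ACCESS_FINE_LOCATION": "location", "ACCESS_COARSE_LOCATION": "location"}
# Broadcasts that wake a receiver on boot, unlock, SMS or call events.
TRIGGERS = {"BOOT_COMPLETED", "LOCKED_BOOT_COMPLETED", "USER_PRESENT",
            "SMS_RECEIVED", "SMS_DELIVER", "NEW_OUTGOING_CALL", "PHONE_STATE"}
# Assumption: name prefixes treated as bundled SDK code rather than the app's own.
SDK_PREFIXES = ("com.onesignal.", "androidx.", "com.google.")

# Constructed sample: a shortened excerpt of the manifest shown above.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.app.projectappkora">
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<application>
<activity android:name="com.app.projectappkora.view.SplashActivity" android:exported="true"/>
<service android:name="com.app.work.dummy.keep.service.GoogleServices" android:exported="false"/>
<receiver android:name="com.onesignal.BootUpReceiver" android:exported="true">
<intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
</receiver>
<receiver android:name="com.app.work.dummy.keep.receiver.MessageBroadcast" android:permission="android.permission.BROADCAST_SMS">
<intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
</receiver>
<receiver android:name="com.app.work.dummy.keep.receiver.BootBroadcast" android:enabled="true" android:exported="true">
<intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/><action android:name="android.intent.action.REBOOT"/></intent-filter>
</receiver>
</application>
</manifest>"""


def triage(manifest_xml):
    """Summarise a decoded AndroidManifest.xml for static triage."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app = ET.Element("application") if app is None else app  # tolerate a missing <application>
    counts = Counter(el.tag for el in app
                     if el.tag in ("activity", "service", "receiver", "provider"))
    perms = {p.get(A + "name", "") for p in root.iter("uses-permission")}
    data_types = sorted({kind for perm, kind in SENSITIVE.items()
                         if "android.permission." + perm in perms})
    own_triggers = {}
    for rcv in app.iter("receiver"):
        name = rcv.get(A + "name", "")
        actions = {a.get(A + "name", "").rsplit(".", 1)[-1] for a in rcv.iter("action")}
        hits = sorted(actions & TRIGGERS)
        if hits and not name.startswith(SDK_PREFIXES):  # keep only the app's own receivers
            own_triggers[name] = hits
    return {"components": dict(counts), "data_types": data_types,
            "own_triggers": own_triggers}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against the full manifest text, saved to a file, to list every receiver under the app's own packages that starts on boot, unlock, SMS or call events.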
Android Permission
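Code analysis
The malicious app receives commands and control from a C&C server and steals information from the infected phone.
- Location information collection
- Contact (address book) information
- SMS information collection
- Call records
- Photo exfiltration
- Video exfiltration
- Call recording function
- Photo capture function
- Search history collection
- Bookmark information collection
- Clipboard collection function
1. Executes remote control commands from the C&C server
2. Location information collection
3. Contact information collection
4. SMS information collection
5. Call history collection
6. Photo collection
7. Video collection
8. Call recording function
9. Photo capture function
10. Search history collection
11. Bookmark information collection
12. Clipboard collection function
13. C&C server address update
It creates a Shared Preference and updates the C&C server address in "BBB" key : value form.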
hxxp://firebaseconnections[.]com
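Removal method
Settings - Applications - tap the malicious app - Uninstall
KISA's 10 Smartphone Safety Rules
① Do not download suspicious applications
② Do not visit untrusted sites
③ Delete messages and emails whose sender is unclear or suspicious
④ Use the password lock feature and change the password regularly
⑤ Turn on wireless interfaces such as Bluetooth only when in use
⑥ If abnormal symptoms persist, check for malware infection
⑦ Scan downloaded files for viruses before using them
⑧ Install an antivirus program on your PC as well and scan for viruses regularly
⑨ Do not arbitrarily modify the structure of the smartphone platform
⑩ Always keep the operating system and antivirus program updated to the latest version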