Hacking Book | Free Online Hacking Learning


depth: analysis and test of the powerful mobile trojan dendroid

Posted by verstraete at 2020-03-27

About the mobile phone Trojan named dendroid, freebuf once introduced "Symantec found the super mobile phone Trojan named dendroid", so today we will study the so-called $300 mobile phone remote control Trojan. At the end of this article, we will provide related tool kits, which can be downloaded by interested students.

Freebuf Science Popularization: Mobile Trojan

Symantec's researchers have found a new kind of Trojan named dendroid in the field of mobile phones, which can easily achieve remote malicious control of mobile phones. Before that, Symantec found an Android remote management software called Android rat, which is considered to be the first malicious binding software. However, the newly discovered dendroid, which runs on HTTP, is more powerful.

Dendroid can generate malicious APK with the following remote instruction functions:

1、 Server web console installation

The server is PHP + mysql. The server environment is easy to operate. Phpnow, xampp and other server packages can be completed quickly. The server is mainly used to record the relevant information of the controlled mobile phone and send relevant instructions to the mobile phone. The solution of the server package is as follows:

Set up the server environment (steps are omitted here), record the IP or domain name of the server, open reg.php, and modify the following:

After the modification, place the above PHP code of the server into the web root directory, and then directly visit the http: / / server address or domain name / setup /, you can start the installation and deployment:

Click begin setup to enter the server configuration phase,

As you can see, this page needs to set the relevant information of the database. Before the operation, we need to deploy the database. Here, we use phpMyAdmin to create the database dendroid:

Open the sql.sql in the package, copy it and import it to the dendroid:

You can see that the table was created successfully:

Then return to the server configuration page step1, enter the relevant information, and then complete the relevant deployment:

Click finish setup to enter the login interface of server management console. Enter the configured user name and password to log in to the console:

Note: dendroid calls the Google map API. To display normally, you need to use a proxy.

2、 Client APK compilation

Download the Android SDK development package and import the dendroidapk in the compressed package:

After importing, if you are prompted that the API package is missing, click window - > Android SDK manager to download the corresponding package:

Remember to use the proxy when updating, and set it in the tools option (who told us to Google the wall in China).

After importing, expand SRC to see the main function modules of the server:

From the perspective of naming, we can know the general function of each function module. Here, we only modify the parameter part of connecting to the server to ensure that the APK after programming can connect to our server just now, open myservice.java, and modify it as follows:

The above three parts are Base64 codes. Note that the encodepassword part defaults to the base64 code of 'password'. If it is modified, you need to modify the $_get 'password' part in the file get.php, get functions.php, new upload.php and upload pictures.php on the server side, as shown in the figure:

Export after modification:

Build successful:

3、 Upload mobile phone, install and execute

During the installation process, some necessary permissions should be given to the APK, such as the permission to enable the camera and positioning function, so as to facilitate the test. The program name and icon can be modified before compilation. Android version is 4.4.2.


Under the test environment, the console machine and mobile phone are in the same LAN (3G or 4G environment is recommended for mobile data). After executing the installed app, you will see that the location is called:


At this time, the mobile phone in the console is also online:

4、 Introduction to main control functions

Through the console, we can control whether the mobile phone is mute, bright screen, intercept SMS, automatically start background recording, photo taking, video recording, obtain SMS content, contact information, open the specified app and other functions.  

The execution diagram of the controlled mobile phone (client with malicious APK installed) and the server (WEB console) is as follows:

Next, we introduce the specific implementation of the above figure through the functions of mobile phone online and SMS interception (similar to other functions):

1. on-line

1) The client requests get.php of the console to realize the online and status refresh of the controlled host.

2) Get physical ID:

3) Construct the request URL to the server

4) Get.php processes the parameter values sent by get and processes them through updateslave (updateslave is defined in functions. PHP):

5) Functions.php determines whether to update or insert the phone property information by judging whether the phone has been recorded in the BOT table:

6) Control page display results:

2. SMS interception

1) Click the following button:

AddCommand function processing, the first value is command string 'intercept', the second value is true:

Request addcommand.php:

2) Insert the request command into the commands table:

3) The client requests get-funds.php to get the command to be executed:

4) After verifying the password, the server queries the action requested by the previous console interface (i.e. "intercept" inserted into the database) through the uid (Android phone physical ID code mentioned above), and finally passes it to the client in the following format:

5) Determine whether the returned content contains "intercept (", if so, set the value of key "intercept" to true:

6) Get SMS content:

7) Data obtained from urlpost request:

Urlpost is message.php

8) when message.php receives the request Data, it calls addMessage and inserts the messages database.

9) Refresh the control page to query the database to get the information:

Consistent with the message received by the mobile terminal:

3. Photo record

Just like the above execution process, it is not automatically uploaded to the server, but manually uploaded. It is estimated that this type of file transmission takes up a lot of bandwidth and does not prevent transmission failure. It can be uploaded multiple times:

1) Select front or rear camera:

2) Shooting complete

3) Upload type: select pictures:

The processing function is also addCommand

After the command is inserted into the database, wait for the client to obtain the command type to implement the upload operation.

4) Upload command execution display:

5) The uploaded photos appear in the file list:

6) Download Preview

If you want to modify the image size, you can modify the following parts in cameraview.java (marked in red box):

Five, annex

Here is the source code of dendroid, you can learn to modify or optimize the function.

Link: http://pan.baidu.com/s/1pjfqcov

Mr. rnq5

Mr. constrictor pass: Mr. 123456

[the author of this article, Liu z5069, is a reward program for original articles of freebuf hackers and geeks (freebuf. Com), which is prohibited to reprint without permission]