Since the May 1st (Labor Day) holiday, domestic mobile phones have been plagued by cmtwg, nvkhu, qhsz and other malware.

Affected phones include Meizu, China Mobile and other domestic (Chinese-made) handsets.


On May 12, people began asking about cmtwg on Baidu, and on May 13 posts appeared on the mx Tieba forum.

I received the first affected phone earlier, shortly after May 1st.

Some brands of affected domestic phones appear to have a vulnerability: the attacker can push their software onto your device automatically over the 4G network.

Screenshot: dump of com.wagd.qhsz

Screenshot: dump of com.wg.cmtwg


Logs from the time of the automatic installation:

25**  26** I ActivityManager: Start proc 20763:com.android.defcontainer/u0a20 for service com.android.defcontainer/.DefaultContainerService
20763 20780 D DefContainer: Copying /storage/emulated/0/.tm/882a3f6d5466518c3fb5290ada5f2a89 to base.apk
25**  26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: /data/app/vmdl533505310.tmp/base.apk pkg=com.wg.cmtwg isa=arm64 vmSafeMode=false debuggable=false target-filter=interpret-only oatDir = /data/app/vmdl533505310.tmp/oat sharedLibraries=null
25**  26** V BackupManagerService: restoreAtInstall pkg=com.wg.cmtwg token=d restoreSet=0
20763 20780 D DefContainer: Copying /storage/emulated/0/.tm/60d9d7e3febaf4ba2e3ce177747d76cf to base.apk
25**  26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: /data/app/vmdl722489780.tmp/base.apk pkg=com.wagd.qhsz isa=arm64 vmSafeMode=false debuggable=false target-filter=interpret-only oatDir = /data/app/vmdl722489780.tmp/oat sharedLibraries=null
25**  32** I ActivityManager: Start proc 20812:com.wg.cmtwg/u0a1** for activity com.wg.cmtwg/com.hikd.nvkhu.MainActivity
25**  26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: /data/app/vmdl722489780.tmp/base.apk pkg=com.wagd.qhsz isa=arm64 vmSafeMode=false debuggable=false target-filter=interpret-only oatDir = /data/app/vmdl722489780.tmp/oat sharedLibraries=null
20812 20812 W System  : ClassLoader referenced unknown path: /data/app/com.wg.cmtwg-1/lib/arm64
20812 20812 W Settings: Setting development_settings_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
20812 20812 W Settings: Setting adb_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
20812 20812 W art     : Class sdk.fkgh.hxx.x failed lock verification and will run slower.
20812 20812 W art     : Common causes for lock verification issues are non-optimized dex code
20812 20812 W art     : and incorrect proguard optimizations.
20812 20812 W art     : Class sdk.fkgh.hxx.K failed lock verification and will run slower.
20812 20812 W art     : Class sdk.fkgh.hxx.w failed lock verification and will run slower.
20812 20812 W Settings: Setting android_id has moved from android.provider.Settings.System to android.provider.Settings.Secure, returning read-only value.
20812 20919 W Settings: Setting android_id has moved from android.provider.Settings.System to android.provider.Settings.Secure, returning read-only value.
20812 20919 W art     : Class sdk.fkgh.hxx.G failed lock verification and will run slower.
20812 20812 D MyService: onStartCommand: 
20812 20812 W Settings: Setting development_settings_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
20812 20812 W Settings: Setting adb_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
20812 20962 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
25**  26** V BackupManagerService: restoreAtInstall pkg=com.wagd.qhsz token=e restoreSet=0
104** 10458 D Launcher.Model: mAllAppsList.addPackage com.wagd.qhsz
25**  32** I ActivityManager: START u0 {act=android.intent.action.MAIN flg=0x14800000 cmp=com.wagd.qhsz/com.wagd.gg.MainActivity} from uid 1000 on display 0
25**  32** I ActivityManager: Start proc 21086:com.wagd.qhsz/u0a1** for activity com.wagd.qhsz/com.wagd.gg.MainActivity
21086 21086 W System  : ClassLoader referenced unknown path: /data/app/com.wagd.qhsz-1/lib/arm64
21086 21100 W System  : ClassLoader referenced unknown path: /data/data/com.qihoo.shielder/files
21086 21086 D MyService: onStartCommand: 
21086 21129 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
21086 21104 W ResourceType: ResTable_typeSpec entry count inconsistent: given 1, previously 170
21086 21091 I art     : Compiler allocated 5MB to compile boolean com.qihoo360.mobilesafe.loaded.client.i.transact(int, android.os.Parcel, android.os.Parcel, int)
21086 21137 I System.out: true
21086 21091 I art     : Do partial code cache collection, code=20KB, data=30KB
21086 21091 I art     : After code cache collection, code=20KB, data=30KB
21086 21091 I art     : Increasing code cache capacity to 128KB
25**  36** I ActivityManager: Process com.wagd.qhsz (pid 21086) has died
25**  36** D ActivityManager: cleanUpApplicationRecord -- 21086
25**  36** W ActivityManager: Scheduling restart of crashed service com.wagd.qhsz/com.wagd.gg.MyService in 1000ms
25**  26** I ActivityManager: Start proc 22085:com.wagd.qhsz/u0a1** for service com.wagd.qhsz/com.wagd.gg.MyService
22085 22099 W System  : ClassLoader referenced unknown path: /data/data/com.qihoo.shielder/files
22085 22085 W System  : ClassLoader referenced unknown path: /data/app/com.wagd.qhsz-1/lib/arm64
22085 22085 D MyService: onStartCommand: 
22085 22144 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
22085 22110 W ResourceType: ResTable_typeSpec entry count inconsistent: given 1, previously 170
22085 22091 I art     : Compiler allocated 5MB to compile boolean com.qihoo360.mobilesafe.loaded.client.i.transact(int, android.os.Parcel, android.os.Parcel, int)

What does the log above show?

0. DpmTcmClient output appears within the minute before this log excerpt; that is probably when the installation packages were being downloaded.

1. PackageManager is called and DefaultContainer is started, pid=20763.

2. DefaultContainer starts a thread, tid=20780, and then installs the downloaded packages from the directory /sdcard/.tm:

882a3f6d5466518c3fb5290ada5f2a89, 60d9d7e3febaf4ba2e3ce177747d76cf

After installation, BackupManager restores data (restoreAtInstall).

3. ActivityManager (AM) is called and starts com.wg.cmtwg, pid=20812.

4. com.wg.cmtwg modifies the settings development_settings_enabled and adb_enabled (the "has moved" warnings in the log are emitted whenever an app accesses these keys through their old Settings.Secure location), then opens an HTTP connection.

5. AM is called and starts com.wagd.qhsz, pid=21086.

6. com.wagd.qhsz likewise modifies development_settings_enabled and adb_enabled, then opens an HTTP connection.

7. The com.wagd.qhsz activity process, pid=21086, dies.

8. After 1 minute, AM restarts com.wagd.qhsz/com.wagd.gg.MyService, pid=22085.

9. com.wagd.qhsz/com.wagd.gg.MyService opens the HTTP connection.
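The walkthrough above is a pattern a defender can match mechanically. The following Python script is an added example (not code from the original post): it pairs each DefContainer copy from a hidden dot-directory under external storage with the package dexopt runs on next, and attributes the Settings "has moved" warnings to the package that owns the pid. The log lines it runs on are constructed in the shape of this page's excerpt, with masked pids kept; the package com.example.ok is an invented benign control.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed lines in the shape of this page's logcat excerpt (masked pids kept); not a capture from the author's phone.
SAMPLE_LOG = """\
20763 20780 D DefContainer: Copying /storage/emulated/0/.tm/882a3f6d5466518c3fb5290ada5f2a89 to base.apk
25**  26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: /data/app/vmdl533505310.tmp/base.apk pkg=com.wg.cmtwg isa=arm64
25**  32** I ActivityManager: Start proc 20812:com.wg.cmtwg/u0a1** for activity com.wg.cmtwg/com.hikd.nvkhu.MainActivity
20812 20812 W Settings: Setting adb_enabled has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
20763 20780 D DefContainer: Copying /data/local/tmp/legit.apk to base.apk
25**  26** I PackageManager.DexOptimizer: Running dexopt (dex2oat) on: /data/app/vmdl1.tmp/base.apk pkg=com.example.ok isa=arm64
"""

COPY_RE = re.compile(r"DefContainer: Copying (?P<src>\S+) to base\.apk")
DEXOPT_RE = re.compile(r"DexOptimizer: Running dexopt .*\bpkg=(?P<pkg>[\w.]+)")
START_RE = re.compile(r"ActivityManager: Start proc (?P<pid>\d+):(?P<pkg>[\w.]+)/")
SETTINGS_RE = re.compile(r"^(?P<pid>\d+)\s+\d+\s+W Settings: Setting (?P<key>\w+) has moved")
# Packages staged in a dot-directory under external storage (".tm" on this page).
HIDDEN_SDCARD_RE = re.compile(r"^/storage/emulated/\d+/\.[^/]+/")

def find_sideloads(log: str) -> List[Dict[str, str]]:
    """Pair a DefContainer copy from a hidden sdcard dir with the package dexopt runs on next."""
    findings: List[Dict[str, str]] = []
    pending_src: Optional[str] = None
    for line in log.splitlines():
        m = COPY_RE.search(line)
        if m:
            pending_src = m.group("src") if HIDDEN_SDCARD_RE.match(m.group("src")) else None
            continue
        m = DEXOPT_RE.search(line)
        if m and pending_src:
            findings.append({"pkg": m.group("pkg"), "source": pending_src})
            pending_src = None
    return findings

def settings_probes(log: str) -> Dict[str, Set[str]]:
    """Attribute Settings 'has moved' warnings (adb_enabled etc.) to the package owning the pid."""
    pid_to_pkg: Dict[str, str] = {}
    probes: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        m = START_RE.search(line)
        if m:
            pid_to_pkg[m.group("pid")] = m.group("pkg")
            continue
        m = SETTINGS_RE.match(line)
        if m:
            pkg = pid_to_pkg.get(m.group("pid"), "pid " + m.group("pid"))
            probes.setdefault(pkg, set()).add(m.group("key"))
    return probes
```

On a real device, feed it `adb logcat -d` output with the line-number prefixes stripped; the benign install from /data/local/tmp is deliberately not flagged.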

This software loads dex dynamically; only after it has run can we see more of its behaviour and its task logic.

Here is what happened on the first phone I received.

The software downloads SDKs that "brush" ads (generate fake ad traffic) in every way possible. Once loaded, it starts threads that hammer ads nonstop; the phone is nearly overloaded and barely responsive until it is rebooted, and then the cycle repeats until the battery is drained.

The phone should contain the following directories (in addition to the hidden .tm directory under /sdcard):

/data/data/com.wagd.qhsz

/data/data/com.wg.cmtwg

Here are some strings found after decompiling the dex files downloaded by com.wagd.qhsz:

com.wagd.qhsz
"com.blankj.utilcode.util.PermissionUtils$PermissionActivity"
"http_stat12.guantouyouxi.com"
_235.do d.class "FULIYOUYICHENG"
35190476729276.apk net.task.InitTask "WG20200430143295" "yy2042901"
35190476729276.apk net.task.d "qtt://news_detail?from=And-juaiwan-19100503&id=1427705327", "17", "com.jifen.qukan"
35190476729276.apk net.task.e "com.android.browser" "com.eg.android.AlipayGphone" "mBasePackageName"
20*.dex com.api.a class: "http://sdktoapi.free-eyepro.com" "ad.vv.sdk"
20*.dex com.lo.ca.realtimeweb.kernel.web.ai class: "wzb api inject js next_script_order="
20*.dex com.lo.ca.realtimeweb.kernel.web.ak class: "qh api evaluateJavascript_qh---ua="
20*.dex h.e class: "--------------------canRunBeiYeSDK-start-----------ADID==>"
20*.dex h.i class: "beiyeAPI_" "com.yjl.sdk" "com.yjl.sdk.mango" "com.yjl.sdk.web" "com.yjl.sdk.xinyun" "com.yjl.sdk.baidu" "com.ext.sdk"

The general working principle: a background WebView drives an ad-brushing API, which injects JavaScript to fabricate data and traffic. All the SDKs are named anshuan.

All the downloaded dex files have their suffix renamed to .do, and all the compiled oat files have their suffix renamed to .dex. If you don't check the real file format with xxd first, decompilation gets stuck.

So I wrote a gui4smali demo, because they really download too many odex files.
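Checking the magic bytes instead of trusting the extension is what the xxd step above does by hand. The Python below is an added example (not the author's gui4smali code): it classifies files by their leading bytes (dex, legacy odex, ELF with an embedded "oat\n" header) and lists the ones whose extension lies about their content. The sample directory it builds is constructed from magic bytes plus padding, not real samples; the file names in it are invented.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Leading bytes that identify each format, regardless of file name.
MAGICS = ((b"dex\n", "dex"), (b"dey\n", "odex"), (b"\x7fELF", "elf"))
# What an honest extension implies; ".do" implies no code format at all.
EXPECTED = {".dex": "dex", ".odex": "odex", ".oat": "oat", ".so": "elf"}

def classify(data: bytes) -> str:
    """Real format of a blob from its leading bytes."""
    for magic, fmt in MAGICS:
        if data.startswith(magic):
            # OAT files are ELF objects carrying an "oat\n" header in .rodata.
            return "oat" if fmt == "elf" and b"oat\n" in data else fmt
    return "unknown"

def scan_dir(directory: str) -> Dict[str, str]:
    """Map each file name to its detected format (first 64 KiB suffices)."""
    result: Dict[str, str] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result[name] = classify(fh.read(65536))
    return result

def mislabeled(directory: str) -> List[Tuple[str, str]]:
    """Files whose extension disagrees with their content, e.g. dex saved as .do."""
    hits: List[Tuple[str, str]] = []
    for name, detected in scan_dir(directory).items():
        ext = os.path.splitext(name)[1].lower()
        if detected != "unknown" and EXPECTED.get(ext) != detected:
            hits.append((name, detected))
    return hits

def make_sample_dir() -> str:
    """Constructed stand-in for the malware's download directory (not real samples)."""
    d = tempfile.mkdtemp(prefix="renamed_")
    samples = {
        "sample1.do": b"dex\n035\x00" + b"\x00" * 64,                    # dex hidden behind .do
        "sample2.dex": b"\x7fELF" + b"\x00" * 32 + b"oat\n000\x00",       # oat posing as .dex
        "real.dex": b"dex\n037\x00" + b"\x00" * 64,                      # honest dex
        "notes.txt": b"plain text",                                      # no code format
    }
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return d
```

Run `mislabeled()` over a pulled copy of the app's data directory to pick out the renamed dex and oat files before feeding anything to a decompiler.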

cmtwg, qhsz and nvkhu are automatically granted every permission at installation, including access to /sdcard, and are automatically added to the inet user group; the privacy risk is as high as it gets. They seem to have every useful permission except root and SEAndroid. Even after you delete them, the phone can download and reinstall them automatically in the background (or the phone can download and install them directly over the 4G network), installing and authorizing everything at once. Once a device is affected it is effectively a bot (a "zombie" machine), and the privacy risk is the highest possible.

Tags: Android SDK Mobile OkHttp

Posted on Sun, 17 May 2020 22:15:58 -0700 by cneumann