
The gambling software is waiting for the opportunity

1. Background
"Transferring flowers and trees" refers to secretly using clever tricks to deceive others by swapping people or things while something is under way.
Recently, Tencent Security Anti-fraud Lab discovered an online gambling virus, DownloadGambling. The virus uses the "transferring flowers and trees" technique: it downloads gambling software through a "safe" parent package, thereby deceiving the major application stores and security systems. The virus first determines whether the user is a Chinese user. If so, it privately downloads and installs the designated gambling software. The gambling software is downloaded and installed from the cloud, so it does not need to be listed on the major application markets, which lets it avoid security agencies. If the user is not a Chinese user, the carrier runs the software's own functional interface as a disguise.
Features of the virus:
The carrier software itself is safe, so it can easily bypass the security detection mechanisms of the major application markets and is easy to get listed;
The carrier downloads the online gambling software from the cloud, which makes it hard for users and monitoring agencies to discover and increases the survival time of the gambling software;
Launching the safe carrier software also launches the gambling software, which increases its chance of contact with users and indirectly increases the number of users of the gambling software;
List of the main applications infected by the "transferring flowers and trees" technique:


Virus operation flowchart:

Screenshot of virus operation:

2. The scope of virus impact
Trend in the number of users infected by the DownloadGambling virus:
As the crackdown increases, the number of infected users is declining.

Distribution map of users infected by the DownloadGambling virus:
The provinces and cities with the most infected users are Yunnan Province, Guangdong Province, and Sichuan, accounting for 8.5%, 7.8% and 5.5% respectively.

3. Detailed analysis of the virus
Sample information for the gambling software carrier:

Sample information for the online gambling software:

1. After the software starts, it obtains the network IP address information by visiting a website and sends the Message information.

URL used to get the IP address information: http://p******.com/c*****n?ie=utf-8

Send Message

2. The main interface, SplashUpdateActivity, evaluates the Message information. When the IP address meets the conditions, it replaces the software background image and privately downloads the gambling software; when the conditions are not met, it starts MainActivity and runs the software's own functional interface in order to deceive users.

When the conditions are met, the initNewNetWork method is called to replace the software background image and privately download the specified gambling software.

When the conditions are not met, the Activity that matches the software's own function is started.

The downloadLayout method replaces the software background image.
Background image download link: https://img.x** ****ver.com/u****9/201908/p****2.jpg


3. The initJumpStateJudge method checks whether the gambling software is already installed. If it is installed, the gambling software is started directly; if not, the gambling software is downloaded and installed.


The name of the gambling package is stored in the local SharedPreferences.

4. The gambling software is downloaded through the autoUpdate method.

Download gambling software

Install the downloaded gambling software
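
A static triage check for the behaviour described in steps 1 to 4, as an added example that is not part of the original analysis: it parses a decoded AndroidManifest.xml, flags an app that holds the permissions needed to download and install another APK, and reports which activity launches first. The sample manifest, the package name com.example.carrier and the function triage_manifest are constructed for illustration; the page does not list the carrier's permissions, so it is an assumption that it declares INTERNET and REQUEST_INSTALL_PACKAGES.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions an app needs to fetch an APK from the network and ask the
# system to install it (both are real Android permission names).
DROPPER_PERMS = {
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
# Constructed sample: a decoded manifest (e.g. apktool output) shaped like the
# carrier described above. Package name and permissions are assumptions.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.carrier">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".SplashUpdateActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return the dropper-capability flag, missing permissions and launchers."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    launchers = []
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            for flt in act.iter("intent-filter"):
                actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
                cats = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in cats):
                    launchers.append(act.get(ANDROID_NS + "name"))
    return {
        "can_download_and_install": DROPPER_PERMS <= perms,
        "missing": sorted(DROPPER_PERMS - perms),
        "launchers": launchers,
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit is a reason for manual review, not a verdict: legitimate self-updating apps request the same permissions, and apps targeting API levels below 26 can start an install without REQUEST_INSTALL_PACKAGES.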

4. Recommendations and screenshots of Tencent Mobile Manager detection and removal
Tencent Security Anti-fraud Lab recommendations:
1. Do not install apps from unknown sources, which may endanger the security of your phone;
2. Installing Tencent Mobile Manager can accurately and effectively protect your phone's security;
3. Download and install the applications you need from regular channels, which can effectively avoid virus software;

MD5 list of infected applications:

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com: http://www.internetweblist.com/Virus prevention/20294.html
