Silent installation | App promotion anti-cheating secrets article series

Silent installation is one means of traffic cheating, though not a common one. It has two major characteristics. First, "it is like a spring dream and leaves no trace": once you have been cheated this way, it is almost impossible to identify, because it leaves very few traces and those traces are too weak to use as evidence. Second, the cost of cheating is relatively high, and it depends on many conditions and coincidences. As a result, people's understanding of silent installation cheating is a bit like their understanding of big data:

BackDoor is like teenage sex: everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they are doing it.

Rendered in classical Chinese: silent installation is like performing the rites of Zhougong before the age of twenty. Everyone talks about it, but no one understands it; everyone assumes others are doing it, so everyone says they do it too.

Definition of silent installation

Without the knowledge of smartphone users, the phone automatically completes the download, installation, activation, registration, and deletion of certain APPs in the background.

Technical principles of silent installation

The premise of silent installation cheating is the implanting of a Trojan horse, and there are three ways to implant one:

1. Exploiting system vulnerabilities to escalate privileges

Hackers use a system vulnerability to inject replacement code into a running system program and elevate the privileges of their own application. The host app then has root privileges and can do whatever it wants. For example, it can:

1. Install a program

  • Visit a download URL;
  • Download the specified apk;
  • Install apk in the background;
  • Open the application and perform certain specified operations;
  • Then delete the app;

2. Add a contact

  • Add a number and name, such as Mom;
  • Then send a text message from this number saying the sender is in the hospital and urgently needs money, with the account number given as a friend's xxxx;

Yes, it's horrifying!

2. Exploiting Android signature vulnerabilities to escalate privileges

Hackers take advantage of a signature vulnerability in the Android system to replace an application on the home screen with an illegitimate one and grant it root permissions. Once the highest privileges are obtained, it can perform the same alarming operations, such as automatically sending text messages and downloading APKs. See the previous section for details.

3. Self-created loopholes

Some companies install persistent ("undying") services on users' phones. These services listen on ports and accept commands from a server, such as accessing a URL, downloading an APK, installing an APK, or opening an application.

Typically, these services are used by the company for internal business purposes. But this loophole is fatal, because it is easy for others to discover and exploit. See section 4 for details.

4. Exploiting vulnerabilities in certain software

Hackers exploit vulnerabilities in certain software, usually vulnerabilities that exist for unethical reasons or that were even set deliberately. For example, some companies install a persistent ("undying") service on users' mobile phones, listening on port 40XX0/6XX9.

Commands are accepted through this port, such as:

1. Install a program

  • Visit a download URL;
  • Download the specified apk;
  • Install apk in the background;
  • Open the application and perform certain specified operations;
  • Then delete the app;

2. Add a contact

  • Add a number and name, such as Mom;
  • Then send a text message from this number saying the sender is in the hospital and urgently needs money, with the account number given as a friend's xxxx;
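A device-side audit for the kind of always-listening command service described in sections 3 and 4, as an added example that is not from the original article. It parses text in the `/proc/net/tcp` layout and reports listeners owned by an app UID that are bound beyond loopback; the sample table, ports and UIDs are constructed, and a little-endian device is assumed.

```python
import socket

# Constructed sample in /proc/net/tcp layout (IPv4, little-endian host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 23456
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 23457
   2: 0F02000A:B3D2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 23458
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23459
"""

TCP_LISTEN = 0x0A       # kernel TCP state code for LISTEN
FIRST_APP_UID = 10000   # Android assigns installed apps UIDs from 10000 upward


def parse_listeners(text):
    """Yield (ip, port, uid) for every socket in LISTEN state."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8 or int(fields[3], 16) != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The address is stored in host byte order, so reverse the bytes.
        ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
        yield ip, int(port_hex, 16), int(fields[7])


def exposed_app_listeners(text):
    """Listeners owned by an app UID and reachable from outside the device."""
    return [
        (ip, port, uid)
        for ip, port, uid in parse_listeners(text)
        if uid >= FIRST_APP_UID and not ip.startswith("127.")
    ]
```

Each reported UID can then be matched to an installed package to decide whether that app has any legitimate reason to accept inbound connections.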

The cost structure of silent installation cheating

The cost of silent installation cheating is hard to estimate. It is a secret of the black industry chain, and may even be the product of collusion between CP and the black industry. However, this type of cheating requires no hardware investment, only soft costs such as "research and development costs".

Use

Because the number of silent installations is easy to control, they are generally used to top up traffic volume. They are also used for blending: silent installations can be mixed into natural traffic to make up the numbers, or passed off as natural traffic.

Simulation

As for the degree of simulation, such a "user" is a real user's device, but the operations are not those of a real user, so the degree of simulation is extremely high. Even if some clues are left behind, they are mixed in with the rest of the traffic and are not strong enough to serve as evidence. The following can be simulated:

1. Activation simulation: activation can be completed

2. Simulation degree of key parameters

  • Retention rate: can be controlled if necessary;
  • Online time: can be controlled if necessary;

3. Hardware parameters

  • IMEI number: perfect solution;
  • MAC address: perfect solution;
  • IMSI: perfect solution;
  • Other hardware parameters: perfect solution.

Identification and prevention methods

The "users" created by silent installation are real users' devices, but the operations are not real, so the evidence left behind is not sufficient:

1) The retention rate and activation frequency may be normal, but the online time is abnormal;

2) The root permissions of the mobile phone system are abnormal.

But this evidence is insufficient.

Through long-term data accumulation and data cooperation, Liangjianghu has established, together with some partners, a set of methods to prevent Trojan implantation and silent installation. The core principles are:

1) Collect a large library of Trojan-implant feature codes;

2) Cooperate with operators to conduct background tracking of some abnormal behavior data.

This method runs on the server side rather than on the terminal side, and so breaks away from the original constraints.
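A server-side sketch of combining the two weak signals listed above (abnormal online time, abnormal root status) per acquisition channel, as an added example that is not the author's or Liangjianghu's method. The records, channel names and thresholds are constructed, and "abnormal online time" is assumed here to mean far shorter than the organic baseline.

```python
from collections import defaultdict
from statistics import median

# Constructed records: (channel, device_id, session_seconds, rooted)
SAMPLE = [
    ("organic", "d01", 310, False), ("organic", "d02", 95, False),
    ("organic", "d03", 620, False), ("organic", "d04", 240, True),
    ("organic", "d05", 180, False), ("organic", "d06", 410, False),
    ("net_a", "d11", 280, False), ("net_a", "d12", 150, False),
    ("net_a", "d13", 505, False), ("net_a", "d14", 90, True),
    ("net_b", "d21", 4, True), ("net_b", "d22", 6, True),
    ("net_b", "d23", 5, False), ("net_b", "d24", 3, True),
    ("net_c", "d31", 5, False), ("net_c", "d32", 7, False),
    ("net_c", "d33", 4, False), ("net_c", "d34", 300, False),
]

def channel_stats(records):
    """Per-channel median online time and share of rooted devices."""
    rows = defaultdict(list)
    for channel, _device, secs, rooted in records:
        rows[channel].append((secs, rooted))
    return {ch: {"median_secs": median(s for s, _ in r),
                 "root_rate": sum(flag for _, flag in r) / len(r)}
            for ch, r in rows.items()}

def review_channels(records, baseline="organic", short_ratio=0.2, root_margin=0.25):
    """Map each non-baseline channel to the weak signals it trips."""
    stats = channel_stats(records)
    base = stats[baseline]
    result = {}
    for ch, s in stats.items():
        if ch == baseline:
            continue
        signals = []
        # Signal 1: online time far below what the baseline channel shows.
        if s["median_secs"] < short_ratio * base["median_secs"]:
            signals.append("online_time")
        # Signal 2: rooted share well above the baseline's rooted share.
        if s["root_rate"] > base["root_rate"] + root_margin:
            signals.append("root_rate")
        result[ch] = signals
    return result

def suspects(records):
    """Channels tripping both signals; one alone is treated as insufficient."""
    return sorted(ch for ch, sig in review_channels(records).items() if len(sig) == 2)
```

A channel that trips only one signal is reported but not escalated, matching the article's point that each clue on its own is not sufficient evidence.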
