The threat arrives bundled inside a legitimate application.
When the Trojan is executed, it collects the following information and saves it in the file [INSTALLATION PATH]/.hide/upload.xml:
- Phone Number
- SMS Center
- Install Time
- System Version
It then uploads the collected information to the following remote site using the HTTP POST method:
Next, it receives commands in the response to that POST request and saves them in the following file:
This allows the remote attacker to send SMS messages from the compromised device.
The threat also has the capability to block incoming SMS messages.
The threat may change the Access Point Name (APN) to the following WAP network:
Name: [EXISTING SIM OPERATOR NUMBER]
It then downloads a list of links from a remote site listed in the serverInfo.xml file and saves it as the following file:
It also downloads a file from a URL listed in the vedio.xml file and saves it as the following file:
It then restores the APN to its original settings.
The Trojan logs its activities in the following file for debugging purposes:
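As an added example, not part of the Symantec writeup: a Python triage helper that checks an extracted installation directory for the on-disk artifacts named above and lists which data elements a recovered upload.xml actually holds. The .hide/upload.xml location comes from the writeup; the writeup does not give the locations of serverInfo.xml and vedio.xml, so they are searched for by name anywhere under the installation path, which is an assumption. The element names in the constructed sample upload.xml (PhoneNumber, SMSCenter, InstallTime, SystemVersion) are likewise assumptions, since the writeup does not describe the file's schema.

```python
"""Triage helper for the artifacts described in the writeup.

Added example, not code from the Trojan or from Symantec. Point it at the
directory that corresponds to [INSTALLATION PATH] on an extracted device image.
"""
from __future__ import annotations

import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Only upload.xml has a documented location in the writeup. The other two
# names are searched for anywhere under the installation path (assumption).
KNOWN_RELATIVE_PATHS = (Path(".hide") / "upload.xml",)
KNOWN_BASENAMES = ("serverInfo.xml", "vedio.xml")  # "vedio" is the malware's spelling


def find_indicators(install_path: Path) -> list[str]:
    """Return paths (relative to install_path) of known artifacts that exist."""
    hits: list[str] = []
    for rel in KNOWN_RELATIVE_PATHS:
        if (install_path / rel).is_file():
            hits.append(rel.as_posix())
    # pathlib globbing matches dot-directories too, so .hide is not skipped.
    for candidate in sorted(install_path.rglob("*")):
        if candidate.is_file() and candidate.name in KNOWN_BASENAMES:
            hits.append(candidate.relative_to(install_path).as_posix())
    return hits


def collected_fields(upload_xml: Path) -> list[str]:
    """Return the top-level element tags of an upload.xml file.

    The writeup lists what the Trojan collects (phone number, SMS centre,
    install time, system version) but not the XML schema, so this reports
    whatever element names are present rather than assuming any. A missing or
    malformed file yields an empty list instead of raising. Stdlib ElementTree
    does not resolve external entities; for attacker-supplied files in a
    production pipeline, a hardened parser such as defusedxml is preferable.
    """
    try:
        root = ET.parse(upload_xml).getroot()
    except (ET.ParseError, OSError):
        return []
    return [child.tag for child in root]


def build_sample_tree() -> Path:
    """Create a constructed sample installation directory for demonstration.

    The element names and values below are made up for the example; the real
    file layout is only partially documented in the writeup.
    """
    root = Path(tempfile.mkdtemp(prefix="trojan-triage-"))
    hide = root / ".hide"
    hide.mkdir()
    (hide / "upload.xml").write_text(
        "<upload>"
        "<PhoneNumber>+10000000000</PhoneNumber>"
        "<SMSCenter>+10000000001</SMSCenter>"
        "<InstallTime>2011-01-01 00:00:00</InstallTime>"
        "<SystemVersion>2.2</SystemVersion>"
        "</upload>",
        encoding="utf-8",
    )
    # Constructed placeholder; the real file would hold the link-list server.
    (root / "serverInfo.xml").write_text(
        "<serverInfo><url>http://example.invalid/links</url></serverInfo>",
        encoding="utf-8",
    )
    # vedio.xml deliberately absent so the report shows a partial match.
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in find_indicators(sample):
        print("artifact present:", hit)
    print("fields in upload.xml:", collected_fields(sample / ".hide" / "upload.xml"))
```

Run it against a real extraction by replacing build_sample_tree() with the path to the application's data directory; a hit on .hide/upload.xml together with either of the two download manifests is a stronger signal than any one file alone, since the names are generic enough to occur in benign applications.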
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":