When an infected application is installed, it attempts to exploit the udev Netlink Message Validation Local Privilege Escalation Vulnerability
(BID 34536) in order to obtain "root" privileges.
Once running with "root" privileges, it drops its payload (stored as the resource "res/raw/anserverb" in the original package) as "SMSApp.apk" and installs it.
The dropped "SMSApp.apk" file contains functionality to communicate with the following control server using the HTTP protocol:
b3.8866.org on port 8080
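A static triage check for the two indicators just described, the embedded payload resource and the control-server host. This is an added example, not Symantec's tooling: it treats an APK as the ZIP archive it is, and the two sample packages it scans are constructed inline so it runs offline.

```python
import io
import zipfile

# Indicators taken from the write-up; everything else here is illustrative.
PAYLOAD_RESOURCE = "res/raw/anserverb"
C2_HOST = b"b3.8866.org"

def scan_apk(apk_bytes: bytes) -> dict:
    """Return which of the write-up's indicators are present in an APK."""
    hits = {"payload_resource": False, "c2_host": False, "members": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            hits["members"] += 1
            # The dropper ships the second-stage "SMSApp.apk" as this raw resource.
            if name == PAYLOAD_RESOURCE:
                hits["payload_resource"] = True
            # Look for the control-server host in any member (dex, resources, etc.).
            if C2_HOST in apk.read(name):
                hits["c2_host"] = True
    return hits

def is_suspicious(apk_bytes: bytes) -> bool:
    """Either indicator alone is enough to pull the package for analysis."""
    hits = scan_apk(apk_bytes)
    return hits["payload_resource"] or hits["c2_host"]

def build_sample(members: dict) -> bytes:
    """Construct a minimal ZIP standing in for an APK (test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: one mimicking the dropper's layout, one benign.
TROJANIZED = build_sample({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"...http://b3.8866.org:8080/...",
    "res/raw/anserverb": b"PK\x03\x04 placeholder for embedded SMSApp.apk",
})
BENIGN = build_sample({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035 no indicators here",
})

if __name__ == "__main__":
    for label, sample in (("trojanized", TROJANIZED), ("benign", BENIGN)):
        print(label, scan_apk(sample), "suspicious" if is_suspicious(sample) else "clean")
```

A real deployment would run this over packages pulled from devices or an app store mirror and treat a hit as a reason for manual analysis, not as a verdict on its own.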
The following information may be sent to the control server:
- Subscriber ID (e.g. IMSI for a GSM phone)
- Manufacturer and Model of the device
- Version of the Android operating system
Next, the Trojan periodically connects to the control server and may perform the following actions:
- Send SMS messages
- Remove SMS messages from the Inbox
- Dial phone numbers
The Trojan also contains functionality to monitor phone usage.
It may terminate the 360 Mobile Safe app (com.qihoo360.mobilesafe).
If the following SMS message arrives from China Mobile the Trojan may delete it:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":