Android package file
The Trojan may arrive as the following .apk file:
When the APK is being installed, it requests the following permissions:
- Write to external storage devices.
- Gather information about recently running tasks.
- Open network connections.
- Allow access to low-level system logs.
- Make the phone vibrate.
- Access information about networks.
- Monitor, modify, or end outgoing calls.
- Check the phone's current state.
- Prevent the processor from sleeping or the screen from dimming.
- End all background processes associated with the package.
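As an added triage example (not part of the original write-up), the following script parses `aapt dump permissions` output and compares the requested permissions against the profile listed above. The mapping from the descriptions above to Android permission names, the "sensitive" subset and the scoring thresholds are this example's own assumptions; the sample output is constructed, not taken from a real sample.

```python
import re

# Assumed mapping of the capability descriptions above to Android permission
# names (standard Android labels; an assumption, not stated on the page).
PROFILE = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    "android.permission.GET_TASKS": "recently running tasks",
    "android.permission.INTERNET": "open network connections",
    "android.permission.READ_LOGS": "low-level system logs",
    "android.permission.VIBRATE": "vibrate",
    "android.permission.ACCESS_NETWORK_STATE": "network information",
    "android.permission.PROCESS_OUTGOING_CALLS": "outgoing calls",
    "android.permission.READ_PHONE_STATE": "phone state",
    "android.permission.WAKE_LOCK": "keep processor awake",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill background processes",
}
# Rarely needed by benign apps; two of these plus INTERNET is worth a look.
SENSITIVE = {
    "android.permission.READ_LOGS",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.KILL_BACKGROUND_PROCESSES",
}
# Matches both "uses-permission: name='X'" and the older bare "uses-permission: X".
LINE_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?", re.M)

def parse_aapt_permissions(text):
    """Return the set of permission names in `aapt dump permissions` output."""
    return set(LINE_RE.findall(text))

def triage(perms):
    """Score a permission set against the profile; returns matches and verdict."""
    matched = sorted(p for p in perms if p in PROFILE)
    sensitive = sorted(p for p in perms if p in SENSITIVE)
    overlap = len(matched) / len(PROFILE)
    flagged = "android.permission.INTERNET" in perms and (
        len(sensitive) >= 2 or overlap >= 0.8)
    return {"matched": matched, "sensitive": sensitive,
            "overlap": round(overlap, 2), "flagged": flagged}

# Constructed sample output (hypothetical package name), not from a real APK.
SAMPLE = """package: com.example.constructed
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.GET_TASKS'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_LOGS'
uses-permission: name='android.permission.PROCESS_OUTGOING_CALLS'
uses-permission: name='android.permission.KILL_BACKGROUND_PROCESSES'
uses-permission: android.permission.WAKE_LOCK
"""
```

Run `triage(parse_aapt_permissions(SAMPLE))` on the sample, or feed it the real `aapt dump permissions <file.apk>` output during analysis.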
The threat contains the following malicious class files inside classes.dex:
When the APK is executed, it registers UpdateCheck.class as a service, which loads the following native Android file used to carry out further actions:
It then attempts to gain superuser privileges. If it is unsuccessful, the Trojan will exit.
The Trojan also sets the following system property to 0, so that only one instance of the threat runs at a time:
The Trojan then drops the following file and then executes it:
It then overwrites the following files with copies of itself:
The Trojan modifies the following file in order to launch itself at startup:
It also modifies the following file with configuration information:
It then copies itself to the following file, which attempts to prevent the Trojan from being removed from the device:
The Trojan connects to the following command-and-control servers, where it can receive additional commands:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":