Android package file
The Trojan may arrive as a package with the following details:
When the Trojan is being installed, it requests permissions to write to external storage devices.
Once installed, the application will register the following service:
The threat will then attempt to gain root access on the device. If it is successful it will attempt to get the following embedded packages form /assets/logos.png:
It will also copy com.android.setting to /system/app/ComAndroidSetting.apk.
The Trojan will then gather the IMEI and IMSI numbers and send them to a remote server.
The Trojan also downloads other threats on to the device.
The Trojan also monitors SCREEN_ON and SCREEN_OFF status on the phone. If in the SCREEN_OFF status is active, it will launch the downloaded apps. If the SCREEN_ON status is active, the Trojan launches the device's home screen.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":