This threat typically arrives as one of several Trojanized games found on various third-party markets.
Android package file
The Trojan may arrive as an APK package with one of the following names:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access information about networks.
- Check the phone's current state.
- Open network connections.
- Access information about the WiFi state.
- Write to external storage devices.
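A triage check for the permission set listed above, as an added example that is not part of the original write-up: it compares a decoded `AndroidManifest.xml` from a suspect copy of a game against the manifest of a known-good copy and reports which permissions were added. The mapping from the descriptions above to Android permission names is an assumption, the manifests are constructed samples, and the input is assumed to be text XML (for example, as decoded by apktool), not the binary form stored inside the APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the write-up's permission descriptions to Android names.
PROFILE = {
    "android.permission.ACCESS_NETWORK_STATE",    # access information about networks
    "android.permission.READ_PHONE_STATE",        # check the phone's current state
    "android.permission.INTERNET",                # open network connections
    "android.permission.ACCESS_WIFI_STATE",       # access information about the WiFi state
    "android.permission.WRITE_EXTERNAL_STORAGE",  # write to external storage devices
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def triage(reference_xml, candidate_xml):
    """Compare a suspect manifest with the known-good one for the same app."""
    ref = requested_permissions(reference_xml)
    cand = requested_permissions(candidate_xml)
    added = cand - ref
    return {
        # All five permissions present. Many benign apps also request these,
        # so on its own this is a weak signal.
        "matches_profile": PROFILE <= cand,
        # Permissions the known-good build never asked for.
        "added": sorted(added),
        "added_from_profile": sorted(added & PROFILE),
    }

def build_manifest(package, permissions):
    """Construct a minimal sample manifest (test data, not from a real app)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

# Constructed samples: a clean game and a repackaged copy with extra permissions.
CLEAN = build_manifest("com.example.game", [
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"])
SUSPECT = build_manifest("com.example.game", sorted(PROFILE))

if __name__ == "__main__":
    for key, value in triage(CLEAN, SUSPECT).items():
        print(f"{key}: {value}")
```
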
When the Trojan is executed, it runs the original app and sends personally identifiable information (PII) to the following location:
The above location is encrypted. The information that is sent includes the following:
- Package name and version code of the Trojanized app
- SIM serial number
- Phone number
- Device model
- OS version
- CPU type
- Root access availability
In return, it receives a command indicating whether or not to install its payload. The payload consists of another package that is split across the following files, which are embedded in the initial package:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":