Android package file
The Trojan may arrive as a package with the following characteristics:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Allow read-only access to the phone state
- Monitor incoming SMS messages, to record or perform processing on them
- Open network sockets
- Read the user's contacts data
- Receive the ACTION_BOOT_COMPLETED message that is broadcast after the system finishes booting
- Send SMS messages
- Write to an external storage device
Once installed, the application will display an icon with the text "System Service".
When the Trojan is executed, it collects information from the device, including:
- Operating system information
- Phone book contacts
The above information is then sent to the following command-and-control (C&C) server:
Next, the Trojan receives a list of premium-rate phone numbers from the above C&C server and sends SMS messages to them.
The Trojan is also able to filter all SMS messages in order to prevent the user from being aware of any premium-rate messages being sent or received.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":