Android package file
The Trojan may arrive as a package with the following characteristics:
The name will vary and includes TubePlayer, MAMANAVI, and Infrared X-ray.
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access location information, such as GPS information.
- Access information about networks.
- Access the camera device.
- Check the phone's current state.
- Access the list of accounts in the Accounts Service.
- Disable the keyguard.
- Open windows on top of all other applications.
- Start once the device has finished booting.
- Read user's contacts data.
- Open network connections.
- Monitor incoming SMS messages.
- Read SMS messages on the device.
- Create new SMS messages.
- Send SMS messages.
- Change the background wallpaper.
- Make the phone vibrate.
- Write to external storage devices.
- Prevent the processor from sleeping or the screen from dimming.
- Make its activity persistent.
Once installed, the application may display various icons depicting the following:
- a pink background with Japanese text
- the Android robot with Japanese text
- a pink play button with "TubePlayer" text
- "mama NAVI" with text
- a book with gold star and Japanese text
- a camera lens with "Infrared X-ray" text
The application may display various main screens.
The Trojan collects contact names and email addresses from the compromised device and sends the information to one of the following remote locations:
The Trojan displays content from the following URLs to entice the user to pay money:
The Trojan also sends SMS messages to entice the user to pay money.
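As an added example (not part of the original write-up or any vendor tooling), the following script triages a decoded AndroidManifest.xml for the permission combinations that match the behaviours described above: reading contacts and accounts with network access, sending and monitoring SMS, drawing over other apps, and starting at boot. The Android permission constant names, the rule grouping, and the sample manifests are assumptions of this example, mapped from the plain-language permission list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Rule = permissions that must all be present + at least one of "any".
# The grouping is this example's assumption, not taken from the write-up.
RULES = {
    "contact_exfiltration": ({"INTERNET"}, {"READ_CONTACTS", "GET_ACCOUNTS"}),
    "sms_abuse": ({"SEND_SMS"}, {"RECEIVE_SMS", "READ_SMS", "WRITE_SMS"}),
    "screen_takeover": ({"SYSTEM_ALERT_WINDOW"}, {"DISABLE_KEYGUARD", "WAKE_LOCK"}),
    "boot_persistence": ({"RECEIVE_BOOT_COMPLETED"}, set()),
}

def requested_permissions(manifest_xml):
    """Return short names of android.permission.* entries in a decoded manifest."""
    # Stdlib parser fetches no external entities; defusedxml is safer for untrusted APKs.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            perms.add(name[len(PREFIX):])
    return perms

def triage(manifest_xml):
    """Map each matched rule to the permissions that triggered it."""
    perms = requested_permissions(manifest_xml)
    hits = {}
    for label, (required, any_of) in RULES.items():
        if required <= perms and (not any_of or any_of & perms):
            hits[label] = sorted((required | any_of) & perms)
    return hits

def _manifest(*names):
    uses = "".join(f'<uses-permission android:name="{PREFIX}{n}"/>' for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.constructed">{uses}</manifest>')

# Constructed samples, not extracted from any real package.
SAMPLE_SUSPICIOUS = _manifest("INTERNET", "READ_CONTACTS", "GET_ACCOUNTS", "SEND_SMS",
                              "RECEIVE_SMS", "SYSTEM_ALERT_WINDOW", "DISABLE_KEYGUARD",
                              "RECEIVE_BOOT_COMPLETED", "VIBRATE")
SAMPLE_BENIGN = _manifest("INTERNET", "VIBRATE", "WAKE_LOCK")

if __name__ == "__main__":
    for label, perms in triage(SAMPLE_SUSPICIOUS).items():
        print(f"{label}: {', '.join(perms)}")
    print("benign hits:", triage(SAMPLE_BENIGN))
```

A rule hit is a triage signal for closer review of a media player, guide, or camera-style app that has no functional need for SMS or contact access; it is not a verdict on its own.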
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":