Android package file
The Trojan may arrive as a package with the following characteristics:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Monitor, read, and send SMS messages on the device
- Open network connections
- Prevent processor from sleeping or screen from dimming
- Start once the device has finished booting
- Read or write to the system settings
- Check the phone's current state
- Initiate a phone call without using the Phone UI or requiring confirmation from the user
- Allow access to low-level system logs
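For triage, the permission set above can be checked against the output of `aapt dump permissions <apk>`. The following is an added example, not part of the original write-up: the mapping from each listed behaviour to an Android manifest permission name, the `threshold` value and the sample input are assumptions made here. Legitimate apps request some of these permissions too, so a match is a prompt for review, not a verdict.

```python
import re

# Assumed mapping from the behaviours listed in the write-up to Android
# manifest permission names; the write-up names only the behaviours.
LISTED = {
    "android.permission.RECEIVE_SMS": "monitor SMS",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.INTERNET": "open network connections",
    "android.permission.WAKE_LOCK": "prevent sleep or screen dimming",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start after boot",
    "android.permission.WRITE_SETTINGS": "read or write system settings",
    "android.permission.READ_PHONE_STATE": "check phone state",
    "android.permission.CALL_PHONE": "call without user confirmation",
    "android.permission.READ_LOGS": "read low-level system logs",
}

# Accepts both aapt output styles:
#   uses-permission: android.permission.X
#   uses-permission: name='android.permission.X'
PERM_RE = re.compile(
    r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?", re.M)

def parse_permissions(aapt_output):
    """Return the set of permission names requested in aapt output."""
    return set(PERM_RE.findall(aapt_output))

def triage(aapt_output, threshold=8):
    """Compare requested permissions with the listed set.

    threshold is an arbitrary value chosen for this example.
    """
    requested = parse_permissions(aapt_output)
    matched = sorted(p for p in requested if p in LISTED)
    return {"matched": matched,
            "missing": sorted(set(LISTED) - requested),
            "flag": len(matched) >= threshold}

# Constructed sample inputs (not taken from a real package).
_names = list(LISTED)
SAMPLE_SUSPECT = "package: com.example.constructed\n" + "\n".join(
    [f"uses-permission: name='{p}'" for p in _names[:5]]
    + [f"uses-permission: {p}" for p in _names[5:]])
SAMPLE_BENIGN = ("uses-permission: name='android.permission.INTERNET'\n"
                 "uses-permission: name='android.permission.WAKE_LOCK'\n"
                 "uses-permission: name='android.permission.CAMERA'")

if __name__ == "__main__":
    for label, text in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        r = triage(text)
        print(label, "flag:", r["flag"], "matched:", len(r["matched"]))
```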
Once installed, the application will display a dark green circle with check marks surrounded by a bright green square with the text "Sberbank certificate...".
The Trojan claims to be a certificate installation from Sberbank.
Once executed, the Trojan gathers the following information from the compromised device:
- IMEI number
- Network operator
- SIM country ISO
It then encrypts the above information and sends it to a fixed phone number.
The Trojan also sends the information to the following remote location:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":