Android package file
The Trojan may arrive as a package with the following characteristics:
Adobe Flash Player
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access browser history
- Access information about and change WiFi connectivity state
- Access information about currently or recently running tasks
- Access information about networks
- Allow access to low-level system logs
- Broadcast a notification that an application package has been added, installed, or replaced
- Change network connectivity state
- Check the phone's current state
- Create new SMS messages
- Send SMS messages
- Monitor incoming SMS messages
- Disable the key guard
- Initiate a phone call without using the Phone UI or requiring confirmation from the user
- Kill background processes
- Monitor, read, and send SMS messages
- Monitor, modify, or end outgoing calls
- Open network connections
- Open windows that are shown on top of all other applications
- Prevent processor from sleeping or screen from dimming
- Read or write to the system settings
- Read user's contacts data
- Start once the device has finished booting
- Use the device's mic to record audio
- Write to external storage devices
Once installed, the application will display an icon with the letter F on a red background.
The Trojan is a fake Flash application for Android devices and must be manually installed.
Once executed, the Trojan requests Device Administrator privileges.
If there is an attempt to disable Device Administrator privileges by accessing the device settings, the Trojan will restart device settings every 10 milliseconds.
Next, the Trojan opens a back door on the device and connects to the following command-and-control (C&C) server:
The Trojan then sends the following information to the above C&C server:
- Phone number
It may then receive commands from the above C&C server and perform malicious activities on the compromised device.
The Trojan may also display a lock screen asking for a code in order to delete the fake Flash plugin. The lock screen can be bypassed by pressing cancel.
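The permission list above is most useful to a defender as a triage profile. The following is an added example, not part of the Symantec write-up, that parses the output of `aapt dump permissions` for an APK, maps the requested permissions onto the capabilities the write-up describes (SMS interception and sending, windows drawn over other apps, keyguard control, silent calls, audio recording, log access, boot persistence) and flags the combinations that deserve a second look. The permission constant names are my own mapping of the plain-language list above to Android's manifest permissions, and the sample `aapt` output, package names and scoring weights are constructed for the example.

```python
"""Triage an APK's requested permissions against the capability profile in the write-up."""
import re
from typing import Dict, List, Set

# Constructed sample in the format of `aapt dump permissions <apk>` (newer build-tools).
# The package name is a placeholder; the permissions are my mapping of the write-up's list.
SAMPLE_SUSPECT = """\
package: com.example.placeholder_fakeflash
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.CHANGE_WIFI_STATE'
uses-permission: name='android.permission.CHANGE_NETWORK_STATE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.GET_TASKS'
uses-permission: name='android.permission.READ_LOGS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.WRITE_SMS'
uses-permission: name='android.permission.DISABLE_KEYGUARD'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.PROCESS_OUTGOING_CALLS'
uses-permission: name='android.permission.KILL_BACKGROUND_PROCESSES'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.WRITE_SETTINGS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

# Constructed benign sample in the older aapt format (no name='...' quoting).
SAMPLE_BENIGN = """\
package: com.example.placeholder_notes
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_NETWORK_STATE
"""

# Both aapt output styles: "name='x'" and bare "x"; also the uses-permission-sdk-23 form.
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?")

# Capability -> any one of these permissions grants it. Grouping follows the write-up's list.
CAPABILITIES: Dict[str, Set[str]] = {
    "intercept_sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "overlay_windows": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "disable_keyguard": {"android.permission.DISABLE_KEYGUARD"},
    "silent_calls": {"android.permission.CALL_PHONE"},
    "record_audio": {"android.permission.RECORD_AUDIO"},
    "read_system_logs": {"android.permission.READ_LOGS"},
    "persist_on_boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "kill_other_apps": {"android.permission.KILL_BACKGROUND_PROCESSES"},
    "network_access": {"android.permission.INTERNET"},
}

# Constructed weights: how much each capability raises the review priority on its own.
WEIGHTS = {"intercept_sms": 3, "send_sms": 2, "overlay_windows": 3, "disable_keyguard": 2,
           "silent_calls": 2, "record_audio": 2, "read_system_logs": 1, "persist_on_boot": 1,
           "kill_other_apps": 1, "network_access": 0}


def parse_aapt_permissions(text: str) -> Dict[str, object]:
    """Return {'package': str|None, 'permissions': set} from `aapt dump permissions` text."""
    package = None
    perms: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return {"package": package, "permissions": perms}


def assess(permissions: Set[str]) -> Dict[str, object]:
    """Map permissions to capabilities, score them, and flag the combinations described above."""
    present = {cap for cap, needed in CAPABILITIES.items() if permissions & needed}
    score = sum(WEIGHTS[cap] for cap in present)
    patterns: List[str] = []
    # Overlay + SMS access is the shape of credential phishing with one-time-code interception.
    if {"intercept_sms", "overlay_windows"} <= present:
        patterns.append("overlay+sms: credential phishing with SMS code interception")
    # Boot persistence + keyguard control matches the lock-screen behaviour described.
    if {"persist_on_boot", "disable_keyguard"} <= present:
        patterns.append("boot persistence + keyguard control: lock-screen behaviour")
    verdict = "review" if score >= 8 or patterns else "low"
    return {"capabilities": sorted(present), "score": score,
            "patterns": patterns, "verdict": verdict}


def triage(aapt_text: str) -> Dict[str, object]:
    """Parse then assess; the result carries the package name for the report."""
    parsed = parse_aapt_permissions(aapt_text)
    result = assess(parsed["permissions"])  # type: ignore[arg-type]
    result["package"] = parsed["package"]
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        r = triage(sample)
        print(f"{r['package']}: score={r['score']} verdict={r['verdict']}")
        for p in r["patterns"]:
            print("  -", p)
```

In practice the input comes from `aapt dump permissions app.apk` (the `aapt` binary ships in the Android SDK build-tools); the script only scores the manifest, so a low score says nothing about code behaviour and a high score is a reason to look at the APK, not a verdict on its own.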
The Trojan may also steal the user's login credentials for banking websites. It sends the stolen information to the following location:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":