The Trojan arrives on the device as part of repackaged versions of legitimate applications.
The package is typically installed by the user without knowledge of the extra payload included in the package. The repackaged applications have been found in a variety of locations, including unofficial marketplaces offering Android applications, fileshare sites, and miscellaneous websites.
The Trojan attempts to establish contact with a command and control server for instructions. It uses HTTP to contact the following server:
The Trojan may change the list of servers used when instructed by the controller.
Once contact is established with the command and control server, the Trojan may be instructed to perform any of the following actions:
- Collect and send information pertaining to the device including the installed applications and its geographic location.
- Upload contact information to a remote server.
- Upload SMS data to a remote server.
- Call or send an SMS to a specified number.
- Install or uninstall software.
- Show a map or a Web page.
- Show a pop-up message.
- Change the device wall paper.
- Create a shortcut.
- Change list of C&C servers.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":