This threat has been injected into legitimate applications for Android devices. The author of the threat downloads an application from a marketplace, modifies the legitimate application, and then republishes the modified version on the marketplace.
Once the Trojan has been installed on a compromised device, it executes when any one of the following conditions is met:
- Twelve hours have passed since the OS started
- Network connectivity changes, e.g. the device loses its connection to a network and the connection is re-established
- The device receives a phone call
The Trojan then attempts to steal the following information from the compromised device:
- Hardware information
- Network connectivity
Next, the Trojan encrypts the stolen information and may send it through a local proxy to one of the following remote locations:
It also receives search parameters from the above URLs. The Trojan then uses the obtained parameters to silently issue multiple HTTP search requests to the following location:
wap.baidu.com/s?word=[ENCODED SEARCH STRING]&vit=uni&from=[ID]
The purpose of these search requests is to artificially inflate the search ranking of a website.
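As an added example that is not part of this write-up, the following Python detector runs over a few constructed proxy log lines and flags any client that issues a burst of automated searches matching the wap.baidu.com/s?word=...&vit=uni&from=... pattern described above. The log line format, the client addresses, the `from` IDs, and the burst threshold and window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log: "<ISO timestamp> <client> <method> <url>".
# Client 10.0.0.5 mimics the Trojan's repeated search requests; the others are benign.
SAMPLE_LOG = """\
2012-02-01T10:00:01 10.0.0.5 GET http://wap.baidu.com/s?word=%E6%89%8B%E6%9C%BA&vit=uni&from=1001
2012-02-01T10:00:03 10.0.0.5 GET http://wap.baidu.com/s?word=%E4%B8%8B%E8%BD%BD&vit=uni&from=1001
2012-02-01T10:00:04 10.0.0.7 GET http://wap.baidu.com/s?word=weather&vit=uni&from=2002
2012-02-01T10:00:06 10.0.0.5 GET http://wap.baidu.com/s?word=%E5%B0%8F%E8%AF%B4&vit=uni&from=1001
2012-02-01T10:00:09 10.0.0.5 GET http://wap.baidu.com/s?word=%E6%B8%B8%E6%88%8F&vit=uni&from=1001
2012-02-01T10:00:11 10.0.0.9 GET http://example.org/index.html
"""


def is_adrd_style_search(url):
    """True when the URL matches the search pattern from the write-up:
    host wap.baidu.com, path /s, with word=, vit=uni and from= parameters."""
    parts = urlsplit(url)
    if parts.hostname != "wap.baidu.com" or parts.path != "/s":
        return False
    qs = parse_qs(parts.query)
    return "word" in qs and qs.get("vit") == ["uni"] and "from" in qs


def find_search_bursts(log_text, threshold=3, window=timedelta(seconds=30)):
    """Return {client: (count, from_id)} for every client that issued at least
    `threshold` matching searches inside any `window`-long span.
    The threshold and window are assumed tuning values, not figures from the write-up."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _method, url = line.split(" ", 3)
        if is_adrd_style_search(url):
            from_id = parse_qs(urlsplit(url).query)["from"][0]
            hits[client].append((datetime.fromisoformat(ts), from_id))

    flagged = {}
    for client, events in hits.items():
        events.sort()
        # Slide a window over the sorted timestamps; flag on the first burst found.
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            if len(in_window) >= threshold:
                flagged[client] = (len(in_window), in_window[0][1])
                break
    return flagged


if __name__ == "__main__":
    print(find_search_bursts(SAMPLE_LOG))
```

Because the `from` ID identifies the campaign rather than the device, grouping flagged clients by that value is a quick way to see how many devices on a network share the same infection.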
It may download an updated version of itself and save it to the following location:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":