The Trojan is typically bundled with an application available on Android marketplaces.
When the compromised application is installed, it registers the main launcher so the Trojan will start when the application starts.
It then registers the following services:
It then uses the following Android kernel exploit tools to elevate privileges on the device, gaining root access to the device:
These publicly available exploit toolkits are known only to reliably work on Android versions 2.2 (Froyo) and 2.1 (Eclair).
It then downloads the following component:
The Trojan may then receive commands from the following command and control server:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":