When installing the Trojan, it will ask for one or more of the following permissions:
- Open network connections.
- Access information about networks.
- Access information about the WiFi state.
- Check the phone's current state.
- Prevent processor for sleeping or screen from dimming.
- Injects user events into the event stream and delivers them to any window.
- Allow access to low-level system logs.
- Write to external storage devices.
- Gather debug logs.
- Gathers information about currently or recently run tasks.
When the Trojan is executed, it displays the log in page of a certain application. If a user enters a user name and password, the Trojan attempts to send those details to the following URL:
The Trojan then displays an error message and uninstalls itself from the compromised device.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":