Android package file
The Trojan may arrive as a package with the following name:
The Trojan does not create an application icon. However, it may appear in Manage Applications as an application named System.
When the Trojan is being installed, it requests permissions to perform the following actions:
- Check the phone's current state.
- Change the phone state, such as powering it on and off.
- Initiate a phone call without using the Phone UI or requiring confirmation from the user.
- Monitor, modify, or end outgoing calls.
- Use the device's mic to record audio.
- Access the camera.
- Modify global audio settings.
- Read user's contacts data.
- Create new contact data.
- Start once the device has finished booting.
- Send, monitor, read, and create new SMS messages.
- Open network connections.
- Access location information, such as Cell-ID or WiFi.
- Access location information, such as GPS information.
- Update device statistics.
- Prevent processor from sleeping or screen from dimming.
- Access low-level power management.
- Read or write to the system settings.
- Disable the keyguard.
- Write to external storage devices.
- Access low-level system logs.
- End background processes.
- Access information about networks.
- Write the APN settings.
- Connect to paired Bluetooth devices.
The Trojan then opens a back door on the compromised device and listens for specially crafted SMS messages, allowing an attacker to perform the following actions:
- Change network settings
- Stop and start processes and services
- Send the contact list to a remote location
- Reboot the compromised device
- Record incoming and outgoing call numbers
- Deactivate software
- Take screenshots
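The traits described above (no application icon, the label System, and a permission set built around SMS, boot start and device surveillance) can be checked for in a decoded AndroidManifest.xml. The following triage sketch is an added example, not part of the original write-up; the mapping from the descriptions above to Android permission names, the finding names and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumption: these names are a mapping of the write-up's descriptions.
SURVEILLANCE = {P + "RECORD_AUDIO", P + "CAMERA", P + "READ_CONTACTS",
                P + "ACCESS_FINE_LOCATION", P + "PROCESS_OUTGOING_CALLS"}
# Permissions not normally granted to third-party apps.
PRIVILEGED = {P + "MODIFY_PHONE_STATE", P + "DEVICE_POWER", P + "READ_LOGS",
              P + "WRITE_APN_SETTINGS", P + "UPDATE_DEVICE_STATS"}

def has_launcher_icon(root):
    # An app shows an icon only if an activity has a MAIN/LAUNCHER filter.
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.findall("action")}
            cats = {c.get(NS + "name") for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False

def triage(manifest_xml):
    # Returns the traits from the write-up that this manifest exhibits.
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(NS + "label") if app is not None else None
    findings = []
    if not has_launcher_icon(root):
        findings.append("no_launcher_icon")
    if label == "System":  # literal labels only; @string/ refs need resources
        findings.append("label_is_System")
    if {P + "RECEIVE_SMS", P + "RECEIVE_BOOT_COMPLETED"} <= perms:
        findings.append("sms_listener_started_at_boot")
    if len(perms & SURVEILLANCE) >= 3:
        findings.append("surveillance_permissions")
    if perms & PRIVILEGED:
        findings.append("privileged_permissions")
    return findings

# Constructed sample manifest (not taken from a real package).
SAMPLE = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
          + "".join(f'<uses-permission android:name="{P}{n}"/>' for n in (
              "RECEIVE_SMS", "RECEIVE_BOOT_COMPLETED", "RECORD_AUDIO",
              "CAMERA", "READ_CONTACTS", "READ_LOGS"))
          + '<application android:label="System"/></manifest>')
```

No single finding is conclusive, since legitimate background services also omit a launcher icon; the combination is what warrants a closer look at the package.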
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":