When the Trojan is being installed, it requests permissions to perform the following actions:
- Open network connections.
- Access information about networks.
- Start once the device has finished booting.
The Trojan runs when the Android device starts. It then decrypts the file res\raw\data to obtain a command and control (C&C) server address.
Next, it connects to the C&C server and waits for a command that allows the remote attacker to use the compromised device as a proxy.
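The install-time requests and boot-time start described above can be checked for in a decoded AndroidManifest.xml. The following is an added example, not code from the original write-up: the mapping of the three listed actions to Android permission names is an assumption, the manifests are constructed samples, and the manifest is assumed to be already decoded to text (for example with apktool). Many legitimate apps request the same combination, so a match is a triage signal rather than a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Assumed mapping of the three requested actions to Android permission names.
PROFILE = {
    "android.permission.INTERNET",               # open network connections
    "android.permission.ACCESS_NETWORK_STATE",   # access information about networks
    "android.permission.RECEIVE_BOOT_COMPLETED", # start once booting has finished
}

def triage_manifest(manifest_xml):
    """Report whether a decoded manifest matches the permission/boot-start profile."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(receiver.get(ANDROID_NS + "name"))
    missing = sorted(PROFILE - requested)
    return {
        "package": root.get("package"),
        "missing_permissions": missing,
        "boot_receivers": boot_receivers,
        "matches_profile": not missing and bool(boot_receivers),
    }

# Constructed sample manifests (not taken from any real sample).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><receiver android:name=".BootReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver></application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_manifest(xml))
```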
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":