Android package file
The Trojan may arrive as the following APK package:
Android Security Suite Premium
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access information about networks.
- Access information about the WiFi state.
- Add a system service.
- Broadcast an SMS receipt notification.
- Broadcast sticky intents.
- Broadcast a WAP PUSH receipt notification.
- Modify the current configuration.
- Change network connectivity state.
- Allow access to low-level power management.
- Disable the keyguard.
- Open windows that are for use by parts of the system user interface.
- Open network connections.
- Change the phone state, such as powering it on and off.
- Monitor, modify, or end outgoing calls.
- Check the phone's current state.
- Read SMS messages on the device.
- Start once the device has finished booting.
- Monitor incoming SMS messages.
- Change the Z-order of tasks.
- Send SMS messages.
- Open, close, or disable the status bar and its icons.
- Open windows using the type TYPE_SYSTEM_ALERT.
- Update device statistics.
- Make the phone vibrate.
- Prevent processor from sleeping or screen from dimming.
- Allows applications to write the apn settings.
- Write to external storage devices.
- Read or write to the secure system settings.
- Read or write to the system settings.
- Create new SMS messages.
When the Trojan is executed, it displays an "Activation Code", which is generated from the device ID.
Next, the Trojan steals SMS messages and posts them to the following location:
A remote attacker may then send a command to the compromised device to perform the following actions:
- Disable the application
- Enable the application
- Uninstall itself
- Send the phone number of the remote attacker
- Change the phone number of the remote attacker in the device's Contacts
- Sends system information to the remote attacker, such as device model, device manufacturer, OS version, bank account activation code, and current version of the Trojan
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":