This Trojan must be manually installed.
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access information about networks
- Initiate a phone call without going through the dialer user interface for the user to confirm the call being placed
- Open network sockets
- Receive the ACTION_BOOT_COMPLETED message that is broadcast after the system finishes booting
- Write to external storage devices
The Trojan is created by injecting malicious code into a legitimate application, so that the malicious code executes along with the legitimate application.
When the compromised device starts, the Trojan searches the following folder:
If the Trojan finds any files with a .JPG extension, it modifies the .JPG files by placing another image onto the original image.
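Because the Trojan rides inside a repackaged legitimate application, comparing a candidate build's manifest against the known-good build shows which of the permissions listed above were added. The following is an added example, not part of the original write-up: the Android permission names are assumed mappings of the five listed actions, the manifests are constructed samples, and both are assumed to be already decoded to text XML (for example with apktool).

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed Android names for the five actions listed in the write-up.
WATCHED = {P + n for n in ("ACCESS_NETWORK_STATE", "CALL_PHONE", "INTERNET",
                           "RECEIVE_BOOT_COMPLETED", "WRITE_EXTERNAL_STORAGE")}

def permissions(manifest_xml):
    """Set of permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NS + "name") for e in root.iter("uses-permission")} - {None}

def boot_receivers(manifest_xml):
    """Receivers whose intent filter listens for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    return {r.get(NS + "name") for r in root.iter("receiver")
            for a in r.iter("action")
            if a.get(NS + "name") == "android.intent.action.BOOT_COMPLETED"}

def compare(original_xml, candidate_xml):
    """Report what a candidate build requests beyond the known-good build."""
    cand = permissions(candidate_xml)
    added = cand - permissions(original_xml)
    return {
        "added_watched": sorted(added & WATCHED),
        "requests_all_watched": WATCHED <= cand,
        "new_boot_receivers": sorted(boot_receivers(candidate_xml)
                                     - boot_receivers(original_xml)),
    }

def _manifest(perms, app_body=""):
    # Constructed sample manifest in decoded (text XML) form.
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.gallery">{uses}'
            f'<application><activity android:name=".Main"/>{app_body}'
            '</application></manifest>')

ORIGINAL = _manifest(["INTERNET", "WRITE_EXTERNAL_STORAGE"])
REPACKAGED = _manifest(
    ["INTERNET", "WRITE_EXTERNAL_STORAGE", "ACCESS_NETWORK_STATE",
     "CALL_PHONE", "RECEIVE_BOOT_COMPLETED"],
    '<receiver android:name=".BootHook"><intent-filter><action android:name='
    '"android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>')

if __name__ == "__main__":
    print(compare(ORIGINAL, REPACKAGED))
```

A build that gains `CALL_PHONE` and a new boot receiver relative to the publisher's original is worth a closer look even when each permission is common on its own.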
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":