This threat must be manually downloaded.
Android package file
The Trojan may arrive as the following APK package:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access information about networks, including Wi-Fi networks
- Read the phone state (read-only access)
- Change network connectivity state
- Monitor incoming SMS messages in order to record or process them
- Open network sockets
- Read SMS messages
- Read and write to the user's contacts data
- Receive the ACTION_BOOT_COMPLETED message that is broadcast after the system finishes booting
- Send SMS messages
- Use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming
- Write SMS messages
- Write the APN settings
- Write to an external storage device
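The permission set above is itself a useful triage signal: SMS receive, read, write and send together with boot persistence and APN/network control rarely appear in a legitimate application. The following is an added example, not Symantec's code or anything from the sample, that parses a manifest and reports which of those permission combinations are present. The manifest excerpt is constructed to approximate the list above; the package name is a placeholder, and the `android.permission.*` names are the real Android identifiers that correspond to each listed capability.

```python
# Added example (not from the Symantec write-up): triage an AndroidManifest.xml
# for the permission combination described in the threat description.
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest excerpt; the package name is a placeholder, the
# permissions approximate the capabilities listed in the write-up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

# Each rule fires only when every permission in its set is requested.
RULES: Dict[str, Set[str]] = {
    # receive + read + write SMS is what an SMS-intercepting/blocking app needs
    "sms_interception": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.WRITE_SMS",
    },
    # ability to send SMS to a number chosen by a remote configuration
    "sms_sending": {"android.permission.SEND_SMS"},
    # turning off Wi-Fi and rewriting APN settings to force a carrier data path
    "network_switching": {
        "android.permission.CHANGE_NETWORK_STATE",
        "android.permission.WRITE_APN_SETTINGS",
    },
    # restart after reboot without user interaction
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    # read (and possibly modify) the contact list
    "contact_access": {"android.permission.READ_CONTACTS"},
}


def permissions_from_manifest(xml_text: str) -> Set[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(xml_text)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def triage(permissions: Set[str]) -> Dict[str, object]:
    """Report which suspicious permission combinations are present."""
    fired: List[str] = [label for label, needed in RULES.items()
                        if needed <= permissions]
    return {
        "fired": fired,
        "score": len(fired),
        "permission_count": len(permissions),
    }


if __name__ == "__main__":
    found = permissions_from_manifest(SAMPLE_MANIFEST)
    report = triage(found)
    print(f"{report['permission_count']} permissions requested")
    for label in report["fired"]:
        print(f"  flag: {label}")
```

A score of 5 out of 5 on a small application with no obvious messaging purpose is a strong reason to hold the APK for manual analysis; the same check can be run in an MDM or app-vetting pipeline before a package is allowed on managed devices.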
When the Trojan is executed, it creates the following service:
The Trojan then disables Wi-Fi and switches the device to the CMWAP/CMNET access points instead.
Next, the Trojan connects to one of the following HTTP servers to download a configuration file:
This server is down at the time of analysis.
The Trojan then sends an SMS message to a predetermined number contained within the configuration file so that a remote attacker can obtain the phone number of the device.
It then monitors any SMS messages that arrive from the following number, which is the MM (Mobile Market):
If a message contains the following text, the Trojan extracts the login authentication code for the device:
Welcome to MM mobile application download service
This allows the Trojan to subscribe to and download applications on to the device.
It then blocks all SMS messages that come from 10658800 so that the user is unaware of any applications downloaded by the Trojan.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":