Android package file
The Trojan may arrive as a package with one of the following names:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Open network connections.
- Make the phone vibrate.
- Write to external storage devices.
- Access information about networks.
- Change network connectivity state.
- Check the phone's current state.
- Access location information, such as Cell-ID or WiFi.
- Access location information, such as GPS information.
- Access information about the WiFi state.
- Access low-level system logs.
- Start once the device has finished booting.
- Monitor incoming SMS messages.
- Send SMS messages.
- Read SMS messages on the device.
- Create new SMS messages.
- Write the APN settings.
- Access the camera.
- Check for currently or recently running tasks.
- Create location providers for testing purposes.
- Mount or unmount removable storage.
Once installed, the application will display an icon. The icon and text displayed may differ depending on the version of the Trojanized app used.
The package details and icon can be seen in the package browser after installation.
The following services are created after installation and can be seen in the package summary:
The Trojan also creates a number of broadcast receivers which can also be seen in the package summary:
The Trojan may monitor and filter out certain SMS messages to prevent the user from viewing them.
It downloads configuration files from the following remote location:
The Trojan may also download the following files:
It may also download additional apps onto the device as instructed by the configuration file contents.
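The following triage script is an added example, not part of the original writeup: it reads a decoded `AndroidManifest.xml` and reports the SMS permissions, the other flagged permissions, and the SMS and boot broadcast receivers described above. The permission constants are the standard Android names matching the descriptions in the list, and the sample manifest with its package and class names is constructed. Treating an elevated-priority `SMS_RECEIVED` receiver as a sign of SMS filtering is an assumption based on how older Android versions deliver that broadcast; the writeup does not state the mechanism.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"RECEIVE_SMS", "SEND_SMS", "READ_SMS", "WRITE_SMS"}
# Other permissions from the writeup's list that are unusual for ordinary apps.
OTHER_FLAGGED = {"RECEIVE_BOOT_COMPLETED", "WRITE_APN_SETTINGS", "READ_LOGS",
                 "GET_TASKS", "MOUNT_UNMOUNT_FILESYSTEMS", "ACCESS_MOCK_LOCATION"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <application>
    <receiver android:name=".SmsRcv">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootRcv">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Summarise SMS-related permissions and receivers in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
             for p in root.iter("uses-permission")}
    findings = {"sms_permissions": sorted(perms & SMS_PERMS), "sms_receivers": [],
                "other_flagged": sorted(perms & OTHER_FLAGGED), "boot_receivers": []}
    for rcv in root.iter("receiver"):
        name = rcv.get(ANDROID_NS + "name")
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            prio = flt.get(ANDROID_NS + "priority", "0")
            prio = int(prio) if prio.lstrip("-").isdigit() else 0
            if SMS_ACTION in actions:
                findings["sms_receivers"].append((name, prio))
            if BOOT_ACTION in actions:
                findings["boot_receivers"].append(name)
    # Elevated priority lets a receiver see SMS before the default inbox on older Android.
    findings["possible_sms_interception"] = (
        "RECEIVE_SMS" in perms and any(p > 0 for _, p in findings["sms_receivers"]))
    return findings

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```
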
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":