The Trojan must be downloaded and manually installed. It is bundled with a legitimate application in an attempt to hide the infection.
When the Trojan is executed, it displays the interface of the legitimate application and loads the following malicious shared object:
The above shared object then drops an embedded object to the following location:
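A repackaged app of this kind can be triaged before installation by comparing the native libraries inside the APK against those shipped by the genuine application, and by looking for ELF binaries stored outside the normal lib/ directory (where a loader could later drop them). The following Python script is an added example written for this page, not Symantec's tooling or the Trojan's code; the APK it inspects is a minimal zip constructed in memory, and the library names, paths and hashes are assumptions.

```python
import hashlib
import io
import zipfile
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF shared object

# Constructed sample data (not from any real app): the legitimate app's native
# library and its known-good SHA-256, as a vendor or analyst would record it.
ORIGINAL_LIB = ELF_MAGIC + b"original-app-code" * 4
KNOWN_GOOD: Dict[str, str] = {
    "lib/armeabi-v7a/libapp.so": hashlib.sha256(ORIGINAL_LIB).hexdigest(),
}


def build_sample_apk(repackaged: bool = True) -> bytes:
    """Build a minimal APK-shaped zip in memory (constructed test input).

    With repackaged=True the archive also carries an extra shared object and
    an ELF blob under assets/, mimicking a bundled loader plus embedded payload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/armeabi-v7a/libapp.so", ORIGINAL_LIB)
        if repackaged:
            # Shared object the original app never shipped (hypothetical name).
            z.writestr("lib/armeabi-v7a/libhelper.so", ELF_MAGIC + b"unknown" * 8)
            # An ELF hidden under assets/, where a loader could drop it at runtime.
            z.writestr("assets/data.bin", ELF_MAGIC + b"dropped" * 8)
    return buf.getvalue()


def native_libraries(apk_bytes: bytes) -> Dict[str, str]:
    """Return {archive path: sha256 hex} for every .so under lib/ in the APK."""
    libs: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                libs[name] = hashlib.sha256(z.read(name)).hexdigest()
    return libs


def embedded_elf_outside_lib(apk_bytes: bytes) -> List[str]:
    """List files outside lib/ whose first bytes are the ELF magic.

    Native code stored under assets/ or res/raw/ is unusual for a normal app
    and is a common place for a loader to keep a payload it drops later.
    """
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or info.filename.startswith("lib/"):
                continue
            with z.open(info) as f:
                if f.read(4) == ELF_MAGIC:
                    found.append(info.filename)
    return sorted(found)


def unexpected_libraries(apk_bytes: bytes, known_good: Dict[str, str]) -> List[str]:
    """Report libraries that were added to, or differ from, the known-good set."""
    findings: List[str] = []
    for path, digest in native_libraries(apk_bytes).items():
        expected = known_good.get(path)
        if expected is None:
            findings.append(f"added: {path}")
        elif expected != digest:
            findings.append(f"modified: {path}")
    return sorted(findings)


if __name__ == "__main__":
    sample = build_sample_apk()
    print("unexpected libraries:", unexpected_libraries(sample, KNOWN_GOOD))
    print("ELF blobs outside lib/:", embedded_elf_outside_lib(sample))
```

The known-good hash set is the piece that makes this useful in practice: it has to come from a copy of the application obtained from the developer or an official store, not from the sample under suspicion. An APK that adds a native library the original never had, or stores ELF files under assets/, is worth a closer look before it is installed on a device.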
The Trojan may then modify the following file so that it executes whenever the device starts:
Next, the Trojan checks whether the device has been rooted.
If the phone is not rooted, the Trojan deletes the following file and exits:
If the phone is rooted, the Trojan attempts to modify the following system properties by invoking /system/bin/setprop:
Next, the Trojan attempts to connect to the following command-and-control (C&C) server locations:
It may then download files onto the compromised device.
The Trojan may also perform the following actions on the device:
- Install and uninstall packages
- Start new processes and activities
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":