Android package file
The Trojan may arrive as a package with the following name:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Send SMS messages
- Read SMS messages
- Monitor incoming SMS messages
Once installed, the application will display an icon with a picture of a lock and the text "Zertifikat".
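The install-time indicators above (the three SMS permissions and the "Zertifikat" label) can be checked during APK triage. The following is an added example, not Symantec's code: it assumes the manifest has already been decoded to text XML (for instance with apktool), maps the three listed actions to the standard Android permission names, and uses hypothetical function, field and sample names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android permission names matching the three requests listed above.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
LABEL_OF_INTEREST = "zertifikat"  # icon text reported in this write-up

def triage_manifest(manifest_xml, strings=None):
    """Report SMS-permission and label indicators in a decoded manifest."""
    strings = strings or {}  # assumed: name -> value map from res/values/strings.xml
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            requested.add((node.get(ANDROID_NS + "name") or "").strip())
    sms = sorted(requested & SMS_PERMISSIONS)
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "") if app is not None else ""
    if label.startswith("@string/"):  # resolve a resource reference if we can
        label = strings.get(label[len("@string/"):], label)
    full_set = len(sms) == len(SMS_PERMISSIONS)
    return {
        "package": root.get("package"),
        "sms_permissions": sms,
        "label": label,
        "needs_review": full_set,  # legitimate SMS apps also land here
        "matches_writeup": full_set and label.strip().lower() == LABEL_OF_INTEREST,
    }

# Constructed sample manifests (not taken from any real package).
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
SAMPLE_MATCH = _HEAD + '''package="com.example.constructed.cert">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="@string/app_name"/>
</manifest>'''
SAMPLE_PARTIAL = _HEAD + '''package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Notes"/>
</manifest>'''

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MATCH, {"app_name": "Zertifikat"}))
    print(triage_manifest(SAMPLE_PARTIAL))
```

The permission set alone only queues a package for review, since legitimate messaging apps request the same three permissions; the label comparison is what ties a hit to this description.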
When the Trojan is executed, it opens a back door on the compromised device.
The Trojan performs the following actions after receiving SMS messages from the attacker:
- Monitor incoming and outgoing SMS messages
- Change the phone number that the attacker uses to send commands and receive stolen SMS messages
The Trojan receives commands from and sends stolen SMS messages to the following number:
Variants of this threat use a different phone number.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":