Android package file
The Trojan may arrive as a package with the following characteristics:
Games 101 IN 1
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access information about WiFi networks
- Access the precise location of the device from sources such as GPS, cell towers, and WiFi
- Access the list of accounts in the Accounts Service
- Allow read-only access to the phone state
- Change the WiFi connectivity state
- Initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed
- Install a shortcut
- Make the device vibrate
- Open network sockets
- Read (but not write) the user's browsing history and bookmarks
- Read the user's contacts data
- Receive messages from a Cloud To Device Messaging (C2DM) server
- Receive the ACTION_BOOT_COMPLETED message that is broadcast after the system finishes booting
- Receive, read, write, and send SMS messages
- Request authtokens from the AccountManager
- Use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming
Once installed, the application will display an icon with the text "101 in - 1 GAMES".
When the Trojan is executed, it connects to the following location and displays a list of games:
Next, it uses the Gmail account of the device to register itself to a C2DM server.
If there is no Gmail account associated with the device, the Trojan displays a message requesting the user to apply for a Gmail account.
Next, the Trojan opens a back door on the device.
It may also steal the following information and send it to a remote location:
The Trojan may also block certain SMS messages or send SMS messages from the device.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":