Android package file
The Trojan may arrive as a package with the following characteristics:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access information about networks, including WiFi
- Allow read-only access to phone state
- Change network connectivity state, including WiFi
- Monitor incoming SMS messages, to record or perform processing on them
- Mount and unmount file systems for removable storage devices
- Open network sockets
- Send SMS messages
- Use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming
- Write the APN settings
- Write to external storage devices
Once installed, the application will display an icon with Chinese characters.
When the Trojan is executed, it registers the following SMS receiver:
The Trojan then intercepts and blocks all incoming SMS messages.
All SMS messages that are blocked by the Trojan are sent to a remote location.
The Trojan may also subscribe to services without the user's consent.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":