Android package file
The Trojan may arrive as a package with the following characteristics:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Open network connections.
- Send SMS messages.
- Initiate a phone call without using the Phone UI or requiring confirmation from the user.
- Monitor incoming SMS messages.
- Check the phone's current state.
- Start once the device has finished booting.
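As an added example that is not part of the Symantec writeup, the following Python script pulls the requested permissions out of `aapt dump badging` output and flags a package whose permission set matches the profile listed above; the mapping from the listed capabilities to Android permission names, the constructed sample output, and the package name are my assumptions.

```python
import re

# Capabilities from the writeup mapped to the Android permissions that grant
# them. The mapping is my assumption; the permission names themselves are real.
CAPABILITY_PERMISSIONS = {
    "android.permission.INTERNET": "open network connections",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.CALL_PHONE": "place calls without the Phone UI",
    "android.permission.RECEIVE_SMS": "monitor incoming SMS messages",
    "android.permission.READ_PHONE_STATE": "read phone state (IMEI, number)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start once booting completes",
}

# Accepts both aapt output styles:
#   uses-permission: name='android.permission.SEND_SMS'
#   uses-permission:'android.permission.SEND_SMS'
_PERM_RE = re.compile(r"uses-permission:\s*(?:name=)?'([^']+)'")


def extract_permissions(aapt_output: str) -> set:
    """Return the set of permissions requested in `aapt dump badging` output."""
    return set(_PERM_RE.findall(aapt_output))


def triage(permissions: set) -> dict:
    """Score a permission set against the capability profile above.

    A package that can both send and receive SMS and also persists across
    reboot fits the SMS-forwarding back door described in the writeup.
    """
    matched = sorted(p for p in permissions if p in CAPABILITY_PERMISSIONS)
    sms_both_ways = {"android.permission.SEND_SMS",
                     "android.permission.RECEIVE_SMS"} <= permissions
    persists = "android.permission.RECEIVE_BOOT_COMPLETED" in permissions
    return {
        "matched": matched,
        "coverage": len(matched) / len(CAPABILITY_PERMISSIONS),
        "suspicious": sms_both_ways and persists,
    }


# Constructed sample (hypothetical package name): what aapt prints for a
# package requesting the permissions listed above plus one benign permission.
SAMPLE_AAPT_OUTPUT = """\
package: name='com.example.sample' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.VIBRATE'
application-label:'Certificate'
"""

if __name__ == "__main__":
    print(triage(extract_permissions(SAMPLE_AAPT_OUTPUT)))
```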
Once installed, the application displays an icon that appears to be a padlock on a computer monitor.
It also appears in the application menu under the name Certificate and displays fake messages when run.
The Trojan opens a back door and attempts to connect to a command-and-control server. Once contact is established, the Trojan may be instructed to perform any of the following actions:
- Start and stop forwarding SMS messages
- Send SMS messages
- Run an Unstructured Supplementary Service Data (USSD) command
- Stop running apps
- Display messages
- Configure URLs
- Send pings
- Configure SMS numbers
It also checks whether it is running in an emulator by inspecting the IMEI, phone number, operator, and phone model.
The Trojan then steals the phone number, IMEI, and OS version from the compromised device.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":