Android package file
The Trojan may arrive as a package with the following characteristics:
When the application is being installed, it requests permissions to perform the following actions:
- Monitor incoming SMS messages.
- Monitor incoming MMS messages.
- Read SMS messages on the device.
- Check the phone's current state.
- Start once the device has finished booting.
- Allow cloud messaging (C2DM).
- Open network connections.
- Access the list of accounts in the Accounts Service.
- Prevent the processor from sleeping or the screen from dimming.
- Access information about the WiFi state.
- Change WiFi state.
Once installed, the application will display an icon of a green robot with a white cube on its chest:
The Trojan may remove the icon from the application list.
The application will run in the background, gathering SMS activity and periodically sending it to a proxy email address.
Once executed, the Trojan requests Device Administrator privileges.
The Trojan then monitors incoming SMS messages and sends them to the following proxy email addresses:
These email addresses may be changed by SMS command.
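A triage check for the permission profile and Device Administrator request described above, as an added example that is not part of the original writeup. It assumes a decoded, text-form AndroidManifest.xml; the mapping from the descriptions to Android permission names, the `suspicious` rule and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the permission descriptions above to Android permission names
PROFILE = {
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "com.google.android.c2dm.permission.RECEIVE",
    "android.permission.INTERNET",
    "android.permission.GET_ACCOUNTS",
    "android.permission.WAKE_LOCK",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
}
# Smallest subset that allows intercepting SMS, sending it out and surviving a reboot
CORE = {"android.permission.RECEIVE_SMS", "android.permission.INTERNET",
        "android.permission.RECEIVE_BOOT_COMPLETED"}

def triage_manifest(xml_text):
    """Compare a decoded manifest against the profile; returns a dict of findings."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A Device Administrator receiver is guarded by BIND_DEVICE_ADMIN
    admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    return {
        "matched": sorted(requested & PROFILE),
        "missing": sorted(PROFILE - requested),
        "device_admin": admin,
        # Heuristic (assumption): core SMS-forwarding permissions plus device admin
        "suspicious": CORE <= requested and admin,
    }

HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.constructed">')
# Constructed sample: every profile permission plus a device admin receiver
SAMPLE = (HEAD
          + "".join('<uses-permission android:name="%s"/>' % p for p in sorted(PROFILE))
          + '<application><receiver android:name=".Admin" '
            'android:permission="android.permission.BIND_DEVICE_ADMIN"/></application></manifest>')
# Constructed sample: an app that only opens network connections
BENIGN = (HEAD + '<uses-permission android:name="android.permission.INTERNET"/>'
          '<application/></manifest>')

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage_manifest(doc))
```

A match on the full profile is a reason to inspect the package further, not a verdict, since legitimate messaging apps request many of the same permissions.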
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":