Android package file
The Trojan may arrive as a package with the following characteristics:
Google App Store
When the Trojan is being installed, it requests permissions to perform the following actions:
- Write to external storage devices
- Mount and unmount file systems for removable storage
- Monitor, read, and send SMS messages on the device
- Check the phone's current status
- Install shortcuts
- Open network connections
- Read user's contacts data
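
The following triage check is an added example, not code from Symantec or from the original write-up: it scores a decoded (text) AndroidManifest.xml against the permission set listed above. The mapping from the prose list to Android permission names, the 0.75 threshold, the "core" subset, and the sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed mapping of the write-up's prose list to Android permission names.
PROFILE = {
    P + "WRITE_EXTERNAL_STORAGE", P + "MOUNT_UNMOUNT_FILESYSTEMS",
    P + "RECEIVE_SMS", P + "READ_SMS", P + "SEND_SMS",
    P + "READ_PHONE_STATE", P + "INTERNET", P + "READ_CONTACTS",
    "com.android.launcher.permission.INSTALL_SHORTCUT",
}
# Permissions needed to text the contact list and report the phone number.
CORE = {P + "SEND_SMS", P + "READ_CONTACTS", P + "READ_PHONE_STATE", P + "INTERNET"}

def requested_permissions(manifest_xml):
    """Return permission names declared in a decoded (text) AndroidManifest.xml."""
    # Manifests never need a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = (el.get(ANDROID_NS + "name") for el in root.iter() if el.tag in tags)
    return {n for n in names if n}

def triage(manifest_xml, threshold=0.75):
    """Score a manifest against the profile; flag only if CORE is fully present."""
    requested = requested_permissions(manifest_xml)
    matched = PROFILE & requested
    score = len(matched) / len(PROFILE)
    return {
        "matched": sorted(matched),
        "missing": sorted(PROFILE - requested),
        "score": round(score, 2),
        "flag": CORE <= requested and score >= threshold,
    }

def make_manifest(perms):
    """Build a constructed sample manifest (package name is a placeholder)."""
    body = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.placeholder">%s<application/></manifest>' % body)

SUSPECT = make_manifest(sorted(PROFILE))  # constructed sample
BENIGN = make_manifest([P + "INTERNET", P + "WRITE_EXTERNAL_STORAGE"])  # constructed

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(xml))
```

A permission match is only a triage signal: legitimate messaging and backup applications request similar sets, so a flagged package still needs its signer and behaviour checked.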
Once installed, the application will display an icon of a white shopping bag with a multicolored triangle.
The Trojan poses as the Google app store application.
When the Trojan is executed, it starts the following services:
The Trojan may then send SMS messages to numbers in the compromised device's contacts list and send the device phone number to the following remote location:
Next, the Trojan checks to see if any of the following online banking applications are installed on the compromised device:
If any of the above applications are installed, the Trojan prompts the user to delete the installed application and install a malicious version in its place.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":