Android package file
The Trojan may arrive as a package with the following characteristics:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Monitor, read, write, and create new SMS messages
- Open network connections
- Prevent processor from sleeping or screen from dimming
- Check the phone's current state
- Read from external storage
- Make the phone vibrate
- Mount and unmount file systems for removable storage
- Access information about networks
- Initiate a phone call without using the phone UI or requiring confirmation from the user
- Change the phone state, such as powering it on and off
- Allow access to low-level power management
- Read user's contact data
- Create new contact data
- Access information about the WiFi state
- Write to external storage devices
- Install packages
- Access location information, such as Cell-ID or WiFi
- Access location information, such as GPS information
- Change WiFi connectivity state
Once installed, the application will display an icon with a green robot with a white cube on its chest.
The Trojan masquerades as Android security software.
When the Trojan is executed, it displays a page informing the user that the software is the latest version.
The Trojan then hides its icon from the application page.
Next, the Trojan connects to a command-and-control (C&C) server in order to receive a list of phone numbers. If the Trojan detects that it is running in an emulator, it does not connect to the C&C server.
The Trojan then monitors for calls and SMS messages coming from any of the numbers on the list. If a call or SMS message is received from one of the listed numbers, the Trojan suppresses device notifications and removes any trace of the message or call from the device logs.
Blocked SMS messages are logged in an internal database and sent to the C&C server.
The Trojan has the ability to update itself.
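For triage, the permission set and SMS handling described above can be checked against a decoded AndroidManifest.xml. The following is an added example, not code from the original write-up or from the Trojan. The mapping of the listed permission descriptions to Android permission names, the group names, and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed mapping of the write-up's permission descriptions to Android names.
GROUPS = {
    "sms_intercept": {P + "RECEIVE_SMS", P + "READ_SMS", P + "WRITE_SMS"},
    "network": {P + "INTERNET", P + "ACCESS_NETWORK_STATE"},
    "silent_call": {P + "CALL_PHONE"},
    "self_update": {P + "INSTALL_PACKAGES"},
    "contacts": {P + "READ_CONTACTS", P + "WRITE_CONTACTS"},
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage(manifest_xml):
    """Return fully requested permission groups, SMS receivers, review flag."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    matched = sorted(g for g, perms in GROUPS.items() if perms <= requested)
    receivers = [
        r.get(NS + "name")
        for r in root.iter("receiver")
        if any(a.get(NS + "name") == SMS_ACTION for a in r.iter("action"))
    ]
    # Flag only the combination described above: SMS interception plus a
    # network channel to report over, with a receiver registered for SMS.
    flag = {"sms_intercept", "network"} <= set(matched) and bool(receivers)
    return {"matched": matched, "sms_receivers": receivers, "review": flag}

# Constructed sample manifest (hypothetical package and class names).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

A `review` result of `True` only marks the package for closer analysis; legitimate messaging and security apps can request similar permissions.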
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":