Android package file
The Trojan may arrive as a package with the following characteristics:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Start once the device has finished booting.
- Open network connections.
- Access information about networks.
- Check the phone's current state.
- Write to external storage devices.
- Prevent processor from sleeping or screen from dimming.
Once installed, the application will display an icon with an image of a black haired girl with pink lingerie.
The Trojan poses as an app that contains adult content.
The Trojan then attempts to trick the user into downloading another malicious APK from the following URL:
The downloaded APK may then perform the following actions:
- Send SMS messages
- Update the app by downloading a new APK
- Intercept incoming SMS messages according to a black list of phone numbers
- Try to run itself in device administrator mode to make it more difficult to uninstall
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":