Android package file
The Trojan may arrive as a package with the following characteristics:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Open network connections
- Send SMS messages
- Check the phone's current state
- Access information about networks
- Write to external storage devices
Once installed, the application will display a blue icon with a white letter "f", mimicking the appearance of the legitimate Facebook icon.
When the Trojan is executed, it displays a message telling the user to update the app.
When the user selects the update button, the Trojan sends the following SMS messages to 8738:
- SMS 1: KPAH 1 [FIVE DIGIT NUMBER] facebook
- SMS 2: KPAH 2 [FIVE DIGIT NUMBER] facebook
- SMS 3: MGO 2 [FIVE DIGIT NUMBER] facebook
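
The following Python check is an added example, not part of the original write-up: it flags a decoded AndroidManifest.xml that requests all of the permissions listed above and matches outbound SMS records against the destination number and message formats described here. The Android permission constant names, the `(destination, body)` record format, the placeholder package name and the sample data are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the write-up's permission list to Android
# permission constants (the write-up describes them in words only).
TROJAN_PERMS = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Destination number and body formats as given in the write-up.
PREMIUM_NUMBER = "8738"
BODY_RE = re.compile(r"(?:KPAH [12]|MGO 2) \d{5} facebook")


def manifest_requests_all(manifest_xml):
    """True if a decoded AndroidManifest.xml requests every listed permission."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return TROJAN_PERMS <= requested


def flag_sms(records):
    """Return the (destination, body) records matching the described messages."""
    return [(dst, body) for dst, body in records
            if dst == PREMIUM_NUMBER and BODY_RE.fullmatch(body.strip())]


# Constructed sample inputs (not taken from a real sample); placeholder package name.
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
    ' package="com.example.placeholder">'
    + "".join(f'<uses-permission android:name="{p}"/>' for p in sorted(TROJAN_PERMS))
    + "</manifest>"
)
SAMPLE_SMS = [
    ("8738", "KPAH 1 12345 facebook"),     # matches SMS 1 format
    ("8738", "MGO 2 54321 facebook"),      # matches SMS 3 format
    ("8738", "hello"),                     # right number, unrelated body
    ("5551234", "KPAH 1 12345 facebook"),  # right body, different number
]

if __name__ == "__main__":
    print(manifest_requests_all(SAMPLE_MANIFEST))
    print(flag_sms(SAMPLE_SMS))
```

Because the Trojan can update the message body and the premium number remotely, a match on these values covers only the messages described here.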
The Trojan may then connect to the following remote location in order to update the body of the SMS messages or the premium phone number:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":