Android package file
The Trojan may arrive as a package with the following characteristics:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Change the background wallpaper
- Access information about the WiFi state
- Allow access to low-level system logs
- Check the phone's current state
- Read and write to external storage devices
- Open network connections
- Read system settings
- Prevent processor from sleeping or screen from dimming
- Access information about networks
- Modify the current configuration
- Mount and unmount file systems for removable storage
- Modify audio settings
Once installed, the application will display an icon with Chinese text and an image of a character holding a bunch of red flowers.
Once opened, the application changes the icon to a close-up of a handshake with the text: Lycorisradiata. The application also changes the device's wallpaper to this image.
The application encrypts files stored on the device’s external storage. The application then asks the user to pay 20 to 40 Chinese yuan via Chinese payment providers QQ, Alipay, or WeChat in order to decrypt the files.
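For triage, the permission list above can be checked against a decoded `AndroidManifest.xml`. The following is an added example, not code from the original write-up; the mapping from each description to an Android permission constant and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: write-up description -> Android permission constant(s).
# "Read system settings" is left out: it has no unambiguous constant.
WRITEUP = {
    "Change the background wallpaper": {P + "SET_WALLPAPER"},
    "Access information about the WiFi state": {P + "ACCESS_WIFI_STATE"},
    "Allow access to low-level system logs": {P + "READ_LOGS"},
    "Check the phone's current state": {P + "READ_PHONE_STATE"},
    "Read and write to external storage devices":
        {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "Open network connections": {P + "INTERNET"},
    "Prevent processor from sleeping or screen from dimming": {P + "WAKE_LOCK"},
    "Access information about networks": {P + "ACCESS_NETWORK_STATE"},
    "Modify the current configuration": {P + "CHANGE_CONFIGURATION"},
    "Mount and unmount file systems for removable storage":
        {P + "MOUNT_UNMOUNT_FILESYSTEMS"},
    "Modify audio settings": {P + "MODIFY_AUDIO_SETTINGS"},
}
# Permissions behind the two behaviours described after launch:
# files on external storage are encrypted and the wallpaper is replaced.
CORE = {P + "WRITE_EXTERNAL_STORAGE", P + "SET_WALLPAPER"}

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}

def triage(manifest_xml):
    """Compare a manifest against the write-up's permission profile."""
    req = requested_permissions(manifest_xml)
    matched = sorted(d for d, perms in WRITEUP.items() if perms & req)
    return {"matched": matched,
            "coverage": len(matched) / len(WRITEUP),
            "core_present": CORE <= req}

# Constructed sample manifest (not taken from a real sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
```

Each of these permissions is also requested by benign applications, so a high coverage value is a reason to inspect the package further, not a verdict on its own.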
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":