Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.433.origin
- Android.DownLoader.482.origin
Downloads the following detected threats from the Web:
- Android.Backdoor.433.origin
Network activity:
Connecting to:
- a####.####.cn
- c####.####.com
- n####.####.com
- n####.####.com:8066
HTTP GET requests:
- a####.####.cn/request/cappredirect?ckey=####
- c####.####.com/m/AC046D1A6FB640A4B62BB6CF9E6F6F7B6C
- c####.####.com/s?z####
- n####.####.com/c/1501141122778
HTTP POST requests:
- n####.####.com:8066/s/
Modified file system:
Creates the following files:
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/30A90D56A017CCCC8870EED02AF96E3E
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/ddexe
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/debuggerd
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/install-recovery.sh
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/pidof
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/su
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/supolicy
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/toolbox
- <Package Folder>/app_cflzqo/91136795B48C4DBB87E8FC43D8829089.jar
- <Package Folder>/app_dex/encrypt
- <Package Folder>/app_dex/test.dex
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/cyzzzt
- <SD-Card>/Android/####/pid
- <SD-Card>/tencent/####/30A90D56A017CCCC8870EED02AF96E3E
- <SD-Card>/tencent/####/adv
- <SD-Card>/tencent/####/config
- <SD-Card>/tencent/####/deviceId
- <SD-Card>/tencent/####/master
- <SD-Card>/tencent/####/master.lock
- <SD-Card>/tencent/####/rpk_db
- <SD-Card>/tencent/####/sys_install
Miscellaneous:
Executes next shell scripts:
- app_process /system/bin com.android.commands.am.Am startservice --user 0 -n <Package>/com.android.println.MonitorService
- ls -l /system/bin/su
Loads the following dynamic libraries:
- helper
- test
Uses the following algorithms to encrypt data:
- DES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- DES-CBC-PKCS5Padding
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
