Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.SmsSend.21305
- Android.Spy.398.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) wap.n.sh####.com:80
- TCP(HTTP/1.1) hpd.b####.com:80
- TCP(TLS/1.0) ti####.jom####.com:443
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) wap.n.sh####.com:443
- TCP(TLS/1.0) box.jom####.com:443
- TCP(TLS/1.0) hpd.b####.com:443
DNS requests:
- a####.xctr####.com
- api.lik####.com
- f####.b####.com
- g####.bdst####.com
- hpd.b####.com
- m.b####.com
- mt####.go####.com
- pay.lik####.com
- s.bdst####.com
- sm.b####.com
- ss0.b####.com
- ss1.b####.com
- ss2.b####.com
- ti####.b####.com
- timg####.b####.com
- timg####.b####.com
- timg####.b####.com
- www.b####.com
HTTP GET requests:
- hpd.b####.com/v.gif?logid=0479589229&ssid=0&sid=120065_114551_119746_102...
- hpd.b####.com/v.gif?tid=####&ct=####&cst=####&logFrom=####&logInfo=####&...
- hpd.b####.com/v.gif?tid=####&funcSta=####&sourceSta=####&actionSta=####&...
Modified file system:
Creates the following files:
- <Package Folder>/Plugin/####/Signature_0.key
- <Package Folder>/Plugin/####/base-1.apk
- <Package Folder>/Plugin/####/base-1.dex
- <Package Folder>/Plugin/####/tmp.KW2070
- <Package Folder>/app_payload_lib/done
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/index
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/0fbe2c48.apk
- <Package Folder>/files/692db8c981851e7e155142e3bb74d004.apk
- <Package Folder>/files/dp.apk
- <Package Folder>/files/net.tt.plugin.damai.apk
- <Package Folder>/files/net.tt.plugin.taiku.apk
- <Package Folder>/files/net.tt.plugin.yufeng.apk
- <Package Folder>/files/net.tt.plugin.zhongzhi.apk
- <SD-Card>/com.zckj.files/u.apk
Miscellaneous:
Executes next shell scripts:
- /system/bin/netcfg
- chmod -R 755 <Package Folder>/Plugin
Loads the following dynamic libraries:
- aflnjedk
- srevxzdh
Gains access to geolocation.
Gains access to telephone information (number, imei, etc.).
Displays its own windows over windows of other applications.
Gains access to information about sent/received SMS messages.
