Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.MobiDash.1.origin
Network activity:
Connecting to:
- che####.####.biz
HTTP GET requests:
- che####.####.biz/Version.txt
- che####.####.biz/CustomPatches.zip
Modified file system:
Creates the following files:
- <Package Folder>/shared_prefs/config.xml.bak
- <Package Folder>/databases/PackagesDB-journal
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/app_config/transfer_skip
- /data/lp/xposed
- <Package Folder>/code_cache/secondary-dexes/MultiDex.lock
- <Package Folder>/files/file
- /data/lp/lp_utils
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/files/reboot
- <Package Folder>/app_app_apk/LOCK.dat.jar
- <Package Folder>/files/p.apk
- <Package Folder>/code_cache/secondary-dexes/tmp-<Package>-1.apk.classes-2083522942.zip
- <Package Folder>/files/busybox
Miscellaneous:
Executes next shell scripts:
- getenforce
- app_process /system/bin com.android.commands.pm.Pm enable com.android.vending/com.google.android.finsky.billing.iab.InAppBillingService
- app_process /system/bin com.android.commands.pm.Pm enable com.android.vending/com.google.android.finsky.billing.iab.MarketBillingService
- chmod 06777 <Package Folder>/files/busybox
- app_process /system/bin com.android.commands.pm.Pm enable com.android.vending/com.google.android.finsky.services.LicensingService
- <Package Folder>/files/busybox chown 0:0 <Package Folder>/files/reboot
- chown 0:0 <Package Folder>/files/busybox
- toolbox chmod 777 <Package Folder>/files/busybox
- chown 0.0 <Package Folder>/files/reboot
- ls /system/framework/core-libart.jar.jex
- chmod 777 /data/lp/xposed
- <Package Folder>/files/busybox chown 0:0 <Package Folder>/files/p.apk
- chmod 777 <Package Folder>/files/reboot
- chown 0.0 <Package Folder>/files/busybox
- mkdir /data/lp
- /system/bin/dalvikvm -Xbootclasspath:/system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-com
- chmod 06777 <Package Folder>/files/p.apk
- <Package Folder>/files/busybox chmod 06777 <Package Folder>/files/busybox
- app_process /system/bin com.android.commands.pm.Pm enable com.android.vending/com.google.android.finsky.billing.iab.FirstPartyInAppBillingService
- <Package Folder>/files/busybox chown 0:0 <Package Folder>/files/busybox
- <Package Folder>/files/busybox chown 0.0 <Package Folder>/files/p.apk
- ls /system/bin/failsafe/toolbox
- app_process /system/bin com.android.commands.pm.Pm disable com.android.vending/com.google.android.finsky.services.LicensingService
- <su-internal:request>
- <su-internal:result>
- <Package Folder>/files/busybox chown 0.0 <Package Folder>/files/busybox
- ls /system/framework/services.jar.jex
- chown 0.0 <Package Folder>/files/p.apk
- ls /system/framework/core.jar.jex
- busybox chmod 777 <Package Folder>/files/busybox
- chown 0:0 <Package Folder>/files/reboot
- chown 0:0 <Package Folder>/files/p.apk
- <Package Folder>/files/busybox chmod 777 <Package Folder>/files/reboot
- su
- <Package Folder>/files/busybox chown 0.0 <Package Folder>/files/reboot
- sh
- chmod 777 /data/lp/lp_utils
- chmod 777 /data/lp
- <dexopt>
- <Package Folder>/files/busybox chmod 06777 <Package Folder>/files/p.apk
Uses elevated priveleges.
Contains functionality to send SMS messages automatically.
