Technical information
Malicious functions:
Removes app icon from the screen.
Threat detection based on machine learning.
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(TLS/1.0) rr1---s####.g####.com:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) rr2---s####.g####.com:443
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.2) 1####.250.150.94:443
- TCP(TLS/1.2) 1####.194.222.139:443
- TCP(TLS/1.2) gmscomp####.google####.com:443
- UDP rr2---s####.g####.com:443
- UDP p####.google####.com:443
- UDP rr1---s####.g####.com:443
- UDP gmscomp####.google####.com:443
DNS requests:
- and####.a####.go####.com
- and####.google####.com
- gmscomp####.google####.com
- m####.go####.com
- p####.google####.com
- rr1---s####.g####.com
- rr2---s####.g####.com
File system changes:
Creates the following files:
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex.flo...leted)
- /data/data/####/CallLogs.txt
- /data/data/####/Dname-journal
- /data/data/####/Tree.txt
- /data/data/####/accounts.txt
- /data/data/####/contacts.txt
- /data/data/####/netinfo.txt
- /data/data/####/pkinfo.txt
- /data/data/####/sense.system.android.updater_preferences.xml
- /data/data/####/sms.txt
- /data/data/####/sp.xml
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/log -p d -t su /dev/com.android.settings/.socket3390
- /system/bin/log -p d -t su 10065 /system/bin/app_process64 executing 0 /system/bin/sh using binary /system/bin/sh : sh
- /system/bin/log -p d -t su child exited
- /system/bin/log -p d -t su client exited 1
- /system/bin/log -p d -t su connecting client 3377
- /system/bin/log -p d -t su connecting client 3523
- /system/bin/log -p d -t su connecting client 3725
- /system/bin/log -p d -t su db allowed
- /system/bin/log -p d -t su remote args: 1
- /system/bin/log -p d -t su remote pid: 3377
- /system/bin/log -p d -t su remote pid: 3523
- /system/bin/log -p d -t su remote pid: 3725
- /system/bin/log -p d -t su remote pts_slave:
- /system/bin/log -p d -t su remote req pid: 3349
- /system/bin/log -p d -t su remote req pid: 3488
- /system/bin/log -p d -t su remote uid: 10065
- /system/bin/log -p d -t su sending code
- /system/bin/log -p d -t su starting daemon client 10065 10065
- /system/bin/log -p d -t su su invoked.
- /system/bin/log -p d -t su waiting for child exit
- /system/bin/log -p d -t su waiting for user
- /system/bin/log -p e -t su sqlite3 open /data/user_de/0/com.android.settings/databases/su.sqlite failure: 14
- sh
- su
Uses elevated priveleges.
Accesses the ITelephony private interface.
Gets information about location.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
Parses information from SMS.
