Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Android.RemoteCode.8232

Added to the Dr.Web virus database: 2024-01-01

Virus description added:

Technical information

Malicious functions:
Executes code of the following detected threats:
  • Android.RemoteCode.251.origin
Network activity:
Connects to:
  • UDP(DNS) <Google DNS>
  • TCP(HTTP/1.1) a####.u####.com:80
  • TCP(HTTP/1.1) hw-o####.a.yx####.####.com:80
  • TCP(HTTP/1.1) ds-####.oss-acc####.aliy####.####.com:80
  • TCP(HTTP/1.1) g####.gif####.com:80
  • TCP(HTTP/1.1) 47.1####.152.28:80
  • TCP(HTTP/1.1) 64.2####.162.94:80
  • TCP(HTTP/1.1) v####.v####.yx####.####.com:80
  • TCP(TLS/1.0) rr2---s####.g####.com:443
  • TCP(TLS/1.0) n####.cdn.bc####.####.com:443
  • TCP(TLS/1.0) p####.adu####.com.####.cn:443
  • TCP(TLS/1.0) and####.a####.go####.com:443
  • TCP(TLS/1.0) 64.2####.162.94:443
  • TCP(TLS/1.0) s####.e.qq.com:443
  • TCP(TLS/1.0) p####.google####.com:443
  • TCP(TLS/1.0) rr9---s####.g####.com:443
  • TCP(TLS/1.0) rr18---####.g####.com:443
  • TCP(TLS/1.0) gro####.pangoli####.com.####.com:443
  • TCP(TLS/1.0) tx.a.k####.####.com:443
  • TCP(TLS/1.0) to####.ctobsn####.com.####.com:443
  • TCP(TLS/1.0) 1####.194.220.95:443
  • TCP(TLS/1.0) st####.yx####.com.####.net:443
  • TCP(TLS/1.0) t####.m.qq.com:443
  • TCP(TLS/1.0) pla####.google####.com:443
  • TCP(TLS/1.0) www.gst####.com:443
  • TCP(TLS/1.0) o####.e.kuai####.com:443
  • TCP(TLS/1.0) qzs.gd####.com.####.com:443
  • TCP(TLS/1.0) g####.gif####.com:443
  • TCP(TLS/1.2) 64.2####.162.94:443
  • TCP(TLS/1.2) 1####.177.14.99:443
  • TCP log####.pangoli####.com.####.net:443
  • TCP lf3-ad-####.pglstat####.com:443
  • UDP www.gst####.com:443
  • UDP p####.google####.com:443
  • TCP api-ac####.pangoli####.com.####.com:443
  • TCP v####.v####.yx####.####.com:443
DNS requests:
  • a####.u####.com
  • al####.a.yx####.com
  • and####.a####.go####.com
  • and####.google####.com
  • api####.oss-acc####.aliy####.com
  • api-ac####.pangoli####.com
  • api-ac####.pangoli####.com
  • g####.gif####.com
  • gmscomp####.google####.com
  • gro####.pangoli####.com
  • hw-o####.a.yx####.com
  • lf3-ad-####.pglstat####.com
  • log####.pangoli####.com
  • m####.vo####.com
  • n####.cdn.bc####.com
  • o####.e.kuai####.com
  • oc.u####.co
  • oc.u####.com
  • p####.ad####.com
  • p####.adu####.com
  • p####.google####.com
  • pla####.google####.com
  • qzs.gd####.com
  • rr18---####.g####.com
  • rr2---s####.g####.com
  • rr9---s####.g####.com
  • s####.e.qq.com
  • sf3-fe####.pglstat####.com
  • st####.yx####.com
  • t####.m.qq.com
  • to####.ctobsn####.com
  • tx.a.k####.com
  • ulog####.gif####.com
  • v####.v####.yx####.com
  • www.go####.com
  • www.gst####.com
  • zt.gif####.com
HTTP GET requests:
  • ds-####.oss-acc####.aliy####.####.com/api.txt?-187733####
  • ds-####.oss-acc####.aliy####.####.com/api.txt?-25832####
  • ds-####.oss-acc####.aliy####.####.com/api.txt?119142####
  • ds-####.oss-acc####.aliy####.####.com/api.txt?128206####
  • hw-o####.a.yx####.####.com/kos/nlav11461/r_ksad-video-top-bar.243.zip
  • hw-o####.a.yx####.####.com/kos/nlav11461/r_ksad-video-web-close-card.116...
  • n####.cdn.bc####.####.com:443/xiaoshuoplugin_tg_1106
  • o####.e.kuai####.com:443/rest/e/system/speed
  • p####.adu####.com.####.cn:443/udata/pkg/KS-Android-KSAdSDk/offline_compo...
  • qzs.gd####.com.####.com:443/union/res/android/plugin/plugin.dex-1421.jar
  • qzs.gd####.com.####.com:443/union/res/union_cdn/page/android/quickjs/lib...
  • st####.yx####.com.####.net:443/udata/pkg/KS-Android-KSAdSDk/tachikoma/3....
  • to####.ctobsn####.com.####.com:443/service/2/app_alert_check/?aid=####&t...
  • tx.a.k####.####.com:443/bs2/antispamWeaponApk/0981106345f4bacd15295b07b8...
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-exit-intent-popup.103.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-feed-back-card.110.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-feed-card.197.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-fullscreen-video-card.4...
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-image-video-card.287.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-installed-activate-card...
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-interstitial-card.707.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-live-video-card.339.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-neo-video-card.690.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-pre-landingpage-card.13...
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-push-card.104.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-splash-end-card.232.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-splash-play-card.303.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-video-bottom-card-v2.12...
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-video-confirm-card.118....
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-video-interact-card.152...
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-video-middle-card.129.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-video-secondclick-card....
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-video-task-card.128.zip
  • v####.v####.yx####.####.com/kos/nlav11461/r_ksad-video-topfloor.136.zip
HTTP POST requests:
  • a####.u####.com/app_logs
  • g####.gif####.com/r/t/h?timestamp=####&secretkey=####&appkey=####&sign=#...
  • g####.gif####.com:443/f/a/p?timestamp=####&secretkey=####&appkey=####&si...
  • g####.gif####.com:443/rest/infra/gdfp/a/q?timestamp=####&secretkey=####&...
  • g####.gif####.com:443/x/f/g?timestamp=####&secretkey=####&appkey=####&si...
  • gro####.pangoli####.com.####.com:443/api/ad/union/mediation/config/
  • gro####.pangoli####.com.####.com:443/mscc/common_setting_otob?lc_id=####...
  • gro####.pangoli####.com.####.com:443/ri/report_otob?lc_id=####&platform=...
  • o####.e.kuai####.com:443/rest/e/v3/open/config
  • o####.e.kuai####.com:443/rest/e/v3/open/sdk2
  • s####.e.qq.com:443/activate
  • s####.e.qq.com:443/event
  • s####.e.qq.com:443/mediation?version=####
  • s####.e.qq.com:443/msg
  • s####.e.qq.com:443/perf
  • t####.m.qq.com:443/?mc=####
  • to####.ctobsn####.com.####.com:443/service/2/app_log/?device_platform=##...
  • to####.ctobsn####.com.####.com:443/service/2/device_register_only/?aid=#...
  • to####.ctobsn####.com.####.com:443/service/2/log_settings/?device_platfo...
File system changes:
Creates the following files:
  • /data/data/####/-630614594783448885
  • /data/data/####/.bak
  • /data/data/####/.base.dex
  • /data/data/####/.base.dex.flock (deleted)
  • /data/data/####/.base.jar
  • /data/data/####/.imprint
  • /data/data/####/.msf3_31d659304230575c05a3c5ebd11c8d076e58118c
  • /data/data/####/.msf3_6f05be3a01810a12a0dce73b48e953e9237e0a2b
  • /data/data/####/.msf3_904f2636614f90c4f53ea2df4c3b31d5d606a64b
  • /data/data/####/.msp_092fde7a53a0274594af0984c7830fc0c13dc8bd
  • /data/data/####/.msp_589c22335a381f122d129225f5c0ba3056ed5811
  • /data/data/####/.mss_1f149f2d7f76b27fded4588b7ec7fb6dd577723d
  • /data/data/####/.mss_9b8ed9956d7e60469912dd239a0251f93cd1e80d
  • /data/data/####/.t.log
  • /data/data/####/.turing.dat
  • /data/data/####/105498_au_1
  • /data/data/####/1317362924-1506538232
  • /data/data/####/1871278429-310469596
  • /data/data/####/2-6.1.1.tmp
  • /data/data/####/2-6.1.1.zip
  • /data/data/####/3951.yaqcookie
  • /data/data/####/3f06333c7b7b14b581c65c10d5a986e2.tmp
  • /data/data/####/3f06333c7b7b14b581c65c10d5a986e2.tmp (deleted)
  • /data/data/####/972980811-14359712
  • /data/data/####/BuglySdkInfos.xml
  • /data/data/####/GDTSDK.db
  • /data/data/####/GDTSDK.db-journal
  • /data/data/####/Web Data-journal
  • /data/data/####/WebViewChromiumPrefs.xml
  • /data/data/####/acbd.xml
  • /data/data/####/aggregation_end_page_arrow.png
  • /data/data/####/aggregation_icon_ad.png
  • /data/data/####/aggregation_icon_backup.png
  • /data/data/####/aggregation_middle_icon.png
  • /data/data/####/aggregation_play_icon.png
  • /data/data/####/aggregation_right_bg.png
  • /data/data/####/aggregation_shop_bg.png
  • /data/data/####/base-1.apk
  • /data/data/####/base-1.dex
  • /data/data/####/base-1.dex.flock (deleted)
  • /data/data/####/bg_progressbar.png
  • /data/data/####/black_btn.json
  • /data/data/####/black_card.json
  • /data/data/####/btn_download.png
  • /data/data/####/btn_open_app.png
  • /data/data/####/btn_open_link.png
  • /data/data/####/c728032e0ee8348b8a27b52ee78da067.tmp
  • /data/data/####/c728032e0ee8348b8a27b52ee78da067.tmp (deleted)
  • /data/data/####/circle_skip.json
  • /data/data/####/close_gray.png
  • /data/data/####/com.android.miaodazi.app.xml
  • /data/data/####/com.android.miaodazi.app.xml.bak
  • /data/data/####/com.android.miaodazi.app_preferences.xml
  • /data/data/####/com.byted.pangle.m.apk
  • /data/data/####/com.qq.e.eaconfig.xml
  • /data/data/####/com.qq.e.sdkconfig.xml
  • /data/data/####/config
  • /data/data/####/cycle_ripple.json
  • /data/data/####/cycle_rotate.json
  • /data/data/####/db_lib.db
  • /data/data/####/db_lib.db-journal
  • /data/data/####/devCloudSetting.cfg
  • /data/data/####/devCloudSetting.sig
  • /data/data/####/download_sdk_config.sgv
  • /data/data/####/downloader.db
  • /data/data/####/downloader.db-journal
  • /data/data/####/ecb3b22be1397c6ceb8e7522f875cef3-d06e87bb919a07...4.conf
  • /data/data/####/ecb3b22be1397c6ceb8e7522f875cef3-d06e87bb919a07...leted)
  • /data/data/####/finger_animation.json
  • /data/data/####/finger_swipe_horizontal.json
  • /data/data/####/finger_swipe_vertical.json
  • /data/data/####/gdt_config.cfg
  • /data/data/####/gdt_plugin.dex
  • /data/data/####/gdt_plugin.dex.flock (deleted)
  • /data/data/####/gdt_plugin.jar
  • /data/data/####/gdt_plugin.jar.sig
  • /data/data/####/gdt_plugin.next
  • /data/data/####/gdt_plugin.next.sig
  • /data/data/####/gdt_plugin.tmp.sig
  • /data/data/####/gdt_stat.db
  • /data/data/####/gdt_stat.db-journal
  • /data/data/####/gdt_suid
  • /data/data/####/gift_bg_for_img.webp
  • /data/data/####/gift_bg_for_text.webp
  • /data/data/####/hand_click.json
  • /data/data/####/ic_arrow_right.png
  • /data/data/####/ic_force_close.png
  • /data/data/####/ic_play.png
  • /data/data/####/ic_rotate_arrow.png
  • /data/data/####/ic_rotate_phone.png
  • /data/data/####/ic_rotate_phone_vertical.png
  • /data/data/####/ic_shake.png
  • /data/data/####/ic_shake_combine_black.json
  • /data/data/####/ic_shake_combine_white.json
  • /data/data/####/ic_shake_hand.png
  • /data/data/####/ic_shake_red.png
  • /data/data/####/ic_shake_white.png
  • /data/data/####/ic_sound_off.png
  • /data/data/####/ic_sound_on.png
  • /data/data/####/ic_splash_default_bgimg.webp
  • /data/data/####/ic_splash_default_icon.png
  • /data/data/####/ic_splash_shake_hand.png
  • /data/data/####/ic_top_rotate_arrow.png
  • /data/data/####/icon_actionbar_back.png
  • /data/data/####/icon_actionbar_close.png
  • /data/data/####/icon_ksad_bubble_rain_bubble.png
  • /data/data/####/icon_ksad_bubble_rain_double_eleven.png
  • /data/data/####/icon_ksad_bubble_rain_golden_bubble.png
  • /data/data/####/icon_ksad_bubble_rain_golden_red_packet.png
  • /data/data/####/icon_ksad_bubble_rain_preheat_number1.png
  • /data/data/####/icon_ksad_bubble_rain_preheat_number2.png
  • /data/data/####/icon_ksad_bubble_rain_preheat_number3.png
  • /data/data/####/icon_ksad_bubble_rain_red_packet.png
  • /data/data/####/icon_ksad_circle_close.png
  • /data/data/####/icon_ksad_close.png
  • /data/data/####/icon_ksad_confirm_arrow.png
  • /data/data/####/icon_ksad_confirm_close.png
  • /data/data/####/icon_ksad_confirm_live.png
  • /data/data/####/icon_ksad_endcard_btn.png
  • /data/data/####/icon_ksad_endcard_close.png
  • /data/data/####/icon_ksad_endcard_giftbox.png
  • /data/data/####/icon_ksad_endcard_high_btn.png
  • /data/data/####/icon_ksad_endcard_shake.png
  • /data/data/####/icon_ksad_endcard_title.png
  • /data/data/####/icon_ksad_gift.png
  • /data/data/####/icon_ksad_gift_new.png
  • /data/data/####/icon_ksad_gift_small.png
  • /data/data/####/icon_ksad_mute.png
  • /data/data/####/icon_ksad_secondclick_close.png
  • /data/data/####/icon_ksad_secondclick_hand.png
  • /data/data/####/icon_ksad_secondclick_present.png
  • /data/data/####/icon_ksad_skip.png
  • /data/data/####/icon_ksad_sound.png
  • /data/data/####/icon_ksad_video_interact_button.png
  • /data/data/####/icon_ksad_video_interact_button_red.png
  • /data/data/####/icon_ksad_video_interact_error.png
  • /data/data/####/icon_ksad_video_interact_hand.png
  • /data/data/####/icon_ksad_video_interact_puzzle_mask.png
  • /data/data/####/icon_ksad_video_interact_puzzle_mask_tmp.png
  • /data/data/####/icon_ksad_video_interact_redbag.png
  • /data/data/####/icon_ksad_video_interact_right.png
  • /data/data/####/icon_ksad_video_intteract_close.png
  • /data/data/####/icon_ksad_video_task_close.png
  • /data/data/####/icon_ksad_video_task_finished.png
  • /data/data/####/icon_ksad_video_task_hand.png
  • /data/data/####/icon_ksad_video_task_tipsbg.png
  • /data/data/####/icon_ksad_video_task_unfinished.png
  • /data/data/####/icon_ksad_wave.png
  • /data/data/####/icon_ksad_wave2.png
  • /data/data/####/icon_ksad_white_right_arrow.png
  • /data/data/####/icon_up_arrow.png
  • /data/data/####/img_0.png
  • /data/data/####/img_red_packet_background.png
  • /data/data/####/interact_card_bg.png
  • /data/data/####/interact_card_bg_blue.png
  • /data/data/####/ksad-exit-intent-popup
  • /data/data/####/ksad-exit-intent-popup.103.js
  • /data/data/####/ksad-exit-intent-popup.103.json
  • /data/data/####/ksad-feed-back-card
  • /data/data/####/ksad-feed-back-card.110.js
  • /data/data/####/ksad-feed-back-card.110.json
  • /data/data/####/ksad-feed-card
  • /data/data/####/ksad-feed-card.197.js
  • /data/data/####/ksad-feed-card.197.json
  • /data/data/####/ksad-fullscreen-video-card
  • /data/data/####/ksad-fullscreen-video-card.498.js
  • /data/data/####/ksad-fullscreen-video-card.498.json
  • /data/data/####/ksad-image-video-card
  • /data/data/####/ksad-image-video-card.287.js
  • /data/data/####/ksad-image-video-card.287.json
  • /data/data/####/ksad-installed-activate-card
  • /data/data/####/ksad-installed-activate-card.101.js
  • /data/data/####/ksad-installed-activate-card.101.json
  • /data/data/####/ksad-interstitial-card
  • /data/data/####/ksad-interstitial-card.707.js
  • /data/data/####/ksad-interstitial-card.707.json
  • /data/data/####/ksad-live-video-card
  • /data/data/####/ksad-live-video-card.339.js
  • /data/data/####/ksad-live-video-card.339.json
  • /data/data/####/ksad-neo-video-card
  • /data/data/####/ksad-neo-video-card.690.js
  • /data/data/####/ksad-neo-video-card.690.json
  • /data/data/####/ksad-pre-landingpage-card
  • /data/data/####/ksad-pre-landingpage-card.136.js
  • /data/data/####/ksad-pre-landingpage-card.136.json
  • /data/data/####/ksad-push-card
  • /data/data/####/ksad-push-card.104.js
  • /data/data/####/ksad-push-card.104.json
  • /data/data/####/ksad-splash-end-card
  • /data/data/####/ksad-splash-end-card.232.js
  • /data/data/####/ksad-splash-end-card.232.json
  • /data/data/####/ksad-splash-play-card
  • /data/data/####/ksad-splash-play-card.303.js
  • /data/data/####/ksad-splash-play-card.303.json
  • /data/data/####/ksad-video-bottom-card-v2
  • /data/data/####/ksad-video-bottom-card-v2.129.js
  • /data/data/####/ksad-video-bottom-card-v2.129.json
  • /data/data/####/ksad-video-confirm-card
  • /data/data/####/ksad-video-confirm-card.118.js
  • /data/data/####/ksad-video-confirm-card.118.json
  • /data/data/####/ksad-video-interact-card
  • /data/data/####/ksad-video-interact-card.152.js
  • /data/data/####/ksad-video-interact-card.152.json
  • /data/data/####/ksad-video-middle-card
  • /data/data/####/ksad-video-middle-card.129.js
  • /data/data/####/ksad-video-middle-card.129.json
  • /data/data/####/ksad-video-secondclick-card
  • /data/data/####/ksad-video-secondclick-card.107.js
  • /data/data/####/ksad-video-secondclick-card.107.json
  • /data/data/####/ksad-video-task-card
  • /data/data/####/ksad-video-task-card.128.js
  • /data/data/####/ksad-video-task-card.128.json
  • /data/data/####/ksad-video-top-bar
  • /data/data/####/ksad-video-top-bar.243.js
  • /data/data/####/ksad-video-top-bar.243.json
  • /data/data/####/ksad-video-topfloor
  • /data/data/####/ksad-video-topfloor.136.js
  • /data/data/####/ksad-video-topfloor.136.json
  • /data/data/####/ksad-video-web-close-card
  • /data/data/####/ksad-video-web-close-card.116.js
  • /data/data/####/ksad-video-web-close-card.116.json
  • /data/data/####/ksad_endcard_rotate_arrow.json
  • /data/data/####/ksad_endcard_rotate_icon.json
  • /data/data/####/ksad_gift_box_0.png
  • /data/data/####/ksad_gift_box_1.png
  • /data/data/####/ksad_gift_box_2.png
  • /data/data/####/ksad_icon_close.png
  • /data/data/####/ksad_lottie_gift_box_transition_android.json
  • /data/data/####/ksad_lottie_gift_box_transition_ios.json
  • /data/data/####/ksad_web_close_agg_mid_close.png
  • /data/data/####/ksad_web_close_dialog_flag_image.png
  • /data/data/####/ksad_web_close_dialog_flag_title.png
  • /data/data/####/ksadrep.db-journal
  • /data/data/####/ksadsdk_JS_CONFIG.kva
  • /data/data/####/ksadsdk_JS_CONFIG.kvb
  • /data/data/####/ksadsdk_JS_CONFIG.xml
  • /data/data/####/ksadsdk_api_path.kva
  • /data/data/####/ksadsdk_api_path.kvb
  • /data/data/####/ksadsdk_api_path.xml
  • /data/data/####/ksadsdk_config.xml
  • /data/data/####/ksadsdk_config_request.kva
  • /data/data/####/ksadsdk_config_request.kvb
  • /data/data/####/ksadsdk_config_request.xml
  • /data/data/####/ksadsdk_data_flow_auto_start.kva
  • /data/data/####/ksadsdk_data_flow_auto_start.kvb
  • /data/data/####/ksadsdk_data_flow_auto_start.xml
  • /data/data/####/ksadsdk_device_sig.kva
  • /data/data/####/ksadsdk_device_sig.kvb
  • /data/data/####/ksadsdk_device_sig.xml
  • /data/data/####/ksadsdk_download_package_length.kva
  • /data/data/####/ksadsdk_download_package_length.kvb
  • /data/data/####/ksadsdk_download_package_length.xml
  • /data/data/####/ksadsdk_download_package_md5.kva
  • /data/data/####/ksadsdk_download_package_md5.kvb
  • /data/data/####/ksadsdk_download_package_md5.xml
  • /data/data/####/ksadsdk_egid.kva
  • /data/data/####/ksadsdk_egid.kvb
  • /data/data/####/ksadsdk_egid.xml
  • /data/data/####/ksadsdk_fullscreen_local_ad_count.kva
  • /data/data/####/ksadsdk_fullscreen_local_ad_count.kvb
  • /data/data/####/ksadsdk_fullscreen_local_ad_count.xml
  • /data/data/####/ksadsdk_gidExpireTimeMs.kva
  • /data/data/####/ksadsdk_gidExpireTimeMs.kvb
  • /data/data/####/ksadsdk_gidExpireTimeMs.xml
  • /data/data/####/ksadsdk_idc.kva
  • /data/data/####/ksadsdk_idc.kvb
  • /data/data/####/ksadsdk_idc.xml
  • /data/data/####/ksadsdk_interstitial_aggregate_daily_show_count.kva
  • /data/data/####/ksadsdk_interstitial_aggregate_daily_show_count.kvb
  • /data/data/####/ksadsdk_interstitial_aggregate_daily_show_count.xml
  • /data/data/####/ksadsdk_interstitial_daily_show_count.kva
  • /data/data/####/ksadsdk_interstitial_daily_show_count.kvb
  • /data/data/####/ksadsdk_interstitial_daily_show_count.xml
  • /data/data/####/ksadsdk_kv_perf.xml
  • /data/data/####/ksadsdk_local_ad_force_active.kva
  • /data/data/####/ksadsdk_local_ad_force_active.kvb
  • /data/data/####/ksadsdk_local_ad_force_active.xml
  • /data/data/####/ksadsdk_local_ad_force_active_data.kva
  • /data/data/####/ksadsdk_local_ad_force_active_data.kvb
  • /data/data/####/ksadsdk_local_ad_force_active_data.xml
  • /data/data/####/ksadsdk_local_ad_task_info.kva
  • /data/data/####/ksadsdk_local_ad_task_info.kvb
  • /data/data/####/ksadsdk_local_ad_task_info.xml
  • /data/data/####/ksadsdk_model.kva
  • /data/data/####/ksadsdk_model.kvb
  • /data/data/####/ksadsdk_model.xml
  • /data/data/####/ksadsdk_model.xml.bak
  • /data/data/####/ksadsdk_mplogseq.kva
  • /data/data/####/ksadsdk_mplogseq.kvb
  • /data/data/####/ksadsdk_mplogseq.xml
  • /data/data/####/ksadsdk_notification_download_complete.kva
  • /data/data/####/ksadsdk_notification_download_complete.kvb
  • /data/data/####/ksadsdk_notification_download_complete.xml
  • /data/data/####/ksadsdk_perf.xml
  • /data/data/####/ksadsdk_perf.xml.bak
  • /data/data/####/ksadsdk_pref.kva
  • /data/data/####/ksadsdk_pref.kvb
  • /data/data/####/ksadsdk_pref.xml
  • /data/data/####/ksadsdk_rep.kva
  • /data/data/####/ksadsdk_rep.kvb
  • /data/data/####/ksadsdk_rep.xml
  • /data/data/####/ksadsdk_reward_auto_call_app_card_show_count.kva
  • /data/data/####/ksadsdk_reward_auto_call_app_card_show_count.kvb
  • /data/data/####/ksadsdk_reward_auto_call_app_card_show_count.xml
  • /data/data/####/ksadsdk_reward_full_ad_jump_direct.kva
  • /data/data/####/ksadsdk_reward_full_ad_jump_direct.kvb
  • /data/data/####/ksadsdk_reward_full_ad_jump_direct.xml
  • /data/data/####/ksadsdk_reward_reflow_config.kva
  • /data/data/####/ksadsdk_reward_reflow_config.kvb
  • /data/data/####/ksadsdk_reward_reflow_config.xml
  • /data/data/####/ksadsdk_sdk_config_data
  • /data/data/####/ksadsdk_seq.kva
  • /data/data/####/ksadsdk_seq.kvb
  • /data/data/####/ksadsdk_seq.xml
  • /data/data/####/ksadsdk_so_load_times.kva
  • /data/data/####/ksadsdk_so_load_times.kvb
  • /data/data/####/ksadsdk_so_load_times.xml
  • /data/data/####/ksadsdk_solder.kva
  • /data/data/####/ksadsdk_solder.kvb
  • /data/data/####/ksadsdk_solder.xml
  • /data/data/####/ksadsdk_splash_daily_show_count.kva
  • /data/data/####/ksadsdk_splash_daily_show_count.kvb
  • /data/data/####/ksadsdk_splash_daily_show_count.xml
  • /data/data/####/ksadsdk_splash_local_rotate_active_count.kva
  • /data/data/####/ksadsdk_splash_local_rotate_active_count.kvb
  • /data/data/####/ksadsdk_splash_local_rotate_active_count.xml
  • /data/data/####/ksadsdk_splash_preload_id_list.kva
  • /data/data/####/ksadsdk_splash_preload_id_list.kvb
  • /data/data/####/ksadsdk_splash_preload_id_list.xml
  • /data/data/####/ksadsdk_wallpaper_path.kva
  • /data/data/####/ksadsdk_wallpaper_path.kvb
  • /data/data/####/ksadsdk_wallpaper_path.xml
  • /data/data/####/kscfg_outdfp.xml
  • /data/data/####/kssdk_api_pref.xml
  • /data/data/####/kssdk_kv_mode.xml
  • /data/data/####/left_arrow_black.png
  • /data/data/####/libMMANDKSignature.dd382f03.so
  • /data/data/####/libPglbizssdk_ml.so
  • /data/data/####/libavmdl_lite.so
  • /data/data/####/libc++_shared.so
  • /data/data/####/libkeva.so
  • /data/data/####/libkwad-fb.so
  • /data/data/####/libkwad-yoga.so
  • /data/data/####/libkwai-v8-lite.so
  • /data/data/####/libmaparmor.so
  • /data/data/####/libpanglearmor.so
  • /data/data/####/libquickjs.so
  • /data/data/####/libquickjs.zip (deleted)
  • /data/data/####/libtk_runtime_lite_v0_0_38.so
  • /data/data/####/libtobEmbedEncrypt.so
  • /data/data/####/libtobEmbedEncryptForM.so
  • /data/data/####/libttmplayer_lite.so
  • /data/data/####/libturingau.dd382f03.so
  • /data/data/####/libweapon611.so
  • /data/data/####/libyaqbasic.dd382f03.so
  • /data/data/####/libyaqpro.dd382f03.so
  • /data/data/####/lottie_bottom_mask_bounce.json
  • /data/data/####/lottie_hint_btn.json
  • /data/data/####/lottie_hint_hand.json
  • /data/data/####/lottie_red_packet_outside_background1.json
  • /data/data/####/lottie_ripple_btn.json
  • /data/data/####/lottie_ver_slide.json
  • /data/data/####/metrics_guid
  • /data/data/####/mobclick_agent_cached_com.android.miaodazi.app263
  • /data/data/####/mobclick_agent_online_setting_com.android.miaodazi.app.xml
  • /data/data/####/mpdc_105498_1
  • /data/data/####/mpdc_r_105498_1
  • /data/data/####/na.czl
  • /data/data/####/neo_live_shop_one.png
  • /data/data/####/neo_rotate.json
  • /data/data/####/neo_rotate_arrow.json
  • /data/data/####/neo_rotate_style_2.json
  • /data/data/####/neo_rotate_style_3.json
  • /data/data/####/neo_welfare_luminance.json
  • /data/data/####/packageIndex.json
  • /data/data/####/pangle_com.byted.pangle.m_applog_net_cache.dat.xml
  • /data/data/####/pangle_com.byted.pangle.m_applog_net_cache.dat.xml.bak
  • /data/data/####/pangle_com.byted.pangle.m_bd_embed_m_log.db
  • /data/data/####/pangle_com.byted.pangle.m_bd_embed_m_log.db-journal
  • /data/data/####/pangle_com.byted.pangle.m_bd_embed_tea_agent.db
  • /data/data/####/pangle_com.byted.pangle.m_bd_embed_tea_agent.db-journal
  • /data/data/####/pangle_com.byted.pangle.m_d8b674543fc0b023b69f6...04.xml
  • /data/data/####/pangle_com.byted.pangle.m_embed_applog_stats.xml
  • /data/data/####/pangle_com.byted.pangle.m_embed_header_custom.xml
  • /data/data/####/pangle_com.byted.pangle.m_embed_last_sp_session.xml
  • /data/data/####/pangle_com.byted.pangle.m_embed_last_sp_session.xml.bak
  • /data/data/####/pangle_com.byted.pangle.m_evt_upload_info.xml
  • /data/data/####/pangle_com.byted.pangle.m_evt_upload_info.xml.bak
  • /data/data/####/pangle_com.byted.pangle.m_freqctl_102532940.xml
  • /data/data/####/pangle_com.byted.pangle.m_npth.xml
  • /data/data/####/pangle_com.byted.pangle.m_npth_log.db
  • /data/data/####/pangle_com.byted.pangle.m_npth_log.db-journal
  • /data/data/####/pangle_com.byted.pangle.m_npth_m_log.db
  • /data/data/####/pangle_com.byted.pangle.m_npth_m_log.db-journal
  • /data/data/####/pangle_com.byted.pangle.m_pacing_102532940.xml
  • /data/data/####/pangle_com.byted.pangle.m_pangle_com.byted.pang...fo.xml
  • /data/data/####/pangle_com.byted.pangle.m_snssdk_openudid.xml
  • /data/data/####/pangle_com.byted.pangle.m_sp_bidding_opt_libra....leted)
  • /data/data/####/pangle_com.byted.pangle.m_sp_bidding_opt_libra.xml
  • /data/data/####/pangle_com.byted.pangle.m_tt_device_info.xml
  • /data/data/####/pangle_com.byted.pangle.m_tt_mediation_open_sdk.db
  • /data/data/####/pangle_com.byted.pangle.m_tt_mediation_open_sdk.db-journal
  • /data/data/####/pangle_com.byted.pangle.m_tt_mediation_ppe_info.xml
  • /data/data/####/pangle_com.byted.pangle.m_tt_sdk_settings_5448802.xml
  • /data/data/####/pangle_com.byted.pangle.m_tt_sdk_settings_other.xml
  • /data/data/####/pangle_com.byted.pangle.m_tt_sdk_settings_other.xml.bak
  • /data/data/####/pangle_com.byted.pangle.m_ttopensdk.db
  • /data/data/####/pangle_com.byted.pangle.m_ttopensdk.db-journal
  • /data/data/####/pangle_meta_data_sp.xml
  • /data/data/####/pangle_meta_data_sp.xml.bak
  • /data/data/####/plugin_oat_info.xml
  • /data/data/####/proc_auxv
  • /data/data/####/progress.json
  • /data/data/####/re_po_rt.xml
  • /data/data/####/report_cgi
  • /data/data/####/reward_swipe_right_00001.png
  • /data/data/####/reward_swipe_right_00002.png
  • /data/data/####/reward_swipe_right_00003.png
  • /data/data/####/reward_swipe_right_00004.png
  • /data/data/####/reward_swipe_right_00005.png
  • /data/data/####/reward_swipe_right_00006.png
  • /data/data/####/reward_swipe_right_00007.png
  • /data/data/####/reward_swipe_right_00008.png
  • /data/data/####/reward_swipe_right_00009.png
  • /data/data/####/reward_swipe_right_00010.png
  • /data/data/####/reward_swipe_right_00011.png
  • /data/data/####/reward_swipe_right_00012.png
  • /data/data/####/reward_swipe_right_00013.png
  • /data/data/####/reward_swipe_right_00014.png
  • /data/data/####/reward_swipe_right_00015.png
  • /data/data/####/reward_swipe_right_00016.png
  • /data/data/####/reward_swipe_right_00017.png
  • /data/data/####/reward_swipe_right_00018.png
  • /data/data/####/reward_swipe_right_00019.png
  • /data/data/####/reward_swipe_right_00020.png
  • /data/data/####/reward_swipe_right_00021.png
  • /data/data/####/reward_swipe_right_00022.png
  • /data/data/####/reward_swipe_right_00023.png
  • /data/data/####/reward_swipe_right_00024.png
  • /data/data/####/reward_swipe_right_00025.png
  • /data/data/####/rotate_shake_arrow.png
  • /data/data/####/rotate_shake_gray.png
  • /data/data/####/rotate_shake_hand.png
  • /data/data/####/rotate_shake_white.png
  • /data/data/####/scan_aggregation_back.png
  • /data/data/####/scan_aggregation_fingerbg.png
  • /data/data/####/scan_aggregation_live_goods.png
  • /data/data/####/scan_aggregation_loadbg.png
  • /data/data/####/scan_aggregation_sound.png
  • /data/data/####/scan_aggregation_video_goods.png
  • /data/data/####/scan_aggregation_widget.png
  • /data/data/####/scheme_list_data.sgv
  • /data/data/####/sdkCloudSetting.cfg
  • /data/data/####/sdkCloudSetting.sig
  • /data/data/####/tt_nd
  • /data/data/####/tt_sdk_settings_other.blk
  • /data/data/####/turingfd_conf_105498_au.xml
  • /data/data/####/umeng_general_config.xml
  • /data/data/####/umeng_it.cache
  • /data/data/####/update.lock
  • /data/data/####/update_lc
  • /data/data/####/video_play_icon.png
  • /data/data/####/w.db-journal
  • /data/data/####/white_btn.json
  • /data/data/####/white_card.json
  • /data/data/####/win.apk
  • /data/data/####/win.dex
  • /data/data/####/win.dex.flock (deleted)
  • /data/data/####/yaq.dd382f03.sec
  • /data/data/####/yaq2.dd382f03.sec
  • /data/data/####/yaq3_0.dd382f03.sec
  • /data/data/####/yaqsdkcookie
  • /data/media/####/.android_system_config.prop
  • /data/media/####/.oukdtft
  • /data/media/####/069a7bb8cb34867fb8e6fbfd3a50d6d3
  • /data/media/####/240c0470983a38ed1d56fa70297dca15
  • /data/media/####/29e172a04b388c45f45e05bd22cf6346
  • /data/media/####/clientudid.dat
  • /data/media/####/journal
  • /data/media/####/journal.tmp
  • /data/media/####/meta.dat
  • /data/media/####/temp_pkg_info.json
  • /data/media/####/user.data
  • /data/media/####/xiaoshuoplugin_tg_1106
  • /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
  • busybox df
  • id
  • which su
  • /data/user/0/<Package>/files/pangle_com.byted.pangle.m/tt_nd
  • /system/bin/cat /proc/cpuinfo
  • /system/bin/getprop
  • app_process /system/bin com.android.commands.am.Am get-config
  • app_process /system/bin com.android.commands.pm.Pm list features
  • app_process /system/bin com.android.commands.pm.Pm list libraries
  • app_process /system/bin com.android.commands.pm.Pm list packages -f
  • app_process /system/bin com.android.commands.pm.Pm path <Package>
  • app_process /system/bin com.android.commands.pm.Pm path com.ss.android.ugc.aweme
  • app_process /system/bin com.android.commands.pm.Pm path com.tencent.mm
  • app_process /system/bin com.android.commands.wm.Wm density
  • app_process /system/bin com.android.commands.wm.Wm size
  • busybox df
  • busybox lspci
  • cat /proc/sys/kernel/random/boot_id
  • cat /sys/devices/soc0/serial_number
  • chmod 777 /data/user/0/<Package>/files/pangle_com.byted.pangle.m/tt_nd
  • getenforce
  • getprop ro.build.version.emui
  • getprop ro.product.cpu.abi
  • grep <Package>
  • grep frida
  • grep frida-server
  • id
  • ip route
  • ls -al /proc/3951/fd
  • lspci
  • lsusb
  • netstat -nap
  • pidof adbd
  • ps
  • sh
  • sh -c ls -al /proc/3951/fd | grep frida
  • sh -c ps | grep <Package>
  • sh -c ps | grep frida-server
  • su -v
  • which su
Loads the following dynamic libraries:
  • libMMANDKSignature.dd382f03
  • libPglbizssdk_ml
  • libavmdl_lite
  • libc++_shared
  • libeInB
  • libkeva
  • libkwad-fb
  • libkwad-yoga
  • libkwai-v8-lite
  • libmaparmor
  • libpanglearmor
  • libquickjs
  • libsgcore
  • libtk_runtime_lite_v0_0_38
  • libtobEmbedEncrypt
  • libtobEmbedEncryptForM
  • libttmplayer_lite
  • libturingau.dd382f03
  • libweapon611
  • libyaqbasic.dd382f03
  • libyaqpro.dd382f03
Uses the following algorithms to encrypt data:
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-ECB-PKCS5Padding
  • AES-ECB-PKCS7Padding
Uses the following algorithms to decrypt data:
  • AES-CBC-PKCS5Padding
  • AES-ECB-PKCS5Padding
  • AES-ECB-PKCS7Padding
  • RSA-ECB-PKCS1Padding
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
Requests the system alert window permission.

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android