JavaScript support is required for our site to be fully operational in your browser.
Android.Packed.21106
Added to the Dr.Web virus database:
2017-05-02
Virus description added:
2017-05-02
Technical information
Malicious functions:
Executes code of the following detected threats:
Android.Triada.256.origin
Android.Triada.38.origin
Android.Triada.170.origin
Network activity:
Connecting to:
asd####.com
j####.####.COM
2y####.####.com
w####.####.com:10081
w####.####.com
b####.####.com
b####.####.com:10180
HTTP GET requests:
2y####.####.com/R4562458532240021
2y####.####.com/N6555212374124793
2y####.####.com/N9687742244553469
2y####.####.com/Z68KL1522154563421
2y####.####.com/R1255545233010010
2y####.####.com/R6214789642340040
HTTP POST requests:
b####.####.com:10180/device_info/store?time=####&channel=####
asd####.com/entry/sdk/init.pm
asd####.com/entry/sdk/ana.pm
w####.####.com:10081/OsService/OsStrategy
w####.####.com/OsService/OsStrategy
b####.####.com/device_info/store?time=####&channel=####
j####.####.COM/fsds988d1e7f2c2c/interface.php
Modified file system:
Creates the following files:
/data/data/####/shared_prefs/SHARE_APP_TAG.xml
/data/data/####/files/mySdk.jar
/data/data/####/databases/cc/cc.db
/data/data/####/databases/sdkdatabase-journal
/data/data/####/databases/cc/cc.db-journal
/data/data/####/shared_prefs/umeng_general_config.xml
/data/data/####/files/mobclick_agent_cached_####1
/data/data/####/shared_prefs/uuid.xml
/data/data/####/files/ru.apk
/data/data/####/files/gzpy.jar
/data/data/####/files/ru
/data/data/####/shared_prefs/xapcinfo.xml
/data/data/####/app_temp/wsp.jar
/data/data/####/databases/download.db-journal
/data/data/####/files/aspq.png
/data/data/####/files/Agcr.tmp
/data/data/####/shared_prefs/config.xml
/sdcard/Android/data/cache/uuid
/sdcard/db_20160505
/data/data/####/files/sss.pdb
/data/data/####/shared_prefs/umeng_general_config.xml.bak
/data/data/####/files/.Ag/Agcr
/data/data/####/files/gzpy
/data/data/####/shared_prefs/nt.xml
Sets the 'executable' attribute to the following files:
/data/data/####/files/.Ag/Agcr
Miscellaneous:
Executes next shell scripts:
service call appops 5 i32 15 i32 10044 s16 #### i32 0
service call appops 9 i32 15 i32 10044 s16 #### i32 0
/system/bin/dexopt --dex 27 66 40 208900 /data/data/####/files/mySdk.jar 1251311163 2000887099 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framew
getprop ro.product.cpu.abi
service call appops 3 i32 15 i32 10044 s16 #### i32 0
service call appops 16 i32 15 i32 10044 s16 #### i32 0
cufsmgr eb47495f7bb
/system/bin/dexopt --dex 27 47 40 77864 /data/data/####/files/gzpy.jar 1232949906 1792479911 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framewor
service call appops 7 i32 15 i32 10044 s16 #### i32 0
chmod 777 /data/data/####/files/.Ag/Agcr
service call appops 18 i32 15 i32 10044 s16 #### i32 0
cat /proc/version
service call appops 10 i32 15 i32 10044 s16 #### i32 0
service call appops 8 i32 15 i32 10044 s16 #### i32 0
chmod 777 /data/data/####/files/.Ag
service call appops 0 i32 15 i32 10044 s16 #### i32 0
service call appops 19 i32 15 i32 10044 s16 #### i32 0
service call appops 2 i32 15 i32 10044 s16 #### i32 0
service call appops 14 i32 15 i32 10044 s16 #### i32 0
cufsdosck ac554db364f
/system/bin/dexopt --dex 27 40 40 169504 /data/data/####/app_temp/wsp.jar 1231197563 872162192 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framew
getprop ro.board.platform
service call appops 4 i32 15 i32 10044 s16 #### i32 0
/system/bin/dexopt --dex 27 49 40 41264 /data/data/####/files/ru.apk 0 -2146930016 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framework.jar /sys
conbb od2gf04pd9
service call appops 6 i32 15 i32 10044 s16 #### i32 0
service call appops 1 i32 15 i32 10044 s16 #### i32 0
service call appops 13 i32 15 i32 10044 s16 #### i32 0
/system/bin/dexopt --dex 27 52 40 208900 /data/data/####/files/mySdk.jar 1251311163 2000887099 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framew
service call appops 11 i32 15 i32 10044 s16 #### i32 0
service call appops 12 i32 15 i32 10044 s16 #### i32 0
/system/bin/sh
sh
service call appops 17 i32 15 i32 10044 s16 #### i32 0
service call appops 15 i32 15 i32 10044 s16 #### i32 0
Contains functionality to send SMS messages automatically.
Curing recommendations
Android
If the mobile device is operating normally, download and install Dr.Web for Android Light . Run a full system scan and follow recommendations to neutralize the detected threats.
If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
Switch off your device and turn it on as normal.
Find out more about Dr.Web for Android
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK