Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Loki.15.origin
- Android.SmsSend.1859.origin
- Android.Loki.10.origin
Removes its shortcut from the home screen.
Network activity:
Connecting to:
- trac####.####.com
- re####.####.com
- set####.####.com
- and####.####.com
- d####.####.com
- cdn####.####.com
- n####.####.com
- a####.####.com
HTTP GET requests:
- set####.####.com/appwall/setting?app_id=####&sign=####&platform=####&os_...
- trac####.####.com/click?mb_pl=####&mb_nt=####&mb_campid=####&aff_sub=###...
- n####.####.com/setting?app_id=####&sign=####
- set####.####.com/setting?unit_ids=####&app_id=####&sign=####&platform=##...
- n####.####.com/openapi/ad/v3?app_id=####&unit_id=####&req_type=####&only...
- d####.####.com/onlyImpression?k=####&p=####
- re####.####.com/ad/find?platform=####&os_version=####&package_name=####&...
- cdn####.####.com/cdn-adn/offersync/17/03/13/16/14/58c654d6792d5.png
- d####.####.com/click?k=####&p=####&q=####¬ice=####
- a####.####.com/com.gtarcade.lod?pid=####&af_click_lookback=####&c=####&c...
- cdn####.####.com/cdn-adn/offersync/17/03/28/18/30/58da3b5f853e1.jpg
- set####.####.com/setting?app_id=####&sign=####&platform=####&os_version=...
- d####.####.com/impression?k=####&p=####&q=####&x=####
- n####.####.com/openapi/ad/v3?app_id=####&unit_id=####&category=####&req_...
HTTP POST requests:
- a####.####.com/subscribe/api/1997
- and####.####.com/rqd/async
- a####.####.com/app_logs
Modified file system:
Creates the following files:
- /data/data/####/shared_prefs/com.nativedroid.sa.xml
- /data/data/####/files/qoTNtdFONGGUhUtMdaemon.so
- /data/data/####/shared_prefs/mobclick_agent_header_####.xml
- /data/data/####/cache/picasso-cache/0749ca48de6f610453c35a0f4a359ad0.1.tmp
- /data/data/####/shared_prefs/SSPPreference.xml.bak
- /data/data/####/mix.dex
- /data/data/####/cache/picasso-cache/38608c8d71612006ef4445cd3f9c6bb2.1.tmp
- /data/data/####/shared_prefs/SSPPreference.xml
- /data/data/####/cache/picasso-cache/0749ca48de6f610453c35a0f4a359ad0.0.tmp
- /data/data/####/shared_prefs/com.nativedroid.module.offerprobe.xml
- /data/data/####/cache/picasso-cache/journal.tmp
- /data/data/####/files/GheuNwdttQeoWzdCsa.jar
- /data/data/####/shared_prefs/sspwrap_prefs.xml.bak
- /data/data/####/databases/_nohttp_cookies_db.db-journal
- /data/data/####/databases/_nohttp_cookies_db.db
- /data/data/####/cache/picasso-cache/0f86ce2e5ef127aeac9bc532b6ce6733.0.tmp
- /data/data/####/files/ico.png
- /data/data/####/files/solibs/libRTOGVFzxWTKYIDCzdynamicloader.so
- /sdcard/.nativedroid/tick
- /data/data/####/app_indicators/indicator_p
- /data/data/####/shared_prefs/mobclick_agent_state_####.xml
- /sdcard/.mobvista700/download/-1670272049.temp
- /data/data/####/files/solibs/libDgZnWaZUpOQklAGLstub.so
- /data/data/####/files/DgZnWaZUpOQklAGLstub.jar
- /data/data/####/cache/picasso-cache/38608c8d71612006ef4445cd3f9c6bb2.0.tmp
- /sdcard/.nativedroid/####
- /data/data/####/shared_prefs/time_p.xml
- /sdcard/.googlex9/.xamdecoq0962
- /data/data/####/files/log/crash_log
- /data/data/####/databases/mobvista.msdk.db-journal
- /data/data/####/databases/_nohttp_cache_db.db
- /data/data/####/files/RTOGVFzxWTKYIDCzdynamicloader.jar
- /data/data/####/shared_prefs/mobvista.xml
- /data/data/####/shared_prefs/sspwrap_prefs.xml
- /data/data/####/databases/webview.db-journal
- /data/data/####/files/solibs/libGheuNwdttQeoWzdCsa.so
- /data/data/####/shared_prefs/mobclick_agent_state_####.xml.bak
- /data/data/####/databases/_nohttp_cache_db.db-journal
- /data/data/####/cache/picasso-cache/0f86ce2e5ef127aeac9bc532b6ce6733.1.tmp
- /data/data/####/files/log/agent_log
- /data/data/####/databases/bat_statistics.db-journal
- /data/data/####/shared_prefs/is_cut_first.xml
- /data/data/####/files/libaUrKTQmjoYYUyZNBbootstrap.so
- /data/data/####/files/mcr.apk
- /data/data/####/files/s
- /sdcard/Android/data/####/cache/.nomedia
- /data/data/####/files/security_info
- /data/data/####/databases/bugly_db_legu-journal
- /data/data/####/shared_prefs/sharedpreferences_batmobi_settings.xml
- /data/data/####/tx_shell/libshella-2.8.1.so
- /sdcard/.mobvista700/download/2082986419.temp
- /data/data/####/shared_prefs/com.nativedroid.sa.xml.bak
- /data/data/####/files/libdt.so
- /data/data/####/files/local_crash_lock
- /data/data/####/files/c
- /data/data/####/files/a
- /data/data/####/files/native_record_lock
- /data/data/####/shared_prefs/sdk_scl_pid_config.xml
- /data/data/####/app_indicators/indicator_d
Sets the 'executable' attribute to the following files:
- /data/data/####/tx_shell/libshella-2.8.1.so
Miscellaneous:
Executes next shell scripts:
- getprop ro.lewa.version
- /system/bin/dexopt --dex 27 74 40 1220 /data/data/####/files/DgZnWaZUpOQklAGLstub.jar 1232626690 169289847 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/f
- /system/bin/sh -c getprop ro.meizu.product.model
- getprop ro.gn.gnromvernumber
- /system/bin/sh -c type su
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.aa.romver
- logcat -d -v threadtime
- getprop ro.aa.romver
- /system/bin/dexopt --dex 27 73 40 764484 /data/data/####/files/GheuNwdttQeoWzdCsa.jar 1232626689 520346111 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/f
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/dexopt --dex 27 72 40 25968 /data/data/####/files/RTOGVFzxWTKYIDCzdynamicloader.jar 1232626673 -825495102 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/
- getprop ro.build.rom.id
- getprop ro.lenovo.series
- getprop ro.yunos.version
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- getprop ro.build.nubia.rom.name
- getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/dexopt --dex 27 56 40 60760 /data/data/####/files/mcr.apk 1233547725 946511212 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framework.jar /sy
- getprop ro.build.version.opporom
- getprop ro.meizu.product.model
- getprop ro.board.platform
- getprop ro.build.tyd.kbstyle_version
- /system/bin/dexopt --dex 27 55 40 292 /data/data/####/mix.dex 1493728883 -49011495 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framework.jar /system/fra
- chmod 700 /data/data/####/tx_shell/libshella-2.8.1.so
- getprop ro.vivo.os.build.display.id
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.build.version.emui
- getprop ro.build.version.emui
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
