Android.Packed.34938

Added to the Dr.Web virus database: 2017-12-04

Virus description added: 2017-12-04

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.BackDoor.312
Android.Backdoor.547.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) cf.gdata####.net:80
TCP(HTTP/1.1) rd.gdata####.net:80

DNS requests:

cf.gdata####.net
cl.mo####.u####.com
i####.cn.com
j####.isix####.com
pg.x####.com
rd.gdata####.net

HTTP POST requests:

rd.gdata####.net/dc/sync_adr

Modified file system:

Creates the following files:

/data/anr/traces.txt
<Package Folder>/databases/MF_CFG-journal
<Package Folder>/databases/dataeye_database_F26766DB7A9C32139B6...19A.db
<Package Folder>/databases/dataeye_database_F26766DB7A9C32139B6...ournal
<Package Folder>/databases/talkingdata_app.db-journal
<Package Folder>/databases/vi_db_pay-journal
<Package Folder>/databases/webview.db-journal
<Package Folder>/files/####/bc2dc1ef-dce1-4795-a85d-f5de1d71bd75.zip
<Package Folder>/files/libexec.so
<Package Folder>/files/libexecmain.so
<Package Folder>/files/look
<Package Folder>/files/myfvu.jar
<Package Folder>/files/paylib.jar
<Package Folder>/files/talkingdata_app_process_preferences_file
<Package Folder>/files/talkingdata_app_version_preferences_file
<Package Folder>/shared_prefs/3cff577985556567209c8fa8131303f63...le.xml
<Package Folder>/shared_prefs/TD_app_pefercen_profile.xml
<Package Folder>/shared_prefs/dc.F26766DB7A9C32139B6C3865F566E1...es.xml
<Package Folder>/shared_prefs/dc.F26766DB7A9C32139B6C3865F566E1...ml.bak
<Package Folder>/shared_prefs/indion.xml
<Package Folder>/shared_prefs/initdata.xml
<Package Folder>/shared_prefs/pref_file.xml
<Package Folder>/shared_prefs/td_pefercen_profile.xml
<Package Folder>/shared_prefs/umeng_general_config.xml
<SD-Card>/.4d02db8e14/####/crash-2017-12-04-1512386720752.log
<SD-Card>/.4d02db8e14/####/crash-2017-12-04-1512386726369.log
<SD-Card>/.4d02db8e14/.fsks
<SD-Card>/.SystemService/####/2D7F07BB6125DEB407E92A22DC4AC550
<SD-Card>/.SystemService/####/oid
<SD-Card>/.SystemService/####/uid
<SD-Card>/.acterr
<SD-Card>/.tcookieid

Miscellaneous:

Executes next shell scripts:

/system/bin/sh
cat /sys/block/mmcblk0/device/cid
chmod 777 <Package Folder>/files/look
getprop ro.product.cpu.abi
ls -l /sbin/su
ls -l /system/bin/su
ls -l /system/sbin/su
ls -l /system/xbin/su
ls -l /vendor/bin/su
sh

Loads the following dynamic libraries:

cocos2dcpp
libexec
libexecmain

Uses special library to hide executable bytecode.

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Adds tasks to the system scheduler.

Gains access to information about sent/received SMS messages.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial