Android.Triada.439

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.Triada.222.origin

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(HTTP/1.1) d####.c####.l####.####.com:80
TCP(HTTP/1.1) api.snail####.com:80
TCP(TLS/1.0) x####.tc.qq.com:443
TCP(TLS/1.0) owe.joy-r####.com:9050
TCP(TLS/1.0) regi####.xm####.xi####.com:443

DNS requests:

a####.u####.com
and####.b####.qq.com
api.snail####.com
cdn.joy-r####.com
owe.joy-r####.com
regi####.xm####.xi####.com
s.b####.g####.com

HTTP GET requests:

api.snail####.com/cloudmusic/api/getHasCoverAd?packagename=####&language...
api.snail####.com/cloudmusic/api/getSnailloveCoverAd?packagename=####&la...
d####.c####.l####.####.com/0c20e007-2b19-47cb-9d01-37cdc57d7436bdco_60013

HTTP POST requests:

a####.u####.com/app_logs
and####.b####.qq.com/rqd/async?aid=####

Modified file system:

Creates the following files:

<Package Folder>/.jiagu/libjiagu.so
<Package Folder>/app_aqPVSg3/tMS866P3hcq
<Package Folder>/app_bird_plugin/bird_plugin.dex
<Package Folder>/app_bird_plugin/bird_plugin.jar
<Package Folder>/app_bird_plugin/bird_plugin.jar.sig
<Package Folder>/app_bird_plugin/bird_plugin.tmp
<Package Folder>/app_bird_plugin/bird_plugin.tmp.sig
<Package Folder>/app_bird_plugin/update_lc
<Package Folder>/app_crashrecord/1002
<Package Folder>/app_crashrecord/1004
<Package Folder>/app_dex/patch.apk
<Package Folder>/app_tmpPatch/ec8fa812-6689-4b64-b51a-e3d2fe85c...leted)
<Package Folder>/app_tmpPatch/tmpPatch.apk
<Package Folder>/databases/alarm_color-journal
<Package Folder>/databases/bugly_db_-journal
<Package Folder>/databases/geofencing.db
<Package Folder>/databases/geofencing.db-journal
<Package Folder>/files/####/.jg.ic
<Package Folder>/files/.imprint
<Package Folder>/files/H4O783l.apk
<Package Folder>/files/local_crash_lock
<Package Folder>/files/native_record_lock
<Package Folder>/files/security_info
<Package Folder>/files/umeng_it.cache
<Package Folder>/shared_prefs/<Package>.BETA_VALUES.xml
<Package Folder>/shared_prefs/<Package>.BETA_VALUES.xml.bak
<Package Folder>/shared_prefs/BUGLY_COMMON_VALUES.xml
<Package Folder>/shared_prefs/CloudPreferences.cache.xml
<Package Folder>/shared_prefs/config.xml
<Package Folder>/shared_prefs/crashrecord.xml
<Package Folder>/shared_prefs/jg_so_upgrade_setting.xml
<Package Folder>/shared_prefs/mipush.xml
<Package Folder>/shared_prefs/mipush_extra.xml
<Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
<Package Folder>/shared_prefs/multidex.version.xml
<Package Folder>/shared_prefs/umeng_general_config.xml
<Package Folder>/tinker/####/changed_classes.dex.jar
<Package Folder>/tinker/####/patch-f586606d.apk
<Package Folder>/tinker/####/test.dex.jar
<Package Folder>/tinker/info.lock
<Package Folder>/tinker/patch.info
<Package Folder>/tinker_temp/patch.retry
<Package Folder>/tinker_temp/temp.apk
<SD-Card>/Android/####/log.lock
<SD-Card>/Android/####/log1.txt
<SD-Card>/BIRDDOWNLOAD/####/YvscMPs.xml

Miscellaneous:

Executes next shell scripts:

/system/bin/sh -c getprop
/system/bin/sh -c type su
<Package Folder>/app_aqPVSg3/tMS866P3hcq -p <Package> -s com.birdads.out.BGService -t 600
chmod 0755 <Package Folder>/app_aqPVSg3/tMS866P3hcq
chmod 755 <Package Folder>/.jiagu/libjiagu.so
getprop
sh <Package Folder>/app_aqPVSg3/tMS866P3hcq -p <Package> -s com.birdads.out.BGService -t 600

Loads the following dynamic libraries:

Bugly
libjiagu

Uses special library to hide executable bytecode.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Displays its own windows over windows of other applications.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial