Technical information
Malicious functions:
Sends SMS messages:
- 1113443075: Grinch Cheese伱也唑嘚绌莱,你自記看笆 ynbcj.com
- 1135299580: Station WMD伱也唑嘚绌莱,你自記看笆 ynbcj.com
- 1262376158: Sprinkle Lovenuts伱也唑嘚绌莱,你自記看笆 ynbcj.com
- 13049769127: <IMEI> <System Property> <System Property> 4.3.1
- 13049769127: <SMS Content> 广播:<SMS Address>
- 13049769127: Are you this much buzy 内容:2021535231
- 13049769127: BangBabes Ur order is on the way. U SHOULD receive a Service Msg 2 dow
- 13049769127: U can call me now... 内容:6341938671
- 13049769127: 激活成功
- 1416452423: Station WMD伱也唑嘚绌莱,你自記看笆 ynbcj.com
- 1436823125: JesterZilla伱也唑嘚绌莱,你自記看笆 ynbcj.com
- 1756517929: Centurion Sherman伱也唑嘚绌莱,你自記看笆 ynbcj.com
Executes code of the following detected threats:
- Android.SmsSpy.651.origin
Removes its shortcut from the home screen.
Intercepts incoming SMS messages and terminates the process of their transmission to handlers of other applications.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(SMTP) smtp####.2####.com:25
DNS requests:
- and####.b####.qq.com
- s####.189.cn
HTTP POST requests:
- and####.b####.qq.com/rqd/async
Modified file system:
Creates the following files:
- <Package Folder>/databases/bugly_db_legu-journal
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/native_record_lock
- <Package Folder>/files/security_info
- <Package Folder>/mix.dex
- <Package Folder>/shared_prefs/configurations_data.xml
- <Package Folder>/tx_shell/libnfix.so
- <Package Folder>/tx_shell/libshella-2.10.7.1.so
- <Package Folder>/tx_shell/libufix.so
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.10.7.1.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
Loads the following dynamic libraries:
- Bugly
- libnfix
- libshella-2.10.7.1
- libufix
- nfix
- ufix
Uses the following algorithms to encrypt data:
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-GCM-NoPadding
Uses administrator priveleges.
Uses special library to hide executable bytecode.
Changes volume and vibration settings.
Gains access to telephone information (number, imei, etc.).
Gains access to information about active device administrators.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
Parses information from SMS messages.
Gains access to information about sent/received SMS messages.
