Technical information
Malicious functions:
Sends SMS messages:
- 1046402336: Zesty Dragon;你看下这些影集怎么会有我和你 grstudio.cn 到底是谁帕下来的?
- 1201916811: Blinker;你看下这些影集怎么会有我和你 grstudio.cn 到底是谁帕下来的?
- 1242377475: Toe;你看下这些影集怎么会有我和你 grstudio.cn 到底是谁帕下来的?
- 1311437138: Chapstick;你看下这些影集怎么会有我和你 grstudio.cn 到底是谁帕下来的?
- 1321518946: Achilles Mountain;你看下这些影集怎么会有我和你 grstudio.cn 到底是谁帕下来的?
- 1343538450: Shwatson;你看下这些影集怎么会有我和你 grstudio.cn 到底是谁帕下来的?
- 1414519097: Disco Thunder;你看下这些影集怎么会有我和你 grstudio.cn 到底是谁帕下来的?
- 1415951338: Fast FLAK;你看下这些影集怎么会有我和你 grstudio.cn 到底是谁帕下来的?
- 15738792489: <IMEI> <System Property> <System Property> 4.3.1
- 15738792489: <SMS Content> 广播:<SMS Address>
- 15738792489: Just sent it. So what type of food do you like? 内容:6531339892
- 15738792489: 激活成功
- 1731886411: Iron Butterfly;你看下这些影集怎么会有我和你 grstudio.cn 到底是谁帕下来的?
Executes code of the following detected threats:
- Android.SmsSpy.651.origin
Removes its shortcut from the home screen.
Intercepts incoming SMS messages and terminates the process of their transmission to handlers of other applications.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(SMTP) s####.263.net:25
DNS requests:
- and####.b####.qq.com
- s####.263.net
HTTP POST requests:
- and####.b####.qq.com/rqd/async
Modified file system:
Creates the following files:
- /data/data/####/bugly_db_legu-journal
- /data/data/####/configurations_data.xml
- /data/data/####/libnfix.so
- /data/data/####/libshella-2.8.so
- /data/data/####/libufix.so
- /data/data/####/local_crash_lock
- /data/data/####/mix.dex
- /data/data/####/native_record_lock
- /data/data/####/security_info
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.8.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
Loads the following dynamic libraries:
- Bugly
- libnfix
- libshella-2.8
- libufix
- nfix
- ufix
Uses the following algorithms to encrypt data:
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-GCM-NoPadding
Uses administrator priveleges.
Uses special library to hide executable bytecode.
Changes volume and vibration settings.
Gains access to telephone information (number, imei, etc.).
Gains access to information about active device administrators.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
Parses information from SMS messages.
Gains access to information about sent/received SMS messages.
