Android.Hidden.8886

Technical information

Malicious functions:

Removes app icon from the screen.

Network activity:

Connects to:

UDP(DNS) 8####.8.4.4:53
TCP(HTTP/1.1) d1en85a####.cloudf####.net:80
TCP(HTTP/1.1) d1s0lgh####.cloudf####.net:80
TCP(TLS/1.0) www.gst####.com:443
TCP(TLS/1.0) instant####.google####.com:443
TCP(TLS/1.0) 2####.58.208.106:443
TCP(TLS/1.0) d1en85a####.cloudf####.net:443
TCP(TLS/1.0) 1####.217.17.74:443
TCP(TLS/1.0) android####.go####.com:443
TCP(TLS/1.0) 1####.217.168.206:443
TCP(TLS/1.0) md####.google####.com:443
TCP(TLS/1.2) 2####.58.208.106:443
TCP(TLS/1.2) 1####.217.19.195:443
TCP(TLS/1.2) 2####.58.208.110:443
TCP(TLS/1.2) 1####.217.168.206:443

DNS requests:

android####.go####.com
d1en85a####.cloudf####.net
d1s0lgh####.cloudf####.net
instant####.google####.com
md####.google####.com
www.gst####.com

HTTP GET requests:

d1en85a####.cloudf####.net/track.php?event=####&cnv_status=####
d1s0lgh####.cloudf####.net/fr?pn=####&sid=####&cv=####&uid=####&clid=###...
d1s0lgh####.cloudf####.net/ii?pn=####&sid=####&cv=####&uid=####&aid=####...
d1s0lgh####.cloudf####.net/md?pn=####&uid=####&clid=####&srcid=Y####&sid...
d1s0lgh####.cloudf####.net/mi?pn=####&sid=####&cv=####&uid=####&clid=###...

File system changes:

Creates the following files:

/data/data/####/File_001
/data/data/####/File_10
/data/data/####/File_11
/data/data/####/File_12
/data/data/####/File_13
/data/data/####/File_14
/data/data/####/File_15
/data/data/####/File_16
/data/data/####/File_17
/data/data/####/File_18
/data/data/####/File_19
/data/data/####/File_2 (deleted)
/data/data/####/File_20
/data/data/####/File_21
/data/data/####/File_22
/data/data/####/File_23
/data/data/####/File_24
/data/data/####/File_25
/data/data/####/File_26
/data/data/####/File_27
/data/data/####/File_28
/data/data/####/File_29
/data/data/####/File_3
/data/data/####/File_30
/data/data/####/File_31
/data/data/####/File_32
/data/data/####/File_33
/data/data/####/File_34
/data/data/####/File_35
/data/data/####/File_36
/data/data/####/File_37
/data/data/####/File_4
/data/data/####/File_5
/data/data/####/File_6
/data/data/####/File_7
/data/data/####/File_8
/data/data/####/File_9
/data/data/####/base.lock
/data/data/####/control_auth_cookie
/data/data/####/control_auth_cookie.tmp
/data/data/####/geoip
/data/data/####/geoip6
/data/data/####/libproxy.so
/data/data/####/libproxy.so (deleted)
/data/data/####/pid
/data/data/####/state.tmp
/data/data/####/tmp1024924590.dex
/data/data/####/tmp1024924590.dex.flock (deleted)
/data/data/####/tmp1024924590.jar
/data/data/####/tmp1074962915.dex
/data/data/####/tmp1074962915.dex.flock (deleted)
/data/data/####/tmp1074962915.jar
/data/data/####/tmp1156981149.dex
/data/data/####/tmp1156981149.dex.flock (deleted)
/data/data/####/tmp1156981149.jar
/data/data/####/tmp1284123917.dex
/data/data/####/tmp1284123917.dex.flock (deleted)
/data/data/####/tmp1284123917.jar
/data/data/####/tmp1543301008.dex
/data/data/####/tmp1543301008.dex.flock (deleted)
/data/data/####/tmp1543301008.jar
/data/data/####/tmp1667238923.dex
/data/data/####/tmp1667238923.dex.flock (deleted)
/data/data/####/tmp1667238923.jar
/data/data/####/tmp168656394.dex (deleted)
/data/data/####/tmp168656394.dex.flock (deleted)
/data/data/####/tmp168656394.jar
/data/data/####/tmp1778077592.dex (deleted)
/data/data/####/tmp1778077592.dex.flock (deleted)
/data/data/####/tmp1778077592.jar
/data/data/####/tmp1882378752.dex
/data/data/####/tmp1882378752.dex.flock (deleted)
/data/data/####/tmp1882378752.jar
/data/data/####/tmp1943084758.dex
/data/data/####/tmp1943084758.dex.flock (deleted)
/data/data/####/tmp1943084758.jar
/data/data/####/tmp1975447587.dex
/data/data/####/tmp1975447587.dex.flock (deleted)
/data/data/####/tmp1975447587.jar
/data/data/####/tmp1998193477.dex
/data/data/####/tmp1998193477.dex.flock (deleted)
/data/data/####/tmp1998193477.jar
/data/data/####/tmp2046810494.dex
/data/data/####/tmp2046810494.dex.flock (deleted)
/data/data/####/tmp2046810494.jar
/data/data/####/tmp205799714.dex
/data/data/####/tmp205799714.dex.flock (deleted)
/data/data/####/tmp205799714.jar
/data/data/####/tmp2079815291.dex
/data/data/####/tmp2079815291.dex.flock (deleted)
/data/data/####/tmp2079815291.jar
/data/data/####/tmp350347718.dex
/data/data/####/tmp350347718.dex.flock (deleted)
/data/data/####/tmp350347718.jar
/data/data/####/tmp430525573.dex (deleted)
/data/data/####/tmp430525573.dex.flock (deleted)
/data/data/####/tmp430525573.jar
/data/data/####/tmp484297264.dex
/data/data/####/tmp484297264.dex.flock (deleted)
/data/data/####/tmp484297264.jar
/data/data/####/tmp490461817.dex
/data/data/####/tmp490461817.dex.flock (deleted)
/data/data/####/tmp490461817.jar
/data/data/####/tmp536560324.dex (deleted)
/data/data/####/tmp536560324.dex.flock (deleted)
/data/data/####/tmp536560324.jar
/data/data/####/tmp58829793.dex
/data/data/####/tmp58829793.dex.flock (deleted)
/data/data/####/tmp58829793.jar
/data/data/####/tmp691484728.dex
/data/data/####/tmp691484728.dex.flock (deleted)
/data/data/####/tmp691484728.jar
/data/data/####/tmp794798750.dex (deleted)
/data/data/####/tmp794798750.dex.flock (deleted)
/data/data/####/tmp794798750.jar
/data/data/####/tmp850165066.dex
/data/data/####/tmp850165066.dex.flock (deleted)
/data/data/####/tmp850165066.jar
/data/data/####/tor
/data/data/####/torrc
/data/data/####/ysayudewq.xml

Miscellaneous:

Executes the following shell scripts:

/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1024924590.jar --oat-fd=57 --oat-location=/data/user/0/<Package>/code_cache/tmp1024924590.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1074962915.jar --oat-fd=54 --oat-location=/data/user/0/<Package>/code_cache/tmp1074962915.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1156981149.jar --oat-fd=44 --oat-location=/data/user/0/<Package>/code_cache/tmp1156981149.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1284123917.jar --oat-fd=58 --oat-location=/data/user/0/<Package>/code_cache/tmp1284123917.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1543301008.jar --oat-fd=36 --oat-location=/data/user/0/<Package>/code_cache/tmp1543301008.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1667238923.jar --oat-fd=35 --oat-location=/data/user/0/<Package>/code_cache/tmp1667238923.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp168656394.jar --oat-fd=57 --oat-location=/data/user/0/<Package>/code_cache/tmp168656394.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1778077592.jar --oat-fd=55 --oat-location=/data/user/0/<Package>/code_cache/tmp1778077592.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1882378752.jar --oat-fd=40 --oat-location=/data/user/0/<Package>/code_cache/tmp1882378752.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1943084758.jar --oat-fd=41 --oat-location=/data/user/0/<Package>/code_cache/tmp1943084758.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1975447587.jar --oat-fd=57 --oat-location=/data/user/0/<Package>/code_cache/tmp1975447587.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp1998193477.jar --oat-fd=47 --oat-location=/data/user/0/<Package>/code_cache/tmp1998193477.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp2046810494.jar --oat-fd=56 --oat-location=/data/user/0/<Package>/code_cache/tmp2046810494.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp205799714.jar --oat-fd=36 --oat-location=/data/user/0/<Package>/code_cache/tmp205799714.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp2079815291.jar --oat-fd=35 --oat-location=/data/user/0/<Package>/code_cache/tmp2079815291.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp350347718.jar --oat-fd=42 --oat-location=/data/user/0/<Package>/code_cache/tmp350347718.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp430525573.jar --oat-fd=55 --oat-location=/data/user/0/<Package>/code_cache/tmp430525573.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp484297264.jar --oat-fd=36 --oat-location=/data/user/0/<Package>/code_cache/tmp484297264.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp490461817.jar --oat-fd=50 --oat-location=/data/user/0/<Package>/code_cache/tmp490461817.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp536560324.jar --oat-fd=56 --oat-location=/data/user/0/<Package>/code_cache/tmp536560324.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp58829793.jar --oat-fd=43 --oat-location=/data/user/0/<Package>/code_cache/tmp58829793.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp691484728.jar --oat-fd=36 --oat-location=/data/user/0/<Package>/code_cache/tmp691484728.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp794798750.jar --oat-fd=40 --oat-location=/data/user/0/<Package>/code_cache/tmp794798750.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/code_cache/tmp850165066.jar --oat-fd=42 --oat-location=/data/user/0/<Package>/code_cache/tmp850165066.dex --compiler-filter=speed
/system/lib/arm/houdini /data/user/0/<Package>/app_torfiles/tor /data/user/0/<Package>/app_torfiles/tor -f /data/user/0/<Package>/app_torfiles/torrc __OwningControllerProcess 3606
/system/lib/arm/houdini /data/user/0/<Package>/app_torfiles/tor /data/user/0/<Package>/app_torfiles/tor -f /data/user/0/<Package>/app_torfiles/torrc __OwningControllerProcess 4016
/system/lib/arm/houdini /data/user/0/<Package>/app_torfiles/tor /data/user/0/<Package>/app_torfiles/tor -f /data/user/0/<Package>/app_torfiles/torrc __OwningControllerProcess 4233

Uses administrator priveleges.

Gets information about phone status (number, IMEI, etc.).

Gets information about active device administrators.

Gets information about accounts associated with the device (Google, Facebook, etc.).

Displays its own windows over windows of other apps.

Gets information about incoming/outgoing calls.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial