Android.BackDoor.2884

Added to the Dr.Web virus database: 2021-02-27

Technical information

Malicious functions:
Executes code of the following detected threats:
  • Android.Backdoor.657.origin
Network activity:
Connects to:
  • UDP(DNS) 8####.8.4.4:53
  • TCP(HTTP/1.1) pic.ange####.cn:80
  • TCP(HTTP/1.1) a.e####.cn:80
  • TCP(HTTP/1.1) 47.1####.96.64:80
  • TCP(HTTP/1.1) 1####.55.22.53:9099
  • TCP(HTTP/1.1) mon####.ssp.admo####.top:80
  • TCP(HTTP/1.1) dc.11####.com:80
  • TCP(HTTP/1.1) amdc####.m.ta####.com:80
  • TCP(HTTP/1.1) api.yidao####.com:80
  • TCP(HTTP/1.1) beacon####.aliy####.com:80
  • TCP(HTTP/1.1) and####.b####.qq.com:80
  • TCP(HTTP/1.1) sdk.ssp.admo####.top:80
  • TCP(HTTP/1.1) 47.1####.33.209:80
  • TCP(HTTP/1.1) u.ssp.admo####.top:80
  • TCP(HTTP/1.1) api.e####.cn:80
  • TCP(HTTP/1.1) luna-im####.qq.com.####.com:80
  • TCP(HTTP/1.1) 1####.31.213.162:80
  • TCP(HTTP/1.1) 1####.55.28.235:80
  • TCP(HTTP/1.1) s####.e.qq.com:80
  • TCP(HTTP/1.1) trac####.xind####.com:80
  • TCP(HTTP/1.1) j####.admo####.top:80
  • TCP(HTTP/1.1) 47.1####.44.93:80
  • TCP(TLS/1.0) api.e####.cn:443
  • TCP(TLS/1.0) ssl.google-####.com:443
  • TCP(TLS/1.0) 1####.250.179.202:443
  • TCP(TLS/1.0) i####.go-mp####.net.####.net:443
  • TCP(TLS/1.0) blackho####.m.jd.com:443
  • TCP(TLS/1.0) 1####.217.17.42:443
  • TCP(TLS/1.0) android####.go####.com:443
  • TCP(TLS/1.0) 1####.217.17.46:443
  • TCP(TLS/1.0) j####.admo####.top:443
  • TCP(TLS/1.0) q####.tc.qq.com:443
  • TCP(TLS/1.0) m.j####.com:443
  • TCP(TLS/1.0) m####.m.jd.com:443
  • TCP(TLS/1.0) w####.jd.com:443
  • TCP(TLS/1.0) c####.jd.com:443
  • TCP(TLS/1.0) i####.j####.com:443
  • TCP(TLS/1.0) a####.m.jd.com:443
  • TCP(TLS/1.0) al####.u####.com:443
  • TCP(TLS/1.0) ap####.uc.cn:443
  • TCP(TLS/1.0) i####.jd.com:443
  • TCP(TLS/1.0) cn-jdtr####.com.edg####.####.net:443
  • TCP(TLS/1.0) mi.g####.qq.com:443
  • TCP(TLS/1.0) regi####.xm####.xi####.com:443
  • TCP(TLS/1.0) instant####.google####.com:443
  • TCP(TLS/1.0) wildca####.go-mp####.net.####.net:443
  • TCP(TLS/1.0) p####.google####.com:443
  • TCP(TLS/1.0) www.j####.com:443
  • TCP(TLS/1.0) h5s####.m.jd.com:443
  • TCP(TLS/1.0) ur####.jd.com:443
  • TCP(TLS/1.0) securit####.sp####.mig.####.net:443
  • TCP(TLS/1.0) g####.jd.com:443
  • TCP(TLS/1.2) 1####.217.17.46:443
  • TCP(TLS/1.2) 1####.217.17.42:443
  • TCP(TLS/1.2) 1####.250.179.195:443
  • TCP(TLS/1.2) 1####.250.179.206:443
  • TCP zb-cent####.m.ta####.com:80
  • TCP zb-cent####.m.ta####.com:443
  • UDP s####.serv####.moz####.com:3478
DNS requests:
  • a####.m.jd.com
  • a####.man.aliy####.com
  • a.e####.cn
  • ad####.m.ta####.com
  • ada####.m.ta####.com
  • amdc####.m.ta####.com
  • and####.b####.qq.com
  • android####.go####.com
  • ap####.uc.cn
  • api.e####.cn
  • api.yidao####.com
  • beacon####.aliy####.com
  • blackho####.m.jd.com
  • c####.jd.com
  • c.go-mp####.net
  • dc.11####.com
  • g####.jd.com
  • g####.jd.com
  • h5.360bu####.com
  • h5s####.m.jd.com
  • httpdn####.aliy####.com
  • i####.360bu####.com
  • i####.jd.com
  • imgc####.qq.com
  • instant####.google####.com
  • j####.admo####.top
  • m####.go####.com
  • m####.m.jd.com
  • m.360bu####.com
  • mi.g####.qq.com
  • mon####.ssp.admo####.top
  • p####.google####.com
  • p####.m.jd.com
  • pic.ange####.cn
  • q####.qq.com
  • regi####.xm####.xi####.com
  • s####.e.qq.com
  • s####.serv####.moz####.com
  • s.go-mp####.net
  • sdk.ssp.admo####.top
  • ssl.google-####.com
  • sto####.360bu####.com
  • t####.m.qq.com
  • trac####.xind####.com
  • u####.u####.com
  • u.ssp.admo####.top
  • umen####.m.ta####.com
  • umengj####.m.ta####.com
  • ur####.jd.com
  • w####.jd.com
  • w####.jd.com
  • wq.360bu####.com
HTTP GET requests:
  • a.e####.cn/favicon.ico
  • a.e####.cn/public/getClickUrlPoList.shtml?sd=####&machinedmp=####&oaid=#...
  • a.e####.cn/public/rab.shtml?id=####&network=####&machine=####
  • a.e####.cn/public/showUrlVisit.shtml?os=####&osversion=####&appversion=#...
  • api.e####.cn/public/getSecondaryHomeData.shtml?machine=####&appid=####&t...
  • api.yidao####.com/api/report?c=####&mst=####
  • api.yidao####.com/api/report?i=####
  • dc.11####.com/ip-service/ipExt/findInfoByIpMD5.json?keys=####&timeStamp=...
  • j####.admo####.top/jump/update/tracking?url=http://47.102.96.64/az/monit...
  • j####.admo####.top/jump/update/tracking?url=http://47.111.44.93/ad/repor...
  • j####.admo####.top/jump/update/tracking?url=http://api.yidaomobi.com/api...
  • j####.admo####.top/jump/update/tracking?url=http://tracking.xinduoad.com...
  • luna-im####.qq.com.####.com/qzone/biz/gdt/mod/android/AndroidAllInOne/pr...
  • pic.ange####.cn/web/256922188.jpg!s6
  • pic.ange####.cn/web/257066482.jpg!s6
  • pic.ange####.cn/web/257530622.jpg!s6
  • pic.ange####.cn/web/258237495.jpg!s6
  • pic.ange####.cn/web/262350514.jpg!s6
  • pic.ange####.cn/web/262978225.jpg!s6
  • pic.ange####.cn/web/264444203.jpg!s6
  • pic.ange####.cn/web/264666660.jpg!s6
  • trac####.xind####.com/tk?1####&g=####&fw=####&slot=####&df=####&sid=####...
  • trac####.xind####.com/tk?2####&g=####&fw=####&slot=####&df=####&sid=####...
HTTP POST requests:
  • amdc####.m.ta####.com/amdc/mobileDispatch?appkey=####&deviceId=####&plat...
  • and####.b####.qq.com/rqd/async?aid=####
  • beacon####.aliy####.com/beacon/fetch/config/byappkey
  • dc.11####.com//log/getToken.json
  • dc.11####.com//log/strlog.json
  • dc.11####.com/log/getData
  • dc.11####.com/u-service/getId
  • mon####.ssp.admo####.top/adReport?adType=####&event=####&platform=####&g...
  • mon####.ssp.admo####.top/statistic
  • s####.e.qq.com/activate
  • sdk.ssp.admo####.top/config/init
  • u.ssp.admo####.top/task/url/list
File system changes:
Creates the following files:
  • /data/data/####/.cl
  • /data/data/####/.imprint
  • /data/data/####/.jg.ic
  • /data/data/####/.turing.dat
  • /data/data/####/0304b7e831950c24_0
  • /data/data/####/03ce807154344c1c_0
  • /data/data/####/06481f4e8aa43403_0
  • /data/data/####/0aa35428660934b5_0
  • /data/data/####/0aa35428660934b5_1
  • /data/data/####/0b75e054760e87b2_0
  • /data/data/####/0ce78a4cd25df061_0
  • /data/data/####/1002
  • /data/data/####/1004
  • /data/data/####/105498_auMini_1
  • /data/data/####/13efed99115a856e_0
  • /data/data/####/13efed99115a856e_1
  • /data/data/####/1416f4da233ec65233b16f4a6f686f16_0
  • /data/data/####/171279c3f7aaffff_0
  • /data/data/####/171279c3f7aaffff_1
  • /data/data/####/17398e5482968040_0
  • /data/data/####/1acf95ef74c2d49b_0
  • /data/data/####/1deed7936f7b7aa8_0
  • /data/data/####/1e3cf4bfcefe785d_0
  • /data/data/####/1e3cf4bfcefe785d_1
  • /data/data/####/1fc0596260b62d82_0
  • /data/data/####/28e12d1f4bad9af8_0
  • /data/data/####/29da46891a4d5e63_0
  • /data/data/####/2c649830da04d7ad_0
  • /data/data/####/2cbfe51bfd206f8a_0
  • /data/data/####/2ccee7e200dfa74c_0
  • /data/data/####/3395ab4ff6bfc33f8b3ccb22fd3b9c429b14ab7998260fc....0.tmp
  • /data/data/####/3695.yaqcookie
  • /data/data/####/3cc844ed03f43991_0
  • /data/data/####/401732baafd16718_0
  • /data/data/####/40f34fd2fd0a918f_0
  • /data/data/####/40f34fd2fd0a918f_1
  • /data/data/####/42159336a3b665d882d11de5837afe04c42af4f984738a8....0.tmp
  • /data/data/####/423b9c0b57d6a526_0
  • /data/data/####/44cd54788197eeee_0
  • /data/data/####/4f11af601a8caa74_0
  • /data/data/####/51be35cde47f0833_0
  • /data/data/####/53ee45fd5321b1e0_0
  • /data/data/####/556ea2a5968c6e3d_0
  • /data/data/####/57f4134502e1d6e1_0
  • /data/data/####/5cb6878037078d86_0
  • /data/data/####/5d58bcda667657f3_0
  • /data/data/####/5e43e309e6af847c_0
  • /data/data/####/5e43e309e6af847c_1
  • /data/data/####/600cab6fea988b6a_0
  • /data/data/####/600cab6fea988b6a_1
  • /data/data/####/60c3b0be2224dcb2e92de6b157103362ff63bdd88229a3d....0.tmp
  • /data/data/####/65ddeb272ae08109_0
  • /data/data/####/65ddeb272ae08109_1
  • /data/data/####/6620c0bd41103029e9f716e71b8aa9d91312e9f980ab7d4....0.tmp
  • /data/data/####/673e7e97fa245982_0
  • /data/data/####/67df075aace31263_0
  • /data/data/####/699f29a39082b0b8_0
  • /data/data/####/6cf9d4625c15632d_0
  • /data/data/####/6d52524f16d5c433_0
  • /data/data/####/6f0d6e95c208de2179ec9d90830f9c73cda936d3db6c821....0.tmp
  • /data/data/####/7032759767be1176_0
  • /data/data/####/7032759767be1176_1
  • /data/data/####/70c1d51663b60f5e_0
  • /data/data/####/727f1a26d0a75daa_0
  • /data/data/####/76a12070ce601320_0
  • /data/data/####/7a6742f18b2e516c_0
  • /data/data/####/7a6742f18b2e516c_1
  • /data/data/####/8543001f2376da38_0
  • /data/data/####/87b295bd0ed35929_0
  • /data/data/####/8861b038810f0014_0
  • /data/data/####/89b393ba93581718_0
  • /data/data/####/8d984b56370ef346_0
  • /data/data/####/8efa710074f892e1_0
  • /data/data/####/91431a731b940621_0
  • /data/data/####/92c2440041afcb19_0
  • /data/data/####/93c3fca555a974f5_0
  • /data/data/####/99843564aa2c4b83_0
  • /data/data/####/99843564aa2c4b83_1
  • /data/data/####/9eb483ee3e461626_0
  • /data/data/####/ACCS_BINDdefault.xml
  • /data/data/####/ACCS_SDK.xml
  • /data/data/####/ACCS_SDK_CHANNEL.xml
  • /data/data/####/AGOO_BIND.xml
  • /data/data/####/AdloadStore.xml
  • /data/data/####/AdmobileApiAd_4.8.4.dex
  • /data/data/####/AdmobileApiAd_4.8.4.dex (deleted)
  • /data/data/####/AdmobileApiAd_4.8.4.dex.flock (deleted)
  • /data/data/####/Agoo_AppStore.xml
  • /data/data/####/Alvin2.xml
  • /data/data/####/AndroidLogPlusXl_5.7.2.dex
  • /data/data/####/AndroidLogPlusXl_5.7.2.dex (deleted)
  • /data/data/####/AndroidLogPlusXl_5.7.2.dex.flock (deleted)
  • /data/data/####/BUGLY_COMMON_VALUES.xml
  • /data/data/####/BuglySdkInfos.xml
  • /data/data/####/ContextData.xml
  • /data/data/####/Cookies-journal
  • /data/data/####/ECIVRESHSUP1ENOKOOCE0NC.st
  • /data/data/####/ENOKOOCE0NC.st
  • /data/data/####/Ji.xml
  • /data/data/####/LENNAHC1ENOKOOCE0NC.st
  • /data/data/####/MessageStore.db-journal
  • /data/data/####/MsgLogStore.db-journal
  • /data/data/####/UM_PROBE_DATA.xml
  • /data/data/####/UTCommon.xml
  • /data/data/####/UTCommon.xml.bak
  • /data/data/####/WebViewChromiumPrefs.xml
  • /data/data/####/a44dc9ae05597849f93a19df28b0017b44a83ac2271b2b1....0.tmp
  • /data/data/####/a6b5de0306540881_0
  • /data/data/####/a6d6e4a7cafe62e342c8d78e76f8571b_0
  • /data/data/####/a81b6a6e5dd769f7_0
  • /data/data/####/a8ed7f95a15f212d_0
  • /data/data/####/a9d8c031a140d79c_0
  • /data/data/####/a9d8c031a140d79c_1
  • /data/data/####/a==9.3.0&&3.7.1_1614457073172_dW5pZnlfbG9ncw==;.log
  • /data/data/####/aa5912af77f6a5b9_0
  • /data/data/####/accs.db-journal
  • /data/data/####/ae1d677f4980dcd4_0
  • /data/data/####/ae1d677f4980dcd4_1
  • /data/data/####/af6a5bd06e4e0992ec7997c3b6069761cf89ddc1ba2f0eb....0.tmp
  • /data/data/####/agoo.pid
  • /data/data/####/ap.Lock
  • /data/data/####/bd9b642c941053ff_0
  • /data/data/####/be18eddcba8c4e79e761c913fbe81d34_0
  • /data/data/####/bugly_db_-journal
  • /data/data/####/c0379943abcf8684_0
  • /data/data/####/c086d9dce2ba1a10_0
  • /data/data/####/c3ce53a85d06ed10_0
  • /data/data/####/c429943189b6d112_0
  • /data/data/####/c6126ab9ae372c1e_0
  • /data/data/####/c6b9dd54f73de7ea_0
  • /data/data/####/cb0ce9da10746d8e2ef9ca542afa8cf67c55f76879364e5....0.tmp
  • /data/data/####/cdt.wa
  • /data/data/####/cebcf5aa65bf3a42_0
  • /data/data/####/cf60ecf539516ab7_0
  • /data/data/####/cf60ecf539516ab7_1
  • /data/data/####/cf635fe1e6779c19_0
  • /data/data/####/channel_umeng_common_config.xml
  • /data/data/####/channel_umeng_common_config.xml.bak
  • /data/data/####/classes.dex
  • /data/data/####/classes.dex;classes2.dex
  • /data/data/####/classes.dex;classes3.dex
  • /data/data/####/classes.dex;classes4.dex
  • /data/data/####/classes.dex;classes5.dex
  • /data/data/####/cn.admobiletop.admobile.api_redirect.xml
  • /data/data/####/cn.admobiletop.adsuyi
  • /data/data/####/cn.admobiletop.adsuyi-journal
  • /data/data/####/cn.admobiletop.adsuyi.machine.xml
  • /data/data/####/cn.admobiletop.adsuyi.xml
  • /data/data/####/cn.ecook.xml
  • /data/data/####/cn.ecookone.BETA_VALUES.xml
  • /data/data/####/cn.ecookone.BETA_VALUES.xml.bak
  • /data/data/####/cn.ecookone.xml
  • /data/data/####/cn.ecookone_preferences.xml
  • /data/data/####/cn.ecookone_vupDate.xml
  • /data/data/####/cn.ecookone_vupDate.xml.bak
  • /data/data/####/com.ciba.data.xml
  • /data/data/####/com.google.android.gms.analytics.prefs.xml
  • /data/data/####/com.google.android.gms.analytics.prefs.xml.bak
  • /data/data/####/com.qq.e.sdkconfig.xml
  • /data/data/####/com.qq.e.sdkconfig.xml.bak
  • /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info
  • /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info_cn.eco...ervice
  • /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info_cn.eco...hannel
  • /data/data/####/config
  • /data/data/####/cr.wa
  • /data/data/####/crashrecord.xml
  • /data/data/####/d5e08a1ea4a92c7a_0
  • /data/data/####/db60c1eccb575cf2_0
  • /data/data/####/de6fc6e6d00bdf773ac85456213ada55_0
  • /data/data/####/devCloudSetting.cfg
  • /data/data/####/devCloudSetting.sig
  • /data/data/####/dt.wa
  • /data/data/####/e098e2f59656825d_0
  • /data/data/####/e1c432002a4aa8d2_0
  • /data/data/####/e2c82b229211d5f8_0
  • /data/data/####/e3c9a901318c852f_0
  • /data/data/####/e3c9a901318c852f_1
  • /data/data/####/e40cd9069a92eeec_0
  • /data/data/####/e8a257ff8fe644e9b53ef8af54d1627c
  • /data/data/####/e8f182ccd531e6f1_0
  • /data/data/####/ecbb6f4227f82ddb_0
  • /data/data/####/ecookpush.db-journal
  • /data/data/####/ef8ae1348f604152b721c90e9febfbb3
  • /data/data/####/exchangeIdentity.json
  • /data/data/####/exid.dat
  • /data/data/####/f055a623f8dfd329_0
  • /data/data/####/f384a559c79d2012_0
  • /data/data/####/f9a605e8bb64e6cd_0
  • /data/data/####/f9a605e8bb64e6cd_0 (deleted)
  • /data/data/####/firstDate.xml
  • /data/data/####/gaClientId
  • /data/data/####/gdt_config.cfg
  • /data/data/####/gdt_plugin.dex
  • /data/data/####/gdt_plugin.dex.flock (deleted)
  • /data/data/####/gdt_plugin.jar
  • /data/data/####/gdt_plugin.jar.sig
  • /data/data/####/gdt_plugin.tmp
  • /data/data/####/gdt_plugin.tmp.sig
  • /data/data/####/gdt_suid
  • /data/data/####/geofencing.db
  • /data/data/####/geofencing.db-journal
  • /data/data/####/google_analytics_v4.db-journal
  • /data/data/####/httpdns_config_enable.xml
  • /data/data/####/https_pro.m.jd.com_0.localstorage-journal
  • /data/data/####/i==1.2.0&&3.7.1_1614457072214_dW5pZnlfbG9ncw==;.log
  • /data/data/####/index
  • /data/data/####/info.xml
  • /data/data/####/isFirstOpen.xml
  • /data/data/####/isNewUseUser.xml
  • /data/data/####/journal.tmp
  • /data/data/####/libMMANDKSignature.9dd3b77e.so
  • /data/data/####/libjiagu.so
  • /data/data/####/libturingau.9dd3b77e.so
  • /data/data/####/libyaqbasic.9dd3b77e.so
  • /data/data/####/libyaqpro.9dd3b77e.so
  • /data/data/####/local_crash_lock
  • /data/data/####/local_crash_lock (deleted)
  • /data/data/####/message_accs_db
  • /data/data/####/message_accs_db-journal
  • /data/data/####/metrics_guid
  • /data/data/####/mipush.xml
  • /data/data/####/mipush.xml.bak
  • /data/data/####/mipush_extra.xml
  • /data/data/####/mipush_region
  • /data/data/####/mipush_region.lock
  • /data/data/####/mpdc_105498_1
  • /data/data/####/native_record_lock
  • /data/data/####/native_record_lock (deleted)
  • /data/data/####/p==6.2.0&&3.7.1_1614457087192_dW1weF9wdXNoX2xhd...=;.log
  • /data/data/####/proc_auxv
  • /data/data/####/pushservice_umeng_common_config.xml
  • /data/data/####/pv.wa
  • /data/data/####/sdkCloudSetting.cfg
  • /data/data/####/sdkCloudSetting.sig
  • /data/data/####/security_info
  • /data/data/####/the-real-index
  • /data/data/####/tiny_data.data
  • /data/data/####/tiny_data.lock
  • /data/data/####/turingfd_conf_105498_auMini.xml
  • /data/data/####/turingfd_conf_105498_auMini.xml.bak
  • /data/data/####/turingfd_protect_105498_47_auMini.xml
  • /data/data/####/ua.db
  • /data/data/####/ua.db-journal
  • /data/data/####/um_pri.xml
  • /data/data/####/um_session_id.xml
  • /data/data/####/umeng_common_config.xml
  • /data/data/####/umeng_common_config.xml.bak
  • /data/data/####/umeng_common_location.xml
  • /data/data/####/umeng_general_config.xml
  • /data/data/####/umeng_general_config.xml.bak
  • /data/data/####/umeng_it.cache
  • /data/data/####/umeng_message_state.xml
  • /data/data/####/umeng_sp_zdata.xml
  • /data/data/####/umeng_zcfg_flag
  • /data/data/####/umeng_zero_cache.db
  • /data/data/####/umeng_zero_cache.db-journal
  • /data/data/####/unique
  • /data/data/####/update_lc
  • /data/data/####/ut.db
  • /data/data/####/ut.db-journal
  • /data/data/####/ver
  • /data/data/####/yaq.9dd3b77e.sec
  • /data/data/####/yaq2.9dd3b77e.sec
  • /data/data/####/yaq3_0.9dd3b77e.sec
  • /data/data/####/yaqsdkcookie
  • /data/data/####/z==1.2.0&&3.7.1_1614457059897_emNmZw==;.log
  • /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_e_qq_com_plugin_6ff16037237a893da281f6790181944c/gdt_plugin.jar --oat-fd=174 --oat-location=/data/user/0/<Package>/app_e_qq_com_dex_6ff16037237a893da281f6790181944c/gdt_plugin.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/cache/AdmobileApiAd_4.8.4.dex --oat-fd=169 --oat-location=/data/user/0/<Package>/app_admobile_api_dex/AdmobileApiAd_4.8.4.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/cache/AndroidLogPlusXl_5.7.2.dex --oat-fd=129 --oat-location=/data/user/0/<Package>/app_android_log_plus_xl/AndroidLogPlusXl_5.7.2.dex --compiler-filter=speed
  • /system/bin/df
  • /system/bin/getprop
  • getprop
  • ls /
  • ls /sys/class/thermal
  • sh -c type su
Uses the following algorithms to encrypt data:
  • AES-CBC-PKCS5PADDING
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-ECB-PKCS5Padding
  • AES-ECB-PKCS7Padding
  • AES-GCM-NoPadding
  • RSA-ECB-PKCS1Padding
  • RSA-NONE-PKCS1Padding
Uses the following algorithms to decrypt data:
  • AES
  • AES-CBC-PKCS5PADDING
  • AES-CBC-PKCS7Padding
  • AES-ECB-PKCS5Padding
  • AES-ECB-PKCS7Padding
  • AES-GCM-NoPadding
  • RSA-ECB-PKCS1Padding
  • RSA-NONE-PKCS1Padding
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.

Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular mobile device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.