My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2018-10-04

Virus description added:

SHA1 hash:

  • 1d5cb15e64612fcf35eaf8af5e5a3303a2a3258a (libcore64.jar)


A trojan module that malicious actors embed into Android apps. For example, it was found in the firmware updating system app of the Elari Kidphone 4G smart watch. The module is used to collect and send confidential information to the C&C server and to receive and execute various commands.

Operating routine

The module represents a libcore64.jar file that is encrypted and stored in the application package of the main app. When the device is turned on for the first time, the trojan code (Android.DownLoader.3894) that is embedded into this app decrypts and launches the module. After that, whenever the device is powered on, as well as when the network connectivity is changed, the module is launched automatically.

Upon its launch, Android.DownLoader.812.origin connects to the C&C server at hxxp://mad[.]dwphonetest[.]com:58801/msg/pull with set time intervals. By default, the connection interval is 8 hours but it can be changed with the corresponding server command.

Upon successful connection, the trojan sends a request with the data to the C&C server. The transferred data is encrypted with base64 and can include:

  • d0version—trojan module version
  • d1session—an APP-REQ constant that is replaced by an s20 value
  • d2devid—device unique ID (IMEI for a GSM device or MEID or ESN for a CDMA device)
  • d3utdid—a unique UserTrack Device Identity
  • d4man—device manufacturer
  • d5mod—device model
  • d6osv—an OS version installed on the device
  • d8lang—OS default language
  • d9operator(mcc mnc)—mobile carrier ID (MCC+MNC)
  • daloc—geolocation data
  • dbmsisdn—mobile phone number
  • dciccid—SIM ID
  • ddimsi—a unique ID of the mobile operator subscriber
  • dedldir—a default location of the directory to store files downloaded from the Internet (for the internal storage the value is set as data, and for SD card the value is set as sd);
  • dfavaisize—free space of the internal storage available
  • dgtotalsize—total amount of the internal storage
  • c1appid—an RSOTA_APP_ID value from the app’s metadata
  • c2carrier_pkgname—a package name of the app with embedded trojan
  • c3channel—an RSOTA_CHANNEL_ID value from the app’s metadata
  • c4carrier_version—an coreVersion value
  • c5silent—a parameter indicating if the app with the trojan module is a system app
  • c6capability—an 01|02|03|04|05|08 value;
  • c7stub_version—an agentVersion value.

In response, the trojan can receive the following commands:

  • r2cycle—to change C&C server connection intervals
  • a0applist—to receive parameters for downloading, launching and installing apps:
    • a3pkgname
    • a5appversion
    • a20versionCode
    • a4appname
    • a6brief
    • a7objecturi
    • a8objectsize
    • a9icon
    • a10start
      • a11type
      • a12action
      • a13class
      • a14extra
    • a1correlator
    • a2taskid
    • a15operation—to perform action in accordance with the specified parameter value:
      • 1—to download and install an app
      • 2—to download, install and run an app
      • 3—to run specified app
    • l0link—to open a specified URL
  • a21caplist—to receive parameters for uninstalling apps, and for self-updating:
    • a3pkgname
    • a1correlator
    • a2taskid
    • a7objecturi
    • a8objectsize
    • a5appversion
    • a15operation — to perform an action in accordance with specified parameter value:
      • 4—to uninstall specified app
      • 8—to update the trojan module

Upon successful or failed task execution, the trojan connects to the C&C server at hxxp://mad[.]dwphonetest[.]com:58802/msg/post and sends a request with the task number and its status.

More details on Android.DownLoader.3894

News about the trojan

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android