Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Siggen.Susp.35894
Intercepts incoming SMS and terminates the process of their transmission to handlers of other apps.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) all####.hzdao####.com:80
- TCP(HTTP/1.1) pv.s####.com.####.com:80
- TCP(TLS/1.0) 2####.239.32.223:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) rr6---s####.g####.com:443
- TCP(TLS/1.0) rr17---####.g####.com:443
- TCP(TLS/1.2) 1####.250.74.3:443
- TCP(TLS/1.2) 1####.250.74.142:443
- TCP(TLS/1.2) 1####.250.74.132:443
- TCP(TLS/1.2) and####.google####.com:443
- TCP(TLS/1.2) and####.a####.go####.com:443
DNS requests:
- a####.hzdao####.com
- all####.hzdao####.com
- and####.a####.go####.com
- and####.google####.com
- c####.api.eji####.com
- firebas####.google####.com
- i####.api.eji####.com
- p####.mili####.com
- p1.i####.cc
- pv.s####.com
- re####.api.eji####.com
- rr17---####.g####.com
- rr6---s####.g####.com
- ut####.cn
HTTP GET requests:
- pv.s####.com.####.com/cityjson?ie=####
HTTP POST requests:
- all####.hzdao####.com/core/init.json
File system changes:
Creates the following files:
- /data/data/####/.hptc_kache_.vasw.skde.ftky
- /data/data/####/MaiStore.db-journal
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/com.vasw.skde.ftky_preferences.xml
- /data/data/####/data.txt
- /data/data/####/metrics_guid
- /data/data/####/mj.apk
- /data/data/####/mj.dex
- /data/data/####/mj.dex.flock (deleted)
- /data/data/####/plus.dex
- /data/data/####/plus.dex.flock (deleted)
- /data/data/####/plus.jar
- /data/data/####/proc_auxv
- /data/data/####/share_data.xml
- /data/data/####/sms_db
- /data/data/####/sms_db-journal
- /data/data/####/twc.xml
- /data/data/####/utopay.dex
- /data/data/####/utopay.dex.flock (deleted)
- /data/data/####/utopay.jar
- /data/data/####/utopay_close.png
- /data/data/####/utopay_icon.gif
- /data/data/####/zzconfig.xml
- /data/media/####/poiwa
- /data/media/####/qshp_3001_2272.zip
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- getprop apps.customerservice.device
Loads the following dynamic libraries:
- libgame
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- DES
- DES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES
- AES-CBC-PKCS5Padding
- DES
- DES-CBC-PKCS5Padding
Accesses the ITelephony private interface.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
Parses information from SMS.
Gets information about sent/received SMS.
Requests the system alert window permission.
Attempts to detect sandbox environment.
