SHA1:
- bc202804250692ffa889d96f056cc86422efbeb1
Detection name for the Excelliance software platform (SDK), which developers embed into Android games and applications. It is designed to optimize the update process, but it can also operate as a downloader Trojan and fetch and run other programs.
Android.DownLoader.558.origin is a JAR package named main2.jar. It is stored in encrypted form in the /assets directory of the application it is embedded into, alongside the application's other resources. On the first launch of the host program or game, the package is decrypted and executed. After that it runs on its own every time the mobile device connects to the Internet.
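A static triage check for the indicator described above, added here as an example and not code from the page or from the SDK itself. It builds a constructed sample APK in memory (not a real sample), looks for assets/main2.jar, and reports whether that entry is a plain readable JAR or an opaque, high-entropy blob as the page describes. The threshold of 7.0 bits per byte and the sample file contents are assumptions for illustration.

```python
import hashlib
import io
import math
import zipfile

# Indicator from the page: an encrypted JAR named main2.jar under /assets.
INDICATOR_PATH = "assets/main2.jar"
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a plain (unencrypted) JAR/zip
ENTROPY_THRESHOLD = 7.0    # assumed cut-off: encrypted data sits close to 8.0 bits/byte

# Constructed payloads: a pseudo-random blob standing in for the encrypted JAR,
# and a genuine (tiny) JAR built with zipfile standing in for a benign asset.
ENCRYPTED_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))


def _plain_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


PLAIN_JAR_SAMPLE = _plain_jar()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data; ~8.0 for encrypted or compressed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_sample_apk(payload) -> bytes:
    """Constructed APK-like zip; payload=None omits the indicator entry entirely."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        if payload is not None:
            z.writestr(INDICATOR_PATH, payload)
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Report whether assets/main2.jar exists and whether it is a readable JAR."""
    result = {"has_indicator": False, "is_plain_jar": None, "entropy": None}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        if INDICATOR_PATH not in apk.namelist():
            return result
        payload = apk.read(INDICATOR_PATH)
    result["has_indicator"] = True
    result["is_plain_jar"] = payload.startswith(ZIP_MAGIC)
    result["entropy"] = round(shannon_entropy(payload), 2)
    return result


def is_suspicious(triage: dict) -> bool:
    """The pattern from the page: main2.jar present but not a plain JAR (encrypted)."""
    return (
        triage["has_indicator"]
        and not triage["is_plain_jar"]
        and (triage["entropy"] or 0.0) > ENTROPY_THRESHOLD
    )


if __name__ == "__main__":
    for label, payload in (("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_JAR_SAMPLE), ("absent", None)):
        t = triage_apk(build_sample_apk(payload))
        print(label, t, "SUSPICIOUS" if is_suspicious(t) else "ok")
```

The file name alone is a weak signal, since a legitimate build of the same SDK ships the same asset; the combination of the expected path with a payload that is not a parseable JAR is what narrows the match to the encrypted form the page describes.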
Android.DownLoader.558.origin monitors the network connection state and, on every Internet connection or disconnection event, checks whether the command and control server http://sdk-o******eota.com is reachable. When contacting it, the Trojan sends requests of the following form:
/picksingleapk.php?chid=61762&imei=000000000000000&imsi=310260*******00&vercode=2***1&uid=30&
pkg=com.actgames.bbrr.sgp&api=19&release=4.4.2&sdkver=106870&brand=generic&
manufacturer=unknown&model=google_sdk&product=google_sdk...
In response, the Trojan can receive a command to download DEX, APK and ELF files.
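Detection logic for the check-in request shown above, added here as an example rather than code taken from the page. It parses constructed proxy log lines (not real traffic) and flags requests whose path and parameter set match the SDK's beacon, extracting the fields worth pivoting on (channel id, package name, SDK version). Because the C2 host is redacted on the page, a placeholder host and constructed parameter values are used; the log layout is an assumed "timestamp client method url" format.

```python
from urllib.parse import parse_qs, urlsplit

# Request shape taken from the page: path plus the parameter names of the beacon.
BEACON_PATH = "/picksingleapk.php"
REQUIRED_PARAMS = {
    "chid", "imei", "imsi", "vercode", "uid", "pkg",
    "api", "release", "sdkver", "brand", "manufacturer", "model", "product",
}

# Constructed log lines (assumed "ts client method url" layout). The host, IMSI,
# vercode and package name are placeholders, not values from the page.
SAMPLE_LOG = """\
1700000000.101 10.0.0.12 GET http://sdk-example.invalid/picksingleapk.php?chid=61762&imei=000000000000000&imsi=001010123456789&vercode=1&uid=30&pkg=com.example.host&api=19&release=4.4.2&sdkver=106870&brand=generic&manufacturer=unknown&model=google_sdk&product=google_sdk
1700000001.202 10.0.0.12 GET http://cdn.example.invalid/picksingleapk.php?foo=1
1700000002.303 10.0.0.13 GET http://www.example.invalid/index.php?chid=1&pkg=com.other.app
"""


def parse_beacon(url: str):
    """Return the check-in parameters if the URL has the beacon's shape, else None."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    # parse_qs tolerates the trailing '&' seen in the page's request.
    params = {k: v[0] for k, v in parse_qs(parts.query).items() if v}
    if not REQUIRED_PARAMS.issubset(params):
        return None
    return params


def scan_log(text: str):
    """Return one record per log line whose request matches the beacon."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        params = parse_beacon(url)
        if params is None:
            continue
        hits.append({
            "client": client,
            "host": urlsplit(url).hostname,
            "chid": params["chid"],
            "pkg": params["pkg"],
            "sdkver": params["sdkver"],
            # An all-zero IMEI usually means an emulator or a sandboxed analysis run.
            "null_imei": params["imei"].strip("0") == "",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on the full parameter set rather than the path alone keeps the rule from firing on unrelated endpoints that happen to share the file name, and the extracted pkg value identifies which installed application on the reporting device carries the SDK.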
Code from the downloaded DEX files is loaded and executed automatically with DexClassLoader; the loader code resides in the main application component (detected as Android.RemoteCode.81.origin).
Downloaded APK files are installed through the standard system installation dialog shown to the user. If the device has root access, however, they are installed automatically without any user interaction.
File permissions for downloaded APK and ELF files are set with the system utility chmod.