Technical information
Malicious functions:
Sends SMS messages:
- 13055064116: риложении http://sberbank.ru/sms/h1
- 13055064116: 发送号码是:<SMS Address> 短信内容:<SMS Content>
- 13055064116: 发送号码是:<SMS Address> 短信内容:VISA8551 Баланс: 6571.25р. Подробности в мобильном п
- 13055064116: 软件已安装。 当前手机型号<System Property> 软件到期时间 :2088-08-08
- 13055064116: 软件已激活防卸载
Removes its shortcut from the home screen.
Intercepts incoming SMS messages and terminates the process of their transmission to handlers of other applications.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) wap.n.sh####.com:80
- TCP(HTTP/1.1) box.jom####.com:80
- TCP(HTTP/1.1) hpd.b####.com:80
- TCP(HTTP/1.1) www.b####.com:80
- TCP(HTTP/1.1) www.go####.com:80
- TCP(HTTP/1.1) supermo####.jom####.com:80
- TCP(TLS/1.0) ext.b####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) g####.bdst####.com:443
- TCP(TLS/1.0) wap.n.sh####.com:443
- TCP(TLS/1.0) ss1.b####.com:443
DNS requests:
- ext.b####.com
- f####.b####.com
- g####.bdst####.com
- hm.b####.com
- hpd.b####.com
- m.b####.com
- s.bdst####.com
- sm.b####.com
- ss0.b####.com
- ss1.b####.com
- ss2.b####.com
- www.b####.com
- www.go####.com
HTTP GET requests:
- box.jom####.com/common/openjs/openBox.js?_v=####
- hpd.b####.com/v.gif?tid=####&ct=####&cst=####&logFrom=####&logInfo=####&...
- hpd.b####.com/v.gif?tid=####&funcSta=####&sourceSta=####&actionSta=####&...
- supermo####.jom####.com/static/wiseindex/iconfont/iconfont_2681c2d.ttf
- supermo####.jom####.com/static/wiseindex/img/ns_diff_color_v3_991d8b3.png
- supermo####.jom####.com/static/wiseindex/img/screen_icon_new.png
- supermo####.jom####.com/static/wiseindex/js/package/newsActivity_cec0252...
- supermo####.jom####.com/static/wiseindex/js/package/superframe_545f0a9.js
- wap.n.sh####.com/his?callback=####&type=####&pic=####&lid=####&ishome=##...
- wap.n.sh####.com/l=1/tc?r=####&logid=####&from=####&pu=####&ct=####&cst=...
- wap.n.sh####.com/se/static/amd_modules/vip-server-renderer/js/atom.min_8...
- wap.n.sh####.com/se/static/img/iphone/logo.png
- wap.n.sh####.com/se/static/img/iphone/tab_loading__bg_logo.png
- wap.n.sh####.com/se/static/js/service/index_polymer_ea65954.js
- wap.n.sh####.com/se/static/js/service/index_seloader_release.js?v=####
- wap.n.sh####.com/static/index/plus/public/icon_police.png
- wap.n.sh####.com/static/search/clear.png
- wap.n.sh####.com/tc?tcreq4log=####&r=####&logid=####&from=####&pu=####&c...
- www.b####.com/
- www.b####.com/?action=####&ms=####&version=####&callback=####&r=####&sid...
- www.b####.com/?action=####&sid=####&ssid=####&from=####&pu=####&qid=####...
- www.go####.com/complete/search?hl=####&client=####&q=####
Miscellaneous:
Executes next shell scripts:
- app_process /system/bin com.android.commands.pm.Pm uninstall com.qihoo360.mobilesafe
- app_process /system/bin com.android.commands.pm.Pm uninstall com.tencent.qqpimsecure
- sh
- su
Loads the following dynamic libraries:
- APKProtect
Uses elevated priveleges.
Uses administrator priveleges.
Uses special library to hide executable bytecode.
Gains access to telephone information (number, imei, etc.).
Parses information from SMS messages.
