Technical information
Malicious functions:
Prompts to install third-party apps.
Removes app icon from the screen.
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) android####.ru:80
- TCP(HTTP/1.1) prog-m####.com:80
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) 1####.250.27.95:443
- TCP(TLS/1.2) and####.cli####.go####.com:443
- TCP(TLS/1.2) 1####.250.102.94:443
- TCP(TLS/1.2) 1####.250.27.95:443
DNS requests:
- and####.cli####.go####.com
- and####.google####.com
- android####.go####.com
- android####.ru
- instant####.google####.com
- m####.go####.com
- prog-m####.com
HTTP GET requests:
- android####.ru/monitor_checker_link.php?ver=####
- prog-m####.com/am.html
HTTP POST requests:
- android####.ru/common/api.php?tp=####&type=####&count=####
- android####.ru/files/com.amon/MCh.apk
File system changes:
Creates the following files:
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex.flo...leted)
- /data/media/####/log_checker.txt
Miscellaneous:
Executes the following shell scripts:
- /system/bin/log -p d -t su /dev/com.android.settings/.socket3764
- /system/bin/log -p d -t su 10065 /system/bin/app_process32 executing 0 /system/bin/sh using binary /system/bin/sh : sh
- /system/bin/log -p d -t su child exited
- /system/bin/log -p d -t su remote args: 1
- /system/bin/log -p d -t su remote pid: 3751
- /system/bin/log -p d -t su remote pts_slave:
- /system/bin/log -p d -t su remote req pid: 3447
- /system/bin/log -p d -t su remote uid: 10065
- /system/bin/log -p d -t su sending code
- /system/bin/log -p d -t su su invoked.
- /system/bin/log -p d -t su waiting for child exit
- /system/bin/log -p d -t su waiting for user
- sh
Uses elevated priveleges.
Adds tasks to the system scheduler.
Intercepts notifications.
Requests the system alert window permission.
