Android.Toorch.2.origin

One of the Android.Toorch.1.origin components that encompasses the Trojan’s main malicious functionality. This component is a JAR file with the name libimpl.jar. Using the DexClassLoder class, it is loaded into the RAM. Once it is launched, it establishes a connection with the command and control server and receives from it the following configuration file:

<boolean name="android.library.libanalytics.action.self_update_last_is_success" 
value="true" />
<boolean name="android.library.libanalytics.action.upload_installed_apps_last_is_success" 
value="true" />
<boolean name="android.library.libanalytics.action.upload_device_info_last_is_success" 
value="true" />
<boolean name="android.library.libanalytics.action.upload_event_last_is_success" 
value="true" />
<boolean name="android.library.libanalytics.action.config_update_last_is_success" 
value="true" />

This Trojan’s component can execute the following actions:

• Send the signal about its successful launch.
• Download and install its own updates.
• Send the server detailed information about the infected device (ID, device model and manufacturer, SDK version of the operating system, GPS coordinates, and other useful data).
• Send the server the list of installed applications.
• Stealthily download, install, and remove programs specified by cybercriminals.