One of the Android.Toorch.1.origin components encompasses the Trojan’s main malicious functionality. This component is a JAR file named libimpl.jar, which the Trojan loads into memory using the DexClassLoader class. Once launched, it establishes a connection with the command and control server and receives from it the following configuration file:
```xml
<boolean name="android.library.libanalytics.action.self_update_last_is_success" value="true" />
<boolean name="android.library.libanalytics.action.upload_installed_apps_last_is_success" value="true" />
<boolean name="android.library.libanalytics.action.upload_device_info_last_is_success" value="true" />
<boolean name="android.library.libanalytics.action.upload_event_last_is_success" value="true" />
<boolean name="android.library.libanalytics.action.config_update_last_is_success" value="true" />
```
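Each entry in that file is a flag of the form `<prefix>.action.<action>_last_is_success`, so an analyst can recover the component's action list directly from the key names. The following parser is an added example for this write-up, not code from the Trojan or from the original description; it assumes the fragment arrives without a root element (as quoted above) and that the key layout is exactly the one shown.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the five <boolean> entries quoted in the write-up,
# delivered as a bare fragment with no enclosing root element.
SAMPLE_CONFIG = """
<boolean name="android.library.libanalytics.action.self_update_last_is_success" value="true" />
<boolean name="android.library.libanalytics.action.upload_installed_apps_last_is_success" value="true" />
<boolean name="android.library.libanalytics.action.upload_device_info_last_is_success" value="true" />
<boolean name="android.library.libanalytics.action.upload_event_last_is_success" value="true" />
<boolean name="android.library.libanalytics.action.config_update_last_is_success" value="true" />
"""

# Key layout seen in the sample: <prefix>.action.<action>_last_is_success
KEY_RE = re.compile(r"^(?P<prefix>.+)\.action\.(?P<action>[a-z_]+?)_last_is_success$")


def parse_action_flags(fragment: str) -> dict:
    """Return {action_name: bool} for every well-formed <boolean> entry.

    Entries whose name does not follow the *_last_is_success pattern, or
    whose value is not a boolean literal, are skipped rather than guessed at.
    """
    # Wrap the fragment so ElementTree sees a single document root.
    root = ET.fromstring("<map>" + fragment + "</map>")
    flags = {}
    for elem in root.findall("boolean"):
        name = elem.get("name", "")
        value = elem.get("value", "").lower()
        match = KEY_RE.match(name)
        if not match or value not in ("true", "false"):
            continue
        flags[match.group("action")] = (value == "true")
    return flags


def actions_reported_successful(fragment: str) -> list:
    """Sorted names of the actions whose last run the configuration marks as successful."""
    return sorted(action for action, ok in parse_action_flags(fragment).items() if ok)
```

Running it against the sample yields the five action names (self_update, upload_installed_apps, upload_device_info, upload_event, config_update), which line up with the capability list below.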
This Trojan component can execute the following actions:
- Report its successful launch to the server.
- Download and install its own updates.
- Send the server detailed information about the infected device (ID, device model and manufacturer, SDK version of the operating system, GPS coordinates, and other useful data).
- Send the server the list of installed applications.
- Stealthily download, install, and remove programs specified by the cybercriminals.