A Trojan for Android that serves as the executable Linux library incorporated into Android.Xiny.60 as an additional module. It is installed in a system catalog under the following path:
Android.Xiny.62 uses the Android.Xiny.61 Trojan to inject itself into the system processes of Google Play (com.android.vending) and Google Play Services (com.google.android.gms and co.google.android.gms.persistent) applications. Moreover, Android.Xiny.62 can inject itself into the zygote process, although this functionality is not used in this version of the malicious application.
Once downloaded, the igpld.so module determines which process it has infected. If it is the zygote process, Android.Xiny.62 intercepts the ioctl function and uses it to detect the launch of any new applications. If the Trojan detects a newly launched process, it injects the igpi.jar malicious library (Android.Xiny.60) into it. This library is then used to download and run additional Trojan modules.