Technical information
Malicious functions:
Removes its shortcut from the home screen.
Network activity:
Connecting to:
- u####.####.com
- ser####.####.net
- 1####.####.108
- a####.####.com
- i####.####.net
- m####.####.com
- 1####.####.108:8010
- s####.####.net
- appke####.####.com
HTTP GET requests:
- i####.####.net/userfiles/images/2017-05-10/ed1f4a2299bd4358b8c5eec954256...
- a####.####.com/Report/GetPushApp
- 1####.####.108:8010/m/umeng:53c3364556240b61020acd56/2008/Aps9dgCj1buq1y...
- u####.####.com/rest/api3.do?t=####&deviceId=####&imei=####&appKey=####&v...
- i####.####.net/userfiles/images/2017-05-10/c355510c38f14719808ee72da4978...
- i####.####.net/userfiles/images/2017-05-02/b9aec80937d8470c9e6b40beb37b5...
- appke####.####.com//BaseConfig/GetBaseConfigValue
- i####.####.net/upfiles/image/20170303/20170303150634_6039.jpg
- u####.####.com/rest/api3.do?ttid=####&t=####&imei=####&appKey=####&v=###...
- i####.####.net/userfiles/images/2017-05-24/f78eca05e9a6464da61eaa791c29e...
- i####.####.net/userfiles/images/2017-04-12/ede7a1a3d5444ca19bf0b21f42e4e...
- u####.####.com/activeip/?appkey=####&ttid=####&deviceId=####&imei=####&n...
- i####.####.net/userfiles/images/2017-04-28/d289c88b7e4d458a88182f7457985...
- 1####.####.108/m/umeng:53c3364556240b61020acd56/2008/Aps9dgCj1buq1yW0wQm...
- i####.####.net/userfiles/images/2017-04-12/1165058cecbd4927a97567c881001...
- a####.####.com/Customised/GetItemUrl
- i####.####.net/upfiles/image/20170531/20170531100600_6337.png
- i####.####.net/userfiles/images/2017-06-01/4014ba949b9c49a08f68cc10aa298...
- i####.####.net/upfiles/image/20170601/20170601170237_5933.png
- i####.####.net/userfiles/images/2017-06-01/e8d0b72c924444a986004ce104916...
- i####.####.net/userfiles/images/2017-04-19/4eccd6b81ec54be49140636d6a73f...
- u####.####.com/spdyip/?appkey=####&ttid=####&deviceId=####&imei=####&nt=...
- i####.####.net/upfiles/image/20170504/20170504141532_1662.jpg
- u####.####.com/rest/api3.do?ttid=####&t=####&deviceId=####&imei=####&app...
- i####.####.net/userfiles/images/2017-05-12/867d76367bc449e99f42ed819747d...
- s####.####.net/upgradeApp.aspx?packname=####&ver=####&coid=####&typeid=#...
- i####.####.net/userfiles/images/2017-06-01/a0e01cfb70474ff6ab92caa949d51...
HTTP POST requests:
- appke####.####.com//Faster/RefreshUserLoginInfo
- ser####.####.net/Mobile/Agg/V3000/Active.aspx?
- ser####.####.net/Mobile/Agg/V3000/SendApkInfo.aspx?
- appke####.####.com//Activity/GetLatest?
- appke####.####.com//Faster/WapFaster
- appke####.####.com/NoticeInformation/GetNoticeInformationInformationList?
- a####.####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&sv=#...
- m####.####.com/v2/register
- appke####.####.com//AppKeeper/GetAdvertList
- appke####.####.com/FloatingInformation/GetFloatingInformation?
- appke####.####.com/Report/ActiveStat
- appke####.####.com/BaseConfig/GetBaseConfigValue?
- a####.####.com/app_logs
- appke####.####.com/AppKeeper/GetCommonSwitch
- a####.####.com/rest/gc?ak=####&av=####&c=####&v=####&s=####&d=####&sv=##...
- appke####.####.com//AppKeeper/GetClassApkList
- a####.####.com/Stat/WapStatistics
Modified file system:
Creates the following files:
- <Package Folder>/databases/battery.db-journal
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/<Package>_preference.xml
- <Package Folder>/shared_prefs/zxly_agg.conf.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/s_update.xml
- <Package Folder>/files/.imprint
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/databases/com.zxly.Agg.db-journal
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/UTMCLog-513445323.xml
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <Package Folder>/files/recovery.dat
- <Package Folder>/shared_prefs/zxly_agg.conf.xml
- <Package Folder>/files/agoo.pid
- <Package Folder>/databases/agg_list.db-journal
- <Package Folder>/shared_prefs/queen_conf.xml.bak
- <Package Folder>/shared_prefs/UTMCBase.xml
- <Package Folder>/files/mobclick_agent_cached_<Package>2008
- <Package Folder>/files/DaemonServer
- <Package Folder>/files/init_er.pid
- <Package Folder>/databases/database.db-journal
- <Package Folder>/shared_prefs/AGOO_CONNECT.xml
- <Package Folder>/shared_prefs/AppStore.xml.bak
- <Package Folder>/shared_prefs/static_pref.xml.bak
- <Package Folder>/shared_prefs/AGOO_HOST.xml
- <Package Folder>/databases/replace_list.db-journal
- <Package Folder>/databases/xUtils.db-journal
- <Package Folder>/databases/agg_classify_new.db-journal
- <Package Folder>/databases/agg_classify_new.db
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/databases/agg_cfglist.db-journal
- <Package Folder>/databases/UmengLocalNotificationStore.db-journal
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/databases/database.db
- <Package Folder>/shared_prefs/UTMCConf-513445323.xml
- <Package Folder>/files/float.png
- <Package Folder>/shared_prefs/queen_conf.xml
- <Package Folder>/shared_prefs/PhoneUtil.xml
- <Package Folder>/shared_prefs/static_pref.xml
- <Package Folder>/databases/MsgLogStore.db-journal
Miscellaneous:
Executes next shell scripts:
- chmod 777 <Package Folder>/files/recovery.dat
- chmod 777 <Package Folder>/files/agg.xml
- <error:2>
- chmod 777 /data/system/zxly
- su
- <su-internal:result>
- /system/bin/sh
- sh
- <su-internal:request>
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -a <Package>.intent.action.COCKROACH --es cockroach cockroach-PPreotect --es pack <Package> --user 0 -f <Package Folder> -t 60 -c agoo.pid -P <Package Folder> -K 952
- chmod 500 <Package Folder>/files/DaemonServer
- chmod 777 /data/data/####/files/recovery.dat
- /system/bin/aggdll
- chmod 777 <Package Folder>/files/busybox
Uses elevated priveleges.
Contains functionality to send SMS messages automatically.
