Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.HiddenAds.102.origin
- Android.Loki.15.origin
- Android.Backdoor.336.origin
- Android.MulDrop.84.origin
Downloads the following detected threats from the Web:
- Android.Backdoor.336.origin
Removes its shortcut from the home screen.
Network activity:
Connecting to:
- buzzade####.com
- r####.####.com
- w####.####.com
- trac####.####.org
- u####.####.com
- a-####.eu
- google-####.com
- p####.####.com
- ip####.io
- l####.####.com
- m####.####.com
- statist####.com
- celery####.com
- flirt4####.com
- t####.####.xyz
- a####.####.com
- t####.####.com
- g####.####.com
- pha####.info
- traktra####.com
- adplexm####.####.com
- c####.####.com
- d####.####.com
- e####.####.com
- ad####.click
- nltopof####.com
HTTP GET requests:
- t####.####.xyz/aff_c?offer_id=####&aff_id=####&aff_sub=####&aff_sub2=###...
- g####.####.com/afu.php?zoneid=####
- buzzade####.com/a/display.php?stamat=####
- traktra####.com/?a_aid=####&page=####&clickid=####&pubid=####
- a####.####.com/pull/top_offer?gaid=####&id=####
- trac####.####.org/zp-redirect?target=####&caid=####&zpid=####&cid=####&r...
- adplexm####.####.com/imp?p=####&ct=####&ap=####&psid=####&referrer=####
- nltopof####.com/m/jpc/nl-6903s/sounds/win.mp3
- celery####.com/06m03/T5gKGQ/W5tP/X5ZeTvs/DdMCGqTF8rOVxtc_aaq8CGnWbwROhu6...
- ip####.io/json
- d####.####.com/thinking/group/rtt_0525_666.apk
- e####.####.com/c/da57dc555e50572d?s1=####&s2=####&s3=####&s5=####&click_...
- l####.####.com/assets/83434662/styles/layouts/layout-phone.css?v=####
- u####.####.com/zcvisitor/db2247a3-48ca-11e7-a799-0ab9d8bd89fa?campaignid...
- a-####.eu/casino/nl/index.html?voluumdata=####
- ad####.click/036082ee-c68f-49f5-8244-d4cbd37c9c20?aff_id=####&aff_sub=##...
- c####.####.com/landings/52883/1496407188/js/avsc2.js?149640####
- pha####.info/redirect?tid=####&ref=####&subid=####&q=####
- flirt4####.com/warning/girls?click_id=####&tracking_code=####
- e####.####.com/thinking/group/test4
- google-####.com/analytics.js
- w####.####.com/afu.php?zoneid=####
- r####.####.com/t/clk?id=####&s2=####
- statist####.com/adv_pxl?pid=####&id=####
HTTP POST requests:
- a####.####.com/app_logs
- m####.####.com/errorview/api/601
- t####.####.com/ggview/rsddateindex
- g####.####.com/pilot/api/300102
- p####.####.com/myservercb/api/1800
Modified file system:
Creates the following files:
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/files/.snow/.ir
- <Package Folder>/files/.snow/.dsmt.apk
- <Package Folder>/files/IQPFsmOUChmkwhbDdynamicloader.jar
- <Package Folder>/files/exid.dat
- <Package Folder>/files/.imprint
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/files/.snow/busybox
- <Package Folder>/files/.snow/.dico.apk
- <Package Folder>/files/hello/hello.dex
- <Package Folder>/files/.snow/.zip/mkdevsh
- <Package Folder>/files/.snow/.zip/r2
- <Package Folder>/files/.snow/.client
- <Package Folder>/files/.snow/.catr.apk
- <Package Folder>/files/.snow/.uks
- <Package Folder>/files/.snow/.dg
- <Package Folder>/files/.snow/checkFile13
- <Package Folder>/files/dbcbd7361f0fdf0d3db91bd4710f63ca.data
- <Package Folder>/files/.umeng/exchangeIdentity.json
- <Package Folder>/files/.snow/checkFile0
- <Package Folder>/files/source.apk
- <Package Folder>/files/.snow/.ukd
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/files/.snow/.dlsb.apk
- <Package Folder>/files/.snow/.uok
- <Package Folder>/files/wrhlrci/libRppEcpLJpRVcTveVlala.so
- <Package Folder>/files/.snow/.dlme.apk
- <Package Folder>/files/.snow/checkFile9
- <Package Folder>/cache/webviewCacheChromium/index
- <Package Folder>/files/.snow/myshell
- <Package Folder>/cache/webviewCacheChromium/f_000008
- <Package Folder>/files/.default/dbcbd7361f0fdf0d3db91bd4710f63ca.data.temp
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/files/wrhlrci/libhMEnYimzyYJbxvhuzxc.so
- <Package Folder>/cache/webviewCacheChromium/f_000001
- <Package Folder>/files/.snow/.service
- <Package Folder>/cache/webviewCacheChromium/f_000003
- <Package Folder>/cache/webviewCacheChromium/f_000002
- <Package Folder>/cache/webviewCacheChromium/f_000005
- <Package Folder>/cache/webviewCacheChromium/f_000004
- <Package Folder>/cache/webviewCacheChromium/f_000007
- <Package Folder>/cache/webviewCacheChromium/f_000006
- <Package Folder>/files/.snow/.zip/rsh
- <Package Folder>/files/.snow/ex0
- <Package Folder>/databases/ua.db
- <Package Folder>/files/.snow/a.xml
- <Package Folder>/files/hello.apk
- <Package Folder>/files/wrhlrci/libKueWuLGqMMnRgVVgbt.so
- <Package Folder>/files/.default/.p.apk
- <Package Folder>/files/.snow/supolicy
- <Package Folder>/files/wrhlrci/libIQPFsmOUChmkwhbDdynamicloader.so
- <Package Folder>/files/.snow/b.png
- <Package Folder>/files/.snow/checkFile5
- <Package Folder>/files/.snow/.zip/r1
- <Package Folder>/files/.snow/.zip/r4
- <Package Folder>/databases/cc.db
- <Package Folder>/files/.snow/.e0.data
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/.snow/.zip/r3
- <Package Folder>/files/.snow/.rshs
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/libswbqgonYxEgdlSXzbootstrap.so
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/files/.snow/.center.tapk
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/files/.snow/.zip/rt8
- <Package Folder>/cache/webviewCacheChromium/data_3
- <Package Folder>/cache/webviewCacheChromium/data_2
- <Package Folder>/cache/webviewCacheChromium/data_1
- <Package Folder>/cache/webviewCacheChromium/data_0
Miscellaneous:
Executes next shell scripts:
- chown 0:0 /system/app/oneshs.apk
- chown 0:0 /system/bin/debuggerd
- mount -wo remount rw /system
- chown 0.0 /system/bin/.author
- app_process /system/bin com.android.commands.pm.Pm disable com.num.hum.kong.ui.op.er
- chown 0:0 /system/app/Linkcai.apk
- chmod 777 <Package Folder>/files/.snow/.zip/
- app_process /system/bin com.android.commands.pm.Pm disable com.kai.kia.dou.ye.cai
- mount -o remount,rw /system
- chown 0.0 /system/xbin/.rainin
- chmod 777 <Package Folder>/files/.snow/b.png
- chown 0:0 /system/xbin/.cp
- chown 0:0 /data/local/tmp/.catr.apk
- chown 0.0 /system/app/Lowerp.apk
- chown 0:0 /system/app/LocalFacebook.apk
- chown 0.0 /system/app/Dingps.apk
- rm <Package Folder>/files/.snow/ex0
- app_process /system/bin com.android.commands.pm.Pm enable com.android.upon.hash
- rm <Package Folder>/files/.snow/.e0.data
- chown 0.0 /system/xbin/supolicy
- chcon u:object_r:system_file:s0 /system/bin/.author
- <dexopt>
- app_process /system/bin com.android.commands.pm.Pm disable com.android.tools.receiver
- chmod 777 <Package Folder>/files/.snow/ex0
- mount -ro remount ro /system
- app_process /system/bin com.android.commands.pm.Pm disable com.setting.dysdtool
- chown 0:0 /system/app/Lowerp.apk
- chcon u:object_r:system_file:s0 /system/xbin/.rainin
- chown 0:0 /data/local/tmp/busybox
- chown 0:0 /system/lib/libsoon.so
- chmod 777 <Package Folder>/files/.snow/a.xml
- chmod 777 <Package Folder>/files/.snow/.zip/rsh
- chmod 777 <Package Folder>/files/.snow/.ukd
- chown 0.0 /system/xbin/.cp
- chown 0.0 /system/app/LocalFacebook.apk
- chmod 777 <Package Folder>/files/.snow/.uok
- chmod 777 <Package Folder>/files/.snow/.dg
- chmod 777 <Package Folder>/files/.snow/.catr.apk
- chmod 777 <Package Folder>/files/.snow/.zip/rt8
- app_process /system/bin com.android.commands.pm.Pm enable com.android.tools.receiver
- chcon u:object_r:system_file:s0 /system/bin/debuggerd
- app_process /system/bin com.android.commands.pm.Pm disable com.android.upon.hash
- chown 0:0 /system/xbin/.ci.pm
- chmod 777 <Package Folder>/files/.snow/.uks
- chmod 777 <Package Folder>/files/.snow/.zip/r3
- chown 0.0 /data/local/tmp/.catr.apk
- chmod 777 <Package Folder>/files/.snow/supolicy
- chown 0:0 /system/xbin/supolicy
- chmod 777 <Package Folder>/files/.snow/.service
- chmod 777 <Package Folder>/files/.snow/.zip/r1
- chmod 777 <Package Folder>/files/.snow/.client
- chmod 777 <Package Folder>/files/.snow/.zip/r2
- chmod 777 <Package Folder>/files/.snow/.zip/r4
- app_process /system/bin com.android.commands.pm.Pm enable com.num.hum.kong.ui.op.er
- mount -o remount ro /system
- mount -o remount rw /system
- chmod 777 <Package Folder>/files/.snow/.zip/mkdevsh
- mount -wo remount,rw /system
- chmod 777 <Package Folder>/files/.snow/busybox
- chmod 777 <Package Folder>/files/.snow/.rshs
- chmod 777 <Package Folder>/files/.snow/myshell
- df /system
- chown 0:0 /system/app/RomterFacebook.apk
- rm /system/bin/debuggerd
- app_process /system/bin com.android.commands.pm.Pm enable com.wo.ai.girl.huy.wp
- chown 0:0 /system/app/Dingps.apk
- mount -o remount,ro /system
- chown 0:0 /system/xbin/.rainin
- app_process /system/bin com.android.commands.pm.Pm enable com.kai.kia.dou.ye.cai
- <error:2>
- chown 0.0 /system/lib/libsoon.so
- mount -ro remount,ro /system
- app_process /system/bin com.android.commands.pm.Pm enable com.setting.dysdtool
- chown 0:0 /system/bin/.author
- chcon u:object_r:system_file:s0 /system/xbin/.ci.pm
- sh
- chown 0.0 /system/app/Linkcai.apk
- chown 0.0 /system/bin/debuggerd
- chown 0.0 /system/xbin/.ci.pm
- chown 0.0 /system/app/RomterFacebook.apk
- /system/bin/sh ./mkdevsh
- app_process /system/bin com.android.commands.pm.Pm disable com.wo.ai.girl.huy.wp
Contains functionality to send SMS messages automatically.
