Technical information
Malicious functions:
Sends SMS messages:
- 18477134507: <IMEI> 型号:<System Property>; 手机:<System Property>; 系统版本:4.3.1
- 18477134507: <SMS Content> 广播:900
- 18477134507: <SMS Content> 广播:<SMS Address>
Executes code of the following detected threats:
- Android.SmsSpy.651.origin
Removes its shortcut from the home screen.
Intercepts incoming SMS messages and terminates the process of their transmission to handlers of other applications
Network activity:
Connecting to:
- a####.####.com:8011
- and####.####.com
HTTP POST requests:
- a####.####.com:8011/rqd/async
- and####.####.com/rqd/async
Modified file system:
Creates the following files:
- <Package Folder>/databases/bugly_db_lejiagu-journal
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/local_crash_lock (deleted)
- <Package Folder>/files/native_record_lock
- <Package Folder>/files/security_info
- <Package Folder>/mix.dex
- <Package Folder>/shared_prefs/configurations_data.xml
- <Package Folder>/shared_prefs/legu_900015015.xml
- <Package Folder>/tx_shell/libshella-2.4.2.so
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c type su
- chmod 700 /data/data/com.cs1k3322tdb/tx_shell/libshella-2.4.2.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.4.2.so
- getprop ro.board.platform
- getprop ro.yunos.version
Loads the following dynamic libraries:
- Bugly
- libshella-2.4.2
Uses the following algorithms to encrypt data:
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-GCM-NoPadding
Uses administrator priveleges.
Uses special library to hide executable bytecode.
Changes volume and vibration settings
Gains access to telephone information (number, imei, etc.)
Gains access to information about active device administrators
Displays its own windows over windows of other applications
Parses information from SMS messages
Gains access to information about sent/received SMS messages
