Android.Triada.823

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.Triada.222.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) reso####.msg.xi####.net:80
TCP(HTTP/1.1) scs.opensp####.cn:80
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) api.xima####.com:80
TCP(HTTP/1.1) d####.opensp####.cn:80
TCP(HTTP/1.1) 1####.213.69.195:80
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(HTTP/1.1) h####.opensp####.cn:80
TCP(HTTP/1.1) d####.c####.l####.####.com:80
TCP(HTTP/1.1) api.snail####.com:80
TCP(HTTP/1.1) 1####.121.48.5:80
TCP(TLS/1.0) sh.wagbr####.alibaba####.com:443
TCP(TLS/1.0) owe.joy-r####.com:9050
TCP(TLS/1.0) regi####.xm####.xi####.com:443
TCP 4####.62.94.2:443

DNS requests:

a####.u####.com
and####.b####.qq.com
api.snail####.com
api.xima####.com
cdn.joy-r####.com
d####.opensp####.cn
h####.opensp####.cn
log.u####.com
owe.joy-r####.com
regi####.xm####.xi####.com
reso####.msg.xi####.net
s####.u####.com
scs.opensp####.cn

HTTP GET requests:

api.snail####.com/cloudmusic/api/getHasCoverAd?packagename=####&language...
api.snail####.com/cloudmusic/api/getModuleState?client_sign=####&pk_name...
api.snail####.com/cloudmusic/api/getSnailloveCoverAd?packagename=####&la...
d####.c####.l####.####.com/95335c56-ebc5-4f35-b610-16d5472ce8e6bdco_60032
h####.opensp####.cn/launchconfig?t=####&p=bmdkY####
reso####.msg.xi####.net/gslb/?ver=4.0&type=wap&conpt=dvidpodv >>4>>4>>4...

HTTP POST requests:

a####.u####.com/app_logs
and####.b####.qq.com/rqd/async?aid=####
api.xima####.com/oauth2/access_token
d####.opensp####.cn/index.php/clientrequest/clientcollect/isCollect
scs.opensp####.cn/scs?cmd=####&logver=####&size=####

Modified file system:

Creates the following files:

/data/data/####/.imprint
/data/data/####/1002
/data/data/####/1004
/data/data/####/1522451156206.log
/data/data/####/BUGLY_COMMON_VALUES.xml
/data/data/####/CloudPreferences.cache.xml
/data/data/####/H4O783l.apk
/data/data/####/XMPushServiceConfig.xml
/data/data/####/alarms.db-journal
/data/data/####/bird_plugin.dex
/data/data/####/bird_plugin.jar
/data/data/####/bird_plugin.jar.sig
/data/data/####/bird_plugin.tmp
/data/data/####/bird_plugin.tmp.sig
/data/data/####/bugly_db_-journal
/data/data/####/com.chipsguide.app.colorbluetoothlamp.v3.changd...88.zip
/data/data/####/com.chipsguide.app.colorbluetoothlamp.v3.changd...ES.xml
/data/data/####/com.chipsguide.app.colorbluetoothlamp.v3.changd...ervice
/data/data/####/com.chipsguide.app.colorbluetoothlamp.v3.changd...es.xml
/data/data/####/com.iflytek.id.xml
/data/data/####/com.iflytek.msc.xml
/data/data/####/config.xml
/data/data/####/crashrecord.xml
/data/data/####/downloader.db-journal
/data/data/####/geofencing.db
/data/data/####/geofencing.db-journal
/data/data/####/ifly_launch_lib.xml
/data/data/####/iflytek_state_com.chipsguide.app.colorbluetooth...da.xml
/data/data/####/ilightDB-journal
/data/data/####/local_crash_lock
/data/data/####/mipush.xml
/data/data/####/mipush_account.xml
/data/data/####/mipush_extra.xml
/data/data/####/mobclick_agent_online_setting_com.chipsguide.ap...da.xml
/data/data/####/multidex.version.xml
/data/data/####/native_record_lock
/data/data/####/pref_registered_pkg_names.xml
/data/data/####/security_info
/data/data/####/tMS866P3hcq
/data/data/####/ting_data.xml
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/umeng_socialize.xml
/data/data/####/update_lc
/data/media/####/.nomedia
/data/media/####/Badinfo.xml
/data/media/####/YvscMPs.xml
/data/media/####/iflyworkdir_test
/data/media/####/log.lock
/data/media/####/log1.txt
/data/media/####/rinsWPVPycqVPSq38.db
/data/media/####/rinsWPVPycqVPSq38.db-journal
/data/media/####/u.data

Miscellaneous:

Executes next shell scripts:

/system/bin/sh -c getprop
/system/bin/sh -c type su
<Package Folder>/app_aqPVSg3/tMS866P3hcq -p <Package> -s com.birdads.out.BGService -t 600
chmod 0755 <Package Folder>/app_aqPVSg3/tMS866P3hcq
getprop
sh <Package Folder>/app_aqPVSg3/tMS866P3hcq -p <Package> -s com.birdads.out.BGService -t 600

Loads the following dynamic libraries:

Bugly
bluetoothlibrary
msc
realm-jni

Uses the following algorithms to encrypt data:

AES-CBC-NoPadding
AES-CBC-PKCS5Padding
AES-GCM-NoPadding
DES-ECB-NoPadding
RSA-ECB-PKCS1Padding

Uses the following algorithms to decrypt data:

AES-CBC-NoPadding
AES-CBC-PKCS5Padding
AES-GCM-NoPadding
DES-ECB-NoPadding

Gains access to interfaces of audio/video data writing.

Writes audio/video data.

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

Tecnologías

Términos

Formación y educación

Mitos

Technical information

Curing recommendations

Free trial