Technical information
Malicious functions:
Removes its shortcut from the home screen.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) api.k####.info:80
- TCP(HTTP/1.1) del####.com:80
- TCP(HTTP/1.1) trietha####.com:80
- TCP(HTTP/1.1) r####.adsb####.com:80
- TCP(HTTP/1.1) go.oclase####.com:80
- TCP(HTTP/1.1) newrota####.com:80
- TCP(HTTP/1.1) offer####.online:80
- TCP(HTTP/1.1) of####.joym####.mobi:80
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) acco####.go####.com:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) yt3.g####.com:443
- TCP(TLS/1.0) smarto####.site:443
- TCP(TLS/1.0) m.you####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) ssl.google-####.com:443
- TCP(TLS/1.0) proadsr####.com:443
- TCP(TLS/1.0) f####.google####.com:443
- TCP(TLS/1.0) i.y####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) www.you####.com:443
DNS requests:
- acco####.go####.com
- api.k####.info
- del####.com
- f####.google####.com
- f####.gst####.com
- go.oclase####.com
- googl####.g.doublec####.net
- hy####.com
- i.y####.com
- m.you####.com
- mt####.go####.com
- newrota####.com
- of####.joym####.mobi
- offer####.online
- proadsr####.com
- smarto####.site
- ssl.google-####.com
- www.go####.nl
- www.gst####.com
- www.trac####.site
- www.you####.com
- yt3.g####.com
HTTP GET requests:
- api.k####.info/v6/index.php?action=####&android=####&app_id=####&app_ver...
- of####.joym####.mobi/index.php?r=####&a=####&c=####&aff_sub=####
- of####.joym####.mobi/index.php?r=####&aff_id=####
- r####.adsb####.com/c/140a6455137922f3?c1=####&c2=####&c3=####&_uu=####
- trietha####.com/28c88/4acA/76MQ/t-9Gs6VqRfgVCfcgxeCEkAI6SfAXQk8arOD0goKh...
Modified file system:
Creates the following files:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/index
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/google_analytics_v2.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/1.jar
- <Package Folder>/files/dog_x86
- <Package Folder>/files/gaClientId
- <Package Folder>/shared_prefs/pref_landlord.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
Miscellaneous:
Executes next shell scripts:
- /system/bin/netcfg
- <Package Folder>/files/dog_x86 -ps <Package>/com.yu.yong.WorkerService -s com.yu.yong:worker_service
- app_process /system/bin com.android.commands.am.Am startservice --user 0 -n <Package>/com.yu.yong.WorkerService
- chmod 755 <Package Folder>/files/dog_x86
- sh -c echo ttta
- sh -c su -c ' echo ttta'
- su -c echo ttta
Loads the following dynamic libraries:
- jackkai
Uses elevated priveleges.
Uses administrator priveleges.
Gains access to telephone information (number, imei, etc.).
Displays its own windows over windows of other applications.