Android.Backdoor.1359

Added to the Dr.Web virus database: 2018-05-30

Virus description added: 2018-05-30

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.Backdoor.623.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) s####.s.360.cn:80
TCP(HTTP/1.1) p.s.3####.cn:80
TCP(HTTP/1.1) hye.c####.3####.com:80
TCP(TLS/1.0) api.os.q####.com:443

DNS requests:

api.os.q####.com
hye.c####.3####.com
p.s.3####.cn
s####.s.360.cn

HTTP GET requests:

s####.s.360.cn/ak/ca9c267dad0305d1a6308d2a0cf1c39c.html?m2=####

HTTP POST requests:

hye.c####.3####.com/api/sdkPullAds.do
p.s.3####.cn/update/update.php?p=####

Modified file system:

Creates the following files:

/data/data/####/1d2b904cbeadfb72ed9546111a231c85.0
/data/data/####/237540E644090AB61A2F0134BBCF56B7.dex
/data/data/####/24c110e1f76093b35c3c2df1927aab79.0
/data/data/####/Data.zip
/data/data/####/GlobalFlag.xml
/data/data/####/QH_DeviceSDK.xml
/data/data/####/QH_SDK_M2.xml
/data/data/####/QH_SDK_UserData.xml
/data/data/####/QH_SDK_UserDatadd458505749b2941217ddd59394240e8.xml
/data/data/####/QH_SDK_sessionID.xml
/data/data/####/QK_AService.zip
/data/data/####/QK_AService.zip.bvg
/data/data/####/Tconfigcenterproxy-api.1.0.5.dex
/data/data/####/Y29tLm1vYmlsZS5oaXdlYXRoZXI=
/data/data/####/Y29tLm1vYmlsZS5oaXdlYXRoZXI= (deleted)
/data/data/####/Y29tLm1vYmlsZS5oaXdlYXRoZXI=.tick.lock
/data/data/####/adflag.png
/data/data/####/alarms.db-journal
/data/data/####/app_info.xml
/data/data/####/back.png
/data/data/####/cities.db
/data/data/####/cities.db-journal
/data/data/####/classes.dex
/data/data/####/clockweather_preferences.xml
/data/data/####/close.png
/data/data/####/config.xml
/data/data/####/dynamic.apk
/data/data/####/foreground_pref.xml
/data/data/####/hmdb
/data/data/####/hmdb-journal
/data/data/####/journal
/data/data/####/journal.tmp
/data/data/####/logdb.db
/data/data/####/logdb.db-journal
/data/data/####/qihooweather.db-journal
/data/data/####/qksdkapp.xml
/data/data/####/refrush.png
/data/data/####/tv_link_icon.png
/data/data/####/zookongsdkapp.xml
/data/media/####/.deviceId
/data/media/####/.iddata
/data/media/####/1526454009649.db
/data/media/####/5Lb
/data/media/####/5Lb (deleted)
/data/media/####/KSz
/data/media/####/KSz (deleted)
/data/media/####/OUA
/data/media/####/OUA (deleted)
/data/media/####/PHC
/data/media/####/PHC (deleted)
/data/media/####/ReaperLog-2018_05_16.txt
/data/media/####/alsn20170807.db
/data/media/####/alsn20170807.db-journal
/data/media/####/ca9c267dad0305d1a6308d2a0cf1c39c
/data/media/####/d7j
/data/media/####/d7j (deleted)
/data/media/####/data.lock
/data/media/####/dd458505749b2941217ddd59394240e8
/data/media/####/dd458505749b2941217ddd59394240e8 (deleted)
/data/media/####/jiE
/data/media/####/jiE (deleted)
/data/media/####/report.lock

Miscellaneous:

Executes next shell scripts:

getprop debug.reaper.log.enabled
getprop ro.vendor.channel.number
sh

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
RSA-ECB-PKCS1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Gains access to information about running applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial