Technical information
Malicious functions:
Removes app icon from the screen.
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) 4####.98.88.210:80
- TCP(HTTP/1.1) 1####.31.55.181:80
- TCP(HTTP/1.1) da####.c####.qini####.com:80
- TCP(HTTP/1.1) bs####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) www.t####.cn:80
- TCP(HTTP/1.1) 2####.i####.com:80
- TCP(HTTP/1.1) 47.98.1####.25:80
- TCP(HTTP/1.1) idv####.qini####.com:80
- TCP(HTTP/1.1) 1####.178.153.46:80
- TCP(HTTP/1.1) c####.suis####.com:80
- TCP(HTTP/1.1) sdk.suis####.com:80
- TCP(HTTP/1.1) ip.ws.1####.net:80
- TCP(HTTP/1.1) gdv.a.s####.com:80
- TCP(HTTP/1.1) bwse####.huin####.com:8220
- TCP(Recorder|com.android.launcher,Launcher|com.android.defcontainer,Package Access Helper|com.example.android.notepad,NotePad|com.android.quicksearchbox,Search|com.android.contacts,Contacts|com.android.inputmethod.latin,Android Keyboard (AOSP)|com.android.phone,Mobile Data|com.android.calculator2,Calculator|com.android.htmlviewer,HTML Viewer|com.google.android.gsf.login,Google Account Manager|com.android.providers.calendar,Calendar Storage|com.android.bluetooth,Bluetooth Share|com.android.inputdevices,Input Devices|com.android.wallpaper.holospiral,com.android.wallpaper.holospiral|com.android.calendar,Calendar|com.android.browser,Browser|com.android.music,Music|com.android.onetimeinitializer,One Time Init|com.android.providers.downloads.ui,Downloads|com.android.providers.userdictionary,User Dictionary|com.mdht.cs01,??|com.android.sharedstoragebackup,com.android.sharedstoragebackup|com.android.vpndialogs,VpnDialogs|com.android.mms,Messaging|com.android.provision,com.android.provision|com.android.providers.media,Media Storage|com.android.certinstaller,Certificate Installer|com.android.basicsmsreceiver,Simple message receiver|com.android.galaxy4,Black Hole|com.google.android.gms,Google Play services|com.example.android.rssreader,RSS Reader|com.android.gallery,Camera|android,Android System|com.android.settings,Settings|com.android.providers.contacts,Contacts Storage|com.android.providers.applications,Search Applications Provider|com.android.dreams.basic,Basic Daydreams|com.android.vending,Google Play Store|com.android.providers.drm,DRM Protected Content Storage|com.android.systemui,System UI|com.android.exchange,Exchange Services|com.android.musicvis,Music Visualization Wallpapers|com.android.wallpaper.livepicker,Live Wallpaper Picker|com.android.keychain,Key Chain|com.android.speechrecorder,Speech Recorder|com.android.packageinstaller,Package installer|com.android.development,Dev Tools|com.android.providers.telephony,Mobile Network Configuration|com.android.wallpaper,Android Live Wallpapers|com.svox.pico,Pico TTS|com.android.email,Email|com.android.dialer,Dialer|com.android.deskclock,Clock|com.android.location.fused,Fused Location|com.android.backupconfirm,com.android.backupconfirm|com.android.providers.settings,Settings Storage|com.android.magicsmoke,Magic Smoke Wallpapers|com.google.android.gsf,Google Services Framework|com.android.shell,Shell|com.android.providers.downloads,Download Manager|com.android.musicfx,MusicFX|com.android.phasebeam,Phase Beam| HTTP/1.1) c####.suis####.com:80
DNS requests:
- 2####.i####.com
- bs####.oss-cn-####.aliy####.com
- bwse####.huin####.com
- c####.suis####.com
- h####.c####.com
- ip.ws.1####.net
- md1.huin####.cn
- ojtgd####.bkt.clo####.com
- pv.s####.com
- sdk.suis####.com
- www.t####.cn
HTTP GET requests:
- 2####.i####.com/ic.asp
- bs####.oss-cn-####.aliy####.com/sdk_files/bk
- bwse####.huin####.com:8220/qianya/sdk/confignanjing.txt
- c####.suis####.com/tongji.php?cs01?uid=####&osint=####&pkg=####&net=####...
- c####.suis####.com/u?q=####&u=####&p=####&c=####&a=####&os=####&pkg=####...
- da####.c####.qini####.com/task_config_local.json
- da####.c####.qini####.com/task_config_remote.json
- gdv.a.s####.com/cityjson?ie=####
- idv####.qini####.com/c1
- idv####.qini####.com/confignanjing.txt
- ip.ws.1####.net/ipquery?ip=####
- sdk.suis####.com/check?channel=####
- sdk.suis####.com/cnzz?channel=####
- sdk.suis####.com/shield?channel=####&sdk=####
- www.t####.cn/ajax/imsi.ashx?imsi=####
- z.c####.com/stat.htm?id=####&cnzz_eid=####
HTTP POST requests:
- da####.c####.qini####.com/classes.jar
- da####.c####.qini####.com/config_v1_x32.json
- da####.c####.qini####.com/task_cpa.zip
- da####.c####.qini####.com/task_userinfo.zip
File system changes:
Creates the following files:
- /data/data/####/IcmWeatherProvider.db
- /data/data/####/IcmWeatherProvider.db-journal
- /data/data/####/area.xml
- /data/data/####/bk.apk
- /data/data/####/cache.xml
- /data/data/####/cacheclasses.jar
- /data/data/####/classes.jar
- /data/data/####/config.json
- /data/data/####/global.xml
- /data/data/####/mainApplicationSharedPreferences.xml
- /data/data/####/plugin.xml
- /data/data/####/qysettings.xml
- /data/data/####/sdkconfig.xml
- /data/data/####/task_config.json
- /data/data/####/task_cpa.zip
- /data/data/####/task_userinfo.zip
- /data/data/####/webview.db-journal
Miscellaneous:
Executes the following shell scripts:
- cat /proc/cpuinfo
- cat /sys/class/net/wlan0/address
Uses the following algorithms to encrypt data:
- DES-ECB-NoPadding
Uses the following algorithms to decrypt data:
- DES-ECB-NoPadding
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Displays its own windows over windows of other apps.