Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.BankBot.1224.origin
Threat detection based on machine learning.
Network activity:
Connects to:
- UDP(???) www.go####.com:443
- UDP(???) f####.gst####.com:443
- UDP(???) www.googlet####.com:443
- UDP(???) www.you####.com:443
- UDP(???) www.gst####.com:443
- UDP(DNS) <Google DNS>
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) t####.go####.com:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) ed####.me.g####.com:443
- TCP(TLS/1.0) p####.go####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) www.you####.com:443
- TCP(TLS/1.0) f####.google####.com:443
- TCP(TLS/1.0) clients####.google####.com:443
- TCP(TLS/1.0) up####.google####.com:443
- TCP(TLS/1.0) blites####.cfd:443
DNS requests:
- blites####.cfd
- clients####.google####.com
- ed####.me.g####.com
- f####.google####.com
- f####.gst####.com
- p####.go####.com
- t####.go####.com
- up####.google####.com
- www.go####.com
- www.google-####.com
- www.googlet####.com
- www.gst####.com
- www.you####.com
HTTP GET requests:
- blites####.cfd:443/translate2.php?lang=####&vendor=####&status=####
- blites####.cfd:443/translate_start.php?lang=####
HTTP POST requests:
- blites####.cfd:443/analitic.php
- blites####.cfd:443/get_encryption_key.php
- blites####.cfd:443/get_html_mapping.php
- blites####.cfd:443/heartbeat.php
- blites####.cfd:443/monitored_apps_full.php
- blites####.cfd:443/register.php
- blites####.cfd:443/register_device.php
- blites####.cfd:443/report.php
- blites####.cfd:443/save_apps.php
- blites####.cfd:443/status.php
File system changes:
Creates the following files:
- /app_webview/Default/####/000003.log
- /app_webview/Default/####/LOCK
- /app_webview/Default/####/LOG
- /app_webview/Default/####/MANIFEST-000001
- /app_webview/Default/Cookies
- /app_webview/Default/Web Data
- /app_webview/Default/Web Data-journal
- /app_webview/webview_data.lock
- /data/data/####/.org.chromium.Chromium.0L3UCp
- /data/data/####/.org.chromium.Chromium.mSsPUm
- /data/data/####/000001.dbtmp
- /data/data/####/02b0e9a54c09a19a_0
- /data/data/####/030fbbfa042caa5c_0
- /data/data/####/093056e3397f37f7_0
- /data/data/####/0d940287cfe3e349_0
- /data/data/####/2543d2177f29cb48_0
- /data/data/####/28a1b4d856d0d20a_0
- /data/data/####/28ebe4cb9cfa8bd0_0
- /data/data/####/2a2d156735fcd5f4_0
- /data/data/####/2b7141878cc8e020_0
- /data/data/####/2cd040f5e3033c10_0
- /data/data/####/31705ba524582b54_0
- /data/data/####/33acd2feba5294ec_0
- /data/data/####/4f1c59c26d5026ff_0
- /data/data/####/4f932edd71c82380_0
- /data/data/####/5830e90d67347343_0
- /data/data/####/59255469b581c0a3_0
- /data/data/####/59b90fe6235f7479_0
- /data/data/####/5c1da3ab0c738710_0
- /data/data/####/6110b6b90dceb16b_0
- /data/data/####/6344590c875876f1_0
- /data/data/####/653dd2dcc011c9ed_0
- /data/data/####/7d05d57bc5c35637_0
- /data/data/####/7e4a2949cd4f92bd_0
- /data/data/####/81c626b0d96efa63_0
- /data/data/####/87404010fe46a7c0_0
- /data/data/####/88d545421f4f437b_0
- /data/data/####/8a5800680b132a05_0
- /data/data/####/95dbc7bb8782ddf4_0
- /data/data/####/9ec5966a89aba447_0
- /data/data/####/9fd6fdc06d015838_0
- /data/data/####/AnchorPrefs.xml
- /data/data/####/BrowserMetrics-spare.pma
- /data/data/####/Cookies-journal
- /data/data/####/IMx.jpeg
- /data/data/####/MANIFEST-000001
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/a79e82dafc3b94c7_0
- /data/data/####/a907a4079c0a99b3_0
- /data/data/####/anchors.xml
- /data/data/####/app_prefs.xml
- /data/data/####/b55be1541dd0439c_0
- /data/data/####/b7391cfa4c1b7dc3_0
- /data/data/####/b9c35537c9ffe331_0
- /data/data/####/bb6161495d49a59c_0
- /data/data/####/bda93ee3ca4f5a15_0
- /data/data/####/c1981d4961913dd8_0
- /data/data/####/c2a649dd608eb16b_0
- /data/data/####/c42b49204df6fd3e_0
- /data/data/####/cached_domain.xml
- /data/data/####/ce686bd4d8612812_0
- /data/data/####/cf0a0e0744af6c6e_0
- /data/data/####/d4c29e778d7f5dae_0
- /data/data/####/d834904e6e613730_0
- /data/data/####/dd8372a96593bb05_0
- /data/data/####/e021c5163dea19b4_0
- /data/data/####/ec7d8131bbb6426a_0
- /data/data/####/ee6967f1515b380e_0
- /data/data/####/f1e4366f4d688dfb_0
- /data/data/####/f4dacdacd6da5dc8_0
- /data/data/####/f533a788ed4bff5b_0
- /data/data/####/f9d253a560b8d4ad_0
- /data/data/####/fc304e7ec260b193_0
- /data/data/####/font_unique_name_table.pb
- /data/data/####/guard_prefs.xml
- /data/data/####/index
- /data/data/####/install_flow_prefs.xml
- /data/data/####/monitored_apps.db
- /data/data/####/monitored_apps.db-journal
- /data/data/####/monitoring_prefs.xml
- /data/data/####/notification_prefs.xml
- /data/data/####/profileInstalled
- /data/data/####/profileinstaller_profileWrittenFor_lastUpdateTime.dat
- /data/data/####/settings.dat
- /data/data/####/smsclient_prefs.xml
- /data/data/####/temp-index
- /data/data/####/the-real-index
- /data/data/####/todelete_5779a2baf0ee1934_0_1 (deleted)
- /data/data/####/todelete_8bc281f5fc5ee418_0_1 (deleted)
- /data/data/####/variations_seed_new
- /data/data/####/variations_stamp
- /data/misc/####/primary.prof
Miscellaneous:
Gets information about installed apps.
Displays its own windows over windows of other apps.
Intercepts notifications.
Requests the system alert window permission.
Appears corrupted in a way typical for malicious files.