SHA1: 4d1d840eedfb9bcfc481457f64dc5ac8644cca00
It is a Trojan for Android designed to install applications on cybercriminals' command and to display advertisements. Android.Loki.1.origin helps it elevate its privileges when necessary.
Once launched, it collects and sends the following information:
- IMEI identifier
- IMSI identifier
- MAC address
- MCC (Mobile Country Code) identifier
- MNC (Mobile Network Code) identifier
- Version of the operating system
- Screen resolution
- Amount of installed and available RAM on the device
- Version of the operating system kernel
- Device model
- Device manufacturer
- Version of the firmware
- Serial number of the device
In return, the Trojan receives a configuration file containing the information it needs to operate, such as the addresses of the servers the malicious application connects to, the frequency of connections, and so on.
The configuration file is binary and is stored in the application folder.
At set intervals, Android.Loki.2.origin connects to the server to receive instructions and send the following information:
- Version of the configuration file
- Version of the service provided by Android.Loki.1.origin
- Current system language
- Country
- Information about Google account created by the user
Android.Loki.2.origin, in turn, receives a command either to install an application (which can also be downloaded from Google Play) or to display advertisements. If the user taps the Trojan's notifications, they can be redirected to a website or prompted to install software. Downloaded programs are installed on the device with the help of Android.Loki.1.origin.
Android.Loki.2.origin sends the following information to the command and control server:
- List of installed applications
- Browser history
- List of contacts
- Call history
- Current location
The malicious application contains the com.loki.sdk.ClientService class, which gives it access to the capabilities of Android.Loki.1.origin. A service with this name must be declared in the application's manifest file:
<service android:enabled="true" android:exported="true" android:name="com.loki.sdk.ClientService" />
Every 3 seconds, Android.Loki.1.origin enumerates all applications on the device. Once the Trojan finds this service declared in the manifest of one of these programs, it connects to the service using the bindService method of the Context class.
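The manifest declaration above is a usable detection artifact: any APK whose manifest exports a service named com.loki.sdk.ClientService is a candidate for the Loki component. The following is an added example written for this page, not code from the description's author, that scans a decoded AndroidManifest.xml for that declaration. It assumes the binary manifest has already been decoded to plain XML (for instance with apktool) and that the file is passed in as a string; the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Service name taken from the manifest declaration quoted in the description above.
LOKI_SERVICE = "com.loki.sdk.ClientService"


def _qualify(name: str, package: str) -> str:
    """Expand a relative android:name (".Foo" or "Foo") to a fully qualified
    class name using the manifest's package attribute, as Android does."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def find_loki_services(manifest_xml: str) -> list:
    """Return every <service> in a decoded AndroidManifest.xml whose resolved
    android:name is the Loki SDK service, together with its exported flag."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for svc in root.iter("service"):
        raw_name = svc.get(f"{{{ANDROID_NS}}}name")
        if raw_name is None:
            continue
        name = _qualify(raw_name, package)
        if name != LOKI_SERVICE:
            continue
        exported = svc.get(f"{{{ANDROID_NS}}}exported", "false").lower() == "true"
        hits.append({"name": name, "exported": exported})
    return hits


def scan_manifests(manifests: dict) -> dict:
    """Map each manifest label (e.g. an APK path) to its Loki service hits,
    keeping only the manifests that actually match."""
    report = {}
    for label, xml_text in manifests.items():
        hits = find_loki_services(xml_text)
        if hits:
            report[label] = hits
    return report


# Constructed sample: a manifest carrying the declaration exactly as quoted above.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <application>
    <service android:enabled="true" android:exported="true"
             android:name="com.loki.sdk.ClientService" />
  </application>
</manifest>"""

# Constructed sample: the same service declared with a relative class name.
RELATIVE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.loki.sdk">
  <application>
    <service android:exported="true" android:name=".ClientService" />
  </application>
</manifest>"""

# Constructed sample: an ordinary app with an unrelated, non-exported service.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.clean">
  <application>
    <service android:exported="false" android:name=".SyncService" />
  </application>
</manifest>"""


if __name__ == "__main__":
    samples = {
        "suspect.apk": SUSPECT_MANIFEST,
        "relative.apk": RELATIVE_MANIFEST,
        "clean.apk": CLEAN_MANIFEST,
    }
    for label, hits in scan_manifests(samples).items():
        print(f"{label}: {hits}")
```

The relative-name handling matters because a manifest may declare the class as ".ClientService" under package com.loki.sdk and still satisfy the lookup the description mentions; matching only the literal string would miss that form.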