Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Xiny.64.origin
Network activity:
Connecting to:
- c####.####.com
- a####.####.com
HTTP GET requests:
- c####.####.com/dex/container_165.dex
HTTP POST requests:
- a####.####.com/collector/static_info?cid=####&udid=####&cv=####
- a####.####.com/collector/apk_install?cid=####&udid=####&cv=####
- a####.####.com/container/global_config?cid=####&udid=####&cv=####
- a####.####.com/collector/app_usage?cid=####&udid=####&cv=####
Modified file system:
Creates the following files:
- /data/data/####/shared_prefs/yoo_fsconf_pre.xml
- /data/data/####/shared_prefs/####_preferences.xml
- /data/data/####/app_bangcleplugin/container.apk
- /data/data/####/databases/yoo_p_download.db-journal
- /data/data/####/app_data/container.pre_need_update_plugins
- /data/data/####/shared_prefs/device_id.xml.xml
- /data/data/####/shared_prefs/yo_conf_pre.xml.bak
- /data/data/####/shared_prefs/yoo_r_common_pre.xml
- /data/data/####/.cache/libsecexe.x86.so
- /data/data/####/shared_prefs/yoo_fsappnfo_pre.xml
- /data/data/####/.cache/####
- /data/data/####/files/collector_app_start
- /data/data/####/files/collector_static_info
- /data/data/####/.md5
- /data/data/####/databases/data
- /data/data/####/.cache/libsecmain.x86.so
- /data/data/####/files/collector_my_mf_md5
- /data/data/####/app_bangcleplugin/collector.dex
- /data/data/####/shared_prefs/yoo_fstrategy_pre.xml
- /data/data/####/.sec_version
- /data/data/####/shared_prefs/yo_conf_pre.xml
- /data/data/####/shared_prefs/####_preferences.xml.bak
- /data/data/####/.cache/####.art
- /data/data/####/app_data/container.pre_global_config
- /data/data/####/.cache/classes.jar
- /data/data/####/shared_prefs/yoo_fsconf_pre.xml.bak
- /data/data/####/app_bangcleplugin/container.dex
- /data/data/####/.cache/classes.dex
- /data/data/####/databases/data-journal
- /data/data/####/files/collector_last_app_info
- /data/data/####/app_bangcleplugin/libcpu
- /data/data/####/databases/yoo_s_download.db-journal
- /data/data/####/files/collector_change_app_info
Sets the 'executable' attribute to the following files:
- /data/data/####/.cache/####
- /data/data/####/app_bangcleplugin/libcpu
Miscellaneous:
Executes next shell scripts:
- sh -c chmod 775 /data/data/####/app_bangcleplugin/libcpu
- chmod 755 /data/data/####/.cache/####
- sh -c /data/data/####/app_bangcleplugin/libcpu /storage/emulated/0/.1683efa7-c1a3-3bac-a07c-a2d539153efc 18 1
- getprop ro.product.cpu.abi
- ls -l /system/bin/su
- chmod 755 /data/data/####/.cache/####.art
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
