Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.SkyMobi.6.origin
Network activity:
Connecting to:
- s####.####.com
- l####.####.com:9820
- d####.####.net
- and####.####.com
- c####.####.com
- mig####.com
- m####.####.com
- and####.####.com:8077
HTTP GET requests:
- m####.####.com/course/693628.html?dataSrcId=####&sqId=####&cm=####
- d####.####.net/apkf/3rdapk2/M01/0F/82/wKhklFiFe92AE1NeAAQYN1n4N4Q886.apk
- c####.####.com/mainjarupdate/gamesdk/59810/empty102/102327/main.zip
- and####.####.com/3rd-access-android/image/show.do?imageName=####
- d####.####.net/apkf/3rdapk2/M01/0E/50/wKhklFhblTOAFDJdAADx6QcmZVE171.apk
- s####.####.com/chksdkupdate.php?sdkver=####&compver=####&mainver=####&chid=####&type=####&pkg=####&api=####&release=####&uid=####&abi=####&abi2=####&a...
- d####.####.net/apkf/3rdapk2/M01/0E/50/wKhklFhbmYeALjHcAACxpWlURyc965.apk
- s####.####.com/gensdkuser.php?chid=####&cpmeta=####&vercode=####&md5=####&type=####&sdkver=####&pkg=####&api=####&release=####&brand=####&manufacturer...
- d####.####.net/apkf/3rdapk2/M01/0F/89/wKhklFiamFuAdzZqAALQ9q8rIV0633.apk
- s####.####.com/pickoverlay.php?chid=####&cpmeta=####&vercode=####&ovid=####&md5=####
- s####.####.com/picksdkgame.php?chid=####&imei=####&imsi=####&vercode=####&uid=####&uflag=####&pkg=####&api=####&release=####&type=####&sdkver=####&bra...
- mig####.com/course/693628.html?dataSrcId=####&sqId=####&cm=####
- d####.####.net/apkf/3rdapk2/M00/01/33/wKhklVVtdKOAVv5IAAFBG_mUhK4571.apk
- d####.####.net/apkf/3rdapk2/M01/0E/57/wKhklVhl8iuAPRONAASU16x8R3w033.apk
- c####.####.com/vmupdate/pack/empty/empty/28800/vm_generic/102/-1/vm.zip
- d####.####.net/apkf/3rdapk2/M01/0F/8A/wKhklVib1VaAFGm5AAn7f81SmP0432.apk
- s####.####.com/chksdkupdate.php?sdkver=####&compver=####&mainver=####&chid=####&type=####&pkg=####&api=####&release=####&abi=####&abi2=####&abilist=##...
- s####.####.com/chksdkupdate.php?sdkver=####&compver=####&mainver=####&expver=####&chid=####&type=####&pkg=####&api=####&release=####&abi=####&abi2=###...
- s####.####.com/getdomain.php?chid=####&subchid=####&cpmeta=####&type=####&sdkver=####
HTTP POST requests:
- and####.####.com/zm-adv-mis/adv/list/query.do
- l####.####.com:9820/chnlt/ltpay/pytstart.do
- and####.####.com/android/sms/netpay/prefetch.do
- and####.####.com/payment-adv-mis/adv/payment/getAdvInfo.do
- and####.####.com:8077/query-plat/cap/query.do
Modified file system:
Creates the following files:
- /data/data/####/SkyAdver_file/NotifyBarAdvResponse
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.advert.new.apk.temp
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.push.new.apk.temp
- /data/data/####/.platformcache/tmp/main/lib_main/libapplypatch.so
- /data/data/####/shared_prefs/excl_lb_kxqp.xml
- /data/data/####/.platformcache/tmp/main/lib_main/tmp.uH2211
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.advert.new.apk
- /data/data/####/shared_prefs/uuid.xml
- /data/data/####/shared_prefs/first.xml
- /data/data/####/databases/Data_sync.db-journal
- /data/data/####/databases/webview.db-journal
- /data/data/####/shared_prefs/appstarttwo.xml
- /data/data/####/shared_prefs/ACCOUNT_SYSTEM_ACCOUNT_INFO.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.thirdpay.new.apk
- /data/data/####/zyfadv/c7a44900a7f1959b3eaf5a573371e8d3.img
- /data/data/####/.zmvmp/so_9406587_1485415592000/libkxqpzmvmpinf.9406587.415592000.so.flag
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_adv/####/SkyAdver_file/PushDataReciveTime
- /data/data/####/.platformcache/tmp/vm/lib/tmp.iD2280
- /data/data/####/.zmvmp/so_9406587_1485415592000/libzmvmpcls.9406587.415592000.so.lock
- /data/data/####/.platformcache/tmp/main/lib_main/tmp.OS2293
- /data/data/####/app_workbench12398/apk.zip
- /data/data/####/.zmvmp/so_9406587_1485415592000/libzmvmpcls.9406587.415592000.so
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.recordupload.new.apk
- /data/data/####/shared_prefs/excl_lb_lbmain.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_adv/####/SkyAdver_file/NextReqInterval
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_adv/####/SkyAdver_file/PushDataServerTime
- /sdcard/Android/data/com.skymobi.pay.app/zyfadv/response.data
- /data/data/####/shared_prefs/excl_lb_chInfo.xml
- /data/data/####/shared_prefs/excl_lb_platform.xml.bak
- /data/data/####/.platformcache/tmp/main/lib_main/tmp.xI2194
- /data/data/####/shared_prefs/####_preferences.xml.bak
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.main.new.apk.temp
- /data/data/####/files_main/key_AppPluginCapInfo
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.recordupload.new.apk.temp
- /data/data/####/shared_prefs/excl_lb_kxqpChannal.xml
- /data/data/####/app_workbench56752/apk.zip
- /data/data/####/files_main/key_ServerPluginInfo
- /data/data/####/zyfadv/response.data
- /data/data/####/.platformcache/tmp/main/lib_main/tmp.tK2312
- /data/data/####/.zmvmp/so_9406587_1485415592000/libzmvmpcls.9406587.415592000.so.flag
- /sdcard/com/android/system/uid.sys
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.main.new.apk
- /data/data/####/app_workbench17924/apk.zip
- /data/data/####/.zmvmp_2194_599692/classes.dex
- /data/data/####/.platformcache/tmp/vm/lib/tmp.ZP2280
- /data/data/####/shared_prefs/excl_lb_userInfo.xml
- /data/media/obb/####/game_res/conveying
- /data/data/####/zyfadv/ad4083923264a6583a716b0724d0b789.img
- /data/media/obb/####/game_res/mainVersion
- /data/data/####/.platformcache/tmp/main/lib_main/tmp.ZF2293
- /data/data/####/shared_prefs/excl_lb_extractInfo.xml
- /data/data/####/shared_prefs/excl_lb_gameInfo.xml
- /sdcard/Android/data/com.skymobi.pay.app/zyfadv/c7a44900a7f1959b3eaf5a573371e8d3.img
- /data/data/####/.platformcache/tmp/vm/kxqpplatform.jar.tmp
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.push.new.apk
- /data/data/####/.zmvmp_2126_596042/classes.dex
- /data/data/####/app_workbench40028/apk.zip
- /data/data/####/databases/database-journal
- /sdcard/Android/data/com.skymobi.pay.app/zyfadv/ad4083923264a6583a716b0724d0b789.img
- /data/data/####/apk/vm.zip.dload
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.smspay.new.apk
- /data/data/####/.zmvmp/so_9406587_1485415592000/libkxqpzmvmpinf.9406587.415592000.so
- /data/data/####/.zmvmp_2280_625764/classes.dex
- /data/data/####/.platformcache/lbextjartag
- /data/data/####/shared_prefs/mainplugin_query.xml
- /data/data/####/shared_prefs/BOOT_SMS_SENT_TIME.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_push/dolls_push/sharemem_push.lock
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.smspay.apk
- /data/data/####/files/classes.dex
- /data/data/####/apk/main.zip.dload
- /data/data/####/.platformcache/tmp/main/lib_main/tmp.QS2211
- /data/data/####/shared_prefs/####_preferences.xml
- /data/data/####/.zmvmp_2211_599896/classes.dex
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_main/key_ServerPluginInfo
- /data/data/####/.platformcache/tmp/main/main2.jar.tmp
- /data/data/####/app_workbench23450/apk.zip
- /data/data/####/SkyAdver_file/PushDataReciveTime
- /data/data/####/shared_prefs/excl_lb_platform.xml
- /data/data/####/.platformcache/tmp/main/lib_main/tmp.pP2312
- /data/data/####/shared_prefs/excl_lb_domain.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.main.apk
- /data/data/####/shared_prefs/excl_lb_updateInfo.xml
- /data/data/####/.zmvmp_2312_625997/classes.dex
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.ovspay.new.apk.temp
- /data/data/####/.zmvmp_2106_595352/classes.dex
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_adv/####/SkyAdver_file/LatestPushIndex
- /data/media/obb/####/game_res/compVersion
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.smspay.new.apk.temp
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.recordupload.apk
- /data/data/####/.zmvmp/so_9406587_1485415592000/libkxqpzmvmpinf.9406587.415592000.so.lock
- /data/data/####/shared_prefs/zhangpay_sms_info.xml
- /sdcard/Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.ovspay.new.apk
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.thirdpay.new.apk.temp
- /data/data/####/app_workbench62278/apk.zip
- /data/data/####/.platformcache/tmp/vm/lib/tmp.hT2280
- /data/data/####/.zmvmp_2293_625785/classes.dex
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_adv/####/SkyAdver_file/NotifyBarAdvResponse
- /data/data/####/shared_prefs/appstartone.xml
- /data/data/####/app_workbench45554/apk.zip
- /data/data/####/shared_prefs/excl_lb_soUpdate.xml
- /data/data/####/shared_prefs/BOOT_SMS_INFO.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/user.sys
- /data/data/####/shared_prefs/zhangpay_share.xml.bak
- /data/data/####/SkyAdver_file/PushDataServerTime
- /data/data/####/SkyAdver_file/LatestPushIndex
- /data/data/####/SkyAdver_file/NextReqInterval
- /data/data/####/shared_prefs/zhangpay_share.xml
Sets the 'executable' attribute to the following files:
- /data/data/####/.platformcache/tmp/main/lib_main/libapplypatch.so
- /data/data/####/.platformcache/tmp/main/lib_main/tmp.ZF2293
- /data/data/####/apk/vm.zip.dload
- /data/data/####/apk/main.zip.dload
Miscellaneous:
Executes next shell scripts:
- chmod 666 /storage/emulated/0/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.advert.apk
- chmod 666 /storage/emulated/0/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.smspay.apk
- chmod 666 /storage/emulated/0/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.push.apk
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
