Technical information
Malicious functions:
Removes its shortcut from the home screen.
Network activity:
Connecting to:
- googl####.####.net
- 25wfbnp####.ru
- im####.####.net
- r####.####.tv
- e####.####.net
- d####.####.io
- u####.####.fi
- s####.####.com
- b####.####.net
- u####.####.com
- p####.####.net
- undersc####.org
- 5####.####.196
- f####.####.com
- n####.####.tv
- d####.####.net
- googlea####.com
- l####.####.com
- b####.####.com
- c####.####.org
- a####.####.io
- 6####.####.com
- id####.####.com
- a####.####.com
- t####.####.com
- i####.####.fi
- u####.####.de
- c####.####.com
- d####.####.com
- clicksf####.com
- 268457####.####.com
HTTP GET requests:
- u####.####.fi/y_match?xid=####
- 5####.####.196/?z=####
- b####.####.net/map/c=7625/tp=SIMP/tpid=8C149905C534B558045D026B02E448E4
- e####.####.net/assets/ilovevideo/mobile/9ec70610/img/mobile/cac_ilv_mobile_icon-play.png
- i####.####.fi/p?cid=####&cb=####
- n####.####.tv/nl/video/drew-barrymore-in-talks-to-host-new-talk-show-732787-1518049
- t####.####.com/site/20676?dt=####&r=####&sig=####&bkca=####
- c####.####.com/af.php?rt=####&a=####
- d####.####.net/demconf.jpg?et:ibs%7cdata:dpid=####&dpuuid=####&redir=####
- c####.####.com/i.php?a=####&rt=####&v=####&h=####&d=####&c=####&dm1=####&j=####&k=####&t=####
- 268457####.####.com/rv2.php?c0f1d20####&q=####&utm_source=####
- googl####.####.net/pagead/viewthroughconversion/1026675585/?random=####&cv=####&fst=####&fmt=####&value=####&label=####&guid=####&ctc_id=####&ct_cooki...
- c####.####.com/util/click.pl?id=####&ac=####&q=####&ac2=####
- a####.####.com/cms/v1?esig=####&sigv=####&nwid=####
- b####.####.com/b?c1=####&c2=####&c3=####&ns__t=####&ns_c=####&ns_if=####&cv=####&c8=####&c7=####&c9=####
- u####.####.com/mapuser?providerid=####&userid=####
- f####.####.com/s/opensans/v13/cJZKeOuBrn4kERxqtaUH3SZ2oysoEQEeKwjgmXLRnTc.ttf
- u####.####.fi/lj_match
- f####.####.com/s/opensans/v13/DXI1ORHCpsQm3Vp6mXoaTZS3E-kSBmtLoNJPDtbj2Pk.ttf
- c####.####.com/merge?pid=####&3pid=####&dnr=####
- e####.####.net/files/clip/809402/freeze_frame_30/20/49/08_159198_SPL1417468-mp4.jpg/806x487.jpg
- n####.####.tv/nl/drew-barrymore-in-talks-to-host-new-talk-show-732787-1518049
- c####.####.com/af2.php?a=####&rt=####&h=####&dv=####&z=####&w=####&fq=####&r=####&u=####&t=####
- d####.####.net/ibs:dpid=477&dpuuid=173a0d7a71c810712a8ced43cf14d1254bdc47e693b0f46a3f6347e8f5aaac8bb0da87c991749652&redir=http%3A%2F%2Fidsync.rlcdn.co...
- 268457####.####.com/tags.php?kw=####&cat=####&ip=####&s=####&c=####
- i####.####.fi/dpx?cid=####&m=####&quid=####&cbri=####&referrer=####
- clicksf####.com/bank_accounts_opening_double_glazing.cfm?fm=####
- i####.####.fi/dpx.js?cid=####&m=####&quid=####
- googlea####.com/pagead/conversion/1026675585/?random=####&cv=####&fst=####&fmt=####&value=####&label=####&guid=####
- u####.####.fi/match_redirect?sifi_redir=####
- 6####.####.com/bapi?anId=####&pubid=####&chanId=####&auth_token=####&ias_callback=####
- b####.####.net/5/c=7079/int=financeh/int=bank+accounts+opening+double+glazing/int=ezanga.com
- d####.####.com/dt?anId=####&asId=####&tv=####&br=####
- e####.####.net/assets/ilovevideo/mobile/9ec70610/css/screen_mobile-stage.css
- t####.####.com/js/bk-coretag.js
- undersc####.org/underscore-min.js
- 6####.####.com/dbapi?ias_callback=####&anId=####&pubid=####&chanId=####&auth_token=####&adsafe_url=####&adsafe_type=####&adsafe_jsinfo=####
- u####.####.fi/spotx_match
- c####.####.org/go.php?t=####&hash=####
- u####.####.de/mapuser?provide####
- p####.####.net/engine?site=14####
- f####.####.com/s/opensans/v13/k3k702ZOKiLJc3WVjuplzJS3E-kSBmtLoNJPDtbj2Pk.ttf
- s####.####.com/profiles_engine/ProfilesEngineServlet?at=####&dpi=####&pcid=####
- 25wfbnp####.ru/Look%20Search%20Trace_files/style.css
- e####.####.net/assets/ilovevideo/mobile/9ec70610/img/mobile/cac_ilv_mobile_icon-arrow-down.png
- u####.####.fi/aol
- n####.####.tv/video/drew-barrymore-in-talks-to-host-new-talk-show-732787-1518049?utm_source=####&utm_medium=####&utm_term=####&utm_content=####&utm_ca...
- 25wfbnp####.ru/site_real.php?session_param=####
- b####.####.net/5/ct=y/c=7079/int=financeh/int=bank+accounts+opening+double+glazing/int=ezanga.com
- t####.####.com/site/29931?id=####
- f####.####.com/css?family=####
- d####.####.com/dt?anId=####&asId=####&tv=####&bkp=####
- 268457####.####.com/go.php?sid=####
- im####.####.net/resize/760x428/freeze_frame_5/78/72/37_159198_SPL1311031-mp4.jpg
- b####.####.com/b2?c1=####&c2=####&c3=####&ns__t=####&ns_c=####&ns_if=####&cv=####&c8=####&c7=####&c9=####
- clicksf####.com/redirect?aff=####&saff=####&q=####
- b####.####.com/beacon.js
- e####.####.net/files/clip/849450/null/806x487.jpg
- id####.####.com/419566.gif?partner_uid=####&redirect=####
- a####.####.io/showads.js
- a####.####.com/ajax/libs/webfont/1.5.2/webfont.js
- d####.####.io/request.js?instance=####&source=####&campaign=####&9699378####
- id####.####.com/419566.gif?partner_uid=####
- r####.####.tv/rce/api/v1.0/multiple/732787?jsonp=####
- e####.####.net/tmp/verticals/9ec70610/scripts/main_mobile.js
- c####.####.com/jquery-2.1.1.min.js
- u####.####.fi/liveramp_match
- l####.####.com/load/?p=####&g=####&j=####
- e####.####.net/files/clip/842820/freeze_frame_30/02/82/48_718512_5f0454ae3dc6d2c5f516adc989be9513-mp4.jpg/806x487.jpg
- c####.####.com/merge?pid=####&3pid=####
- t####.####.com/site/20675?ret=####&phint=####&phint=####&phint=####&phint=####&bknms=v####&r=####
HTTP POST requests:
- clicksf####.com/go?feed_id=####&sub_id=####
- 25wfbnp####.ru/apk_sub.php?get_hash=####
- 25wfbnp####.ru/cpc_v2.php?get_hash=####
- 268457####.####.com/rva.php
- d####.####.io/response.json
Modified file system:
Creates the following files:
- /data/data/####/databases/webviewCookiesChromium.db-journal
- /data/data/####/cache/webviewCacheChromium/f_000002
- /data/data/####/shared_prefs/MyPref.xml
- /data/data/####/cache/webviewCacheChromium/data_3
- /data/data/####/shared_prefs/MyPref.xml.bak
- /data/data/####/cache/webviewCacheChromium/index
- /data/data/####/databases/webview.db-journal
- /data/data/####/cache/webviewCacheChromium/f_000001
- /data/data/####/cache/webviewCacheChromium/f_000003
- /data/data/####/cache/webviewCacheChromium/data_2
- /data/data/####/cache/webviewCacheChromium/data_1
- /data/data/####/cache/webviewCacheChromium/data_0
- /data/data/####/cache/webviewCacheChromium/f_000005
- /data/data/####/cache/webviewCacheChromium/f_000004
Miscellaneous:
Uses administrator priveleges.
Contains functionality to send SMS messages automatically.
