Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.336.origin
Downloads the following detected threats from the Web:
- Android.Backdoor.336.origin
Network activity:
Connecting to:
- t####.####.com
- a####.####.net
- c####.####.com
- baiduli####.####.org
- m####.####.com
- a####.####.com
HTTP GET requests:
- t####.####.com/agentapi/click?cid=####&aid=####&did=####&im=####&gaid=##...
- baiduli####.####.org/aff_c?offer_id=####&aff_id=####&aff_sub=####&aff_su...
- baiduli####.####.org/aff_r?offer_id=####&aff_id=####&url=####&urlauth=####
- m####.####.com/tracking/index/5910e0f7b8c12?gaid=####&idfa=####&andid=##...
- a####.####.net/call/v2/ad/click?ads_id=####&aff_id=####&ak_id=####&local...
- a####.####.net/applnk/826227844?src_section_id=####
- a####.####.net/stat/v2/request?aff_id=####&ak_id=####&local=####&from_sd...
- c####.####.com/v1/ad/click?subsite_id=####&transaction_id=####&id=####&o...
- c####.####.com/csdk/tcl_vd_1.txt
- c####.####.com/cdown/finalname.apk
HTTP POST requests:
- a####.####.net/scene/v2/recommend
- a####.####.com/app_logs
- a####.####.net/native/v2/recommend
- a####.####.com/oversea_adjust_and_download_write_redis/notify/download/app
- m####.####.com/errorview/api/601
Modified file system:
Creates the following files:
- /data/data/####/files/.snow/.dico.apk
- /data/data/####/databases/cc.db-journal
- /data/data/####/shared_prefs/sharedpreferences_batmobi_ad_clicks_offers.xml
- /data/data/####/databases/ua.db
- /data/data/####/files/.snow/.zip/r2
- /data/data/####/files/.snow/.zip/r4
- /data/data/####/databases/cc.db
- /data/data/####/files/.snow/.zip/r1
- /data/data/####/files/.snow/.service
- /data/data/####/files/.snow/.zip/r3
- /data/data/####/files/.snow/busybox
- /data/data/####/files/.snow/.dg
- /data/data/####/files/.snow/b.png
- /data/data/####/databases/ua.db-journal
- /data/data/####/databases/webviewCookiesChromium.db-journal
- /data/data/####/files/.help/.abc.apk
- /data/data/####/files/.snow/myshell
- /data/data/####/files/.snow/.ir
- /data/data/####/databases/bat_statistics.db
- /data/data/####/files/.snow/checkFile0
- /data/data/####/shared_prefs/umeng_general_config.xml
- /data/data/####/files/.snow/.dsmt.apk
- /data/data/####/files/.umeng/exchangeIdentity.json
- /data/data/####/files/.imprint
- /data/data/####/databases/webview.db
- /data/data/####/files/.snow/.zip/mkdevsh
- /data/data/####/files/.snow/.client
- /data/data/####/files/.snow/.zip/rt8
- /data/data/####/files/exid.dat
- /data/data/####/files/.snow/.dlme.apk
- /data/data/####/databases/webview.db-journal
- /data/data/####/files/.snow/.center.tapk
- /data/data/####/files/.snow/.zip/rsh
- /data/data/####/shared_prefs/sharedpreferences_batmobi_ad_marketurl.xml
- /data/data/####/databases/bat_statistics.db-journal
- /data/data/####/databases/webviewCookiesChromium.db
- /data/data/####/files/umeng_it.cache
- /data/data/####/files/.snow/.catr.apk
- /data/data/####/shared_prefs/sharedpreferences_batmobi_offers.xml
- /data/data/####/files/.snow/a.xml
- /data/data/####/files/.snow/.ukd
- /data/data/####/shared_prefs/sharedpreferences_batmobi_settings.xml
- /data/data/####/files/.snow/.uok
- /data/data/####/files/.snow/.dlsb.apk
- /data/data/####/shared_prefs/sharedpreferences_batmobi_ad_clicks.xml
- /data/data/####/files/.help/.abc.dex
- /data/data/####/files/.snow/supolicy
- /data/data/####/files/.snow/.uks
Sets the 'executable' attribute to the following files:
- /data/data/####/files/.snow/.catr.apk
- /data/data/####/files/.snow/.ir
- /data/data/####/files/.snow/.zip/rsh
- /data/data/####/files/.snow/busybox
- /data/data/####/files/.snow/.zip/mkdevsh
- /data/data/####/files/.snow/b.png
Miscellaneous:
Executes next shell scripts:
- chmod 777 /data/data/####/files/.snow/myshell
- chown 0.0 /system/bin/.author
- app_process /system/bin com.android.commands.pm.Pm disable org.app.info.grate
- chown 0.0 /system/app/Treese.apk
- mount -wo remount,rw /system
- chown 0:0 /system/xbin/.cp
- app_process /system/bin com.android.commands.pm.Pm enable com.fly.me.ssp.be
- chmod 777 /data/data/####/files/.snow/.dg
- chmod 777 /data/data/####/files/.snow/.service
- chown 0:0 /system/bin/.author
- chcon u:object_r:system_file:s0 /system/bin/.author
- mount -wo remount rw /system
- chown 0.0 /system/xbin/supolicy
- chmod 777 /data/data/####/files/.snow/.zip/r1
- sh
- chmod 777 /data/data/####/files/.snow/b.png
- chown 0.0 /system/app/Banner.apk
- chmod 777 /data/data/####/files/.snow/.uok
- chown 0:0 /system/app/oneshs.apk
- chown 0:0 /system/xbin/supolicy
- chmod 777 /data/data/####/files/.snow/.ukd
- chown 0.0 /system/xbin/.ci.pm
- chmod 777 /data/data/####/files/.snow/.client
- chmod 777 /data/data/####/files/.snow/.zip/r4
- chown 0.0 /system/app/oneshs.apk
- chmod 777 /data/data/####/files/.snow/.zip/r3
- chmod 777 /data/data/####/files/.snow/.zip/r2
- mount -o remount rw /system
- chcon u:object_r:system_file:s0 /system/xbin/.cp
- mount -o remount,rw /system
- chown 0.0 /system/xbin/.cp
- chown 0:0 /system/xbin/.ci.pm
- chmod 777 /data/data/####/files/.snow/a.xml
- df /system
- chmod 777 /data/data/####/files/.snow/busybox
- chmod 777 /data/data/####/files/.snow/.uks
- chmod 777 /data/data/####/files/.snow/.catr.apk
- chmod 777 /data/data/####/files/.snow/supolicy
- chmod 777 /data/data/####/files/.snow/.zip/rsh
- app_process /system/bin com.android.commands.pm.Pm enable org.app.info.grate
- /system/bin/dexopt --dex 27 50 40 2540796 /data/data/####/files/.help/.abc.apk 1252233543 889159778 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/frame
- chcon u:object_r:system_file:s0 /system/xbin/.ci.pm
- chcon u:object_r:system_file:s0 /system/xbin/supolicy
- chmod 777 /data/data/####/files/.snow/.zip/mkdevsh
- app_process /system/bin com.android.commands.pm.Pm disable com.fly.me.ssp.be
- chown 0:0 /system/app/Treese.apk
- chmod 777 /data/data/####/files/.snow/.zip/rt8
- /system/bin/sh ./mkdevsh
- chmod 777 /data/data/####/files/.snow/.zip/
- chown 0:0 /system/app/Banner.apk
Contains functionality to send SMS messages automatically.
