Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.657.origin
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(TLS/1.0) api.e####.cn:443
DNS requests:
- api.e####.cn
File system changes:
Creates the following files:
- /data/data/####/ACCS_SDK.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/cn.ecook.xml
- /data/data/####/info.xml
- /data/data/####/jg_so_upgrade_setting.xml
- /data/data/####/jg_so_upgrade_setting.xml.bak
- /data/data/####/libjiagu.so
- /data/data/####/lonLat.xml
- /data/data/####/multidex.version.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_message_state.xml
- /data/data/####/webview.db-journal
Miscellaneous:
Executes the following shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- ls /sys/class/thermal
Loads the following dynamic libraries:
- libjiagu
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Uses special library to hide executable bytecode.
Accesses camera interface.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Manages Wi-Fi connectivity.
