SHA1 hashes:
- ac3dff8e8f58c9e1fc27e48f83819257d6553169—rsota.apk (“Software Update” app, com.redstone.ota.ui)
- 00712a8154c7d399ff1905cdab34a73a1bdbde9d—rsota.odex
Description
The detection name for the trojan code that is built into the Android devices firmware updating system app. This code, for example, was found in the firmware of the Elari Kidphone 4G smart watch. However, it can be present on other device models and types. The main functionality of this code is spread between separate modules that it launches during its operation.
Operating routine
The trojan components, libcore64.jar (Android.DownLoader.812.origin) and libcore.jar (Android.DownLoader.1049.origin), are encrypted and located inside the main app. Upon the device’s first launch, Android.DownLoader.3894 decrypts and launches them. It also controls their integrity: if one of the modules will be missing when the device is powered on again, the trojan will decrypt and activate it again.
The Android.DownLoader.3894 sets the following broadcast receivers to launch the modules automatically:
- android.intent.action.BOOT_COMPLETED—device power on
- android.net.conn.CONNECTIVITY_CHANGE—network connection change
- More details on Android.DownLoader.812.origin
- More details on Android.DownLoader.1049.origin
- News about the trojan