Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Xiny.20
Downloads the following detected threats from the Web:
- Android.Xiny.20
Network activity:
Connecting to:
- s####.####.com
- d####.####.cn
- w####.####.cn
- a####.####.cn
- w####.cn
- t####.####.cn
- pass####.####.com
HTTP GET requests:
- a####.####.cn/oauth/authenticate?oauth_token=####
- t####.####.cn/t35/appstyle/opent/images/oauth/btn_at.gif?id=####
- a####.####.cn/oauth/js/oauthSSO.js
- a####.####.cn/oauth/request_token
- d####.####.cn/jarFile/SDKAutoUpdate/hyjwan.jar
- pass####.####.com/js/visitor/mini_original.js?v=####
- t####.####.cn/t35/appstyle/opent/css/oauth/oauth.css?1330394####
- w####.####.cn/square/6874b367gw1djr5gpjyd1j.jpg
- t####.####.cn/open/site/js/oauth/vdun.js
- t####.####.cn/t35/appstyle/opent/images/oauth/logo.png
- w####.cn/dpool/ttt/h5/reg.php?wm=####
- t####.####.cn/t35/appstyle/opent/images/oauth/img_arr.png
- a####.####.cn/oauth/js/sso/ssologin.js
- w####.cn/reg/index?jp=####&wm=####
- pass####.####.com/visitor/visitor
HTTP POST requests:
- s####.####.com/cw/interface!u2.action?protocol=####&version=####&cid=####
- pass####.####.com/visitor/genvisitor
- s####.####.com/cw/cp.action?requestId=####&g=####
- a####.####.cn/oauth/access_token
Modified file system:
Creates the following files:
- <Package Folder>/shared_prefs/mobclick_agent_header_<Package>.xml
- <Package Folder>/shared_prefs/mobclick_agent_state_<Package>.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/a.xml
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/cache/webviewCacheChromium/data_2
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/downloadswc
- <Package Folder>/shared_prefs/st.xml
- <Package Folder>/databases/downloadswc-journal
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/W_Key.xml
- <Package Folder>/files/mobclick_agent_cached_<Package>
- <Package Folder>/cache/webviewCacheChromium/data_3
- <Package Folder>/cache/webviewCacheChromium/index
- <Package Folder>/cache/webviewCacheChromium/data_1
- <Package Folder>/cache/webviewCacheChromium/data_0
Miscellaneous:
Executes next shell scripts:
- logcat -d -v raw -s AndroidRuntime:E -p ####
- logcat -d -v raw -s AndroidRuntime:E -p <Package>
- <dexopt>
- logcat -c
Contains functionality to send SMS messages automatically.
