Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.343.origin
- Android.DownLoader.255.origin
Network activity:
Connecting to:
- j####.####.cn
- ope####.####.cn
- b####.com
- sh####.####.com
HTTP GET requests:
- ope####.####.cn/index/d/sid/3204933
- sh####.####.com/170512/e88785f54cc0751d82afb1389cafedfd/com.qcleaner_22....
- b####.com/
HTTP POST requests:
- j####.####.cn/app/init
- j####.####.cn/ts/list_icons
- j####.####.cn/ts/image
Modified file system:
Creates the following files:
- <Package Folder>/cache/volley/646368540-1866955315
- <Package Folder>/databases/COMZXHSBAPPYEYINGERQIP-journal
- <Package Folder>/files/yxsdk.jar
- <Package Folder>/shared_prefs/class com.util.DatabaseUtil.xml
- <Package Folder>/databases/bmuljmyb.bz-journal
- <Package Folder>/shared_prefs/INITSP.xml
- <Package Folder>/shared_prefs/ukdib.xml
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/.lib/libexecmain.so
- <Package Folder>/shared_prefs/comZXHSBappYEyingerqi.xml
- <Package Folder>/shared_prefs/keySP.xml
- <Package Folder>/databases/yingerqi.db-journal
- <Package Folder>/.lib/libexec.so
- <Package Folder>/databases/yingerqi.db
- <Package Folder>/uwvdyp.t
- <Package Folder>/databases/dxt_yx_sdk-journal
- <Package Folder>/cache/volley/6463685402036957018
- <Package Folder>/cache/volley/-16100876281558011522
- <Package Folder>/databases/downmodel.db-journal
Miscellaneous:
Executes next shell scripts:
- /data/data/####/uwvdyp -p #### -r am start --user 0 -n ####/qqnds.akorm.i.k -a zbaidu -h http://127.0.0.1:7123/report/allData -i 2108
- chmod 705 /data/data/####/files
- chmod 604 /storage/emulated/0/Android/data/<Package>
- chmod 604 /storage/emulated/0/Android/data/####
- sh <Package Folder>/uwvdyp -p <Package> -r am start --user 0 -n <Package>/qqnds.akorm.i.k -a zbaidu -h http://127.0.0.1:7123/report/allData -i 2108
- getprop ro.product.cpu.abi
- chmod 705 <Package Folder>/files
- chmod 777 /data/data/####/uwvdyp
- <dexopt>
- chmod 777 <Package Folder>/uwvdyp
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
