Technical information
Malicious functions:
Sends SMS messages:
- 15532479431: <SMS Content> 广播:<SMS Address>
- 15532479431: 激活成功
- 15532479431: 软件安装完毕 识别码:<IMEI> 型号:<System Property>; 手机:<System Property>; 系统版本:4.3.1
Executes code of the following detected threats:
- Android.SmsSpy.651.origin
Removes its shortcut from the home screen.
Intercepts incoming SMS messages and terminates the process of their transmission to handlers of other applications
Network activity:
Connecting to:
- a####.####.com
- a####.####.com:8011
- and####.####.com
HTTP POST requests:
- a####.####.com/rqd/async
- a####.####.com:8011/rqd/async
- and####.####.com/rqd/async
Modified file system:
Creates the following files:
- <Package Folder>/databases/bugly_db_legu-journal
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/local_crash_lock (deleted)
- <Package Folder>/files/native_record_lock (deleted)
- <Package Folder>/files/security_info
- <Package Folder>/mix.dex
- <Package Folder>/shared_prefs/configurations_data.xml
- <Package Folder>/tx_shell/libnfix.so
- <Package Folder>/tx_shell/libshella-2.10.4.1.so
- <Package Folder>/tx_shell/libufix.so
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- chmod 700 /data/data/com.Sgtgggxxddo.s6keesdddp/tx_shell/libnfix.so
- chmod 700 /data/data/com.Sgtgggxxddo.s6keesdddp/tx_shell/libshella-2.10.4.1.so
- chmod 700 /data/data/com.Sgtgggxxddo.s6keesdddp/tx_shell/libufix.so
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.10.4.1.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
Loads the following dynamic libraries:
- Bugly
- libnfix
- libshella-2.10.4.1
- libufix
- nfix
- ufix
Uses the following algorithms to encrypt data:
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-GCM-NoPadding
Uses administrator priveleges.
Uses special library to hide executable bytecode.
Changes volume and vibration settings
Gains access to telephone information (number, imei, etc.)
Gains access to information about active device administrators
Adds tasks to the system scheduler
Displays its own windows over windows of other applications
Parses information from SMS messages
Gains access to information about sent/received SMS messages
