This malware contains a malicious library file that, when executed, turns the infected device into a zombie device. It also hides its routines in the dynamic library, which makes it hard to analyze.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This malware connects to certain URLs to listen to its commands.
It displays ads as well as pushes notifications, and terminates certain processes to prevent detection and removal.
This Trojan may be manually installed by a user.
File size: 32,432 bytes
File type: ELF
Memory resident: Yes
Initial samples received date: 23 May 2012
Payload: Compromises system security, Terminates processes
Arrival Details
This Trojan may be manually installed by a user.
Backdoor Routine
This Trojan opens the following ports:
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}d.{BLOCKED}ew.com
- {BLOCKED}d.{BLOCKED}o8.com
- {BLOCKED}d.my968.com
NOTES:
It may arrive using the following package names and be installed as the following applications:

| Package Name | Application Name After Installation |
|---|---|
| com.fantasmosoft.new | FMR Memory Cleaner |
| eu.chainfire.newsupersu | SuperSU |
| eu.chainfire.newsupersu | 签名点ME |
| com.iozhu.zyl | Move2SD Enabler |
| eu.chainfire.new | Chainfire3D |
| com.northpark.newsquats | Squats |
| net.szym.barnacle | 无线探测器 |
| com.northpark.new | Sit Ups |
| ccn.andflyt.new | 程序隐藏器 |
| com.nyzv.shotux | Screenshot UX |
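A practical way to use the package list above is to check it against the packages actually installed on a device. The following script is an added example, not part of this entry or of any vendor tool: it parses the output of `adb shell pm list packages -f` (the sample output below is constructed, not taken from a real device) and reports any installed package whose name appears in the table, together with the APK path so the file can be pulled for analysis.

```python
import re

# Package names taken from the table in this entry, mapped to the
# application name(s) they install as. eu.chainfire.newsupersu is listed
# twice on the page under two different application names.
SUSPECT_PACKAGES = {
    "com.fantasmosoft.new": "FMR Memory Cleaner",
    "eu.chainfire.newsupersu": "SuperSU / 签名点ME",
    "com.iozhu.zyl": "Move2SD Enabler",
    "eu.chainfire.new": "Chainfire3D",
    "com.northpark.newsquats": "Squats",
    "net.szym.barnacle": "无线探测器",
    "com.northpark.new": "Sit Ups",
    "ccn.andflyt.new": "程序隐藏器",
    "com.nyzv.shotux": "Screenshot UX",
}

# Constructed sample of `adb shell pm list packages -f` output (assumption:
# one "package:<apk path>=<package name>" entry per line).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Settings.apk=com.android.settings
package:/data/app/eu.chainfire.newsupersu-1.apk=eu.chainfire.newsupersu
package:/data/app/com.example.notes-2.apk=com.example.notes
package:/data/app/net.szym.barnacle-1.apk=net.szym.barnacle
"""

# Package identifiers are dotted Java-style names (letters, digits, '_' and '.').
LINE_RE = re.compile(r"^package:(?P<path>.*)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text):
    """Return {package_name: apk_path} parsed from `pm list packages -f` output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the expected shape are ignored
            found[m.group("pkg")] = m.group("path")
    return found


def find_suspect_packages(text):
    """Return a sorted list of (package, apk_path, app_name) for every
    installed package that appears in SUSPECT_PACKAGES."""
    installed = parse_pm_list(text)
    return sorted(
        (pkg, path, SUSPECT_PACKAGES[pkg])
        for pkg, path in installed.items()
        if pkg in SUSPECT_PACKAGES
    )


if __name__ == "__main__":
    hits = find_suspect_packages(SAMPLE_PM_OUTPUT)
    if not hits:
        print("no listed packages installed")
    for pkg, path, name in hits:
        print(f"{pkg} ({name}) installed at {path}")
```

On a real device, feed the script the captured output of `adb shell pm list packages -f` instead of the constructed sample; a match on the package name alone is a lead, not a verdict, so pull the APK from the reported path and confirm it carries the native library described above before acting on it.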
It connects to the following C&C servers to listen to commands:
- ad.{BLOCKED}ew.com
- ad.{BLOCKED}o8.com
- ad.{BLOCKED}8.com
As of this writing, the said servers are inaccessible.
This malware may display ads or push notifications.
It terminates the following processes:
This is done to prevent easy detection and removal from the affected device.