The Trojan first makes a routine check for an emulator. If the check shows that the application is not running in an emulator, it starts a background timer. The timer then ceaselessly opens the dialog for activating administrative access to the device until the Trojan obtains administrator privileges. After the user clicks the “Cancel” button, a new window appears immediately. The process continues until administrative access is granted.

The malware sends device information and intercepted SMS messages to the C&C server, from which further commands from the criminals are received. The information sent to the server includes the serial number of the mobile device, the country code, the name of the mobile operator, the Android version of the device, the phone number, the serial number of the SIM card, the current version number of the Trojan and the unique identification number of the infected device. In addition to obtaining data about your contacts, SMS, calls and installed applications, the malware obtains the GPS coordinates of the device. The Trojan also sends data to the server about the presence of administrative rights; hence, the altered SMS manager becomes the “default” SMS manager of your device. Administrator rights also enable the Trojan to remotely lock the infected device.

For credit card data, the Trojan shows the victim a fake Google Play window on the infected device. However, closer examination of the window shows that the word “Play” is written in small letters. In addition, the malware supports a command to download an APK, which allows locking the screen and redirecting calls. Avast, the antivirus solutions company, identified this Android Trojan as Banker-IR. In the case of infection, users will have to reset the infected device to factory settings.