Security researchers analyzed a sample of the malware and found that it contained two modules: one for distributing itself (XXshenqi.apk) and another for carrying out the malicious activity (Trogoogle.apk).
The malware spreads via short text messages carrying a link to the malicious download, which are sent to the victim’s entire contact list, Vigi Zhang of Kaspersky stated.
Once the malware is executed on the device, it is detected as Trojan.AndroidOS.Xshqi.a by Kaspersky products. If it runs successfully, it drops a backdoor that gathers the user’s private ID and name and transmits them to a command and control server.
It conceals its icon after installation so the user is not aware of its presence. It then responds to commands in order to carry out the malicious activity. The commands include:
- “readmessage”
- “sendmessage”
- “test”
- “makemessage”
- “sendlink”
The malware can execute a range of commands when instructed by the command and control server, including reading and sending messages. Zhang noted that the malware can also forward the intercepted text messages to its operator, either by email or via the short message service.
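The self-propagation behaviour described above (one device sending the same download link to many contacts in a short burst) is a pattern a defender can look for in outbound-SMS records. The following is an added detection example, not code from the article or from Kaspersky; the log format, the domain and the phone numbers are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+")

# Constructed sample log of one device's outbound SMS, as
# "timestamp<TAB>recipient<TAB>body" (a hypothetical format, not a real Android log)
SAMPLE_LOG = """
2014-08-04T10:00:01\t+86-138-0000-0001\tCheck this out: http://example.invalid/dl/app.apk
2014-08-04T10:00:02\t+86-138-0000-0002\tCheck this out: http://example.invalid/dl/app.apk
2014-08-04T10:00:03\t+86-138-0000-0003\tCheck this out: http://example.invalid/dl/app.apk
2014-08-04T10:00:04\t+86-138-0000-0004\tCheck this out: http://example.invalid/dl/app.apk
2014-08-04T10:00:05\t+86-138-0000-0005\tCheck this out: http://example.invalid/dl/app.apk
2014-08-04T10:00:06\t+86-138-0000-0001\tCheck this out: http://example.invalid/dl/app.apk
2014-08-04T11:30:00\t+86-138-0000-0009\tMeeting notes: http://intranet.example/notes
"""

def parse_sms_log(text):
    """Parse the constructed log into (datetime, recipient, body) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, recipient, body = line.split("\t", 2)
        records.append((datetime.fromisoformat(ts), recipient, body))
    return records

def find_sms_spreading(records, min_recipients=5, window=timedelta(minutes=10)):
    """Return URLs sent to at least min_recipients distinct contacts within any
    window-long span. Counting distinct recipients avoids flagging repeated sends
    to a single contact, which is normal user behaviour."""
    by_url = defaultdict(list)
    for ts, recipient, body in records:
        for url in URL_RE.findall(body):
            by_url[url].append((ts, recipient))
    flagged = set()
    for url, hits in by_url.items():
        hits.sort()                    # sliding window over time-ordered sends
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({r for _, r in hits[start:end + 1]}) >= min_recipients:
                flagged.add(url)
                break
    return flagged

if __name__ == "__main__":
    print(find_sms_spreading(parse_sms_log(SAMPLE_LOG)))
```

The thresholds are deliberately simple; in practice they would be tuned against the device's normal messaging volume, and the recipient set compared with the contact list to confirm the "entire contacts" pattern.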