![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/24.png\")
<\/p>\nThis malware has\u00a0all basic functionalities of the Android banker along with additional features like call forwarding, sound recording, keylogging and ransomware activities. It has the ability to launch user’s browser with URL received from the C&C server.<\/p>\n
It repeatedly opens the accessibility setting page until the user\u00a0switches\u00a0ON the ‘AccessibilityService’. The AccessibilityService allowing the Trojan to enable and abuse any required permission without user concern.<\/p>\n
<\/p>\n
Fig.1 Malicious app icon and accessibility setting page opened by malware<\/p>\n
Overlays on targeted Apps<\/b><\/strong><\/p>\n After launching one of the targeted application, the Trojan displays an overlay phishing login form of confidential information over its window where it asks the user to enter a username, password, and\u00a0other sensitive data.<\/p>\n Following are some\u00a0overlays displayed by Trojan :<\/p>\n Fig.2 Overlay on banking Apps<\/p>\n Fig.3 Overlay on Play store and zebpay<\/p>\n Commands and respective features are shown in below table<\/b><\/strong><\/p>\n The malware performs activity according to commands received from the C&C server. Following list shows the commands used by the malware-<\/p>\n <\/p>\n Technical analysis<\/b><\/strong><\/p>\n The main APK file is highly obfuscated and all strings are encrypted. It also contains the extra junk code to make it difficult for reverse engineering. The main APK contains ‘image\/files’ encrypted file. The ‘image\/files’ file is decrypted at runtime and drops\u00a0another file ‘app_files\\driqoy.jar’. Further malicious activities are performed by that file.<\/p>\n Fig.4 The main APK file code<\/p>\n Fake alert to disable <\/b><\/strong>G<\/b><\/strong>oogle <\/b><\/strong>P<\/b><\/strong>lay protect service<\/b><\/strong><\/p>\n It checks whether a user’s Google Play protection service is ON or OFF. If it is ON then it displays the fake alert to disable it with the message”The system does not work correctly, disable Google Play Protect!”<\/p>\n Fig.5 Fake alert to disable google play protect service<\/p>\n Prevent from uninstalling the malicious App<\/b><\/strong><\/p>\n If user goes\u00a0to uninstall the application from the setting then malware shows the alert with “System Error 495” message.<\/p>\n Fig.6 Fake alert code<\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0 Fig.7 The fake alert when user tries\u00a0to uninstall<\/p>\n Used Twitter for malicious purpose<\/b><\/strong><\/p>\n The malware author uses the Twitter to get C&C server address. The malware takes the encrypted server address from the specified Twitter account that starts with <zero> and ends with <\/zero>.<\/p>\n Twitter accounts used in this malware are \u201chxxps:\/\/twitter.com\/KeremTu81270252\u201d and \u201chxxps:\/\/twitter.com\/JackCorne\u201d.<\/p>\n Fig.8 Code to take server address from twitter<\/p>\n Fig.9 Tweet on the specified\u00a0account<\/p>\n It Encrypts and Decrypts the files<\/b><\/strong><\/p>\n Whenever the client receives a command “cryptokey” from the server, it encrypts all the files. All the\u00a0encrypted files are\u00a0renamed with the extension “.AnubisCrypt”. It\u00a0deletes\u00a0all the original files whereas when the client receives a command “decryptokey” from the server, it decrypts all files.<\/p>\n Fig.10 Code for files Encryption and Decryption<\/p>\n After\u00a0it\u00a0encrypts all the files it shows the ransom screen. It blocks the screen of the device by Window WebView, which shows the content received from the server. Below Fig. shows the htmllocker\u00a0code which is received from the server.<\/p>\n Fig.11 HTML locker code<\/p>\n Quick Heal detection<\/b><\/strong><\/p>\n Quick Heal successfully detects this Android Trojan as Android.Banker.L<\/b><\/strong><\/p>\n Indicator of compromise<\/b><\/strong><\/p>\n App Name: sistemguncelle<\/i><\/em> App Name: Adobe Flash Player<\/i><\/em> Targeted Apps<\/b><\/strong><\/p>\n com.csam.icici.bank.imobile<\/p>\n com.snapwork.hdfc<\/p>\n hdfcbank.hdfcquickbank<\/p>\n com.sbi.SBIFreedomPlus<\/p>\n com.axis.mobile<\/p>\n org.bom.bank<\/p>\n com.idbi.mpassbook<\/p>\n com.amazon.mShop.android.shopping<\/p>\n com.paypal.android.p2pmobile<\/p>\n com.mobikwik_new<\/p>\n com.ebay.mobile<\/p>\n zebpay.Application<\/p>\n pl.ideabank.mobilebanking<\/p>\n wos.com.zebpay<\/p>\n at.easybank.mbanking<\/p>\n at.bawag.mbanking<\/p>\n com.idbibank.abhay_card<\/p>\n src.com.idbi<\/p>\n com.citibank.mobile.au<\/p>\n com.citibank.mobile.uk<\/p>\n ru.sberbank.mobileoffice<\/p>\n com.grppl.android.shell.BOS<\/p>\n ru.sberbank.spasibo<\/p>\n com.bitcoin.ss.zebpayindia<\/p>\n com.comarch.security.mobilebanking<\/p>\n pl.pkobp.ipkobiznes<\/p>\n com.coins.ful.bit<\/p>\n com.bbva.bbvacontigo<\/p>\n com.quickmobile.anzirevents15<\/p>\n com.bankinter.launcher<\/p>\n com.scotiabank.mobile<\/p>\n pl.ing.mojeing<\/p>\n com.portfolio.coinbase_tracker<\/p>\n com.oxigen.oxigenwallet<\/p>\n finansbank.enpara.sirketim<\/p>\n au.com.ingdirect.android<\/p>\n com.fusion.ATMLocator<\/p>\n de.comdirect.android<\/p>\n de.fiducia.smartphone.android.banking.vr<\/p>\n com.usbank.mobilebanking<\/p>\n com.phyder.engage<\/p>\n pl.allegro<\/p>\n com.isis_papyrus.raiffeisen_pay_eyewdg<\/p>\n com.vakifbank.mobile<\/p>\n com.empik.empikapp<\/p>\n com.crypter.cryptocyrrency<\/p>\n es.bancosantander.apps<\/p>\n com.localbitcoins.exchange<\/p>\n com.garanti.cepbank<\/p>\n com.commbank.netbank<\/p>\n com.cibc.android.mobi<\/p>\n ccom.tmob.denizbank<\/p>\n tr.com.sekerbilisim.mbank<\/p>\n com.barclays.android.barclaysmobilebanking<\/p>\n com.thunkable.android.santoshmehta364.UNOCOIN_LIVE<\/p>\n com.rbs.mobile.investisir<\/p>\n info.blockchain.merchant<\/p>\n com.coins.bit.local<\/p>\n pl.millennium.corpApp<\/p>\n com.yinzcam.facilities.verizon<\/p>\n org.banksa.bank<\/p>\n it.volksbank.android<\/p>\n com.ziraat.ziraatmobil<\/p>\n pl.bph<\/p>\n me.doubledutch.hvdnz.cbnationalconference2016<\/p>\n wit.android.bcpBankingApp.millenniumPL<\/p>\n com.imb.banking2<\/p>\n com.unionbank.ecommerce.mobile.commercial.legacy<\/p>\n eu.eleader.mobilebanking.pekao<\/p>\n com.dbs.hk.dbsmbanking<\/p>\n ru.alfabank.oavdo.amc<\/p>\n nz.co.bnz.droidbanking<\/p>\n com.kutxabank.android<\/p>\n com.clairmail.fth<\/p>\n may.maybank.android<\/p>\n jp.co.aeonbank.android.passbook<\/p>\n eu.inmite.prj.kb.mobilbank<\/p>\n cz.sberbankcz<\/p>\n fr.banquepopulaire.cyberplus<\/p>\n pl.mbank<\/p>\n com.idamob.tinkoff.android<\/p>\n pl.fmbank.smart<\/p>\n com.scb.breezebanking.hk<\/p>\n pl.ceneo<\/p>\n pl.bzwbk.ibiznes24<\/p>\n eu.newfrontier.iBanking.mobile.Halk.Retail<\/p>\n com.bankofamerica.cashpromobile<\/p>\n com.magiclick.odeabank<\/p>\n com.akbank.android.apps.akbank_direkt_tablet_20<\/p>\n hr.asseco.android.jimba.mUCI.ro<\/p>\n at.psa.app.bawag<\/p>\n com.starfinanz.smob.android.sfinanzstatus<\/p>\n com.cleverlance.csas.servis24<\/p>\n com.DijitalSahne.EnYakinHalkbank<\/p>\n com.bawagpsk.securityapp<\/p>\n in.co.bankofbaroda.mpassbook<\/p>\n com.ifs.banking.fiid4202<\/p>\n com.usaa.mobile.android.usaa<\/p>\n au.com.mebank.banking<\/p>\n nz.co.anz.android.mobilebanking<\/p>\n com.citi.citimobile<\/p>\n fr.lcl.android.customerarea<\/p>\n com.rbs.mobile.android.natwest<\/p>\n ru.sberbank.sberbankir<\/p>\n com.akbank.android.apps.akbank_direkt_tablet<\/p>\n hk.com.hsbc.hsbchkmobilebanking<\/p>\n com.pozitron.vakifbank<\/p>\n it.secservizi.mobile.atime.bpaa<\/p>\n ru.alfabank.mobile.android<\/p>\n de.schildbach.wallet<\/p>\n jp.co.rakuten_bank.rakutenbank<\/p>\n com.htsu.hsbcpersonalbanking<\/p>\n pl.orange.mojeorange<\/p>\n com.garanti.cepsubesi<\/p>\n com.anz.android<\/p>\n com.bmo.mobile<\/p>\n com.matriksmobile.android.ziraatTrader<\/p>\n com.magiclick.FinansPOS<\/p>\n sk.sporoapps.accounts<\/p>\n ru.bm.mbm<\/p>\n pl.bzwbk.bzwbk24<\/p>\n com.tmob.tabletdeniz<\/p>\n pl.bzwbk.mobile.tab.bzwbk24<\/p>\n com.grppl.android.shell.CMBlloydsTSB73<\/p>\n com.matriksdata.finansyatirim<\/p>\n at.spardat.netbanking<\/p>\n ru.alfabank.sense<\/p>\n com.ing.diba.mbbr2<\/p>\n com.blockfolio.blockfolio<\/p>\n at.easybank.securityapp<\/p>\n com.getingroup.mobilebanking<\/p>\n com.ideomobile.hapoalim<\/p>\n com.moneybookers.skrillpayments.neteller<\/p>\n com.bbva.netcash<\/p>\n com.coin.profit<\/p>\n com.db.mm.deutschebank<\/p>\n jp.co.netbk<\/p>\n com.mtel.androidbea<\/p>\n com.caisseepargne.android.mobilebanking<\/p>\n fr.axa.monaxa<\/p>\n fr.laposte.lapostetablet<\/p>\n com.bankaustria.android.olb<\/p>\n com.cba.android.netbank<\/p>\n com.binance.odapplications<\/p>\n com.anzspot.mobile<\/p>\n org.westpac.banknz.co.westpac<\/p>\n com.cm_prod.epasal<\/p>\n jp.mufg.bk.applisp.app<\/p>\n com.akbank.android.apps.akbank_direkt<\/p>\n com.empik.empikfoto<\/p>\n sk.sporoapps.skener<\/p>\n com.rbc.mobile.android<\/p>\n com.tecnocom.cajalaboral<\/p>\n ru.vtb24.mobilebanking.android<\/p>\n au.com.bankwest.mobile<\/p>\n nz.co.kiwibank.mobile<\/p>\n cz.airbank.android<\/p>\n com.grppl.android.shell.halifax<\/p>\n com.fragment.akbank<\/p>\n jp.co.smbc.direct<\/p>\n com.pozitron.albarakaturk<\/p>\n com.barclays.ke.mobile.android.ui<\/p>\n ro.btrl.mobile<\/p>\n com.kuveytturk.mobil<\/p>\n com.edsoftapps.mycoinsvalue<\/p>\n ru.sberbankmobile<\/p>\n com.moneybookers.skrillpayments<\/p>\n com.bssys.VTBClient<\/p>\n com.rbs.mobile.android.natwestoffshore<\/p>\n pl.com.rossmann.centauros<\/p>\n au.com.suncorp.SuncorpBank<\/p>\n com.cm_prod.bad<\/p>\n fr.creditagricole.androidapp<\/p>\n com.jackpf.blockchainsearch<\/p>\n com.ykb.android<\/p>\n com.finanteq.finance.ca<\/p>\n com.rbs.mobile.android.rbs<\/p>\n de.postbank.finanzassistent<\/p>\n com.binance.dev<\/p>\n eu.eleader.mobilebanking.raiffeisen<\/p>\n pl.pkobp.iko<\/p>\n com.btcturk<\/p>\n com.rbs.mobile.android.rbsbandc<\/p>\n com.pozitron.iscep<\/p>\n com.localbitcoinsmbapp<\/p>\n com.ing.mobile<\/p>\n com.ziraat.ziraattablet<\/p>\n com.bankia.wallet<\/p>\n com.anz.SingaporeDigitalBanking<\/p>\n com.crowdcompass.appSQ0QACAcYJ<\/p>\n de.fiducia.smartphone.android.securego.vr<\/p>\n pl.bps.bankowoscmobilna<\/p>\n com.anz.android.gomoney<\/p>\n at.easybank.tablet<\/p>\n pl.bosbank.mobile<\/p>\n com.ykb.android.mobilonay<\/p>\n mobi.societegenerale.mobile.lappli<\/p>\n nz.co.westpac<\/p>\n es.cm.android.tablet<\/p>\n com.boursorama.android.clients<\/p>\n finansbank.enpara<\/p>\n com.wf.wellsfargomobile.tablet<\/p>\n com.teb<\/p>\n com.garantibank.cepsubesiro<\/p>\n com.unocoin.unocoinwallet<\/p>\n com.arubanetworks.atmanz<\/p>\n at.volksbank.volksbankmobile<\/p>\n com.starfinanz.mobile.android.pushtan<\/p>\n com.rsi<\/p>\n com.konylabs.capitalone<\/p>\n com.amazon.windowshop<\/p>\n de.commerzbanking.mobil<\/p>\n es.lacaixa.mobile.android.newwapicon<\/p>\n com.unionbank.ecommerce.mobile.android<\/p>\n com.aff.otpdirekt<\/p>\n ru.tcsbank.c2c<\/p>\n com.orangefinanse<\/p>\n uk.co.bankofscotland.businessbank<\/p>\n org.stgeorge.bank<\/p>\n com.finansbank.mobile.cepsube<\/p>\n piuk.blockchain.android<\/p>\n fr.laposte.lapostemobile<\/p>\n ru.mw<\/p>\n com.infrasofttech.indianBank<\/p>\n de.dkb.portalapp<\/p>\n com.matriksdata.ziraatyatirim.pad<\/p>\n io.getdelta.android<\/p>\n mobile.santander.de<\/p>\n com.bbva.bbvawallet<\/p>\n com.cm_prod.nosactus<\/p>\n alior.bankingapp.android<\/p>\n com.fi6122.godough<\/p>\n com.wellsFargo.ceomobile<\/p>\n com.ykb.androidtablet<\/p>\n com.vakifbank.mobilel<\/p>\n com.entersekt.authapp.sparkasse<\/p>\n com.rbs.mobile.android.natwestbandc<\/p>\n com.td<\/p>\n com.kryptokit.jaxx<\/p>\n com.bankofqueensland.boq<\/p>\n tr.com.tradesoft.tradingsystem.gtpmobile.halk<\/p>\n com.mobillium.papara<\/p>\n com.vipera.ts.starter.QNB<\/p>\n com.orangefinansek<\/p>\n com.monitise.isbankmoscow<\/p>\n au.com.newcastlepermanent<\/p>\n com.tmobtech.halkbank<\/p>\n com.snapwork.IDBI<\/p>\n cz.csob.smartbanking<\/p>\n com.coinbase.android<\/p>\n es.cm.android<\/p>\n org.westpac.bank<\/p>\n com.MobileTreeApp<\/p>\n au.com.nab.mobile<\/p>\n au.com.cua.mb<\/p>\n com.yurtdisi.iscep<\/p>\n es.bancopopular.nbmpopular<\/p>\n com.rbs.mobile.android.ubr<\/p>\n com.garantiyatirim.fx<\/p>\n com.vtb.mobilebank<\/p>\n com.bendigobank.mobile<\/p>\n com.softtech.isbankasi<\/p>\n com.thunkable.android.manirana54.LocalBitCoins<\/p>\n de.consorsbank<\/p>\n pl.aliorbank.aib<\/p>\n com.palatine.android.mobilebanking.prod<\/p>\n es.evobanco.bancamovil<\/p>\n ru.tinkoff.sme<\/p>\n com.comarch.mobile.banking.bgzbnpparibas.biznes<\/p>\n com.de.dkb.portalapp<\/p>\n com.advantage.RaiffeisenBank<\/p>\n com.tmob.denizbank<\/p>\n com.thunkable.android.manirana54.LocalBitCoins_unblock<\/p>\n com.FubonMobileClient<\/p>\n eu.eleader.mobilebanking.pekao.firm<\/p>\n com.mal.saul.coinmarketcap<\/p>\n ru.tinkoff.goabroad<\/p>\n ru.alfadirect.app<\/p>\n com.SifrebazCep<\/p>\n com.sovereign.santander<\/p>\n com.infonow.bofa<\/p>\n com.softtech.iscek<\/p>\n uk.co.santander.businessUK.bb<\/p>\n eu.eleader.mobilebanking.invest<\/p>\n net.bnpparibas.mescomptes<\/p>\n com.akbank.softotp<\/p>\n com.redrockdigimark<\/p>\n com.unocoin.unocoinmerchantPoS<\/p>\n com.hangseng.rbmobile<\/p>\n MyING.be<\/p>\n com.cm_prod_tablet.bad<\/p>\n com.bssys.vtb.mobileclient<\/p>\n ru.tinkoff.mgp<\/p>\n com.ykb.avm<\/p>\n pl.ipko.mobile<\/p>\n jp.co.sevenbank.AppPassbook<\/p>\n com.jamalabbasii1998.localbitcoin<\/p>\n at.spardat.bcrmobile<\/p>\n com.veripark.ykbaz<\/p>\n uk.co.santander.santanderUK<\/p>\n com.wf.wellsfargomobile<\/p>\n ru.sberbank_sbbol<\/p>\n com.starfinanz.smob.android.sfinanzstatus.tablet<\/p>\n com.chase.sig.android<\/p>\n nz.co.asb.asbmobile<\/p>\n biz.mobinex.android.apps.cep_sifrematik<\/p>\n com.tnx.apps.coinportfolio<\/p>\n com.santander.app<\/p>\n by.st.alfa<\/p>\n com.starfinanz.smob.android.sbanking<\/p>\n com.suntrust.mobilebanking<\/p>\n Conclusion<\/b><\/strong><\/p>\n For Android version 7 and 8, previously used overlay techniques were rendered inaccessible, but malware authors find a new way to use overlays in their banking malware. The implementation of the overlay attack abuses the Usage Access permission in order to run on all versions\u00a0of the Android operating system including the latest Android 7 and 8.<\/p>\n Tips to stay safe from Android Trojans<\/b><\/strong><\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" This malware has\u00a0all basic functionalities of the Android banker along with additional features like call forwarding, sound recording, keylogging and ransomware activities. It has the ability to launch user’s browser with URL received from the C&C server. It repeatedly opens the accessibility setting page until the user\u00a0switches\u00a0ON the ‘AccessibilityService’. The AccessibilityService allowing the Trojan to […]<\/p>\n","protected":false},"author":52,"featured_media":86716,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1611,910],"tags":[380,972,1139,207],"class_list":["post-86679","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-banking-trojan","category-ransomware","tag-android-malware","tag-android-ransomware","tag-banking-trojan","tag-keylogger"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86679"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/52"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86679"}],"version-history":[{"count":7,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86679\/revisions"}],"predecessor-version":[{"id":86715,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86679\/revisions\/86715"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86716"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/25.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/26.png\")
<\/p>\n\n\n
\n Commands<\/b><\/strong><\/td>\n Meaning<\/b><\/strong><\/td>\n<\/tr>\n \n Send_GO_SMS<\/td>\n Send SMS\u00a0from the infected device<\/td>\n<\/tr>\n \n nymBePsG0<\/td>\n Upload all numbers from the phone book to C&C server<\/td>\n<\/tr>\n \n GetSWSGO<\/td>\n Upload all\u00a0SMS to C&C server<\/td>\n<\/tr>\n \n telbookgotext<\/td>\n Send the SMS to all numbers saved in the infected\u00a0device<\/td>\n<\/tr>\n \n getapps<\/td>\n Upload the list of all installed applications<\/td>\n<\/tr>\n \n ALERT<\/td>\n Show alert whose contents are specified in the command<\/td>\n<\/tr>\n \n PUSH<\/td>\n show notification whose contents are specified in the command<\/td>\n<\/tr>\n \n startAutoPush<\/td>\n Show notification whose contents are set in the Trojan’s code<\/td>\n<\/tr>\n \n ussd<\/td>\n Calls a USSD number from the infected device<\/td>\n<\/tr>\n \n sockshost<\/td>\n Start Server Socket<\/td>\n<\/tr>\n \n stopsocks5<\/td>\n Stop Server Socket<\/td>\n<\/tr>\n \n recordsound<\/td>\n Start record sound<\/td>\n<\/tr>\n \n replaceurl<\/td>\n Replace URL Panel<\/td>\n<\/tr>\n \n startapplication<\/td>\n Start application specified in the commands<\/td>\n<\/tr>\n \n killBot<\/td>\n Clear the C&C server address<\/td>\n<\/tr>\n \n getkeylogger<\/td>\n Upload keystrokes logs on the server<\/td>\n<\/tr>\n \n startrat<\/td>\n Start Remote Administration Tool<\/td>\n<\/tr>\n \n startforward<\/td>\n Start call forwarding to the number specified in the commands<\/td>\n<\/tr>\n \n stopforward<\/td>\n Stop call forwarding<\/td>\n<\/tr>\n \n openbrowser<\/td>\n Open URL in the browser<\/td>\n<\/tr>\n \n openactivity<\/td>\n Open URL in WebView<\/td>\n<\/tr>\n \n cryptokey<\/td>\n Encrypts all files<\/td>\n<\/tr>\n \n decryptokey<\/td>\n Decrypts all files<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n ![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/14.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/27.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/17.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/28.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/20.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/21-650x339.jpg\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/22.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/08\/23.jpg\")
<\/p>\n
\nPackage name: com.qvgstiwjsndr.jktqnsyc<\/i><\/em>
\nMD5: b0ff12e875d1c32bd05dde6bb34e9805
\nSize: 344\u00a0KB<\/i><\/em><\/p>\n
\nPackage name: com.fzuhnorsz.xgvmhdztawmg<\/i><\/em>
\nMD5: bc53a5857b1e29bef175d64fbec0c186<\/i><\/em>
\nSize: 383\u00a0KB<\/i><\/em><\/p>\n\n