January, 2015


Bootkit malware, Premium SMS sending, phone information leakage

GroDDViewer graphs:


This malware belongs to the bootkit family. It is mostly installed during an Android OS upgrade and sets itself up at that point. After the ELF executable runs, the malware creates background services and performs malicious behaviours such as: sending and intercepting SMS, sending premium SMS, collecting phone information and uploading it to a remote server, downloading other malicious files, and updating itself. PoisonCake consists of three parts: initialization, a core framework and plugins. DM (an ELF executable) is the file that performs setup and environment initialization; it runs reactor.dex.jar in a main thread. reactor.dex.jar is the core framework, which schedules plugins, new events and commands in an endless loop. The last part handles plugin installation: PoisonCake contains 8 plugins and installs them through the main thread (reactor.dex.jar). The plugins carry out the malicious actions described above.

Other resources


Create the /data/.3q directory, push the dm executable onto the device, and run dm.




Java source code extracts: