BaseBridge comes as a series of pirated, trojanized host applications that are designed to appear legitimate to an Android user. BaseBridge-infected applications exploit the "udev" vulnerability (BID 34536) on devices running Android 2.2 and below in order to obtain root privileges on the infected device.
Once root privileges have been obtained, the infected application drops its payload, "SMSApp.apk", which is stored inside the application package at "/res/raw/anservb". Once installed, "SMSApp.apk" connects to a remote server on port 8080 in order to send device-identifying information such as the subscriber ID, manufacturer and model, and Android version.
Secondarily, BaseBridge-infected apps are configured to send a series of SMS messages to premium-rate numbers that charge the user's mobile account per message; these funds are almost always unrecoverable. BaseBridge can also delete SMS messages from the device's inbox, so as to reduce the chance that the user notices the premium SMS messages being sent, and can dial phone numbers without the user's consent.
2. Executing the payload
Unlike payload A, payload B is not installed on the phone; it is loaded dynamically while the host app or payload A is running. It relies on the dynamic loading feature of the Dalvik virtual machine, much like the Plankton spyware, but it goes one step further than Plankton: its sensitive function calls are encrypted, which means static analysis cannot uncover them and only dynamic analysis can.
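The two traits described above (an APK payload parked under res/raw with a non-APK name, and Dalvik dynamic class loading) can be triaged statically from the host package. The following is an added example, not code from the original report: it unpacks an APK with Python's zipfile module, flags res/raw entries that are themselves APKs, and checks classes.dex for class-loader references. The marker strings and the constructed sample APK are assumptions for illustration; dynamic loading is also used by legitimate apps, so it is a triage indicator, not proof of malice.

```python
import io
import zipfile

# Indicators taken from the BaseBridge description: a payload APK hidden
# under res/raw with an opaque name, and Dalvik dynamic class loading.
ZIP_MAGIC = b"PK\x03\x04"
DYNAMIC_LOADER_MARKERS = (b"Ldalvik/system/DexClassLoader;",   # assumed markers
                          b"Ldalvik/system/PathClassLoader;")

def looks_like_apk(data: bytes) -> bool:
    """True if the bytes are a zip archive carrying a manifest and dex code."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and "classes.dex" in names

def scan_apk(apk_bytes: bytes) -> dict:
    """Return {"embedded_apks": [...], "dynamic_loading": bool} for one APK."""
    findings = {"embedded_apks": [], "dynamic_loading": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # res/raw entries are opaque blobs to the platform, so a payload
            # APK stored there passes a casual look at the file list.
            if name.startswith("res/raw/") and looks_like_apk(apk.read(name)):
                findings["embedded_apks"].append(name)
        if "classes.dex" in apk.namelist():
            dex = apk.read("classes.dex")
            findings["dynamic_loading"] = any(m in dex for m in DYNAMIC_LOADER_MARKERS)
    return findings

def build_sample_apk() -> bytes:
    """Constructed fixture mimicking the described layout; not a real sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", b"dex\n035\0constructed payload dex")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex",
                   b"dex\n035\0...Ldalvik/system/DexClassLoader;...")
        z.writestr("res/raw/anservb", inner.getvalue())  # payload path from the report
        z.writestr("res/raw/music.ogg", b"OggS not an apk")  # benign raw resource
    return outer.getvalue()
```

Run `scan_apk(build_sample_apk())` to see both indicators fire on the fixture; pointing `scan_apk` at real APK bytes works the same way.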