I am sure it comes from the factory. I noticed this activity from day 1; the guy in the shop promised to bring me a new phone to test it straight out of the pack and then disappeared on me. My problem is solved by freezing that app, but I would pretty much want to know where my data is residing right now. I will open the APK archive and inspect the code carefully tonight. I also have the IP address of the master, but once you visit it, it redirects you to google.com.
So I will watch the packets of this APK on a virtual device, to see if there is a condition that would let the botnet access the server, and possibly get some of the commands, or better, gain access and see what's going on.
Regards
I don't understand: do you mean you bought a phone which was already opened in the shop? But if you bought one which was originally packed and unopened before you bought it, consider contacting the manufacturer with the modified APK's SHA and MD5 hashes to ask whether they can detect those in some of the ready-to-ship phones, in order to catch the person who is doing this inside job. And don't worry, the manufacturer itself would not do it so amateurishly and only to some phones; it would most likely be a hardware solution, not a software one.