In-depth analysis by Huorong engineers found that the spy Trojan carried by "Kuwo Music" collects users' private information and performs other malicious behaviors in the background:
1. Collects the QQ number login information on the user's host.
2. Summarizes user characteristics from the browser's browsing history and sends them back to the backend.
3. Sends commands to the user's computer through the cloud control configuration, such as downloading audio files and sending them back to the server backend.
In addition, the Trojan can perform other operations through the remote server at any time. We do not rule out the possibility that other risk modules will be delivered in the future by modifying the cloud control configuration.
At the same time, "Kuwo Music" delivers two sets of spy Trojans through cloud control: one set is delivered to the software installation directory; the other is delivered to a directory outside the software installation directory, and even after "Kuwo Music" is uninstalled, it still resides in the user's system and continues to respond to cloud control commands.
In fact, as early as 2015, the above-mentioned spy Trojan carried by "Kuwo Music" was reported as a "Potentially Unwanted Program (PUA/PUP)" by foreign security vendors (see the user feedback link below). Perhaps because this reporting category differs from the industry's definition of malware, it failed to attract the attention of other security vendors. It was not until today that Huorong engineers discovered it at a user site and analyzed it in detail, concluding that the functionality of this set of components exceeds the definition of "PUA/PUP" and meets the definition of a spy Trojan.
It is worth mentioning that Huorong engineers also found that the link to the spy Trojan's cloud control configuration is in a directory called "bigdata" (big data). It is speculated that the spy Trojan is used for so-called big data collection purposes.