Upon installation, the malicious repackaged application exploits the user's device and elevates its privileges to root.
The malicious application bundles four files alongside the legitimate application; they can be found in the assets folder of the APK package. The file names are:
The malicious application then renames the .png extension to .sh and executes the exploit as a shell script.
When the device is successfully rooted, it runs the "install.sh" script, which sets the appropriate file permissions [chmod 4775] on the system partition and then copies the shell from the bin folder "/system/bin/sh" to "/system/xbin/appmaster", a folder created by the malicious application, so that the shell can be accessed whenever it wishes. The system partition is then remounted.
The exploit works only when the device has an SD card mounted. If not, it simply refuses to run.
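Because the bundled files carry a .png extension but are run as shell scripts, a static triage check can compare each `assets/*.png` entry against the PNG file signature. The following is an added example, not code from the original analysis; the asset names in the sample APK are constructed placeholders, and the ELF check goes beyond the shell-script case described above.

```python
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte signature every valid PNG starts with

def classify(head: bytes) -> str:
    """Guess the real type of an asset from its first bytes."""
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(b"\x7fELF"):
        return "elf"      # native binary (generalization beyond the page)
    if head.startswith(b"#!"):
        return "script"   # shebang line, e.g. a shell script
    return "unknown"

def find_disguised_assets(apk) -> list:
    """Return (name, real_type) for assets/*.png entries that are not PNG images."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("assets/") and name.lower().endswith(".png")):
                continue
            with zf.open(info) as fh:
                kind = classify(fh.read(8))
            if kind != "png":
                findings.append((name, kind))
    return findings

def build_sample_apk() -> io.BytesIO:
    """Constructed sample archive: one genuine PNG header, two disguised payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/logo.png", PNG_MAGIC + b"\x00" * 16)
        zf.writestr("assets/sample_a.png", b"#!/system/bin/sh\necho constructed\n")
        zf.writestr("assets/sample_b.png", b"\x7fELF" + b"\x00" * 12)
        zf.writestr("res/drawable/icon.png", PNG_MAGIC)  # outside assets/, ignored
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, kind in find_disguised_assets(build_sample_apk()):
        print(f"{name}: .png extension but content looks like {kind}")
```

`find_disguised_assets` also accepts a filesystem path to an APK, since `zipfile.ZipFile` takes either a path or a file-like object.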