Loads dropped Dex/Jar

Runs executable file dropped to the device during analysis.

Requests enabling of the accessibility settings.

Creates a large amount of network flows

This may indicate a network scan to discover remotely running services.

Looks up external IP address via web service

Uses a legitimate IP lookup service to find the infected system's external IP.

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).