28 February 2012

The Russian anti-virus vendor Doctor Web warns Internet users of a new backdoor for Android. Android.Anzhu can implement a variety of directives received from a remote server, covertly install other applications and change browser bookmarks.

Android.Anzhu is distributed from Chinese sites offering free software for Android. The backdoor is built into the legitimate program Screen Off And Lock, designed to lock the screen and turn off the mobile device with one touch without using an animated slider and the power button. If the program is downloaded from Android Market, only Screen Off And Lock components will be installed and the Configure Screen Off And Lock icon will be created to launch the application. However, if the program is obtained from a Chinese site, the backdoor will be launched. It will connect to a remote server and stand by for further instructions.

In addition to implementing various directives, Android.Anzhu is also able to covertly download and install other programs listed in the instructions file sent to the backdoor by intruders. After downloading the specified application, Android.Anzhu can change its system privileges and run it. The backdoor can also change bookmarks in several most popular browsers for Android. It doesn't simply add bookmarks from a downloaded list but also changes their attributes, marks them as visited to make the user believe that they've added them themselves. Another Android.Anzhu feature is monitoring the Android system log, particularly, for events related to the launch and opening windows for other applications. Finally, the backdoor is able to collect information on the mobile device (the list of installed applications, IMEI), and send it to criminals.

It is difficult to overestimate the malicious potential of a program that can download and install other applications on mobile devices. Of course, Android.Anzhu poses the greatest danger to rooted phones—devices on which the user has administrative privileges. The backdoor signature has been addded into the virus databases used by Dr.Web for Android Light and Dr.Web for Android Anti-virus + Anti-spam.