September 30, 2014

At the dawn of the home PC era, most malicious programs were designed for fun or bragging rights rather than for achieving material gain. However, virus makers gradually became more and more interested in illicit income to the point that, today, malicious programs designed for any other purpose are hard to come by. Thus, Doctor Web's security researchers were stunned to get their hands on such a rare and unusual program, one that—on top of everything else—targets Android smart phones and tablets rather than Windows PCs. Despite its academic value, the new malicious program poses a severe threat because it removes all available data from memory cards and blocks the windows of popular messenger programs, preventing users from reading inbound short messages and normal communications.

The new Android Trojan, registered in the Dr.Web virus database under the name Android.Elite.1.origin, belongs to a rare class of malicious programs, namely, vandal programs. Virus makers usually craft such applications not for profit but rather to demonstrate their programming skills, express their opinion about certain events, or for fun or mischief. Programs of this kind often display various messages, corrupt files and interfere with a compromised system’s normal operation. That's exactly what the new Android Trojan, which is disguised as popular applications, does.

Once Android.Elite.1.origin has been launched, it attempts to force the user into granting it access to the mobile device’s administrative features which are supposedly required to complete the application’s installation properly. If successful, the program immediately commences formatting the available SD card by wiping all the data stored on it. After that, the malware waits for popular messengers to be launched.

Whenever the user attempts to start an official Facebook client, WhatsApp Messenger, Hangouts or the standard SMS application, Android.Elite.1.origin will block their active window by displaying the message OBEY or Be HACKED. The malware blocks only these programs and doesn't interfere with the operation of other applications or the OS.

To further hamper the usage of mobile communication tools, the malware hides all notifications about new incoming SMS. At the same time, received messages are saved in the Inbox folder which is actually unavailable because access to the messenger is blocked.

In addition to wiping SD cards and blocking messengers, Android.Elite.1.origin sends short messages to all the contacts found in the device's address book in five-second intervals. The message text is as follows:

HEY!!! [contact_name] Elite has hacked you. Obey or be hacked.

A similar text is sent as a reply to all incoming SMS from valid mobile phone numbers:

Elite has hacked you.Obey or be hacked.

So the mobile account associated with the compromised device can be depleted in minutes or even seconds.

Doctor Web's security experts strongly advise users against downloading applications from dubious sources. Granting administrative privileges to such programs is also a bad idea because it can result in the corruption of data or other unpleasant consequences. An entry for detecting Android.Elite.1.origin has been added to the virus database, so devices running Dr.Web for Android and Dr.Web for Android Light are well protected from this malware.

Protect your Android handheld with Dr.Web now