September 28, 2015

Usually, to infect Android mobile devices, cybercriminals use a rather trivial routine—by employing social engineering methods, they force their victims to install some malicious application by themselves. However, this algorithm is not the only one virus makers have at their disposal—in particular, Doctor Web security researchers continue to register new cases when Android Trojans are already preinstalled on mobile devices as system applications to perform their malicious activities without user knowledge. Recently, a similar incident involving Android.Backdoor.114.origin has been registered by our specialists.

Android.Backdoor.114.origin has been known to Doctor Web analysts for quite some time—it was more than a year ago that this Trojan came into the light for the first time. Since then, the malware continues to present a great threat to Android users, mostly because it gets incorporated directly into mobile device firmware. As a result, it becomes almost impossible to remove the Trojan using ordinary tools. To be able to get rid of the malware, the user needs to acquire root privileges, which can be hard (or even dangerous) to accomplish. Another way is to reinstall the operating system. However, this may lead to permanent loss of all data whose backup copies has not been created.

In the middle of September, Doctor Web security researchers witnessed a new infection incident involving Android.Backdoor.114.origin. This time, owners of Oysters T104 HVi 3G were the ones who fell victim to malicious activities of the backdoor—on their devices, the malware hides in the preinstalled GoogleQuickSearchBox.apk application. Although the manufacturer has been already notified about this issue, to this day, the official firmware version available for download has not undergone any changes and still contains the backdoor.

Android.Backdoor.114.origin gathers and sends the command and control server information about the infected device. Depending on the modification, it can send cybercriminals the following data:

• Infected device's unique identifier
• MAC address of the Bluetooth adapter
• Infected device's type (smartphone or tablet)
• Parameters from the configuration file
• MAC address
• IMSI
• Malicious application version
• OS version
• API version of the device
• Network connection type
• Application package name
• Country ID
• Screen resolution
• Device manufacturer
• Model name
• Occupied SD card space
• Available SD card space
• Occupied internal memory space
• Available internal memory space
• List of applications installed in the system folder
• List of applications installed by the user

However, the main purpose of Android.Backdoor.114.origin is to stealthily download, install, and remove applications upon a command from the command and control server. Moreover, the Trojan can activate the disabled option to install applications from unreliable sources. Thus, even if the user follows recommended security rules, the backdoor can modify appropriate settings to install various adware, unwanted, and dangerous applications.

Doctor Web security researchers advise Android users to perform periodic anti-virus scans of their devices for known malicious programs. If a Trojan or any other malicious program is detected in the firmware, it is recommended to contact the device manufacturer in order to get an updated operating system image, because, in most cases, it is impossible to remove such malware using built-in tools (including anti-virus software).