September 30, 2014
The new Android Trojan, registered in the Dr.Web virus database under the name Android.Elite.1.origin, belongs to a rare class of malicious programs, namely, vandal programs. Virus makers usually craft such applications not for profit but rather to demonstrate their programming skills, express their opinion about certain events, or for fun or mischief. Programs of this kind often display various messages, corrupt files and interfere with a compromised system’s normal operation. That's exactly what the new Android Trojan, which is disguised as popular applications, does.
Once Android.Elite.1.origin has been launched, it attempts to pressure the user into granting it device administrator privileges, which it claims are required to complete the application's installation properly. If the user agrees, the program immediately formats the available SD card, wiping all the data stored on it. After that, the malware waits for popular messengers to be launched.
Whenever the user attempts to start the official Facebook client, WhatsApp Messenger, Hangouts or the standard SMS application, Android.Elite.1.origin blocks its active window by displaying the message "OBEY or Be HACKED". The malware blocks only these programs and doesn't interfere with the operation of other applications or the OS.
To further hamper the use of mobile communication tools, the malware hides all notifications about new incoming SMS. Received messages are still saved to the Inbox folder, but the user cannot read them because access to the messaging application is blocked.
In addition to wiping SD cards and blocking messengers, Android.Elite.1.origin sends short messages to all the contacts found in the device's address book at five-second intervals. The message text is as follows:
HEY!!! [contact_name] Elite has hacked you. Obey or be hacked.
A similar text is sent as a reply to all incoming SMS from valid mobile phone numbers:
Elite has hacked you.Obey or be hacked.
As a result, the balance of the mobile account associated with the compromised device can be drained in minutes or even seconds.
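The SMS behaviour described above (near-identical texts to every contact at a fixed cadence, plus an automatic reply to each inbound message) leaves a very recognisable trace in a message log, and that is what a defender can detect on. The script below is an added example written for this article; it is not Dr.Web's code and is not derived from the Trojan. It assumes a simple text export of the device's SMS history in the form `timestamp direction peer "body"`; the two logs embedded in it are constructed for the demonstration, and the thresholds (60-second window, five distinct recipients, 10-second reply latency, 0.75 similarity) are illustrative choices rather than values from the report.

```python
"""Flag SMS-flooding behaviour of the kind described for Android.Elite.1.origin.

Added example for this article, not Doctor Web's code. The log format, the
numbers, the timestamps and the detection thresholds are all constructed or
assumed for the demonstration; adapt parse_line() to your own SMS export.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log reproducing the described pattern: a personalised
# broadcast every five seconds plus a templated reply to every inbound text.
SAMPLE_LOG = """\
2014-09-30T10:00:00 OUT +15550000001 "HEY!!! Alice Elite has hacked you. Obey or be hacked."
2014-09-30T10:00:05 OUT +15550000002 "HEY!!! Bob Elite has hacked you. Obey or be hacked."
2014-09-30T10:00:10 OUT +15550000003 "HEY!!! Carol Elite has hacked you. Obey or be hacked."
2014-09-30T10:00:12 IN  +15550000002 "what is this??"
2014-09-30T10:00:13 OUT +15550000002 "Elite has hacked you.Obey or be hacked."
2014-09-30T10:00:15 OUT +15550000004 "HEY!!! Dave Elite has hacked you. Obey or be hacked."
2014-09-30T10:00:20 OUT +15550000005 "HEY!!! Eve Elite has hacked you. Obey or be hacked."
2014-09-30T10:00:25 OUT +15550000006 "HEY!!! Frank Elite has hacked you. Obey or be hacked."
2014-09-30T10:00:30 OUT +15550000007 "HEY!!! Grace Elite has hacked you. Obey or be hacked."
2014-09-30T10:00:35 OUT +15550000008 "HEY!!! Heidi Elite has hacked you. Obey or be hacked."
2014-09-30T10:00:40 IN  +15550000009 "lunch?"
2014-09-30T10:00:41 OUT +15550000009 "Elite has hacked you.Obey or be hacked."
"""

# Constructed benign log: ordinary conversation, should not be flagged.
BENIGN_LOG = """\
2014-09-30T09:00:00 OUT +15550000001 "running late, see you at 9:30"
2014-09-30T09:12:40 IN  +15550000001 "ok"
2014-09-30T09:40:02 OUT +15550000002 "can you send the report?"
"""

LINE_RE = re.compile(r'^(\S+)\s+(IN|OUT)\s+(\+\d+)\s+"(.*)"$')


def parse_line(line):
    """Return (timestamp, direction, peer, body) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, direction, peer, body = m.groups()
    return datetime.fromisoformat(ts), direction, peer, body


def tokens(body):
    """Lower-case word set; punctuation and spacing differences are ignored."""
    return set(re.findall(r"[a-z0-9]+", body.lower()))


def template_words(bodies):
    """Words present in a strict majority of bodies: the shared text that
    survives per-contact personalisation such as the inserted contact name."""
    counts = defaultdict(int)
    for b in bodies:
        for w in tokens(b):
            counts[w] += 1
    return {w for w, c in counts.items() if c > len(bodies) / 2}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def analyse(log_text, window_s=60, min_recipients=5, reply_within_s=10, similarity=0.75):
    """Score an SMS log for broadcast flooding and auto-reply behaviour."""
    msgs = [m for m in (parse_line(l) for l in log_text.splitlines()) if m]
    msgs.sort(key=lambda m: m[0])
    outgoing = [m for m in msgs if m[1] == "OUT"]
    template = template_words([m[3] for m in outgoing])
    # Outgoing messages whose text is essentially the shared template.
    templated = [m for m in outgoing if jaccard(tokens(m[3]), template) >= similarity]
    # Sliding window: most distinct recipients of templated text within window_s.
    max_distinct = 0
    for i, (t0, _, _, _) in enumerate(templated):
        peers = {m[2] for m in templated[i:] if m[0] - t0 <= timedelta(seconds=window_s)}
        max_distinct = max(max_distinct, len(peers))
    # Cadence: a near-constant gap (five seconds in the report) is another tell.
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(templated, templated[1:])]
    median_gap = statistics.median(gaps) if gaps else None
    # Auto-replies: templated text sent to a number shortly after it texted in.
    auto = []
    for t, direction, peer, _ in msgs:
        if direction != "IN":
            continue
        if any(m[2] == peer and timedelta(0) <= m[0] - t <= timedelta(seconds=reply_within_s)
               for m in templated):
            auto.append(peer)
    return {
        "outgoing": len(outgoing),
        "template_words": sorted(template),
        "max_distinct_recipients": max_distinct,
        "median_interval_s": median_gap,
        "auto_replies": auto,
        "flagged": max_distinct >= min_recipients,
    }


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        print(name, analyse(log))
```

The majority-vote template is what makes the check robust to the per-contact name the Trojan inserts into each message: the name appears once, the rest of the text appears in every message, so only the shared words survive into the template. On the constructed flood log the script reports nine distinct recipients inside one minute, a median gap of five seconds and two auto-replies; on the benign log nothing is flagged. On a real device the same logic can run over an exported SMS database, and a carrier-side equivalent can run over CDRs.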
Doctor Web's security experts strongly advise users against downloading applications from dubious sources. Granting administrative privileges to such programs is also a bad idea because it can result in the corruption of data or other unpleasant consequences. An entry for detecting Android.Elite.1.origin has been added to the virus database, so devices running Dr.Web for Android and Dr.Web for Android Light are well protected from this malware.