November 7, 2014

Doctor Web security researchers have discovered a new malicious trojan embedded directly in the firmware of numerous Android handhelds. Dubbed Android.Becu.1.origin, this malicious program can download, install and remove programs without user consent and block inbound short messages from specified numbers.

The discovered malware is comprised of several closely interacting modules. The file Cube_CJIA01.apk is Android.Becu.1.origin‘s main module. It resides in the system directory and is digitally signed by the operating system, which provides it with all the privileges it needs to perform all actions without user consent. Also, being firmware-embedded, the program is very hard to remove by conventional methods.

The malware springs into action as soon as an infected device is turned on or a new SMS is received. As soon as one of these events occurs, Android.Becu.1.origin in accordance with its configuration file downloads an encrypted package from a remote server. After decryption occurs, the acquired data is saved in the malware installation directory as the file uac.apk. Then the DexClassLoader routine is used to load the data into the device's memory. Following this, the malicious program launches its second component, uac.dex, which is also stored in the directory. These two modules bear the main payload and enable the malware to covertly download, install and delete applications when commanded to do so by a remote server.

Once the modules are activated successfully, this malicious program checks whether its third module is available in the system. This module is stored in the file com.zgs.ga.pack. If not found, the module is downloaded and installed on the device. Then it registers the smart phone or tablet on the remote server by relaying information about active copies of Android.Becu.1.origin to the intruders. Should a user delete any of its modules, the program’s main file will be used to reinstall them.

In addition to its principal tasks—the covert installation and removal of other programs—the malware can also block all inbound SMS messages from specified numbers.

As of now, Doctor Web's security researchers have discovered the malicious code on many models of common inexpensive Android handhelds. These include UBTEL U8, H9001, World Phone 4, X3s, M900, Star N8000, and ALPS H9500. The firmware infected with Android.Becu.1.origin is either downloaded by users themselves or installed by unscrupulous smartphone and tablet suppliers participating in a criminal scheme.

Because Android.Becu.1.origin is embedded in the operating system, its complete removal by standard methods is extremely difficult, so "freezing" the malware in the application management menu is the easiest and safest way to deal with it. To do this, find the trojan’s main file on the list of installed programs (the package com.cube.activity), and tap Disable. As a result, the malicious application will become inactive and will not be able to operate. After that you will need to remove the auxiliary components (the packages com.system.outapi and com.zgs.ga.pack), which may have been installed previously.

Removing the principal malware component manually on a device with an enabled root account and reflashing the handheld with malware-free firmware (the latter of which will result in the loss of all the stored information) are more radical approaches to neutralising Android.Becu.1.origin. Both procedures can potentially damage the device and, therefore, should only be performed by experienced users at their own risk, and if you do opt for either of them, make sure that you first back up all the important information.

Dr.Web Anti-virus for Android and Dr.Web for Android Light successfully detect this threat, so users are encouraged to perform a full scan of their mobile devices for Android.Becu.1.origin and its components.

Protect your Android handheld with Dr.Web now