February 17, 2014

Information security specialists are well aware of the danger posed by malicious programs distributed with Android firmware, but many users are not. Meanwhile, the neutralisation of such threats can be complicated and may involve the risk of voiding the warranty, damaging the data or disrupting the device’s operation. Doctor Web is reminding Android users that such malicious programs can penetrate a system not only through firmware upgrades but also through brand new devices on which the programs have been pre-installed. Many of our users have had to deal with the latter problem.

The malicious program that entered the Dr.Web virus database as Android.SmsSend.1081.origin was incorporated into Android firmware as an audio player that had an undocumented feature to forward the user's IMSI to a specified number. The program’s creators intended for this forwarding activity to result in users being subscribed to an online music service located in China. However, the feature’s operation is not controlled by verifying the device's location or by limiting the number of messages sent whenever the player is launched. For example, this bug costs Russian users about 5-7 rubles per one SMS. Thus, although meant to be useful by design, the program eventually became undesirable, which is why virus analysts have classified it as a Trojan.

It bears mentioning that Trojans in OS firmware are not particularly widespread. However, they are as dangerous as other malignant applications distributed via software catalogues. In particular, one of the recent incidents involving such a Trojan was covered in Doctor Web's January review. During that month,Android.Oldboot.1 was discovered on hundreds of thousands of mobile devices. The malicious code resided in the protected memory area and would reinfect the device each time it was turned on. It was designed to install and remove various programs. Later, the virus database was expanded to include the definition of the Trojan designed to send an SMS containing a device's IMEI to a specified number. This malware is a modified version of the standard system SMS processing package, and it is detected by Dr.Web for Android as Android.SmsSend.1067.origin.

Regardless of the payload, the main danger of such malicious programs arises from the inability to remove them by conventional methods―one must gain privileged access to the operating system’s features and system files (root access) or reflash the device with firmware that doesn't include the program. All these measures entail risks because they involve file system modification which may void the warranty, cause data losses or break the device.

To minimise the probable negative impact, owners of Android devices should avoid dubious firmware and refrain from purchasing handhelds of unknown origin. However, if you do encounter this issue, do the following:

• Check whether your firmware was provided by the device's manufacturer. To do this, contact the manufacturer's support service. If the firmware was provided by a third party, reflash the device with firmware from the device's manufacturer.
• If you have reflashed the device with third-party firmware on your own, and it contains a Trojan, switch back to the manufacturer’s firmware.
• If your device is using the manufacturer’s firmware but a Trojan is found in the system, contact the manufacturer to resolve the situation.
• If you have sufficient technical knowledge and skills, you can try to delete the malicious program by acquiring root access, but in this case you risk voiding the warranty or rendering your mobile device non-operational, so do this at your own risk.
• If the current firmware incorporates a malicious program, you can try to disable it: go into the application management menu and select "Disable" for the respective application.

Protect your Android handheld with Dr.Web now