September 28, 2015
Android.Backdoor.114.origin has been known to Doctor Web analysts for quite some time—it was more than a year ago that this Trojan came into the light for the first time. Since then, the malware continues to present a great threat to Android users, mostly because it gets incorporated directly into mobile device firmware. As a result, it becomes almost impossible to remove the Trojan using ordinary tools. To be able to get rid of the malware, the user needs to acquire root privileges, which can be hard (or even dangerous) to accomplish. Another way is to reinstall the operating system. However, this may lead to permanent loss of all data whose backup copies has not been created.
In the middle of September, Doctor Web security researchers witnessed a new infection incident involving Android.Backdoor.114.origin. This time, owners of Oysters T104 HVi 3G were the ones who fell victim to malicious activities of the backdoor—on their devices, the malware hides in the preinstalled GoogleQuickSearchBox.apk application. Although the manufacturer has been already notified about this issue, to this day, the official firmware version available for download has not undergone any changes and still contains the backdoor.
Android.Backdoor.114.origin gathers and sends the command and control server information about the infected device. Depending on the modification, it can send cybercriminals the following data:
- Infected device's unique identifier
- MAC address of the Bluetooth adapter
- Infected device's type (smartphone or tablet)
- Parameters from the configuration file
- MAC address
- Malicious application version
- OS version
- API version of the device
- Network connection type
- Application package name
- Country ID
- Screen resolution
- Device manufacturer
- Model name
- Occupied SD card space
- Available SD card space
- Occupied internal memory space
- Available internal memory space
- List of applications installed in the system folder
- List of applications installed by the user
However, the main purpose of Android.Backdoor.114.origin is to stealthily download, install, and remove applications upon a command from the command and control server. Moreover, the Trojan can activate the disabled option to install applications from unreliable sources. Thus, even if the user follows recommended security rules, the backdoor can modify appropriate settings to install various adware, unwanted, and dangerous applications.
Doctor Web security researchers advise Android users to perform periodic anti-virus scans of their devices for known malicious programs. If a Trojan or any other malicious program is detected in the firmware, it is recommended to contact the device manufacturer in order to get an updated operating system image, because, in most cases, it is impossible to remove such malware using built-in tools (including anti-virus software).
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.