Dangerous Trojan hides in the official firmware for Android

Typically, cybercriminals use a fairly trivial procedure to infect Android mobile devices: they trick their victims into installing malicious applications themselves. However, this is not the only method that virus writers have at their disposal. Doctor Web security researchers continue to record new cases of Android Trojans preinstalled on devices as system applications, performing malicious activity without the user's knowledge. Recently, Doctor Web specialists registered another incident of this type, caused by Android.Backdoor.114.origin.

Android.Backdoor.114.origin has been known to Doctor Web analysts for a long time; the Trojan first appeared over a year ago. It still poses a serious threat to Android users, mainly because it is sometimes embedded directly in the firmware of the mobile device, which makes removing it almost impossible with the usual tools. To get rid of the malicious program, the user must obtain root privileges, which can be difficult (or even risky). The other option is to reinstall the operating system, but this can lead to permanent loss of any data that has not been saved in backups.

In September, Doctor Web security researchers observed a new infection caused by Android.Backdoor.114.origin. Owners of the Oysters T104 HVi 3G have fallen victim to this backdoor: the malware was hiding in the pre-installed GoogleQuickSearchBox.apk application. Although the manufacturer has been notified of the problem, the official firmware image available for download has not been changed to date and still contains the backdoor.

Android.Backdoor.114.origin collects information about the infected device and sends it to the command and control server. Depending on the modification, it can send the following data to the cybercriminals:

  • The unique ID of the infected device
  • The MAC address of the Bluetooth card
  • Type of infected device (smartphone or tablet)
  • Parameters from the configuration file
  • MAC address
  • IMSI
  • The version of the malicious application
  • The version of the operating system
  • The device's API version
  • The type of network connection
  • The name of the application package
  • Country ID
  • Screen resolution
  • The name of the device manufacturer
  • The name of the model
  • Amount of used space on the SD card
  • The amount of free space on the SD card
  • The amount of used space in the internal memory
  • The amount of free space in the internal memory
  • A list of applications installed in the system folder
  • A list of applications installed by the user

However, the main purpose of Android.Backdoor.114.origin is to covertly download, install and remove applications on command from the command and control server. Furthermore, the Trojan can turn on the option to install applications from unknown sources even when it has been disabled. This way, even if the user follows the recommended security rules, the backdoor can change the settings in order to install adware as well as unwanted and unsafe applications.

Doctor Web security researchers recommend that Android users periodically scan their devices for known malicious programs. If a Trojan or other malicious program is detected in the firmware, it is recommended to contact the device manufacturer for a fixed operating system image, because in most cases such malware cannot be removed with built-in tools (including antivirus software).
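The two indicators the article describes can be checked from a workstation with adb: whether a system APK with the file name the backdoor hid behind is present, and whether the "install from unknown sources" setting has been switched on. The script below is an added triage helper, not code from Doctor Web, AVLab or the device manufacturer. It assumes `adb shell pm list packages -f -s` (system packages with their APK paths) and `adb shell settings get secure install_non_market_apps` (the setting key used on Android 4.2 through 7.x; later releases replaced it with a per-app permission). The package name shown next to the watched APK in the sample data is a placeholder, and the sample itself is constructed so the script runs without a device.

```shell
#!/bin/sh
# Added triage helper (not part of the article). Looks for two indicators:
#  1. a system APK whose file name is on the watch list (the article names
#     GoogleQuickSearchBox.apk as the carrier of the backdoor);
#  2. install_non_market_apps switched on (the backdoor enables it).
# With a device attached it reads live `pm` and `settings` output over adb;
# otherwise it falls back to the constructed sample data below.

# APK file names that warrant a closer look. A name match alone is not proof
# of infection (the legitimate app may use the same name); verify the file.
WATCH_APKS="GoogleQuickSearchBox.apk"

# Constructed sample of `pm list packages -f -s` output. The package name next
# to the watched APK is a placeholder, not the real package from the incident.
SAMPLE_PKGS='package:/system/app/Browser.apk=com.android.browser
package:/system/app/GoogleQuickSearchBox.apk=com.example.placeholder.search
package:/system/priv-app/Settings.apk=com.android.settings'

# Constructed sample value of install_non_market_apps ("1" = enabled).
SAMPLE_SETTING="1"

# find_watched_system_apks: reads pm output on stdin and prints
# "<apk path> <package>" for every entry whose APK file name is on WATCH_APKS.
# Old adb builds emit CRLF line endings, so CRs are stripped first.
find_watched_system_apks() {
    tr -d '\r' | while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        entry=${line#package:}
        path=${entry%%=*}
        pkg=${entry#*=}
        base=${path##*/}
        for w in $WATCH_APKS; do
            if [ "$base" = "$w" ]; then
                printf '%s %s\n' "$path" "$pkg"
            fi
        done
    done
    return 0
}

# unknown_sources_state: maps the raw setting value to a verdict.
# "null" or an empty string means the key does not exist on this release.
unknown_sources_state() {
    case "$1" in
        1) echo "ENABLED" ;;
        0) echo "disabled" ;;
        *) echo "not-present" ;;
    esac
}

# triage_report: takes the pm output and the raw setting value, prints each
# finding, and ends with "verdict: FLAGGED" or "verdict: clean".
triage_report() {
    pkgs=$1
    setting=$2
    flagged=0
    hits=$(printf '%s\n' "$pkgs" | find_watched_system_apks)
    if [ -n "$hits" ]; then
        flagged=1
        printf '%s\n' "$hits" | while IFS= read -r h; do
            echo "watched system APK present: $h"
        done
    fi
    state=$(unknown_sources_state "$(printf '%s' "$setting" | tr -d '\r')")
    echo "install_non_market_apps: $state"
    if [ "$state" = "ENABLED" ]; then
        flagged=1
    fi
    if [ "$flagged" -eq 1 ]; then
        echo "verdict: FLAGGED"
    else
        echo "verdict: clean"
    fi
    return 0
}

main() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        pkgs=$(adb shell pm list packages -f -s)
        setting=$(adb shell settings get secure install_non_market_apps)
    else
        echo "no device attached; running against the constructed sample" >&2
        pkgs=$SAMPLE_PKGS
        setting=$SAMPLE_SETTING
    fi
    triage_report "$pkgs" "$setting"
}

main "$@"
```

A "FLAGGED" verdict is a starting point, not a diagnosis: the APK name is shared with a legitimate application, so the next step is to pull the file (`adb pull` of the reported path) and scan it or compare it against the manufacturer's clean image, and, as the article advises, to ask the manufacturer for a corrected firmware rather than trying to delete a system application in place.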

source: Doctor Web
