Android.Backdoor.114.origin

Added to the Dr.Web virus database: 2015-09-19

Virus description added:

SHA1: 0fa5de0dab4d140d2aaec74279ffbae89ab90429
de52bed8e2c5e0198f379098d4fd3ce433a8d81d

A backdoor targeting Android devices. It can be distributed inside harmless applications modified by cybercriminals, but it can also come preinstalled on tablets and smartphones sold to users. Some modifications of Android.Backdoor.114.origin spread with the help of other malware, in particular Android.Backdoor.213.origin, which attempts to replace an original application residing in the system folder with a malicious version that contains a modification of Android.Backdoor.114.origin.

Depending on the type of the compromised device and the modification of the malicious program itself, Android.Backdoor.114.origin gathers the following data and sends it to cybercriminals:

  • ("andorid_id", MyUtils.getAndroidId(ctx))—infected device's unique identifier;
  • ("bt_mac", MyUtils.getBluetoothMac())—MAC address of the Bluetooth adapter;
  • ("is_pad", "y")—type of the infected device (“y” indicates a tablet, and “n” indicates a smartphone);
  • ("seq", cf.seq), ("from", cf.from)—parameters from the configuration file;
  • ("mac", MyUtils.getMacAddress(ctx))—MAC address of the device;
  • ("imsi", pad.getIMSI())—IMSI;
  • ("version", "v20140806")—malicious application version;
  • ("android_ver", pad.getSysVersion())—OS version;
  • ("api_level", String.valueOf(MyUtils.getApiLevel()))—API level of the device;
  • ("wifi", "1")—network connection type (“1” indicates that the connection is established via Wi-Fi; otherwise, “0” is used);
  • ("apk_name", ApkUtils.getAppName(ctx))—application package name;
  • ("sim_country", pad.getCountry())—country ID;
  • ("resolution", pad.getResolution())—screen resolution;
  • ("brand", pad.getManufacturerName())—device manufacturer;
  • ("model", pad.getModelName())—model name;
  • ("sdcard_count_spare", String.valueOf(pad.getSDCardCountSpare()))—occupied SD card space;
  • ("sdcard_available_spare", String.valueOf(pad.getSDCardAvailableSpare()))—available SD card space;
  • ("system_count_spare", String.valueOf(pad.getSystemCountSpare()))—occupied internal memory space;
  • ("system_available_spare", String.valueOf(pad.getSystemAvailableSpare()))—available internal memory space;
  • ("sys_apps", MyUtils.getAppListToJson(ctx, MyUtils.getSystemAppList(ctx)))—list of applications installed in the system folder;
  • ("user_apps", MyUtils.getAppListToJson(ctx, MyUtils.getUserAppList(ctx)))—list of applications installed by the user.

When operating on Android smartphones, the Trojan gathers the following additional information:

  • ("imei", infos.getIMEI())—IMEI;
  • ("mcc", infos.getMCC())—Mobile Country Code;
  • ("mnc", infos.getMNC())—Mobile Network Code;
  • ("operator_name", infos.getNetWorkOperatorName())—mobile network operator name.

Upon a command issued by the command and control server, the Trojan can turn on the normally disabled option that allows applications to be installed from unreliable sources. Moreover, it can download, install, and remove programs without the user's knowledge.
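As an added illustration (not part of the Dr.Web description), the following Python snippet matches a captured HTTP form body against the field names listed above, using the misspelled "andorid_id" key and the "v20140806" version string as strong markers. It assumes the name-value pairs are sent as URL-encoded form parameters, which the page does not state, and the sample bodies are constructed.

```python
"""Flag HTTP form bodies whose field names match the Android.Backdoor.114.origin profile upload."""
from urllib.parse import parse_qs

# Keys the description lists for the device-profile upload. "andorid_id" is
# misspelled in the malware itself, which makes it a useful marker.
PROFILE_KEYS = {
    "andorid_id", "bt_mac", "is_pad", "seq", "from", "mac", "imsi", "version",
    "android_ver", "api_level", "wifi", "apk_name", "sim_country", "resolution",
    "brand", "model", "sdcard_count_spare", "sdcard_available_spare",
    "system_count_spare", "system_available_spare", "sys_apps", "user_apps",
}
# Extra keys the description says are sent only from smartphones.
PHONE_KEYS = {"imei", "mcc", "mnc", "operator_name"}
KNOWN_VERSION = "v20140806"


def score_body(body: str) -> dict:
    """Return matched keys, device type and a verdict for one URL-encoded POST body."""
    params = parse_qs(body, keep_blank_values=True)
    keys = set(params)
    matched = keys & (PROFILE_KEYS | PHONE_KEYS)
    strong = "andorid_id" in keys or params.get("version", [""])[0] == KNOWN_VERSION
    # Verdict requires a strong marker plus a large overlap with the field set:
    # a few generic keys alone (model, brand, wifi) are sent by legitimate apps too.
    return {
        "matched": sorted(matched),
        "is_pad": params.get("is_pad", [""])[0],
        "hit": strong and len(matched) >= 8,
    }


# Constructed sample bodies (assumed transport format; not real captures).
SAMPLE_BEACON = (
    "andorid_id=0123abcd&bt_mac=00%3A11%3A22%3A33%3A44%3A55&is_pad=n&seq=1&from=x"
    "&mac=66%3A77%3A88%3A99%3AAA%3ABB&imsi=310150000000000&version=v20140806"
    "&android_ver=4.4.2&api_level=19&wifi=1&apk_name=com.example.app"
    "&imei=000000000000000&mcc=310&mnc=150&operator_name=Carrier"
)
SAMPLE_BENIGN = "model=Pixel&brand=Google&version=2.1&wifi=1"

if __name__ == "__main__":
    for label, body in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, score_body(body))
```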

Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
