Dangerous Trojan hiding in official Android firmware

212eta

Usually, to infect Android mobile devices, cybercriminals use a rather trivial routine—by employing social engineering methods, they force their victims to install some malicious application by themselves.

However, this algorithm is not the only one virus makers have at their disposal—in particular, Doctor Web security researchers continue to register new cases when Android Trojans are already preinstalled on mobile devices as system applications to perform their malicious activities without user knowledge. Recently, a similar incident involving Android.Backdoor.114.origin has been registered by our specialists.

Android.Backdoor.114.origin has been known to Doctor Web analysts for quite some time—it was more than a year ago that this Trojan came into the light for the first time. Since then, the malware continues to present a great threat to Android users, mostly because it gets incorporated directly into mobile device firmware. As a result, it becomes almost impossible to remove the Trojan using ordinary tools. To be able to get rid of the malware, the user needs to acquire root privileges, which can be hard (or even dangerous) to accomplish. Another way is to reinstall the operating system. However, this may lead to permanent loss of all data whose backup copies have not been created.

In the middle of September, Doctor Web security researchers witnessed a new infection incident involving Android.Backdoor.114.origin. This time, owners of Oysters T104 HVi 3G were the ones who fell victim to malicious activities of the backdoor—on their devices, the malware hides in the preinstalled GoogleQuickSearchBox.apk application. Although the manufacturer has already been notified about this issue, to this day, the official firmware version available for download has not undergone any changes and still contains the backdoor.

Android.Backdoor.114.origin gathers and sends the command and control server information about the infected device. Depending on the modification, it can send cybercriminals the following data:

  • Infected device's unique identifier
  • MAC address of the Bluetooth adapter
  • Infected device's type (smartphone or tablet)
  • Parameters from the configuration file
  • MAC address
  • IMSI
  • Malicious application version
  • OS version
  • API version of the device
  • Network connection type
  • Application package name
  • Country ID
  • Screen resolution
  • Device manufacturer
  • Model name
  • Occupied SD card space
  • Available SD card space
  • Occupied internal memory space
  • Available internal memory space
  • List of applications installed in the system folder
  • List of applications installed by the user

However, the main purpose of Android.Backdoor.114.origin is to stealthily download, install, and remove applications upon a command from the command and control server. Moreover, the Trojan can activate the disabled option to install applications from unreliable sources. Thus, even if the user follows recommended security rules, the backdoor can modify appropriate settings to install various adware, unwanted, and dangerous applications.

Doctor Web security researchers advise Android users to perform periodic anti-virus scans of their devices for known malicious programs. If a Trojan or any other malicious program is detected in the firmware, it is recommended to contact the device manufacturer in order to get an updated operating system image, because, in most cases, it is impossible to remove such malware using built-in tools (including anti-virus software).

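As an added illustration (not part of the Doctor Web article or of this post): a small triage script that parses the output an analyst would capture over adb from a suspect device and flags the two indicators the article names, a watch-listed system APK and the "unknown sources" setting switched on. The device output below and the package name com.example.quicksearch are constructed samples; the setting key install_non_market_apps is real, but its namespace (secure or global) varies by Android version. A file-name match only tells you which APK to pull and hash against the vendor's clean image; it is not a verdict by itself.

```python
"""Offline triage of adb output: flag watch-listed system APKs and the
unknown-sources setting. Sample data is constructed, not captured."""
import re

# Constructed sample of `adb shell pm list packages -f -s` (system apps only).
# com.example.quicksearch is a placeholder package name, not a real one.
PM_LIST_SAMPLE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/GoogleQuickSearchBox.apk=com.example.quicksearch
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
"""
# Constructed sample of `adb shell settings get secure install_non_market_apps`.
UNKNOWN_SOURCES_SAMPLE = "1\n"

# APK file names named in the article as a hiding place; verify these by hash.
WATCH_APKS = {"GoogleQuickSearchBox.apk"}

# One line of `pm list packages -f`: "package:<apk path>=<package name>"
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>\S+)$")


def parse_pm_list(output):
    """Map package name -> APK path; lines that do not match are ignored."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("path")
    return result


def unknown_sources_enabled(output):
    """True when the setting reads '1', i.e. sideloading has been turned on."""
    return output.strip() == "1"


def audit(pm_output, setting_output):
    """Return the watch-listed system APKs present and the sideloading state."""
    packages = parse_pm_list(pm_output)
    hits = {pkg: path for pkg, path in packages.items()
            if path.rsplit("/", 1)[-1] in WATCH_APKS}
    return {"unknown_sources": unknown_sources_enabled(setting_output),
            "watch_hits": hits}


if __name__ == "__main__":
    findings = audit(PM_LIST_SAMPLE, UNKNOWN_SOURCES_SAMPLE)
    print("unknown sources enabled:", findings["unknown_sources"])
    for pkg, path in findings["watch_hits"].items():
        print("pull and hash:", path, "(package", pkg + ")")
```

On a real device, feed the script the two command outputs instead of the samples and compare the hash of each hit against the APK from a known-clean firmware image from the vendor.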



Story title is misleading. It's not official Android firmware at all, it's OEM edited firmware.

I guess the Dr.Web experts are not aware of it... :unsure:



Story title is misleading. It's not official Android firmware at all, it's OEM edited firmware.

All the more reason to run a Nexus and/or custom rom.
