Android.Backdoor.114.origin

SHA1: 0fa5de0dab4d140d2aaec74279ffbae89ab90429
de52bed8e2c5e0198f379098d4fd3ce433a8d81d

A backdoor targeting Android devices. Not only can it be distributed via harmless applications modified by cybercriminals, but it can also be preinstalled on tablets and smartphones sold to users. Some modifications of Android.Backdoor.114.origin can spread with the help of other malware, in particular, Android.Backdoor.213.origin that attempts to replace some original application residing in the system folder with a malicious version containing a modification of Android.Backdoor.114.origin.

Depending on the type of the compromised device and the modification of the malicious program itself, Android.Backdoor.114.origin gathers and sends cybercriminals the following data:

• ("andorid_id", MyUtils.getAndroidId(ctx)))—infected device's unique identifier;
• ("bt_mac", MyUtils.getBluetoothMac()))—MAC address of the Bluetooth adapter;
• ("is_pad", "y" ))—type of the infected device (“y” indicates a tablet, and “n” indicates a smartphone);
• ("seq", cf.seq)), ("from", cf.from))—parameters from the configuration file;
• ("mac", MyUtils.getMacAddress(ctx)))—MAC address of the device;
• ("imsi", pad.getIMSI()))—IMSI;
• ("version", "v20140806"))—malicious application version;
• ("android_ver", pad.getSysVersion()))—OS version;
• ("api_level", String.valueOf(MyUtils.getApiLevel())—API version of the device;
• ("wifi", "1")—network connection type (“1” indicates that the connection is established via Wi-Fi; otherwise, “0” is used);
• ("apk_name", ApkUtils.getAppName(ctx))—application package name;
• ("sim_country", pad.getCountry())—country ID;
• ("resolution", pad.getResolution()))—screen resolution;
• ("brand", pad.getManufacturerName()))—device manufacturer;
• ("model", pad.getModelName()))—model name;
• ("sdcard_count_spare", String.valueOf(pad.getSDCardCountSpare())))—occupied SD card space;
• ("sdcard_available_spare", String.valueOf(pad.getSDCardAvailableSpare())))—available SD card space;
• ("system_count_spare", String.valueOf(pad.getSystemCountSpare())))—occupied internal memory space;
• ("system_available_spare", String.valueOf(pad.getSystemAvailableSpare())))—available internal memory space;
• ("sys_apps", MyUtils.getAppListToJson(ctx, MyUtils. getSystemAppList(ctx))))—list of applications installed in the system folder;
• ("user_apps", MyUtils.getAppListToJson(ctx, MyUtils.getUserAppList(ctx))))—list of applications installed by the user.

When operating on Android smartphones, the Trojans gathers the following additional information:

• ("imei", infos.getIMEI()))—IMEI;
• ("mcc", infos.getMCC()))—Mobile Country Code;
• ("mnc", infos.getMNC()))—Mobile Network Code;
• ("operator_name", infos.getNetWorkOperatorName()))—mobile network operator name.

Upon a command issued by the command and control server, the Trojan can activate the disabled option to install applications from unreliable sources. Moreover, it can download, install, and remove programs without user knowledge.