Trojanized Android firmware found on inexpensive handhelds

It’s unfortunate, but true: we live in a world where even if we buy a brand new mobile phone, it’s no guarantee that it’s malware-free.

Researchers from Russian AV company Dr. Web have unearthed a Trojan embedded directly in the firmware of numerous Android handhelds.

Becu, as they dubbed the malware, can download, install and remove software from the handheld with the user being none the wiser. It is triggered into life either by turning on the affected device or via a specially crafted SMS.

The malware is modular in nature.

“The file Cube_CJIA01.apk is Android.Becu.1.origin’s main module. It resides in the system directory and is digitally signed by the operating system, which provides it with all the privileges it needs to perform all actions without user consent,” the researchers explained. “Also, being firmware-embedded, the program is very hard to remove by conventional methods.”

The main module downloads the rest of them, which make it possible for a remote attacker to install and deinstall additional malware or software on the device, and to intercept inbound SMS messages from specified numbers.

The researchers discovered the malicious code on a number of common inexpensive Android devices: UBTEL U8, H9001, World Phone 4, X3s, M900, Star N8000, and ALPS H9500.

“The firmware infected with Android.Becu.1.origin is either downloaded by users themselves or installed by unscrupulous smartphone and tablet suppliers participating in a criminal scheme,” they say.

The Trojan can be removed by disabling its main file (com.cube.activity) on the list of installed programs (the package ), then manually removing the other components (com.system.outapi and com.zgs.ga.pack).

“Removing the principal malware component manually on a device with an enabled root account and reflashing the handheld with malware-free firmware (the latter of which will result in the loss of all the stored information) are more radical approaches to neutralising Android.Becu.1.origin,” they noted, and advised users to do this only if they know what they are doing and have backed up all the files they would be loath to lose.
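As an added example (not from the article or from Dr. Web), here is a POSIX shell triage function that scans the output of `pm list packages -f` for the three component package names listed above and reports whether each sits on the /system partition, which is what makes the main module resistant to an ordinary uninstall. The package-manager output is a constructed sample, and the pairing of Cube_CJIA01.apk with com.cube.activity is an assumption.

```shell
#!/bin/sh
# Added example: triage `pm list packages -f` output for the Android.Becu.1.origin
# component packages named in the article and report where each APK lives.
# Constructed sample in the format `package:<apk path>=<package name>`;
# the Cube_CJIA01.apk / com.cube.activity pairing is an assumption.
SAMPLE_PM_OUTPUT='package:/system/app/Cube_CJIA01.apk=com.cube.activity
package:/data/app/com.system.outapi-1.apk=com.system.outapi
package:/data/app/com.zgs.ga.pack-1.apk=com.zgs.ga.pack
package:/system/app/Settings.apk=com.android.settings'

# Package names the article identifies as Becu components.
BECU_PACKAGES="com.cube.activity com.system.outapi com.zgs.ga.pack"

# becu_triage <pm-output>: prints one line per matching package as
#   <package name> <apk path> <system|user>
becu_triage() {
    # strip CR in case the text came from `adb shell`
    printf '%s\n' "$1" | tr -d '\r' | while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        entry=${line#package:}
        apk=${entry%=*}      # everything before the last '='
        pkg=${entry##*=}     # everything after the last '='
        for known in $BECU_PACKAGES; do
            if [ "$pkg" = "$known" ]; then
                case "$apk" in
                    /system/*) where=system ;;  # firmware-embedded: reflash to remove
                    *)         where=user ;;    # ordinary app: removable via package manager
                esac
                printf '%s %s %s\n' "$pkg" "$apk" "$where"
            fi
        done
    done
}

# becu_count <pm-output>: number of Becu components found in the output
becu_count() {
    becu_triage "$1" | wc -l | tr -d ' '
}

# Live use on a connected device: becu_triage "$(adb shell pm list packages -f)"
becu_triage "$SAMPLE_PM_OUTPUT"
```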