These malicious programs are uad.apk and uac.dex components of Android.Becu.1.origin.
The component uad.apk (com.system.outapi) is downloaded by the Trojan from the command and control server located at http://[xxxxxxx]qs.mobi/.
The uac.dex component is located in the installation directory of Android.Becu.1.origin (data/data/com.cube.activity/files/).
These modules are loaded into Android device's memory by means of the DexClassLoader method and implement the Trojan's features to perform covert actions with applications.
The uac.dex component connects to the command and control server at http://[xxxxxxx]qs.mobi/houtai_4/apkload.php?status= &vid= , where it can get commands in the json format (JavaScript Object Notation):
JSONObject v3 = new JSONObject(v2_3);
JSONArray v6 = v3.getJSONArray("install");
JSONArray v3_1 = v3.getJSONArray("uninstall");
String v7 = v3.getString("url");
String v8 = v3.getString("deletepack");
String v9 = v3.getString("pack");
String v10 = v3.getString("service");
String v11 = v3.getString("ver");
String v12 = v3.getString("vid");
int v13 = v3.getInt("delay");
int v14 = v3.getInt("reinstall");
v4 = v3.getString("city");