Android

How and how to reverse the Chinese virus?

The story is as follows: I ordered my sister a phone from China cubot echo, it came, it works fine, but after some time of using doctor web, it finds a virus in the file /system/app/CallerIdSearch/CallerIdSearch.apk. I downloaded the directory to my computer, there was this file and another one ./oat/armCallerIdSearch.odex. virustotal also shows that the virus https://virustotal.com/en/file/a6e09048369cdff4f09... https://virustotal.com/en/file/801d5d45507a2257565... The file utility showed

CallerIdSearch.odex: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (GNU/Linux), dynamically linked, stripped

strings CallerIdSearch.odex |grep http
finds

http://alog.umeng.co/app_logs
http://alog.umeng.com/app_logs
http://ciddb.iappgame.com/
http://log.umsns.com/
http://log.umsns.com/share/api/
http://www.google-analytics.com/collect
https://ssl.google-analytics.com/collect

I am not strong in Chinese, in translating the text translated by Google Translate into Russian, too, but it looks like some kind of data processing service. This address ciddb.iappgame.com is generally strange, it opens an xml file with some strange data.
Then I decided to disassemble the apk, decompiled it with jadx and got partially obfuscated sources. There were lines in the AndroidManifest.xml file

<meta-data android:name="UMENG_APPKEY" android:value="56259ea3e0f55a5c17006ab0" />
<meta-data android:name="UMENG_CHANNEL" android:value="" />
<meta-data android:name="MP_FY_APPKEY" android:value="ZW26RFW7883RDVXCGV38" />

probably api keys from those sites. The file structure is as follows https://pastebin.com/wzNVVKqX
or if you look only at directories

A light grep on the source finds the same urls, one of them is in the file /com/umeng/analytics/AnalyticsConstants.java

package com.umeng.analytics;

/* renamed from: com.umeng.analytics.a */
public class AnalyticsConstants {
    public static final String f1289a = "Android";
    public static final String f1290b = "Android";
    public static final String f1291c = "5.6.1";
    public static final String f1292d = "5.6.1.0";
    public static final String f1293e = "MobclickAgent";
    public static final String[] f1294f;
    public static final long f1295g = 86400000;
    public static final long f1296h = 3600000;
    public static final boolean f1297i = false;
    public static final int f1298j = 64;
    public static final int f1299k = 32;
    public static final int f1300l = 64;

    static {
        f1294f = new String[]{"http://alog.umeng.com/app_logs", "http://alog.umeng.co/app_logs"};
    }
}

How else can you dissect this Chinese gift? Maybe there are sandboxes that will show what the application does?
PS If there are those who want to do the reverse, welcome
to itm.d3d.info/static/core/somethinginteresting/app.zip
itm.d3d.info/static/core/somethinginteresting/sour...