Intense Android Trojan on the Loose

Friday, June 7, 2013 @ 02:06 PM gHale


There is a new mobile threat that one researcher calls the most sophisticated Android Trojan he has ever seen.

Backdoor.AndroidOS.Obad.a is capable of performing various malicious tasks, including sending SMSs to premium rate numbers, downloading and installing additional malware, and remotely executing console commands, said researchers at Kaspersky Lab.


This malicious software looks more like Windows malware than a typical Android Trojan because it exploits a number of unpublished vulnerabilities and is highly complex, Kaspersky’s researchers said.

One of them is an error in DEX2JAR, a piece of software used to convert APK files into JAR files. By abusing this error the Trojan’s developers made static analysis of the Trojan highly difficult.

Furthermore, the developers leveraged a vulnerability in the Android operating system to make it difficult to perform dynamic analysis on the threat.

A different Android vulnerability was exploited to gain extended Device Administrator privileges, making it impossible to delete the malicious app from the device.

Obad.a only works in background mode – it doesn’t have any visual interface.

Once it infects a device, Obad.a immediately attempts to gain access to elevated privileges. It abuses its Device Administrator rights to block the screen for up to 10 seconds.

During these 10 seconds, if the smartphone is connected to an unsecured Wi-Fi network or has Bluetooth active, the Trojan starts sending malicious files to the devices it detects nearby.

The Trojan also runs the “su id” command to check whether it can obtain root privileges.

When first launched, Obad.a collects various pieces of information on the device – including MAC address, operator name, phone number, IMEI and account balance – and sends it back to its command and control (C&C) server.

Then, it awaits commands from the C&C. The malware can then get an order to send text messages to specific numbers and delete the replies, act as a proxy, download files, connect to a specified address, retrieve a list of apps installed on the device, collect contact data, execute commands and send files via Bluetooth.
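Two of the traits described above are useful to a defender doing device triage: the Trojan holds Device Administrator rights yet has no visual interface, and its reported behaviour (premium-rate SMS, Bluetooth file sending) requires a recognisable set of permissions. The following is an added example, not code from the article or from Kaspersky: a small scoring heuristic over an app inventory that flags device admins with no launchable activity, no trusted install source, and risky permissions. The inventory, package names and threshold are constructed for illustration; on a real device the same fields would come from an MDM agent or from commands such as `adb shell dumpsys device_policy` and `adb shell pm list packages -3`.

```python
"""Triage heuristic for hidden device-admin apps (added example, not the
article's or Kaspersky's code). All inventory data below is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class InstalledApp:
    package: str
    is_device_admin: bool          # active under Settings > Device administrators
    has_launcher_activity: bool    # False means no icon / no visible UI
    installer: Optional[str]       # "com.android.vending" = Google Play; None = sideloaded
    permissions: Set[str] = field(default_factory=set)


# Permissions that the behaviour reported for Obad.a (premium SMS, Bluetooth
# file sending, reading replies) would require. Holding them is not proof of
# anything; they only raise the score.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.BLUETOOTH",
}

TRUSTED_INSTALLERS = {"com.android.vending"}


def score_app(app: InstalledApp) -> Tuple[int, List[str]]:
    """Return (score, reasons). A higher score means the app deserves a manual look."""
    score = 0
    reasons: List[str] = []
    if app.is_device_admin and not app.has_launcher_activity:
        score += 3
        reasons.append("device admin with no launcher activity")
    if app.is_device_admin and app.installer not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append("device admin not installed from a trusted store")
    risky = app.permissions & RISKY_PERMISSIONS
    if risky:
        score += len(risky)
        reasons.append("holds " + ", ".join(sorted(risky)))
    return score, reasons


def flag_suspicious(apps: List[InstalledApp], threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Return (package, score, reasons) for every app at or above the threshold."""
    flagged = []
    for app in apps:
        score, reasons = score_app(app)
        if score >= threshold:
            flagged.append((app.package, score, reasons))
    return flagged


# Constructed inventory: a banking app with a UI, a legitimate MDM agent that
# also has no launcher icon, a sideloaded game, and a placeholder for a hidden
# sideloaded device admin with SMS and Bluetooth permissions.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", True, True, "com.android.vending",
                 {"android.permission.INTERNET"}),
    InstalledApp("com.example.mdmagent", True, False, "com.android.vending", set()),
    InstalledApp("com.example.game", False, True, None,
                 {"android.permission.SEND_SMS"}),
    InstalledApp("com.constructed.hidden", True, False, None,
                 {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.BLUETOOTH"}),
]


if __name__ == "__main__":
    for package, score, reasons in flag_suspicious(SAMPLE_INVENTORY):
        print(f"{package}: score {score}; " + "; ".join(reasons))
```

The MDM agent in the sample scores 3 for lacking a launcher icon but stays below the threshold because it came from a trusted installer and holds none of the risky permissions, which is why the check combines several weak signals instead of treating "device admin without UI" alone as malicious.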

For the time being, this threat is not very widespread. Kaspersky researchers said that of all the malware installation attempts they detected over a 3-day period, only 0.15 percent were from Obad.a.

Google is aware of the Android vulnerabilities exploited by the threat.
