Android Malware Alert – Anatomy of the Most Sophisticated Mobile Trojan Ever Found

By on Nov 2, 2013 in Blog

Security firm Kaspersky has reported what they claim to be the most sophisticated Trojan ever found targeting a mobile platform. Google has already been informed of the details and a new fix can be swiftly expected.

Nicknamed the “Backdoor.AndroidOS.Obad.a” – this Trojan has caused some serious concern among security professionals due to its complexity. What makes this particular Trojan so interesting is the sheer amount of (previously) unknown vulnerabilities that it exploits, the multiple functions it’s capable of performing, as well as the highly advanced methods used to disguise its activities and prevent removal.

Some of the things this malware can do on your Android smartphone is download other malware programs, infect other smartphones via WiFi and BlueTooth, send SMSs to premium-rate numbers, and allow remote commands to be executed on the phone.

So far the infection rates of this malware are still relatively low, with the majority of infections taking place in Russia. This may change of course – but the most important thing to understand about this development is that we are now finally seeing a level of complex malware never before seen on mobile platforms.

Let’s go over some of the particulars of this security threat:

  1. The malware first uses a hole in the code packaging system to create an executable file that would normally be found invalid – however this Trojan manages to get the Android OS to process the request by writing deliberate errors into the AndroidManifest.xml file (thanks to an Android vulnerability). This effect makes dynamic analyses of the malware difficult to perform.
  2. Once entrenched in your smartphone, it can start downloading more malware or sending expensive text messages to foreign numbers. It will also start receiving updates from the command and control system, so that its code can be modified on the fly to thwart attempts to remove it.
  3. The malware gives itself Device Administrator privileges without appearing on the list of applications that are supposed to have these privileges (another exploited vulnerability). This makes it impossible to detect the malware using standard smartphone tools.
  4. Backdoor.AndroidOS.Obad does not have an interface and works in background mode – and cannot be deleted once it gains administrator privileges (due to another previously unknown vulnerability).
  5. The malware code itself is encrypted – sometimes in multiple stages – including all strings, classes, and call methods. This makes it very difficult to detect, analyze, and disable even once found.
  6. If it detects internet access – it will attempt to spread itself among all nearby phones.

After the first launch, the malware will also attempt to collect and transmit the following information:

  • MAC address of the Bluetooth device
  • Name of operator
  • Telephone number
  • IMEI (International Mobile Station Equipment Identity number)
  • Phone user’s account balance
  • Whether or not Device Administrator privileges have been obtained
  • Local time

You could also say that mobile has finally grown to the point where it has become a juicy enough target for the most sophisticated cybercriminals. Ergo – we can all expect this trend to continue over time, and this should be a cause for concern for all mobile users.

You can read a more detailed technical analysis of this malware from Kaspersky on the SecureList blog.

Post a Reply