Security researchers at Kaspersky have discovered what appears to be the most advanced malware to hit the Android OS yet. Called Backdoor.AndroidOS.Obad.a, the malware is said to be capable of many malicious actions that until now only malware on Windows or Mac OS X has been able to pull off.
Obad.a sets up a backdoor on the Android devices it infects, giving attackers access. It also installs further malware, infects nearby devices via Wi-Fi or Bluetooth, and can even text premium-rate numbers from infected phones, potentially generating revenue for the attackers.
“At a glance, we knew this one was special.” – Roman Unuchek, security researcher, Kaspersky Lab.
Obad.a’s code has been written with the aim of avoiding detection. The Trojan has no interface and runs in the background, showing no signs of its existence. Once installed, it gains “extended Device Administrator privileges” without appearing in the list of applications that hold such privileges. With these privileges, the Trojan can disable the device’s screen for up to 10 seconds, during which it performs its malicious actions.
Armed & Dangerous
According to Kaspersky, Obad.a can perform the following functions:
- Send text messages. Parameters contain number and text. Replies are deleted.
- Receive account balance via USSD.
- Act as proxy (send specified data to specified address, and communicate the response).
- Connect to specified address (clicker).
- Download a file from the server and install it.
- Send a list of applications installed on the smartphone to the server.
- Send information about an installed application specified by the C&C server.
- Send the user’s contact data to the server.
- Remote Shell. Executes commands in the console, as specified by the cybercriminal.
- Send a file to all detected Bluetooth devices.
Obad.a takes advantage of multiple vulnerabilities in Android to perform its actions. One such vulnerability involves the AndroidManifest.xml file – which contains information about every app installed on the system. The malware’s manifest is crafted to resist analysis and detection, yet the app still gets installed.
Malware writers typically try to make the code in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Obad.a’s in mobile malware. Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, both in its complexity and in the number of unpublished vulnerabilities it exploits.
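As an added example (not from the article or from Kaspersky), here is a small Python triage script for a decoded AndroidManifest.xml (for instance one extracted with apktool) that flags the combination described above: a Device Administrator receiver in an app with no launcher activity, plus the permissions the reported SMS, USSD and Bluetooth capabilities would need. The sample manifest is constructed for illustration and is not Obad.a’s; a manifest that defeats the XML parser is reported as a finding in its own right, since the article notes the real one is crafted to resist analysis.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions a package would need for the capabilities attributed to Obad.a.
SUSPICIOUS_PERMS = {
    "android.permission.SEND_SMS": "send SMS (premium-number texts)",
    "android.permission.RECEIVE_SMS": "read/delete SMS replies",
    "android.permission.CALL_PHONE": "dial USSD balance codes",
    "android.permission.BLUETOOTH_ADMIN": "push files to Bluetooth devices",
}

def has_launcher_activity(app):
    # An app the user can open declares an activity with a MAIN/LAUNCHER filter.
    for f in (f for act in app.iter("activity") for f in act.iter("intent-filter")):
        actions = {a.get(NS + "name") for a in f.iter("action")}
        cats = {c.get(NS + "name") for c in f.iter("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False

def requests_device_admin(app):
    # Device-admin apps expose a receiver guarded by BIND_DEVICE_ADMIN.
    return any(r.get(NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
               for r in app.iter("receiver"))

def triage_manifest(xml_text):
    """Return a list of human-readable findings for a decoded manifest."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A manifest that defeats the parser is itself worth flagging.
        return [f"manifest does not parse ({exc}); inspect manually"]
    findings = []
    app = root.find("application")
    if app is not None and requests_device_admin(app) and not has_launcher_activity(app):
        findings.append("device-admin receiver but no launcher activity (runs with no UI)")
    granted = {p.get(NS + "name") for p in root.iter("uses-permission")}
    findings += [f"{p}: {why}" for p, why in SUSPICIOUS_PERMS.items() if p in granted]
    return findings

# Constructed sample manifest (not Obad.a's real manifest) showing the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST):
        print("-", line)
```

The heuristic only says an app deserves a closer look; legitimate device-management apps also hold BIND_DEVICE_ADMIN, but they normally have a visible launcher activity.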
The source of the malware has not been identified as of now. It hasn’t spread widely yet, with most infections occurring on devices located in Russia. It has not been detected in any app on the Play Store, so it appears to be infecting devices that install apps from ‘other sources’. Google has been informed of Obad.a, so the chances of the malware showing up on the Play Store are reduced.
With malware on Android growing increasingly complex and rivalling the capabilities of Windows malware, this is a new area of concern for Google. The threat is only going to grow in the coming years.
Android malware has been rising exponentially in recent times, both in quality and in quantity. According to Kaspersky, more than 30% of all Android malware was detected in the first quarter of 2013 alone. To ensure your device’s security, always be careful when installing apps from ‘other sources’. There was recently a case of a number of apps on the Play Store being malware-infected, but making sure you know exactly what you are installing and that you trust the source goes a long way toward protecting your Android device.