The level of sophistication of malware authors keeps rising, and the Obad Android Trojan is no exception.
Difficult to analyze, and abusing a bug in the Android OS to grant itself Device Administrator privileges, the Trojan is extremely stealthy and persistent, and can steal data, send premium-rate SMS messages and download additional malware.
When they first discovered the Trojan, Kaspersky Lab researchers didn’t know how the malware was getting on the mobile devices, and were curious about why the malware was not very widespread.
But that will likely soon change: its operators have been taking advantage of four distinct distribution methods, one of which researchers had never seen before: dissemination via a mobile botnet built with a different piece of mobile malware.
This new distribution method works as follows:
1. The victim receives a text message saying “MMS message has been delivered, download from www.otkroi.xxx.”
2. By clicking on the link, the user downloads the Opfake SMS Trojan which, once run, contacts a C&C server that instructs it to send a message saying “You have a new MMS message, download at – hxxp://otkroi.xxx/” to all the contacts in the victim’s address book.
3. By clicking on that link, the recipients automatically download the Obad Trojan. Again, the user must run the file for the malware to install and start functioning.
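The two-stage chain above leaves a recognisable trace in a handset's SMS history: an inbound "MMS waiting" lure carrying a link, followed by the same link-bearing text fanned out to many contacts. The following triage script is an added example, not code from the original article or from Kaspersky Lab; the SMS log it scans is constructed inline, and on a real device the same tuples would have to be pulled from the SMS content provider.

```python
import re
from collections import defaultdict

# Constructed sample of one device's SMS log as (direction, peer, text).
# The lure texts mirror the ones quoted in the article; the numbers are fake.
SAMPLE_SMS_LOG = [
    ("in", "+70000000001", "MMS message has been delivered, download from www.otkroi.xxx"),
    ("in", "+70000000002", "Lunch tomorrow?"),
    ("out", "+70000000003", "You have a new MMS message, download at – hxxp://otkroi.xxx/"),
    ("out", "+70000000004", "You have a new MMS message, download at – hxxp://otkroi.xxx/"),
    ("out", "+70000000005", "You have a new MMS message, download at – hxxp://otkroi.xxx/"),
    ("out", "+70000000006", "You have a new MMS message, download at – hxxp://otkroi.xxx/"),
    ("out", "+70000000007", "See you at 8"),
]

# Matches http(s) links, defanged hxxp links and bare www. hosts.
URL_RE = re.compile(r"(?:https?|hxxp)://\S+|www\.\S+", re.IGNORECASE)


def is_mms_lure(text):
    """An inbound text is a lure if it claims an MMS is waiting AND carries a link."""
    return "mms" in text.lower() and bool(URL_RE.search(text))


def find_inbound_lures(log):
    """Return (sender, text) for every inbound message that looks like the lure."""
    return [(peer, text) for direction, peer, text in log
            if direction == "in" and is_mms_lure(text)]


def find_outbound_fanout(log, min_recipients=3):
    """Flag identical link-bearing outbound texts sent to many distinct peers:
    the signature of a phone relaying the lure to its whole address book.
    Returns {message_text: sorted list of recipients}."""
    recipients = defaultdict(set)
    for direction, peer, text in log:
        if direction == "out" and URL_RE.search(text):
            recipients[text].add(peer)
    return {text: sorted(peers) for text, peers in recipients.items()
            if len(peers) >= min_recipients}


def triage(log, min_recipients=3):
    """Combine both indicators into one report for an analyst."""
    return {
        "inbound_lures": find_inbound_lures(log),
        "outbound_fanout": find_outbound_fanout(log, min_recipients),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SMS_LOG))
```

The fan-out threshold is a tunable: a legitimate group text can also go to several contacts, so pair the count with the link check rather than relying on either signal alone.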
The initial messages are spreading fast, but not all lead to the Obad Trojan, leaving researchers to conclude that its creators have rented only part of the mobile botnet to spread the malware.
Instead of putting all their eggs in one basket, they have opted for three more distribution methods: traditional SMS spam, fake Google Play stores advertising popular legitimate apps but linking to the Obad Trojan, and legitimate but compromised sites, booby-trapped to redirect mobile visitors to the malicious download sites. In this last case, users who visit the site from their computers are not redirected.
“Over the past three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation. Each used an Android OS vulnerability that allows the malware to gain Device Administrator rights and made it significantly more complicated to delete,” said Kaspersky Lab expert Roman Unuchek.
Google is aware of the vulnerability and has already fixed it. Unfortunately, not all users have upgraded to the patched 4.3 version of the OS.
Currently, most of the infection attempts detected by Kaspersky Lab are in Russia, with a small number in Kazakhstan, Uzbekistan, Belarus and Ukraine. But the Trojan is spreading.