Kaspersky discovers ‘Obad’ ‘most sophisticated’ Android trojan
Kaspersky Labs has announced the discovery of what it is calling the “most sophisticated” Android trojan yet. Kaspersky identifies the trojan as “Backdoor.AndroidOS.Obad.a” and notes that it performs many different functions and is extremely hard to remove.
Obad.a is capable of sending SMS to premium-rate numbers, downloading other malware, sending malware over Bluetooth, and executing remote console commands. Obad.a makes use of code obfuscation and several previously undiscovered security holes in Android to make itself hard to remove or analyze.
Once it gains Device Administrator privileges, it’s nearly impossible to remove:
One feature of this Trojan is that the malicious application cannot be deleted once it has gained administrator privileges: by exploiting a previously unknown Android vulnerability, the malicious application enjoys extended privileges, but is not listed as an application with Device Administrator privileges.
Google has been informed by Kaspersky of the various security holes discovered and the security company notes that the trojan only amounts to 0.15 percent of all malware infection attempts, making it a rather minor threat for now.
From: www.securelist.com
C&C instructions
The Trojan receives instructions from the C&C and records them in the database. Each instruction recorded in this database contains the instruction’s sequence number; the time when it must be executed, as ordered by C&C; and parameters.
Command list:
- Send text message. Parameters contain number and text. Replies are deleted.
- PING.
- Receive account balance via USSD.
- Act as proxy (send specified data to specified address, and communicate the response).
- Connect to specified address (clicker).
- Download a file from the server and install it.
- Send a list of applications installed on the smartphone to the server.
- Send information about an installed application specified by the C&C server.
- Send the user’s contact data to the server.
- Remote Shell. Executes commands in the console, as specified by the cybercriminal.
- Send a file to all detected Bluetooth devices.
This command list enables Obad.a to spread files via Bluetooth. The C&C server sends the Trojan the address of the file to be downloaded to the infected device. On a C&C command, the malicious program scans for nearby devices with Bluetooth enabled and attempts to send the downloaded file to them.
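The excerpt above says each recorded instruction carries a sequence number, a C&C-dictated execution time and parameters. The following is an added example of how an analyst could reconstruct the command timeline from such a recovered instruction store; it is not Kaspersky's code and not taken from the malware. The SQLite table layout, column names, numeric command codes and the sample rows are all constructed assumptions for illustration; only the command names come from the list above.

```python
"""Reconstruct a command timeline from a recovered C&C instruction store.

Added example, not part of the original article or of Kaspersky's analysis.
The table layout, column names, numeric command codes and sample rows are
assumptions made for illustration; the command names are the ones listed
in the article.
"""
import json
import sqlite3
from datetime import datetime, timezone

# Command names from the article's command list; the numeric codes are
# constructed placeholders, not the Trojan's real identifiers.
COMMANDS = {
    1: "send_sms",
    2: "ping",
    3: "ussd_balance",
    4: "proxy",
    5: "clicker",
    6: "download_install",
    7: "list_apps",
    8: "app_info",
    9: "send_contacts",
    10: "remote_shell",
    11: "bluetooth_send",
}

# Commands an analyst would escalate on: financial loss, data exfiltration,
# arbitrary code execution or further spreading.
HIGH_RISK = {"send_sms", "download_install", "send_contacts",
             "remote_shell", "bluetooth_send"}

# Constructed sample rows: (sequence, execution time as Unix seconds, code, params JSON).
# Sequence 4 was received after 2 and 3 but is scheduled to run before them.
SAMPLE_ROWS = [
    (3, 1370000300, 1, '{"number": "+1000000000", "text": "x"}'),
    (1, 1370000100, 2, '{}'),
    (2, 1370000200, 7, '{}'),
    (4, 1370000150, 11, '{"file": "payload.apk"}'),
    (5, 1370000500, 10, '{"cmd": "ls"}'),
]


def load_store(rows=SAMPLE_ROWS):
    """Build an in-memory SQLite store shaped like the assumed instruction table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE instructions (seq INTEGER, exec_time INTEGER, "
        "code INTEGER, params TEXT)"
    )
    conn.executemany("INSERT INTO instructions VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def timeline(conn):
    """Return instructions ordered by the execution time the C&C dictated."""
    cur = conn.execute(
        "SELECT seq, exec_time, code, params FROM instructions ORDER BY exec_time, seq"
    )
    events = []
    for seq, exec_time, code, params in cur:
        name = COMMANDS.get(code, f"unknown({code})")
        try:
            parsed = json.loads(params) if params else {}
        except json.JSONDecodeError:
            parsed = {"_raw": params}  # keep unparseable parameters as evidence
        events.append({
            "seq": seq,
            "when": datetime.fromtimestamp(exec_time, tz=timezone.utc).isoformat(),
            "command": name,
            "params": parsed,
            "high_risk": name in HIGH_RISK,
        })
    return events


def summarize(events):
    """Count commands, list high-risk ones and flag deferred scheduling.

    'scheduled_ahead' lists instructions that run before a lower-numbered
    (i.e. earlier received) instruction, which shows the C&C deferring work.
    """
    by_command = {}
    for e in events:
        by_command[e["command"]] = by_command.get(e["command"], 0) + 1
    return {
        "total": len(events),
        "by_command": by_command,
        "high_risk": [e["seq"] for e in events if e["high_risk"]],
        "scheduled_ahead": [
            e["seq"] for i, e in enumerate(events)
            if any(f["seq"] < e["seq"] for f in events[i + 1:])
        ],
    }


if __name__ == "__main__":
    report = summarize(timeline(load_store()))
    print(json.dumps(report, indent=2))
```

Running the module prints a JSON report for the constructed rows. The point of ordering by execution time rather than by sequence number is that the two can disagree: the C&C can queue an instruction and have it fire before instructions received earlier, so a timeline built from sequence numbers alone would misstate what the device did when.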
Despite such impressive capabilities, Backdoor.AndroidOS.Obad.a is not very widespread. Over a 3-day observation period using Kaspersky Security Network data, Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware.
To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits. This means that the complexity of Android malware programs is growing rapidly alongside their numbers.