The threat exploits vulnerabilities in the Android OS

Jun 7, 2013 08:50 GMT  ·  By

Kaspersky Lab researchers have come across a threat which they say is the most sophisticated Android Trojan they’ve ever seen.

Backdoor.AndroidOS.Obad.a is capable of performing various malicious tasks, including sending SMS messages to premium-rate numbers, downloading and installing additional malware, and remotely executing console commands.

Experts say that Backdoor.AndroidOS.Obad.a looks more like Windows malware than a typical Android Trojan: it exploits several previously unpublished vulnerabilities and is highly complex.

For instance, the Trojan's developers have abused an error in DEX2JAR, a tool analysts use to convert the Dalvik bytecode inside APK files into JAR files. Triggering the DEX2JAR error breaks the conversion and so makes static analysis of the Trojan considerably harder.
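The article does not say which DEX2JAR defect was triggered, so the example below is a general triage check rather than a reproduction: a DEX header validator that checks a file's self-declared layout, Adler-32 checksum and SHA-1 signature before the file is handed to a converter, so a deliberately malformed header is flagged instead of silently producing a broken conversion. This is example code added for this article, not Kaspersky's or DEX2JAR's own code; the minimal DEX image it builds is constructed inline for the demonstration and contains no classes. The field offsets and the checksum and signature rules follow the published Dalvik executable format.

```python
import hashlib
import struct
import zlib

# DEX header constants from the Dalvik executable format specification.
DEX_MAGIC = b"dex\n035\0"          # version string used by Android 4.x-era tooling
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
REVERSE_ENDIAN_CONSTANT = 0x78563412

# Table-of-contents sections that follow map_off in the header, with their entry sizes.
# Each is encoded in the header as a uint size followed by a uint offset.
SECTIONS = [("string_ids", 4), ("type_ids", 4), ("proto_ids", 12),
            ("field_ids", 8), ("method_ids", 8), ("class_defs", 32)]

# magic, checksum, signature, then 20 little-endian uints (file_size .. data_off).
HEADER_FMT = "<8sI20s" + "I" * 20
assert struct.calcsize(HEADER_FMT) == HEADER_SIZE


def seal(blob):
    """Recompute signature (SHA-1 over everything after the signature field) and
    checksum (Adler-32 over everything after the checksum field), as the format defines."""
    body = bytearray(blob)
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def build_minimal_dex():
    """Constructed sample: a header plus a map_list with one entry (the header item).
    It is well-formed but deliberately empty, so the validator's checks can be exercised."""
    # map_list = uint size, then one map_item (ushort type=0 header_item, ushort unused,
    # uint size=1, uint offset=0). It lives at the start of the data section.
    data = struct.pack("<IHHII", 1, 0x0000, 0, 1, 0)
    fields = [HEADER_SIZE + len(data), HEADER_SIZE, ENDIAN_CONSTANT,
              0, 0,                    # link_size, link_off
              HEADER_SIZE]             # map_off -> the map_list above
    for _name, _entry_size in SECTIONS:
        fields += [0, 0]               # no string/type/proto/field/method/class tables
    fields += [len(data), HEADER_SIZE]  # data_size, data_off
    header = struct.pack(HEADER_FMT, DEX_MAGIC, 0, b"\0" * 20, *fields)
    return seal(header + data)


def tamper(blob, offset, fmt, *values, reseal=False):
    """Overwrite header fields. With reseal=True the checksum and signature are recomputed,
    modelling a file that stays loadable while lying about its layout."""
    body = bytearray(blob)
    struct.pack_into(fmt, body, offset, *values)
    return seal(bytes(body)) if reseal else bytes(body)


def check_dex_header(blob):
    """Return a list of findings; an empty list means the header is internally consistent."""
    findings = []
    if len(blob) < HEADER_SIZE:
        return ["file shorter than DEX header"]
    (magic, checksum, signature, file_size, header_size, endian_tag,
     _link_size, _link_off, map_off, *rest) = struct.unpack_from(HEADER_FMT, blob, 0)
    data_size, data_off = rest[-2], rest[-1]
    if magic != DEX_MAGIC:
        findings.append("unexpected magic %r" % magic)
    if header_size != HEADER_SIZE:
        findings.append("header_size 0x%x != 0x70" % header_size)
    if endian_tag == REVERSE_ENDIAN_CONSTANT:
        findings.append("reverse-endian DEX (rare; tooling often assumes little-endian)")
    elif endian_tag != ENDIAN_CONSTANT:
        findings.append("bad endian_tag 0x%08x" % endian_tag)
    if file_size != len(blob):
        findings.append("file_size %d != actual %d" % (file_size, len(blob)))
    if (zlib.adler32(blob[12:]) & 0xFFFFFFFF) != checksum:
        findings.append("Adler-32 checksum mismatch")
    if hashlib.sha1(blob[32:]).digest() != signature:
        findings.append("SHA-1 signature mismatch")
    if map_off and not (HEADER_SIZE <= map_off <= len(blob) - 4):
        findings.append("map_off 0x%x outside file" % map_off)
    # Every declared table must fit inside the file; a converter that trusts the
    # declared size would otherwise read far past the end of the buffer.
    for (name, entry_size), i in zip(SECTIONS, range(0, 2 * len(SECTIONS), 2)):
        size, off = rest[i], rest[i + 1]
        if size and (off < HEADER_SIZE or off + size * entry_size > len(blob)):
            findings.append("%s table (%d entries at 0x%x) runs outside file" % (name, size, off))
    if data_off + data_size > len(blob):
        findings.append("data section runs outside file")
    return findings


if __name__ == "__main__":
    good = build_minimal_dex()
    print("clean image:", check_dex_header(good))
    # A resealed header claiming a huge string table at a bogus offset passes the
    # checksum and signature checks; only the layout check catches it.
    print("bogus string_ids:", check_dex_header(
        tamper(good, 56, "<II", 1000000, 0xFFFF0000, reseal=True)))
    # A raw byte patch without resealing trips the integrity checks as well.
    print("patched header_size:", check_dex_header(tamper(good, 36, "<I", 0x71)))
```

The point of the two tamper cases is that checksum and signature verification alone is not enough: an attacker who rewrites the header can reseal it, so the layout checks (declared sizes and offsets against the real file length) are the ones that protect a parser.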

Furthermore, the developers have leveraged a vulnerability in the Android operating system to make it difficult to perform dynamic analysis on the threat.

A different Android vulnerability has been exploited to gain extended Device Administrator privileges, which makes it impossible to remove the malicious app from the device through the normal settings.

Another noteworthy thing about Obad.a is that it only works in background mode – it doesn’t have any visual interface.

Once it infects a device, Obad.a immediately attempts to gain elevated privileges. It abuses its Device Administrator rights to block the screen for up to 10 seconds.

During these 10 seconds, if the smartphone is connected to an unsecured Wi-Fi network or has Bluetooth enabled, the Trojan starts sending malicious files to the devices it detects nearby.

The Trojan also executes the “su id” command in an attempt to obtain root privileges.
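The profile the article describes, an app with no user-visible activity that registers a Device Administrator receiver and asks for SMS and Bluetooth permissions, can be checked statically from an app's decoded AndroidManifest.xml. The following is example code added for this article, not Kaspersky's analysis tooling and not derived from Obad.a's real manifest, which the article does not publish; both manifests it inspects are constructed for the demonstration. It assumes the manifest has already been decoded from the binary XML form found inside an APK (for example with apktool), and the permission list used as the "suspicious" set is this example's own choice.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualified name for an android: attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions that, combined with a Device Admin receiver and no launcher entry point,
# match the behaviour described above. This set is the example's own assumption.
SUSPICIOUS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.BLUETOOTH",
    "android.permission.BLUETOOTH_ADMIN",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_CONTACTS",
}


def profile_manifest(xml_text):
    """Summarise the facts a triage analyst wants from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(a("name")) for p in root.iter("uses-permission")}
    admin_receivers, launcher_activities = [], []
    app = root.find("application")
    if app is not None:
        for recv in app.iter("receiver"):
            actions = {x.get(a("name")) for x in recv.iter("action")}
            # A device-admin receiver is bound with BIND_DEVICE_ADMIN and listens for
            # DEVICE_ADMIN_ENABLED; either marker is enough to record it.
            if ("android.app.action.DEVICE_ADMIN_ENABLED" in actions
                    or recv.get(a("permission")) == "android.permission.BIND_DEVICE_ADMIN"):
                admin_receivers.append(recv.get(a("name")))
        # activity-alias can also carry the launcher intent filter, so scan both.
        for act in list(app.iter("activity")) + list(app.iter("activity-alias")):
            actions = {x.get(a("name")) for x in act.iter("action")}
            cats = {x.get(a("name")) for x in act.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                launcher_activities.append(act.get(a("name")))
    return {
        "package": root.get("package"),
        "device_admin_receivers": admin_receivers,
        "launcher_activities": launcher_activities,
        "suspicious_permissions": sorted(perms & SUSPICIOUS_PERMS),
    }


def matches_hidden_admin_profile(profile):
    """True when the app asks for Device Admin, has no launcher entry point (nothing a user
    would see), and holds at least one of the permissions above. A heuristic, not a verdict:
    legitimate device-management apps hold Device Admin too, but normally have a launcher."""
    return (bool(profile["device_admin_receivers"])
            and not profile["launcher_activities"]
            and bool(profile["suspicious_permissions"]))


# Constructed sample: no activity at all, a Device Admin receiver, SMS and Bluetooth.
SAMPLE_HIDDEN_ADMIN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Service">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".BackgroundService"/>
  </application>
</manifest>"""

# Constructed sample of a legitimate-looking management app: Device Admin plus a launcher.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.mdm">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Device Manager">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".PolicyReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for text in (SAMPLE_HIDDEN_ADMIN_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        p = profile_manifest(text)
        print(p["package"], "hidden-admin profile:", matches_hidden_admin_profile(p), p)
```

Treat a hit as a reason to look closer, not as a detection on its own; the root attempt via `su` and the Bluetooth file transfers described above are runtime behaviour that a manifest cannot show, so this check belongs at the start of triage, before dynamic analysis.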

When first launched, Obad.a collects various pieces of information on the device – including MAC address, operator name, phone number, IMEI and account balance – and sends it back to its command and control (C&C) server.

Then, it awaits commands from the C&C. The malware can be ordered to send text messages to specific numbers and delete the replies, act as a proxy, download files, connect to a specified address, retrieve a list of apps installed on the device, collect contact data, execute commands and send files via Bluetooth.

For the time being, this sophisticated threat is not very widespread. Kaspersky says that of all the malware installation attempts it detected over a three-day period, only 0.15% were attributable to Obad.a.

Google has been notified of the Android vulnerabilities exploited by the threat.