Malware installed if user launches it; trojan sends further messages to all contacts on infected device
Loophole closed in Android 4.3, but older devices running earlier versions still under threat
OVER the last three months Kaspersky Lab analysts have been investigating how the Obad.a trojan, a malicious app for Android, is being distributed.
It transpires that the criminals behind the trojan have adopted a new technique to spread their malware, Kaspersky Lab said in a statement. For the first time in the history of mobile cybercrime, a trojan is being spread using botnets controlled by other criminal groups, the company said.
It also became clear that Obad.a is mostly found in CIS (Commonwealth of Independent States) countries. In total, 83% of attempted infections were recorded in Russia, and also detected on mobile devices in Ukraine, Belarus, Uzbekistan and Kazakhstan.
The most interesting distribution model saw various versions of Obad.a spread with Trojan-SMS.AndroidOS.Opfake.a, Kaspersky Lab said.
This double infection attempt starts with a text message to users, urging them to download a recently received text message. If the victim clicks the link, a file containing Opfake.a is automatically downloaded onto the smartphone or tablet.
The malicious file can only be installed if the user then launches it; should that happen, the trojan sends further messages to all the contacts on the newly-infected device. Clicking the link in these messages downloads Obad.a.
It’s a well-organised system, Kaspersky said: One Russian mobile network provider reported more than 600 messages containing these links within just five hours, pointing to a mass distribution.
In most cases the malware was spread using devices that were already infected.
Apart from using mobile botnets, this highly complex trojan is also distributed by spam messages. This is a major carrier of the Obad.a trojan. Typically a message warning the user of unpaid ‘debts’ lures victims to follow a link which automatically downloads Obad.a onto the mobile device.
Again, though, users must run the downloaded file in order to install the trojan.
Fake application stores also spread Backdoor.AndroidOS.Obad.a. They copy the content of Google Play pages, replacing legitimate links with malicious ones. When legitimate sites are cracked and users are redirected to dangerous ones, Obad.a exclusively targets mobile users – if potential victims enter the site from a home computer nothing happens.
“In three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a.” said Roman Unuchek, an antivirus expert at Kaspersky Lab.
“All of them had the same function set and a high level of code obfuscation, and each used an Android OS vulnerability that gives the malware DeviceAdministrator rights and made it much more difficult to delete.
“As soon as we discovered this, we informed Google and the loophole has been closed in Android 4.3. However, only a few new smartphones and tablets run this version, and older devices running earlier versions are still under threat.
“Obad.a, which uses a large number of unpublished vulnerabilities, is more like Windows malware than other Trojans for Android,” Unuchek added.
Symbian malware disappearing, Android malware surges: F-Secure report
Bitcoin botnet ZeroAccess tops threat list: Fortinet
Juniper: Mobile threats more rampant as attackers become more ‘entrepreneurial’
Android 'solar charging' app actually steals contact data: Symantec
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.