Recently discovered malware targeting Android smartphones exploits previously unknown vulnerabilities in the Google operating system and borrows highly advanced functionality more typical of malicious Windows applications, making it the world's most sophisticated Android Trojan, a security researcher said.
The infection, named Backdoor.AndroidOS.Obad.a, isn't very widespread at the moment. The malware gives an idea of the types of smartphone malware that are possible, however, according to Kaspersky Lab expert Roman Unuchek in a blog post published Thursday. Sharply contrasting with mostly rudimentary Android malware circulating today, the highly stealthy Obad.a exploits previously unknown Android bugs, uses Bluetooth and Wi-Fi connections to spread to near-by handsets, and allows attackers to issue malicious commands using standard SMS text messages.
"To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek wrote. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."
Google representatives didn't respond to an e-mail seeking comment for this post. The trojan is initially distributed through spammed text messages. There's no indication it's hosted in the Google Play market for Android apps, so it appears to infect only phones that have been configured to "sideload" apps available from alternative sources.
The malware exploits a previously unknown Android bug that allows it to gain stealthy, persistent, and highly privileged access to the phone's inner workings. "By exploiting this vulnerability, malicious applications can enjoy extended Device Administrator privileges without appearing on the list of applications which have such privileges," Unuchek said. "As a result of this, it is impossible to delete the malicious program from the smartphone after it gains extended privileges."
Obad.a exploits two additional undocumented bugs—one in a component known as DEX2JAR and the other related to the AndroidManifest.xml file. Those exploits are designed to make it harder for researchers to reverse engineer the malware. The backdoor also has no interface and works in background mode, further complicating analysis by whitehats or competing malware developers.
The malware offers a variety of highly advanced features, most notably the ability to be remotely controlled by SMS messages sent by malware operators. Among the commands it receives through text messages are those instructing it to connect to new command and control servers, where infected phones upload sensitive user data and receive app updates. The ability to receive commands by SMS seems particularly useful if a command server is taken down, since the feature would allow the Obad.a operators to quickly regain control over orphaned handsets.
The command servers also receive detailed data from infected devices, including their phone numbers, carrier names, IMEI numbers, the phone users account balances, local times, and MAC addresses of the connected Bluetooth device. Unuchek uncovered 11 distinct commands that can be sent to an infected phone, including sending expensive text messages to premium phone numbers, uploading a user's contact data, opening a remote shell and issuing commands, and sending files to all detected Bluetooth devices.
Obad.a's roster of advanced features and its ability to gain high-level privileges and remain undetected to casual observers still pale in comparison to the most sophisticated Windows trojans, such as those based on the ZeuS and Citadel crimeware kits or the TDL, aka Alureon, rootkits. Still, the amount and time and skill that went into engineering the newly discovered malware is an indication that Android malware is likely to grow increasing sophisticated in the coming years.
reader comments
88