
New Android Trojan Mirrors Traditional Malware Complexity

Researchers at Kaspersky Lab have discovered an Android Trojan so advanced that, the company said, the research team knew on first examination that it was special. In a blog post describing how the latest Android threat works, Kaspersky noted that the complexity of the Trojan’s code is comparable to that of Windows malware.

They’ve named the malware Obad.a, and after decrypting the strings in its DEX file and de-obfuscating the code, Kaspersky learned that it is a multi-function Trojan. Obad.a can send SMS messages to toll numbers, download additional malware to be installed on the Android device or on another device connected via Bluetooth, or let an attacker execute commands in a console. To make matters worse, the malware runs in the background and has no user interface.

“Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Obad.a’s in mobile malware. Moreover, this complete code obfuscation was not the only odd thing about the new Trojan,” commented Kaspersky’s Roman Unuchek.

The other odd bit was the fact that the malware itself leverages three vulnerabilities. The first vulnerability resides in the DEX2JAR software, which allows developers to convert APK files into Java Archives (JAR). Further, the malware’s developers are exploiting a flaw in the Android OS itself, which relates to how the AndroidManifest.xml file is processed. And finally, they target a third vulnerability that allows the attackers to create applications with extended Device Administrator privileges – without appearing on the list of applications that have such privileges.

“As a result of this, it is impossible to delete the malicious program from the smartphone after it gains extended privileges,” Unuchek noted.
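The behaviours the article attributes to Obad.a (toll SMS, Bluetooth spreading, hidden Device Administrator privileges, no user-visible interface) all leave traces in an app's manifest. The following static triage script is an added example written for this page; it is not Kaspersky's or SecurityWeek's code and does not reproduce any of the vulnerabilities described above. It assumes the AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the sample manifest embedded below is constructed for the example rather than taken from a real Obad.a sample. It flags the SEND_SMS permission, Bluetooth permissions, any receiver protected by BIND_DEVICE_ADMIN, and the absence of a launcher activity, so an analyst can shortlist APKs that warrant deeper review.

```python
"""Static manifest triage for the behaviours described in the article.

Added example, not the page's or Kaspersky's code. Parses a decoded
AndroidManifest.xml (assumed already converted to plain XML) and reports
defender-relevant indicators:
  - android.permission.SEND_SMS      (ability to message toll numbers)
  - Bluetooth permissions            (ability to push files to nearby devices)
  - a BIND_DEVICE_ADMIN receiver     (Device Administrator privileges)
  - no MAIN/LAUNCHER activity        (runs with no user-visible interface)
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Constructed sample manifest for this example; not a real malware artefact.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="svc">
    <service android:name=".BgService"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BLUETOOTH_PERMS = {"android.permission.BLUETOOTH", "android.permission.BLUETOOTH_ADMIN"}


def permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {e.get(A_NAME) for e in root.iter("uses-permission")}


def has_launcher_activity(root):
    """True if any activity (or alias) is exported to the launcher."""
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            for flt in act.iter("intent-filter"):
                actions = {a.get(A_NAME) for a in flt.iter("action")}
                cats = {c.get(A_NAME) for c in flt.iter("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in cats):
                    return True
    return False


def device_admin_receivers(root):
    """Names of receivers guarded by BIND_DEVICE_ADMIN (device-admin components)."""
    return [r.get(A_NAME) for r in root.iter("receiver")
            if r.get(A_PERM) == "android.permission.BIND_DEVICE_ADMIN"]


def triage_manifest(xml_text):
    """Return a dict of indicators plus a simple count of how many fired."""
    root = ET.fromstring(xml_text)
    perms = permissions(root)
    findings = {
        "package": root.get("package"),
        "sms_sending": "android.permission.SEND_SMS" in perms,
        "bluetooth": bool(perms & BLUETOOTH_PERMS),
        "device_admin_receivers": device_admin_receivers(root),
        "no_launcher_activity": not has_launcher_activity(root),
    }
    hits = [findings["sms_sending"], findings["bluetooth"],
            bool(findings["device_admin_receivers"]),
            findings["no_launcher_activity"]]
    findings["indicator_count"] = sum(hits)
    return findings


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The indicator count is a triage aid, not a verdict: a legitimate MDM agent will also register a device-admin receiver and may have no launcher activity, so the output is meant to prioritise which APKs get manual review, not to block them automatically.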

Despite such impressive capabilities, Unuchek wrote, Backdoor.AndroidOS.Obad.a is not very widespread. In fact, the malware itself has only been detected inside the Russian Federation.

“[We] would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits. This means that the complexity of Android malware programs is growing rapidly alongside their numbers…”


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
