Sophisticated Android Trojan Spreads Through Mobile Botnet

Researchers at Kaspersky Lab say a sophisticated piece of Google Android malware is being blasted out via a mobile botnet spamming victims with text messages containing malicious links.

The Trojan – Backdoor.AndroidOS.Obad.a – is being distributed alongside another Trojan known as SMS.AndroidOS.Opfake.a, Kaspersky Lab reported. The infection begins when a victim receives a text message declaring: “MMS message has been delivered, download from www.otkroi(dot)com.”

“If a user clicks on the link, a file named mms.apk containing Trojan-SMS.AndroidOS.Opfake.a is automatically loaded onto the smartphone or tablet,” explained Roman Unuchek, a security researcher with Kaspersky Lab, in a blog post. “The malware cannot be installed unless users then run it.”

If they do, the command and control (C&C) server can instruct the Trojan to send out the following message to all the contacts in the victim’s address book:

“You have a new MMS message, download at – http://otkroi(dot)net/12”

Following the link automatically loads Backdoor.AndroidOS.Obad.a under the names of mms.apk or mmska.apk, he wrote.
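As an added illustration (not code from the SecurityWeek article or from Kaspersky's write-up), the detector below runs over constructed mobile-operator SMS log lines and flags both the lure wording quoted above and any sender that bursts those lures, which is the kind of mass distribution the operator spotted. The log format, phone numbers, time window and threshold are assumptions; the lure texts and otkroi domains are the ones quoted in the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of operator SMS log lines: "timestamp|sender|recipient|text".
# Phone numbers are made up; lure texts/domains are those quoted in the write-up.
SAMPLE_LOG = """\
2013-06-06T10:00:01|+79001110001|+79002220001|MMS message has been delivered, download from www.otkroi.com
2013-06-06T10:00:05|+79001110001|+79002220002|You have a new MMS message, download at - http://otkroi.net/12
2013-06-06T10:00:09|+79001110001|+79002220003|You have a new MMS message, download at - http://otkroi.net/12
2013-06-06T10:01:00|+79001110002|+79002220004|Are we still on for lunch?
2013-06-06T10:02:30|+79001110003|+79002220005|New MMS for you: http://example-lure.test/mms.apk
2013-06-06T10:05:00|+79001110001|+79002220006|You have a new MMS message, download at - http://otkroi.net/12
"""

# Exact lure wording from the campaign, plus a generic "MMS + link" fallback.
LURE_PATTERNS = [
    re.compile(r"MMS message has been delivered", re.I),
    re.compile(r"new MMS message, download at", re.I),
    re.compile(r"\bMMS\b.*https?://\S+", re.I),
    re.compile(r"\bMMS\b.*\bwww\.\S+", re.I),
]
URL_RE = re.compile(r"(?:https?://|www\.)[^\s]+", re.I)

def parse_log(text):
    """Split each line into (datetime, sender, recipient, body)."""
    rows = []
    for line in text.strip().splitlines():
        ts, sender, rcpt, body = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), sender, rcpt, body))
    return rows

def is_lure(body):
    """A message is a lure if it uses MMS-style wording and carries a link."""
    return any(p.search(body) for p in LURE_PATTERNS) and URL_RE.search(body) is not None

def find_spamming_senders(rows, window=timedelta(hours=5), threshold=3):
    """Map each sender that sent >= threshold lures inside any `window` to its lure URLs."""
    lures = defaultdict(list)
    for ts, sender, _, body in rows:
        if is_lure(body):
            lures[sender].append((ts, URL_RE.search(body).group(0)))
    flagged = {}
    for sender, events in lures.items():
        events.sort()
        for start, _ in events:
            in_window = [e for e in events if start <= e[0] <= start + window]
            if len(in_window) >= threshold:
                flagged[sender] = sorted({url for _, url in in_window})
                break
    return flagged
```

A single lure from one handset (the third sender above) is reported by `is_lure` but stays below the burst threshold, so it is not listed as an infected distributor.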

Once on the system, Obad.a steals the user’s data and is capable of sending SMS to premium-rate numbers. It also has the ability to download other malware programs and install them on the infected device or propagate them further via Bluetooth.

“The scale of this activity is clearly illustrated by data we gained from a leading Russian mobile operator, which detected a mass distribution of malicious text messages on its network,” the researcher blogged. “In the space of five hours, 600 messages were sent with one of the Trojan-SMS.AndroidOS.Opfake.a modifications.”

“In most cases delivery was via infected devices, while previously similar distributions used SMS gateways,” he continued. “At the same time, only a few devices infected with Trojan-SMS.AndroidOS.Opfake.a distributed links to Backdoor.AndroidOS.Obad.a, so we could conclude that the creators of the dangerous Trojan rented part of a mobile botnet to spread their brainchild.”

But that is not the only way the Obad.a Trojan is spread. It also spreads through traditional SMS spam and fake versions of the Google Play application marketplace.

“As a rule, the creators of such shops copy Google Play’s official content and substitute links to legitimate applications for illegal ones,” Unuchek blogged. “It is easy to run into a fake, with search engines often directing visitors into dubious stores.”

Attackers have also been seen hacking legitimate sites and redirecting users to malicious pages serving the malware. Altogether, Kaspersky Lab has discovered 120 cracked websites that redirect users to nbelt.ru, which served the Trojan to anyone who clicked anywhere on the page. The Trojan is found mostly in Russia (83 percent). It was also detected in Kazakhstan, Uzbekistan, Belarus and Ukraine.

“Over the past three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a,” the researcher blogged. “All of them had the same function set and a high level of code obfuscation. Each used an Android OS vulnerability that allows the malware to gain DeviceAdministrator rights and made it significantly more complicated to delete. We informed Google of this as soon as we discovered it, so the vulnerability has been closed in the new Android 4.3. Unfortunately, this version is currently available on a limited number of new smartphones and tablets – devices which use earlier versions of the platform are still at risk. However, the latest version of KIS for Android 11.1.4 can delete Backdoor.AndroidOS.Obad.a from any version of Android despite the presence of vulnerabilities.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
