Researchers at Kaspersky Lab say a sophisticated piece of Google Android malware is being blasted out via a mobile botnet spamming victims with text messages containing malicious links.
The Trojan – Backdoor.AndroidOS.Obad.a – is being distributed alongside another Trojan known as Trojan-SMS.AndroidOS.Opfake.a, Kaspersky Lab reported. The infection chain starts with a text message declaring: “MMS message has been delivered, download from www.otkroi(dot)com.”
“If a user clicks on the link, a file named mms.apk containing Trojan-SMS.AndroidOS.Opfake.a is automatically loaded onto the smartphone or tablet,” explained Roman Unuchek, a security researcher with Kaspersky Lab, in a blog post. “The malware cannot be installed unless users then run it.”
If they do, the command and control (C&C) server can instruct the Trojan to send out the following message to all the contacts in the victim’s address book:
“You have a new MMS message, download at – http://otkroi(dot)net/12”
Following that link automatically loads Backdoor.AndroidOS.Obad.a, delivered under the name mms.apk or mmska.apk, he wrote.
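The lure described above has two tells a carrier or mail/SMS-filtering team can key on: a legitimate MMS is retrieved from the operator's own MMS centre, never from an arbitrary web link, and the link here resolves to a direct .apk download. The following triage script is an added example written for this article, not code from Kaspersky Lab or the article's author. The first two sample messages are the lure texts quoted above (kept with the article's "(dot)" defanging); the other two are constructed, the carrier allowlist and the .test domains are hypothetical, and the blocklist contains only the three hosts the article names.

```python
import re
from urllib.parse import urlparse

# Constructed sample set: [0] and [1] are the lure texts reported in the
# article, [2] is a benign carrier notice, [3] is a constructed variant that
# uses a host the article does not name.
SAMPLE_SMS = [
    "MMS message has been delivered, download from www.otkroi(dot)com.",
    "You have a new MMS message, download at - http://otkroi(dot)net/12",
    "Your appointment is confirmed for 10:30 tomorrow. Reply STOP to opt out.",
    "New MMS received, download: http://files.example.test/mmska.apk",
]

# Hosts the article reports as serving Opfake/Obad. Anything else is yours to add.
KNOWN_BAD_HOSTS = {"otkroi.com", "otkroi.net", "nbelt.ru"}

# Hypothetical allowlist: hosts a real carrier MMS notification may link to.
CARRIER_HOSTS = {"mms.example-carrier.test"}

# "MMS ... delivered/download" is the lure pattern quoted in the article.
MMS_LURE = re.compile(r"\bMMS\b.*\b(deliver|download)", re.IGNORECASE)
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?[\w.-]+\.[a-z]{2,}(?:/\S*)?",
                    re.IGNORECASE)


def refang(text):
    """Turn the '(dot)' / '[dot]' defanging used in reports back into '.'."""
    return re.sub(r"\s*[\(\[]\s*dot\s*[\)\]]\s*", ".", text, flags=re.IGNORECASE)


def extract_links(text):
    """Return a list of (host, path) for every URL-looking token in the SMS."""
    links = []
    for match in URL_RE.finditer(refang(text)):
        raw = match.group(0)
        if "://" not in raw:
            raw = "http://" + raw          # bare "www.host.tld" forms
        parsed = urlparse(raw)
        host = (parsed.hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        links.append((host, parsed.path))
    return links


def extract_hosts(text):
    return [host for host, _ in extract_links(text)]


def classify_sms(text):
    """Return (verdict, reasons); verdict is 'malicious', 'suspicious' or 'clean'."""
    reasons = []
    links = extract_links(text)

    # Direct hit on a host the campaign is known to use.
    bad = [h for h, _ in links
           if h in KNOWN_BAD_HOSTS or any(h.endswith("." + b) for b in KNOWN_BAD_HOSTS)]
    if bad:
        reasons.append("links to known Opfake/Obad host: " + ", ".join(bad))

    # An "MMS delivered, download here" notice pointing anywhere but the carrier
    # is the lure shape itself, whatever the host.
    off_carrier = [h for h, _ in links if h not in CARRIER_HOSTS]
    if MMS_LURE.search(text) and off_carrier:
        reasons.append("MMS delivery notice pointing off-carrier: " + ", ".join(off_carrier))

    # A link that resolves straight to an .apk is a sideload, never an MMS.
    apks = [path for _, path in links if path.lower().endswith(".apk")]
    if apks:
        reasons.append("direct APK download: " + ", ".join(apks))

    if bad:
        verdict = "malicious"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, reasons


def triage(messages):
    """Map each message to its verdict; handy for a batch of operator logs."""
    return {msg: classify_sms(msg)[0] for msg in messages}


if __name__ == "__main__":
    for msg in SAMPLE_SMS:
        verdict, reasons = classify_sms(msg)
        print(f"{verdict:10s} {msg}")
        for reason in reasons:
            print(f"           - {reason}")
```

The host blocklist only catches the infrastructure the article names; the off-carrier MMS-lure and .apk checks are what generalise to the next campaign that swaps domains, which is why the constructed fourth message still comes out suspicious.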
Once on the device, Obad.a steals the user’s data and is capable of sending SMS messages to premium-rate numbers. It can also download other malware, install it on the infected device, or push it to nearby devices over Bluetooth.
“The scale of this activity is clearly illustrated by data we gained from a leading Russian mobile operator, which detected a mass distribution of malicious text messages on its network,” the researcher blogged. “In the space of five hours, 600 messages were sent with one of the Trojan-SMS.AndroidOS.Opfake.a modifications.”
“In most cases delivery was via infected devices, while previously similar distributions used SMS gateways,” he continued. “At the same time, only a few devices infected with Trojan-SMS.AndroidOS.Opfake.a distributed links to Backdoor.AndroidOS.Obad.a, so we could conclude that the creators of the dangerous Trojan rented part of a mobile botnet to spread their brainchild.”
That is not the only way Obad.a reaches victims. It is also distributed through conventional SMS spam and through fake versions of the Google Play application marketplace.
“As a rule, the creators of such shops copy Google Play’s official content and substitute links to legitimate applications for illegal ones,” Unuchek blogged. “It is easy to run into a fake, with search engines often directing visitors into dubious stores.”
Attackers have also been seen compromising legitimate sites and redirecting visitors to malicious pages serving the malware. Altogether, Kaspersky Lab has found 120 compromised websites that redirect users to nbelt.ru, which served the Trojan to anyone who clicked anywhere on the page. The Trojan is found mostly in Russia (83 percent); it has also been detected in Kazakhstan, Uzbekistan, Belarus and Ukraine.
“Over the past three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a,” the researcher blogged. “All of them had the same function set and a high level of code obfuscation. Each used an Android OS vulnerability that allows the malware to gain Device Administrator rights and made it significantly more complicated to delete. We informed Google of this as soon as we discovered it, so the vulnerability has been closed in the new Android 4.3. Unfortunately, this version is currently available on a limited number of new smartphones and tablets – devices which use earlier versions of the platform are still at risk. However, the latest version of KIS for Android 11.1.4 can delete Backdoor.AndroidOS.Obad.a from any version of Android despite the presence of vulnerabilities.”
