June 6, 2013

Android Malware To The Next Level

The most sophisticated piece of Android malware has been discovered by security researchers at Kaspersky Labs. The Trojan does things no other Android malware has done before. During their analysis they found that it exploits multiple vulnerabilities, blocks uninstall attempts, attempts to gain root access, and can execute a host of remote commands.

They are calling this Backdoor.AndroidOS.Obad.a. Obad exploits two previously unknown Android vulnerabilities. The malware installer contains a modified AndroidManifest.xml file, a file found in every Android app. The first big vulnerability is in how the system processes this file – it shouldn’t be processed at all. Once installed on the device, it exploits the second Android vulnerability to gain escalated Administrator privileges. The Android Administrator feature allows apps to read notifications and perform other advanced operations. Among the scariest things this malware does: Obad cannot be uninstalled, and it doesn’t even show up in the list of Administrator-approved apps.

When it is in place, Obad starts probing the system and checking for internet and root access. It slurps up data and reaches out to its command and control servers. Here is the full list of command functions described by Kaspersky:

  • Send text message. Parameters contain number and text. Replies are deleted
  • PING
  • Receive account balance
  • Act as proxy
  • Connect to specified address
  • Download a file from the server and install it
  • Send a list of applications installed on the smartphone to the server
  • Send information about an installed application specified by the C&C server
  • Send the user’s contact data to the server
  • Remote Shell
  • Send a file to all detected Bluetooth devices

When it arrives on a device, most of the package is encrypted, and some of the most important components are not decrypted until it gains internet access. This makes analysis and detection much more difficult. The level of sophistication and the new exploits in this one piece of malware look more like a Windows virus than other Android Trojans. Backdoor.AndroidOS.Obad.a is still very limited in scope, but it is floating around alternative app stores and untrustworthy websites.