Mobile (and especially Android) malware is on the rise and according to researchers from Kaspersky Lab, its complexity is also increasing.
Case in point: Backdoor.AndroidOS.Obad.a.
This newly discovered Trojan has obviously been constructed by someone who knows quite a bit about the Android platform, as the creator has taken advantage of multiple known and previously unknown errors and vulnerabilities in the OS to make the analysis of the file difficult.
An error in the software program used by analysts to convert APK files into the (for the analysis) more convenient JAR format has been used to prevent such a transformation and make the statistical analysis of the Trojan more difficult.
Two bugs in the Android operating system itself have been used to modify a file that makes dynamic analysis of the malware harder, and to extend Device Administrator privileges to the app, but without making it obvious (i.e. adding it to the list of applications that have such privileges).
This, and the fact that the Trojan does not have an interface, makes it impossible to delete it once the device is compromised.
The creators have also done a good job with encrypting and obfuscating most of the code – strings, names of classes and methods, and so on.
The Trojan is able to do a number of things: block the device’s screen for up to 10 seconds; harvest information such as the name of operator, phone number, IMEI, phone user’s account balance, whether Device Administrator privileges have been obtained and send it to a remote C&C server; download additional malware; send messages to premium-rate numbers; send the download malware to other nearby devices via Bluetooth, and so on.
“Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans,” the researchers noted, referring both to its intricacy and the number of unpublished vulnerabilities it exploits – the existence of which has now been shared with Google researchers.