Obad Android Trojan distributed via mobile botnets

When first unearthed three months ago, the Obad Android Trojan has fascinated researchers with its sophistication.

Difficult to analyze, using a bug in the Android OS to extend Device Administrator privileges to itself without being listed in the list of apps that have them, and lacking an interface, the Trojan is extremely stealthy and persistent, and can perform a variety of data stealing, premium-rate messaging, additional malware downloading actions.

At the time, Kaspersky Lab researchers didn’t know how the malware was getting on the mobile devices, and were curious about the fact that despite its impressive capabilities the malware was not very widespread.

But that will likely soon change, as its owners have been taking advantage of four distinct distribution methods, one of which has never been detected before: dissemination via mobile botnet created by using different mobile malware.

It goes like this:

1. The victim receives a text message saying “MMS message has been delivered, download from www.otkroi.xxx
2. By clicking on the link the users downloads the Opfake SMS Trojan which, once run, contacts a C&C server that instructs it to send a message saying “You have a new MMS message, download at – hxxp://otkroi.xxx/” to all he contacts in the victim’s address book.
3. By clicking on the link, the recipients automatically download the Obad Trojan. Again, the user must run the file in order for the malware to be installed and start functioning.

According to the researchers and the data they received from a leading Russian mobile operator, the initial messages are spreading fast, but not all lead to the Obad Trojan, leaving them to conclude that its creators have rented only part of the mobile botnet to spread the malware.

Instead of putting all their eggs into one basket, they have opted for three more distribution methods: traditional SMS spam, fake Google Play stores advertising popular legitimate apps but linking to the Obad Trojan, and legitimate but compromised sites (currently around 120 of them), which are booby-trapped to redirect them to the malicious download sites. In this last case, users who visit the site via their computers do not experience the redirection.

“Over the past three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation. Each used an Android OS vulnerability that allows the malware to gain DeviceAdministrator rights and made it significantly more complicated to delete,” shared Kaspersky Lab expert Roman Unuchek.

Google has, of course, been notified of the vulnerability and has already fixed it. Unfortunately, not all users have upgraded to the patched 4.3 version of the OS. Those who haven’t and wonder if they have been affected can download version 11.1.4 of Kaspersky’s Internet Security for Android or Trend Micro’s Hidden Device Admin Detector app and deal with the problem.

Currently most of the infection attempts detected by Kaspersky Lab were in Russia, and a small amount in Kazakhstan, Uzbekistan, Belarus and Ukraine. Still, that doesn’t mean that they are limited to those countries.

Don't miss