07 Jun

A new piece of Android malware has been discovered by security researchers at Kaspersky Labs. That by itself wouldn't be big news, but this Trojan does things no other malicious app has done. It exploits multiple vulnerabilities, blocks uninstall attempts, attempts to gain root access, and can execute a host of remote commands. Backdoor.AndroidOS.Obad.a, as it has been dubbed, is the most sophisticated piece of Android malware ever seen.


Obad exploits two previously unknown Android vulnerabilities. The malware installer contains a modified AndroidManifest.xml file, which is part of every Android app. The first vulnerability is in how the system processes this file: a manifest in this form shouldn't be processed at all, yet the app installs just fine. Once Obad is on a device, it uses a second exploit to gain extended Device Administrator access. The Android Device Administrator feature allows apps to read notifications and perform other advanced operations (a lot of security apps use it). Once that access is granted, Obad cannot be uninstalled, and it doesn't even show up in the list of Administrator-approved apps.
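The hiding trick described above boils down to a device-admin receiver that the user never sees listed by name. The following script is an added example for this page, not code from Kaspersky or Android Police: it reads a decoded AndroidManifest.xml (the text form produced by apktool or similar) and flags device-admin receivers that carry no label, plus any declared permissions matching the capabilities in the article (SMS, contacts, Bluetooth, phone calls). The two manifests embedded in it are constructed samples, and the "no label" rule is a triage heuristic, not a signature.

```python
"""Triage a decoded AndroidManifest.xml for hard-to-see device-admin receivers.

Added example (not the article's or Kaspersky's code). Assumes the manifest is
already decoded to plain XML; the sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Permissions that map onto capabilities named in the article (constructed watch set).
WATCHED_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.BLUETOOTH",
    "android.permission.CALL_PHONE",
}


def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def device_admin_findings(manifest_xml):
    """Return human-readable findings about device-admin receivers in the manifest.

    A receiver that binds as a device admin while neither it nor <application>
    declares a label is the pattern the article describes: an admin entry with
    no visible name. This is a heuristic for analysts, not a detection rule.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    app_label = _android_attr(app, "label")
    findings = []
    for receiver in app.findall("receiver"):
        name = _android_attr(receiver, "name") or "<unnamed receiver>"
        perm = _android_attr(receiver, "permission")
        actions = [_android_attr(a, "name") for a in receiver.iter("action")]
        if perm != ADMIN_PERMISSION and ADMIN_ACTION not in actions:
            continue  # ordinary broadcast receiver, not a device admin
        findings.append("device admin receiver declared: %s" % name)
        if not app_label and not _android_attr(receiver, "label"):
            findings.append("%s has no label: entry would be hard to spot in the device admin list" % name)
        if perm != ADMIN_PERMISSION:
            findings.append("%s handles DEVICE_ADMIN_ENABLED without the BIND_DEVICE_ADMIN permission the platform docs require" % name)
    return findings


def notable_permissions(manifest_xml):
    """Return the sorted list of declared permissions that are in WATCHED_PERMISSIONS."""
    root = ET.fromstring(manifest_xml)
    declared = {_android_attr(p, "name") for p in root.findall("uses-permission")}
    return sorted(declared & WATCHED_PERMISSIONS)


# Constructed sample: a labelled security app that legitimately uses device admin.
LABELLED_ADMIN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.labelled">
  <application android:label="Sample Security App">
    <receiver android:name=".AdminReceiver" android:label="Sample Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: no label anywhere, plus SMS/contacts/Bluetooth permissions.
UNLABELLED_ADMIN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.unlabelled">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for title, manifest in (("labelled", LABELLED_ADMIN_MANIFEST),
                            ("unlabelled", UNLABELLED_ADMIN_MANIFEST)):
        print("== %s ==" % title)
        for line in device_admin_findings(manifest):
            print("  " + line)
        print("  watched permissions: %s" % ", ".join(notable_permissions(manifest)))
```

Run it on a manifest decoded from an APK under review; a device-admin receiver with no label is worth a closer look, while a labelled one in a security app is the normal case the article mentions.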

When it is in place, Obad starts probing the system and checking for internet and root access. It slurps up data and reaches out to its command and control servers. Here is the full list of command functions described by Kaspersky:

  • Send text message. Parameters contain number and text. Replies are deleted.
  • PING.
  • Receive account balance via USSD.
  • Act as proxy (send specified data to specified address, and communicate the response).
  • Connect to specified address (clicker).
  • Download a file from the server and install it.
  • Send a list of applications installed on the smartphone to the server.
  • Send information about an installed application specified by the C&C server.
  • Send the user’s contact data to the server.
  • Remote Shell. Executes commands in the console, as specified by the cybercriminal.
  • Send a file to all detected Bluetooth devices.

When it arrives on a device, most of the package is encrypted, and some of the most important components are not decrypted until it gains internet access. This makes analysis and detection much more difficult. The Trojan doesn't even have an interface: it works entirely in the background. The level of sophistication and the number of new exploits in this one piece of malware look more like a Windows virus than other Android Trojans. Backdoor.AndroidOS.Obad.a is still very limited in scope, but it is floating around alternative app stores and fishy websites.

[Kaspersky SecureList, via Security Ledger]

Ryan Whitwam
Ryan is a tech/science writer, skeptic, lover of all things electronic, and Android fan. In his spare time he reads golden-age sci-fi and sleeps, but rarely at the same time. His wife tolerates him as few would.

  • Michael Ta

    Good guy Kaspersky.

    • BhanuChawla

      It rhymes.

      • Mr E

        i think you're saying "guy" wrong ;)

        • BhanuChawla

          No, I pronounce "Kaspersky" wrong. ;)

          • Mr E

            ha. you did make me question myself if i'm saying "kapersky" the right way

          • Guest

            lol

      • Hayden Bridges

        As an English major: "I rebuke thee, Satan! I need an old priest and a young priest!"

        • Alex Lees

          Rebuke or repudiate?

  • Andrei

    I take it none of the so-called 'security suites' can do anything about it, right?

    • http://www.about.me/FHL09 Troy

      You would think Kaspersky can...

    • themiddaysun

      The article only states they have identified it, nothing in the article states it can be blocked or removed as of yet. So we don't have that answer yet.

  • Michael Panzer

    So wait. Does the user have to install it himself? If yes, where is the problem?
    If somebody just installs random stuff, shame on him or her.

    • anywherehome

      Yes, just FUD
      iOS is more dangerous if you install just from the market...... if a user is stupid, no antivirus helps you

      "iPhones most vulnerable among smartphones"

      • Michael Panzer

        What is FUD? I only know fudge!

        • Sqube

          FUD is an acronym that stands for "fear, uncertainty and doubt." It's basically a way of communicating the fact that you shouldn't trust something when you don't have a logical leg to stand on.

          As far as this is concerned... while unscrupulous users might be the first wave to be infected, look at that "send a file to all detected Bluetooth devices" part. You can get quite nicely screwed without ever having known. A lot of technology users in general aren't as security-conscious as they need to be.

          This isn't the end-times for Android, but it is something to take note of. It's impressive in scope.

          • Michael Panzer

            To the BT point: you have to accept the incoming file and install it. That should be hard enough...

          • RvLeshrac

            It isn't "impressive in scope." You can send a malicious file to all bluetooth users in range with any device ever made which has bluetooth data.

            This is another example of "Being on the wrong end of an airtight hatch." Unless someone intentionally opens the hatch, there's no danger.

          • Sqube

            You don't think the most advanced android malware is impressive in scope? Umm... okay. That said, I guess I just have a lower opinion of what the "average" user is and isn't likely to do.

          • Michael Panzer

            This is what you see before installing this
            http://www.securelist.com/en/images/vlweblog/android_trojan_01.png
            Do you see the point where it says spend money? Would you click install?

          • RvLeshrac

            a) It requests access to su. Why are you granting the request? That's like giving your house keys and address to a hobo who walks up to you in the subway.

            b) It requests Administrator access. Why are you granting the request? That's like giving your house keys and address to a hobo who walks up to you in the subway, then providing them with a book containing all of your banking information, your debit and credit cards, and passwords for every service you use.

          • Cerberus_tm

            Unless it is disguised as an application that would need SU access, like a virus scanner or whatever...

            As to the requests for permission to access personal data, people get numb from all the "normal" applications that demand this. I'm glad at least I'm using LBE to block access to the most important permissions (unless LBE itself turns out to be malware, which is always possible...)

          • RvLeshrac

            People are randomly installing random applications from random sources randomly? Then they deserve what they get.

          • Cerberus_tm

            Why random? Have you never made a wrong judgement call? Or do you only install applications from the Play Store?

          • RvLeshrac

            I've never installed ANYTHING sent via SMS, or by someone I don't know.

            My "judgement call" is that I do not ever install anything without knowing what it is, what it intends to do, who it came from, and why I need it.

          • Cerberus_tm

            Well, you can never be sure. I sometimes install applications from "trusted" users on XDA, like LBE, but that is far from a 100 % guarantee. And it (rightly) requires some very invasive permissions. But at that moment I decide that it's worth the risk. Are you telling me I "deserve" a virus? I agree that installing something from an SMS is highly dubious, of course...

          • RvLeshrac

            So you're the first person to install an app from an untrusted user on XDA?

          • Cerberus_tm

            What do you mean? I said "trusted".

          • RvLeshrac

            "Trusted" invalidates your point entirely. Have you ever been infected by malware by a truly "trusted" source? Because there have been painfully few documented examples of that.

          • Cerberus_tm

            Those quotations marks were there for a reason. When someone appears to be a "trusted" user on XDA, it means he is a moderator, or he has received lots of "thanks", or many people comment approvingly on the software he posts, or whatever you think makes him trustworthy. Most new, innovative applications appear on XDA first. So it is a bit of a grey area: it's not just any user, but you can't be 100 % sure either. But it is far from "random".

          • Shaquelle O’soleil

            FUD actually stands for Fully UnDetectable.

          • Adrian Meredith

            That's not how acronyms work

    • APerssonBN

      It comes through an sms.

      • RvLeshrac

        And then the user has to install it, and grant all of the permissions.

  • http://www.about.me/FHL09 Troy

    So as a preventative, having Kaspersky installed will ensure I don't accrue this advanced Trojan?

    Did they say what to look out for, Ryan, or is it just "be vigilant as usual"? Because from what I gather it's not as simple as watching for suspicious permissions; correct me if I'm wrong.

  • Mr E

    So do you have to install the "obad" (lol great name btw) app specifically, or is it getting injected into other apks?

    • http://gamingirl.com Twinkling82

      Yeah, this I'd like to know as well. I don't download anything that's not in the Play Store (apart from Scribblenauts, which I found elsewhere because it wasn't in the Play Store), so in general I should be safe, but...

      • Michael Lee

        It doesn't inject itself into existing Play Store apps. The hackers have to copy apps and then inject the trojan into that. Any app you find on the top 200 should be safe. Downloading from other sources, however, is even more dangerous.

    • Justin Case

      It's an APK in and of itself; it does not ride on the back of other apps

  • Paul_Werner

    Ha, the day after I remove any antivirus on my N4 & 7, this article is released. I really only had it because Avast had anti-theft packaged in with it, but I was happy to get rid of it when Cerberus was free yesterday.

    Still doubt I'd get this on my phone given how I use it though. Hopefully 4.3 or the update after has a fix for something this advanced.

    • Ryuuie

      Seriously, you're fine. If you're not going around installing APKs from XDA or other app stores, you are 100% fine.

      This is what antivirus companies don't tell you. They let you think the entire Play Store is infested and you can get a virus just by going to your favorite website.

      • Paul_Werner

        I know, that's why I was saying I "doubt I'd get this on my phone given how I use it though"

        Thanks for the reply though

      • squiddy20

        Ummm hate to burst your bubble, but I (and many others) have downloaded quite a few apps directly from XDA and have never had any problems. It's the Chinese knock-off app stores where you can get paid apps for free that you need to be wary of.

        • Ryuuie

          Hate to burst yours but XDA isn't exactly the safest of places. You're still better off getting an app direct from the Play Store if you want to be 100% sure you're safe.

          Even if you pull from just XDA and from the Play Store, you don't know what kind of crap someone else had on their own computer that you just passed to yourself.

          It's kind of like the P2P argument all over again.

  • Paul Smith

    Please stop giving these malware "solution" providers free advertising with their scareware stories.

    Any company scaring people into buying its products is itself part of the problem.

    • http://www.androidpolice.com/ Artem Russakovskii

      I don't care for giving or not giving the Kaspersky product itself coverage. It's the analysis and mind-blowing complexity of this malware that prompted this article. Credit should be given where it's due, and in this case it most definitely belongs to Kaspersky's malware team.

      • Michael Panzer

        Maybe I didn't get it but what about this app is not part of the Android framework?

      • Matt

        Credit seems to belong to the Trojan author. He found multiple previously undiscovered vulnerabilities to make it work as it does. That's pretty badass.

      • Dan

        It seems like it would be pretty easy to analyze if you helped write it in the first place. Of course, that would be a crazy conspiracy theory. That would be as weird as a government pulling all phone records from an entire carrier.

      • Paul Smith

        But is it real.... Kaspersky and others are famous for exaggerating and scaremongering this sorta thing, as it's their business to sell a solution..

        Snake oil at its finest...

      • RvLeshrac

        "Mind blowing complexity"? What "mind blowing complexity"? ANY APK CAN DO ALL OF THIS WITH SU AND ADMIN RIGHTS.

      • Ryuuie

        I'm sorry, but I have to agree with everyone else. Posting this doesn't help Android's situation with "malware" and "security problems" one bit. You may have not intended for this to happen but it's what's going to happen.

        You may be impressed or whatever, but by reporting on every single supposed "virus" and "trojan", Android Police is simply causing more and more people to distrust Android as a whole.

        Don't get me wrong, it's not just this site, and it IS impressive what APKs can do if given enough permission, and it's not like AP is the only site doing this, but it's simply not helping anyone in the long run if popular websites like this continue to give stories like this their day in the sun.

        My college doesn't allow Android devices on the private Wi-Fi network. You MUST have an iOS device or you simply must use the slower and much less secure public network.

        • squiddy20

          "Android Police is simply causing more and more people to distrust Android as a whole." Riiight. Cause everyone goes to sketchy 3rd party markets to download their apps. Grab apps from trusted sources (Google, XDA, App Brain, Amazon, etc) and you will have a heavily reduced chance of ever getting infected.

          "My college doesn't allow Android devices on the private Wi-Fi network. You MUST have an iOS device or you simply must use the slower and much less secure public network." That's his own ignorance talking. Go to any college campus and you'll find hundreds of different devices (Android, iOS, OS X, Windows, maybe even Linux) all using the same wifi networks daily and very few instances of any virus or malware being spread.

          • Ryuuie

            You seem to think that "normal people" aren't very gullible and, even if they DON'T go to sketchy websites they won't still think they can easily be infected with a virus.

            Hint: They do actually think Android is filled with viruses just as people already have it set in their heads that Windows is filled with them as well.

            Also, considering you've never been to the college I go to nor have you most likely even been in my state, you seem to be just assuming that everyone allows certain types of devices. So I'm just gonna ignore that part. :v

            You really give normal people far too much credit though.

          • squiddy20

            "They do actually think Android is filled with viruses just as people already have it set in their heads that Windows is filled with them as well." And yet the vast majority of the population of the US, and possibly even the world, has an Android-powered device. If everyone thought as you describe, why then are there so many people with these "virus infested" devices?

    • Sean

      Please stop doubting the work of InfoSec engineers by insisting a report exposing some complex malware is to promote the vested interests of an individual security firm. It isn't. This is how security works (the opposite of "security by obscurity").

    • Christopher Lee

      If the vulnerability exists and is disclosed, that someone stands to make a profit out of it is really not of much concern.

    • squiddy20

      Show me where Ryan (the author) even implied, "Hey, Kaspersky researchers found this really scary malware! You should go download their app to keep your Android phone/tablet safe!" smh

      • Ryuuie

        It doesn't matter if it's implied or not. You don't seem to get how gullible and stupid some "non-techies" can be. They take one look at this and either decide Android is a malware infested piece of crap and then tell their friends OR they install some "antivirus" app they simply don't need.

        We already have workplaces refusing to let people connect Android devices to their protected networks just because of supposed "virus outbreaks" that we hear about from sites all over.

        Implications or not, this still makes impressions on the masses and it's not good.

        • squiddy20

          I'd like to see the percentage of "non-techies" that actually read this site, and other websites like it. My bet? It's a very very low percentage, and most major news networks won't pick up and circulate a story this small.

          • Ryuuie

            Yet people DO read Engadget and then there's NBC, ABC, CBS, and Fox who pick these "breaking news" stories up.

            I can't tell you how many times the Bloomberg Business Report has posted on the Apple v Samsung trials or "new malware has been found on Android!" stories.

            There's also the Conficker scare that went around and there were people OFFLINE worrying about it because Symantec did a huge story on it on 60 Minutes.

            So yes, while the percentage of people reading it offline might be low, there are other ways to get news.

            Not to mention if this story gets picked up by Yahoo! News or even Google's news.

  • http://www.androidpolice.com/ Artem Russakovskii

    I am absolutely fascinated by both the malware developer in this case and the reverse engineering by Kaspersky's team. It's like reading a computer science detective novel.

  • Paul

    Well, I always hated having Avast on my phone; seemed silly. All I cared about was their cool anti-theft part, which they got by buying a different company. But Avast does have installation protection and warnings about malicious apps. A feature I thought was useless, even annoying when it began detecting my Network Spoofer app as malware, even though it's not, it's just a fun gag I do at Starbucks or a friend's house, and there was no way to whitelist it. But I do hope that for once it'll come in handy for me and anyone else using it, by warning about and/or blocking this obad POS SW.

  • Jason

    As nasty as this is I notice there's no mention of how one would get infected with this. It wouldn't be by sideloading some cracked app would it?

    • Matthew Fry

      It would and it does say so... implicitly. " it is floating around alternative app stores and fishy websites."

      • Jason

        Oh, for crying out loud, if it had been any more obvious in the article it would have bit me. Seeing as it's sideloading crap, I say you get what you deserve.

  • milksop held

    Is there somewhere I can download the APK? I want to see if Avast picks it up

    • Mike Harris

      "Obad cannot be uninstalled and it doesn't even show up in the list of Administrator-approved apps."

      That's like injecting yourself with the HIV just to see if another machine will detect the virus. Putting aside the result of that test, what's the next step? Dying a slow, painful death?

      • milksop held

        I have an old Nexus S I can test it on and will factory reset after anyway

        • Ulrik Djurtoft

          If you use a physical phone, remember to re-flash it afterwards, as a factory reset might not be enough. If an app has root permissions, there are ways to make an installed app factory-reset proof.

      • Shawn

        You can install it on an emulator, and trash the emulator once you're finished.
        To the best of my knowledge, that's how most malware analysis is performed.

    • Justin Case

      Samples are on the mobile malware group

  • Justin Case

    This is more or less your basic Android malware wrapped with Dexguard http://www.saikoa.com/dexguard. The "manifest" exploit is just apktool failing in handling an oddly encoded manifest, most other tools work fine. The second "exploit" is not declaring a name for the app, so that it does not show up in the device admin panel.

    The only interesting aspect is the author was stupid enough to use a tool that leaves a watermark identifying him.

  • Matthew Fry

    So I'm guessing this sneaks right past Google's verify & install?

  • Eric James Salcido

    You should probably mention what they stated in the Article: "Despite such impressive capabilities, Backdoor.AndroidOS.Obad.a is not very widespread. Over a 3-day observation period using Kaspersky Security Network data, Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware."

  • didibus

    Wasn't it Kaspersky who also found out about those two crazy super Windows viruses made by the U.S. government?

    • Jaymoon

      ...and how long after it was first deployed? 2 years?! Great product. Every anti-virus is a joke because none of them picked up on it ...even as sloppy as it was written (considering the impact it had once it hit the public internet, which it was *supposedly* never supposed to do).

      http://en.wikipedia.org/wiki/Flame_(malware)

  • Guest

    Is there a download link for the APK? I want to try it in Manymo

    • Justin Case

      Mila's malware repo has them

  • APerssonBN

    I read it comes through an sms.

    • Justin Case

      it doesn't

      • APerssonBN

        How does it work then?

        • Justin Case

          What aspect of it? "comes through an sms" has nothing to do with how it functions. I do not know the original distribution point, but I assure you it's not installed through an SMS

  • master94

    Wouldn't only an idiot be stupid enough to install it? It says clearly that it spends money without asking.