Security experts at Kaspersky Lab detected a new instance of Android trojan that has been classified as the most sophisticated malware seen since now. The researcher Roman Unuchek described the Android trojan, dubbed Backdoor.AndroidOS.Obad.a or “Obad”, in a post on Kaspersky Lab’s Securelist blog.
The malicious code appears very similar to Windows malware respect typical mobile threats, authors of Android trojan Obad implemented multiple layers of encryption and code obfuscation to hide its operation and they also exploited various zero-day vulnerabilities in Google’s OS. The exploits allow the attackers to obtain total control over the victim’s device, the Android trojan is able to gain Device Administrator privileges to take advantage of an Android vulnerability to hide its presence from the list of applications that have such privileges.
The privileges make impossible for the user to remove the malicious application from the device.
It must be clarified that Android OS has two distinct levels of admin privileges, Root and Device Administrator. Root one is never given out on a normal user’s Android device, Device Administrator is specifically for applications that require the access to various device functionalities such as “disabling lock screen”.
“This Android trojan Obad will not be listed in Device Administrator list, so if user will not have SU, he won’t be able to delete this app”
Once infected the victim, the Android trojan run in stealth mode, he operates in background remaining in direct contact with Command and Control (C&C) receiving commands also via SMS text messages.
The Android trojan allows the attacker to perform various activities such as download and install files from servers, connect to internet addresses, send SMS messages and of course send stolen data from victims back to the C&C servers.
The agent is able to send to the C&C server information on victim’s mobile, the list of installed applications, the user’s contact data and any type of data stored in the device.
The mobile threat is able also of more complex operations, typically of desktop malware, Obad in fact is able to allow hackers to execute console commands via remote shell, send files to all detected Bluetooth devices around the victims, it can operate as a proxy server and it is also able to block the device’s screen for up to ten seconds, to mask its activities.
Following the complete list of commands:
It is not clear the nature of the Android trojan, Kaspersky has already alerted Google on the zero-day exploited by the authors of Obad, fortunately according security firm the mobile malware is still rare, over a three-day observation period, Kaspersky Lab found that Obad accounted for no more than 0.15% of all attempts to infect mobile devices with malware.
(Security Affairs – Android trojan, Malware)