Pierluigi Paganini June 11, 2013

Security researchers at Kaspersky Lab detected a new instance of Android trojan, dubbed Obad, that they have judged as the most sophisticated malware found since now.

Security experts at Kaspersky Lab detected a new instance of Android trojan that has been classified as the most sophisticated malware seen since now. The researcher Roman Unuchek described the Android trojan, dubbed Backdoor.AndroidOS.Obad.a or “Obad”, in a post on Kaspersky Lab’s Securelist blog.

The malicious code appears very similar to Windows malware respect typical mobile threats, authors of Android trojan Obad implemented multiple layers of encryption and code obfuscation to hide its operation and they also exploited various zero-day vulnerabilities in Google’s OS. The exploits allow the attackers to obtain total control over the victim’s device, the Android trojan is able to gain Device Administrator privileges to take advantage of an Android vulnerability to hide its presence from the list of applications that have such privileges.

The privileges make impossible for the user to remove the malicious application from the device.

It must be clarified that Android OS has two distinct levels of admin privileges, Root and Device Administrator. Root one is never given out on a normal user’s Android device, Device Administrator is specifically for applications that require the access to various device functionalities such as “disabling lock screen”.

“This Android trojan Obad will not be listed in Device Administrator list, so if user will not have SU, he won’t be able to delete this app”

Once infected the victim, the Android trojan run in stealth mode, he operates in background remaining in direct contact with Command and Control (C&C) receiving commands also via SMS text messages.

The Android trojan allows the attacker to perform various activities such as download and install files from servers, connect to internet addresses, send SMS messages and of course send stolen data from victims back to the C&C servers.

The agent is able to send to the C&C server information on victim’s mobile, the list of installed applications, the user’s contact data and any type of data stored in the device.

The mobile threat is able also of more complex operations, typically of desktop malware, Obad in fact is able to allow hackers to execute console commands via remote shell, send files to all detected Bluetooth devices around the victims, it can operate as a proxy server and it is also able to block the device’s screen for up to ten seconds, to mask its activities.

Following the complete list of commands:

• Send text message. Parameters contain number and text. Replies are deleted.
• PING.
• Receive account balance via USSD.
• Act as proxy (send specified data to specified address, and communicate the response).
• Connect to specified address (clicker).
• Download a file from the server and install it.
• Send a list of applications installed on the smartphone to the server.
• Send information about an installed application specified by the C&C server.
• Send the user’s contact data to the server.
• Remote Shell. Executes commands in the console, as specified by the cybercriminal.
• Send a file to all detected Bluetooth devices.

It is not clear the nature of the Android trojan, Kaspersky has already alerted Google on the zero-day exploited by the authors of Obad, fortunately according security firm the mobile malware is still rare, over a three-day observation period, Kaspersky Lab found that Obad accounted for no more than 0.15% of all attempts to infect mobile devices with malware.

Pierluigi Paganini

(Security Affairs – Android trojan, Malware)