New Android Trojan app exploits previously unknown flaws, researchers say

The malware is the most sophisticated Android Trojan program found to date, researchers from Kaspersky Lab said

A newly discovered Trojan program exploits previously unknown flaws in Android and borrows techniques from Windows malware in order to evade detection and achieve persistence on infected devices.

Security researchers from antivirus firm Kaspersky Lab named the new malicious application Backdoor.AndroidOS.Obad.a and labeled it the most sophisticated Android Trojan program to date.

The malware is designed to send SMS messages to premium-rate numbers and allows attackers to execute rogue commands on infected devices by opening a remote shell. Attackers can use the malware to steal any kind of data stored on compromised devices or to download additional malicious applications that can be installed locally or distributed to other devices over Bluetooth.

The Obad.a Trojan program makes heavy use of encryption and code obfuscation in order to hinder analysis efforts, Kaspersky researcher Roman Unuchek said Thursday in a blog post.

"Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts," the researcher said. "However, it is rare to see concealment as advanced as Odad.a's in mobile malware."

In addition to using encryption and code obfuscation techniques, the malware also exploits previously unknown bugs in Android and third-party software, Unuchek said.

For example, the malicious application exploits an error in a piece of software called DEX2JAR that's used by malware analysts to convert Android application packages (APKs) into Java Archive (JAR) files.

"This vulnerability spotted by the cybercriminals disrupts the conversion of Dalvik bytecode into Java bytecode, which eventually complicates the statistical analysis of the Trojan," Unuchek said.

The malware also abuses a bug in the way Android processes AndroidManifest.xml files. These files are found in every application and contain information about the application's structure and launch parameters.

The Trojan program contains a specifically crafted AndroidManifest.xml that doesn't conform to Google's specification, but is still processed correctly by the Android OS, Unuchek said. This makes dynamic analysis of the malware extremely difficult, he said.

When first executed, Obad.a prompts users for device administrator privilege. Applications that gain this privilege can no longer be uninstalled through the regular apps menu until they are removed from the administrators list in the security settings menu.

The Obad.a malware exploits a previously unknown flaw in the Android OS in order to hide itself from the administrators list, leaving users unable to revoke the privilege and uninstall the app. "We have already informed Google about the Device Administrator vulnerability in Android," Unuchek said.

In addition, on rooted devices, the malware tries to gain root privileges by executing the "su id" command, said Denis Maslennikov, a senior malware analyst at Kaspersky Lab, Friday via email. Like gaining administrative privileges, gaining root access requires user permission, he said.

"Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek said.

The new Trojan program is distributed through SMS spam, but is not very widespread at the moment. According to detection statistics from Kaspersky Lab, installation attempts for Obad.a amounted to only 0.15 percent of the total number of malware infection attempts on mobile devices over a three-day period.

That said, Maslennikov believes that other Android malware threats will adopt advanced techniques like the ones used by this malware in the future. "We think that similar techniques are going to be more widespread very soon," he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags Android OSGooglesecuritymobile securityspywareExploits / vulnerabilitiesmalwarekaspersky lab

More about GoogleKasperskyKaspersky

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts