Android Trojans spread by Bluetooth, hijack bank codes

A Trojan that spreads itself via Bluetooth and another that's received a mobile upgrade to steal SMS banking codes have been discovered by security researchers.

"Backdoor.AndroidOS.Obad.a" was recently discovered by Kaspersky Lab in an Android application. The malware is a multi-functional Trojan that can send SMS messages to premium rate numbers, download malware to a phone and infect other phones through Bluetooth.

After receiving a command from a server operated by a cyber criminal, the malware scans for devices around it with open Bluetooth connections and attempts to send a bad app to them, Kaspersky Lab expert Roman Unuchek explained in a blog post.

When Bluetooth was introduced, there were some experiments with using it to infect machines, but nothing similar to what Kaspersky has discovered. "In this incarnation, it's definitely novel," Ken Baylor, research vice president for NSS Labs, said in an interview. "It's something we haven't seen in Bluetooth before, other than a proof of concept," he said, "and we've never seen it in an Android implementation."

The Obad backdoor is one of the most complex Android malware programs yet and rivals bad apps written for Windows PCs. "Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek wrote.

"Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts," he added. "However, it is rare to see concealment as advanced as Obad.a's in mobile malware."

As complex as Obad is, the added sophistication doesn't seem to be making the Trojan very infectious. "Despite such impressive capabilities, Backdoor.AndroidOS.Obad.a is not very widespread," Unuchek wrote. "Over a 3-day observation period using Kaspersky Security Network data, Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware."

Obad's kind of complexity wasn't stuffed into the new mobile add-on for the Bugat banking Trojan discovered by researchers at RSA. The add-on, called BitMo by RSA, hijacks security codes sent through SMS messages to bank customers to authenticate their identities.

"It's a simple SMS forwarder," Limor Kessem, a cybercrime specialist with RSA, the security division of EMC, said in an interview. "It's not a rogue. It asks for permissions just like any other application."

What is interesting about the malware is how its authors get people to download it: they persuade victims that they need malware protection, ask for their mobile phone number and platform type, and then direct them to download the malware.

Once installed on a phone, the bad app operates in the background monitoring SMS messages. If it sees a message containing a bank code, it will hide it from the phone's owner and ship the message to the byte robber.
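The behaviour just described (an app that asks only for ordinary-looking permissions, then quietly reads incoming SMS and forwards bank codes) leaves a recognisable footprint in the app's manifest. The following is an added example written for this article, not code from RSA, Kaspersky or the malware itself: a small triage script that parses a decoded AndroidManifest.xml (as produced by a decompiler such as apktool, which is an assumption about the reader's workflow) and scores the combination of SMS permissions, a high-priority receiver for the SMS_RECEIVED broadcast, and an exfiltration channel. Both manifests embedded in it are constructed samples; the class and package names are invented.

```python
# Added example (not from the article, RSA or Kaspersky): manifest triage for
# SMS-interception indicators. Input is a decoded AndroidManifest.xml as text.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
PERM = "android.permission."

# Constructed sample: the shape a fake "protection" app that forwards SMS would have.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeprotect">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Protect">
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app with no SMS access at all.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _a(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_sms_receivers(root):
    """Return (receiver class, intent-filter priority) for every receiver that
    listens for SMS_RECEIVED. Priority defaults to 0 when unset or malformed."""
    found = []
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {_a(act, "name") for act in filt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            raw = _a(filt, "priority")
            try:
                prio = int(raw) if raw is not None else 0
            except ValueError:
                prio = 0
            found.append((_a(rcv, "name"), prio))
    return found


def triage_manifest(xml_text, high_priority=1000):
    """Score a decoded manifest for SMS-interception indicators and explain why."""
    root = ET.fromstring(xml_text)
    perms = {_a(p, "name") for p in root.iter("uses-permission")}
    receivers = find_sms_receivers(root)
    findings, score = [], 0

    if PERM + "RECEIVE_SMS" in perms:
        score += 1
        findings.append("requests RECEIVE_SMS")
    if PERM + "READ_SMS" in perms:
        score += 1
        findings.append("requests READ_SMS (can read stored messages)")
    for name, prio in receivers:
        if prio >= high_priority:
            # A receiver ordered ahead of the messaging app sees the SMS first and,
            # on pre-4.4 Android, could abort the broadcast so the user never saw it.
            score += 2
            findings.append("receiver %s handles SMS_RECEIVED at priority %d "
                            "(ahead of the default SMS app)" % (name, prio))
        else:
            score += 1
            findings.append("receiver %s handles SMS_RECEIVED" % name)
    exfil = [p for p in (PERM + "INTERNET", PERM + "SEND_SMS") if p in perms]
    if exfil and (receivers or PERM + "READ_SMS" in perms):
        score += 1
        findings.append("exfiltration channel available: "
                        + ", ".join(p[len(PERM):] for p in exfil))

    if score >= 4:
        verdict = "likely SMS interceptor - review before install"
    elif score >= 2:
        verdict = "SMS access present - confirm the app genuinely needs it"
    else:
        verdict = "no SMS-interception indicators"
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(label, result["score"], result["verdict"])
        for line in result["findings"]:
            print("  -", line)
```

The score is a triage aid, not a verdict on its own: a legitimate messaging app will also request RECEIVE_SMS and register an SMS_RECEIVED receiver, which is exactly Kessem's point that the forwarder "asks for permissions just like any other application". What separates the two is the combination with a network or outbound-SMS channel and the absence of any user-facing reason for SMS access, which is why the script reports its findings rather than a bare number. From Android 4.4 onward only the default SMS app can suppress an incoming message, so the high-priority trick no longer hides the text from the owner, though forwarding it still works.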

Bugat has been tardy coming to the SMS code-snatching game, Kessem explained.

Bank Trojan writers began focusing their attention on mobile devices in 2012, as the use of SMS authentication codes began cutting into the effectiveness of their malware. "They saw that they needed to get into mobile because it's where their transactions were failing and their fraud rates falling," Kessem said in an interview.

"Bugat has been around for quite a while, so it's getting into the SMS game a little late," she added.

That's surprising since Bugat is a widespread banking Trojan, ranking behind the infamous Zeus banking Trojan in popularity among cyber bank robbers.

The addition of an SMS redirector could boost Bugat's popularity in the bank Trojan market, which is now divided among Zeus, Bugat and Citadel. "When Citadel began getting attention in the Western press, it began decreasing its availability," Baylor, of NSS, explained. "So we may see an ascendance of Bugat."
