Android Trojans gain botnet distribution, new code

A dangerous Trojan that targets Google's Android mobile operating system has gained new nefarious capabilities even as a new banking malware takes aim at the OS, according to security researchers.

Kaspersky Lab reported that mobile botnets are being used to distribute the Obad.a Trojan, which can gain administrative rights on an Android device -- allowing its masters to do pretty much anything they want with a handset.

Meanwhile, Eset revealed that a bad app it discovered earlier this month -- Hesperbot -- is actually a mobile banking Trojan along the lines of Zeus and SpyEye, but with significant implementation differences that make it a new malware family.

The Obad.a Trojan has been closely watched by Kaspersky since the beginning of the summer, but it wasn't until recently that researchers uncovered the unusual distribution method its handlers have been deploying.

"For the first time, malware is being distributed using botnets that were created using completely different mobile malware," Kaspersky researcher Roman Unuchek wrote in a blog.

Such distribution techniques are common in the desktop world, but their arrival in the mobile space is another indicator that Android is becoming the mobile equivalent of Windows for hackers.

"This approach, like other aspects of the Obad operation, mimics what we've been seeing in the desktop ecosystem," Roel Schouwenberg, a senior researcher at Kaspersky, said in an email.

"In the Windows and Linux world, it's very common for malware and botnets to install other types of malware for pay," he added. "So it's likely that we'll see further adoption of this strategy in the mobile space as well."

Handsets are initially infected with the botnet software SMS.AndroidOS.Opfake.a through a poisoned link in an SMS message.

The link promises to deliver a new MMS message to the target. If clicked, the botware will be downloaded and the target asked to run it. If the target complies, SMS messages with the same MMS pitch will be sent to everyone on the target's contact list. In addition, the botware will download Obad.a, which sets up a backdoor on the handset that allows a botmaster to remotely control the device.

Other more conventional means are also used to distribute Obad.a, including SMS spam, links to fake Google Play stores and redirection from poisoned websites.

That kind of multi-vector infection strategy isn't common yet in the mobile world. "Right now, Obad is setting a new standard," Schouwenberg said. "We're still quite a bit away from multiple infection vectors being the norm rather than the exception."

Up to now, Obad.a activity has been directed at populations in the states of the old Soviet Union, although there has been some spillover into other countries. "For now, other countries are not where the attackers' focus seems to be," Schouwenberg said.

Hesperbot also appears to have a limited geographic distribution -- primarily Turkey and the Czech Republic. However, the campaign may expand. "It's quite likely we'll see more instances of this as time goes by," Eset Security Evangelist Stephen Cobb said in an interview. "I would expect we'll see more attacks in more countries."

Hesperbot is spread by luring targets to an infected website with a poisoned link embedded in an email or SMS message. The Czech scam sent targets to a website closely modeled on the landing page of the country's postal service.

"The aim of the attackers is to obtain login credentials giving access to the victim's bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone," Eset researcher Robert Lipovsky wrote in a blog.

He described Hesperbot as a very potent banking Trojan with features such as keystroke logging, creation of screenshots and video capture, setting up a remote proxy, creating a hidden VNC server on an infected system, intercepting network traffic and HTML injection.

Other banking Trojans, like Zeus and SpyEye, perform those functions, too; what sets Hesperbot apart is its use of new code to do those tasks. "It's not made with SpyEye or Zeus code," Cobb said. "That might sound like a technical distinction, but the fact that someone went to the trouble to write a brand-new banking Trojan is indicative of the appeal that remains for the software."

That appeal will likely grow. "As more mobile capabilities are rolled out and mobile payments become more widespread and ubiquitous, malware is going to follow," said George Tubin, senior security strategist at Trusteer, an IBM company. "We're right at the beginning of it now."

He explained that improved security measures at larger banks have been driving cyber robbers downstream to mid- and small-sized banks. "Now, they'll also be moving into the mobile channel, because banks haven't deployed very sophisticated fraud detection technologies there yet," Tubin said.

Nevertheless, mobile infections can be avoided if a user is willing to avoid high-risk behavior. "They're not going to get infected if they stick to downloading apps from Google Play or their employer's app store," Randy Abrams, a research director at NSS Labs, said in an interview.

"There have been exceptions, and Google has allowed infected apps into their store," he continued, "but the majority of apps on Google Play are going to be very safe -- as long as you don't consider compromising your privacy a safety issue."

Stories by John P. Mello Jr.