As mobile malware attacks become more complex and widespread, Kaspersky Lab researchers have discovered what they are calling the “most sophisticated Android Trojan,” noting that it resembles advanced Windows malware in the way it exploits several vulnerabilities at once.
The application, identified as Backdoor.AndroidOS.Obad.a, or Obad.a for short, sends SMS messages to premium-rate numbers, downloads and installs other malware and pushes it to nearby devices over Bluetooth, and executes commands received from a command-and-control (C&C) server. Additionally, it exploits a previously unknown vulnerability in Android’s Device Administrator mechanism that hides it from the list of device administrators, so that it cannot be uninstalled through the normal settings interface.
In a recent blog post detailing the Trojan, Kaspersky Lab expert Roman Unuchek noted that Obad.a featured unusually advanced code concealment techniques. All the strings in the DEX file were encrypted and code was obfuscated. In addition to multiple layers of encryption around the code and interactions with the C&C server, the application featured several other quirks that made it particularly hard to detect and delete.
Three vulnerabilities combined
Backdoor.AndroidOS.Obad.a has no user interface and runs entirely in the background, which makes it difficult to analyze, but that was only part of the challenge, according to Unuchek. The application exploits an error in the DEX2JAR software (generally used by researchers to convert the Dalvik bytecode in an APK file into the Java Archive (JAR) format) that breaks the conversion of Dalvik bytecode into Java bytecode and makes static analysis of the Trojan difficult.
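When a converter such as DEX2JAR fails on a sample, the first question is whether the file is damaged or whether it is well-formed enough for the device yet crafted to trip the tool. The following added example (not code from Kaspersky Lab, Klocwork, or the DEX2JAR project) checks the parts of a `classes.dex` header that converters rely on: the magic and endian tag, the declared header and file sizes, the Adler-32 checksum and SHA-1 signature defined by the DEX format, and whether the section tables and map list lie inside the file. The sample file it builds is a constructed minimal DEX (a header plus a one-entry map list); the specific malformation Obad.a used against DEX2JAR is not described on this page, so the tampered sample here simply lies about its header size and leaves the integrity fields stale.

```python
"""Sanity-check a Dalvik executable (classes.dex) header before feeding it to a converter."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
REVERSE_ENDIAN_CONSTANT = 0x78563412
KNOWN_MAGIC = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")

# The twenty little-endian u32 fields that follow the 20-byte SHA-1 signature, in file order.
FIELDS = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]
# Fixed entry sizes of the index tables, used to bounds-check them.
ENTRY_SIZE = {"string_ids": 4, "type_ids": 4, "proto_ids": 12,
              "field_ids": 8, "method_ids": 8, "class_defs": 32}


def parse_header(dex: bytes) -> dict:
    if len(dex) < HEADER_SIZE:
        raise ValueError("file is shorter than a DEX header")
    hdr = {"magic": dex[:8],
           "checksum": struct.unpack_from("<I", dex, 8)[0],
           "signature": dex[12:32]}
    hdr.update(zip(FIELDS, struct.unpack_from("<20I", dex, 32)))
    return hdr


def check_dex_header(dex: bytes) -> list:
    """Return a list of findings; an empty list means the header is internally consistent."""
    try:
        h = parse_header(dex)
    except ValueError as e:
        return [str(e)]
    findings = []
    if h["magic"] not in KNOWN_MAGIC:
        findings.append(f"unknown magic {h['magic']!r}")
    if h["endian_tag"] == REVERSE_ENDIAN_CONSTANT:
        findings.append("big-endian DEX: rare, and many tools assume little-endian")
    elif h["endian_tag"] != ENDIAN_CONSTANT:
        findings.append(f"bad endian_tag 0x{h['endian_tag']:08x}")
    if h["header_size"] != HEADER_SIZE:
        findings.append(f"header_size 0x{h['header_size']:x} != 0x70")
    if h["file_size"] != len(dex):
        findings.append(f"file_size {h['file_size']} != actual length {len(dex)}")
    # Integrity fields: Adler-32 covers everything after the checksum, SHA-1 everything after the signature.
    adler = zlib.adler32(dex[12:]) & 0xFFFFFFFF
    if adler != h["checksum"]:
        findings.append(f"checksum mismatch: header 0x{h['checksum']:08x}, computed 0x{adler:08x}")
    if hashlib.sha1(dex[32:]).digest() != h["signature"]:
        findings.append("signature (SHA-1) mismatch")
    # Every index table must lie inside the file; a table that runs past EOF is a classic tool-crasher.
    for name, entry in ENTRY_SIZE.items():
        size, off = h[name + "_size"], h[name + "_off"]
        if size and (off < HEADER_SIZE or off + size * entry > len(dex)):
            findings.append(f"{name} table ({size} entries at 0x{off:x}) runs outside the file")
    # The map_list is a u32 count followed by 12-byte map_items.
    map_off = h["map_off"]
    if map_off < HEADER_SIZE or map_off + 4 > len(dex):
        findings.append(f"map_off 0x{map_off:x} is outside the file")
    else:
        n_items = struct.unpack_from("<I", dex, map_off)[0]
        if map_off + 4 + 12 * n_items > len(dex):
            findings.append(f"map_list claims {n_items} items and runs outside the file")
    return findings


def build_sample_dex(tamper: bool = False) -> bytes:
    """Constructed sample: a minimal DEX of one header plus a map_list with a single TYPE_HEADER_ITEM.
    This is illustrative data, not a real application's classes.dex."""
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)
    fields = {name: 0 for name in FIELDS}
    fields.update(file_size=HEADER_SIZE + len(map_list), header_size=HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT, map_off=HEADER_SIZE,
                  data_size=len(map_list), data_off=HEADER_SIZE)
    body = struct.pack("<20I", *(fields[n] for n in FIELDS)) + map_list
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    dex = KNOWN_MAGIC[0] + struct.pack("<I", checksum) + signature + body
    if tamper:
        # Hypothetical hostile edit: an impossible header_size with the checksum and signature left stale.
        buf = bytearray(dex)
        struct.pack_into("<I", buf, 36, 0x1000)
        dex = bytes(buf)
    return dex


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_dex()), ("tampered", build_sample_dex(tamper=True))):
        print(label, check_dex_header(sample) or "ok")
```

A file that fails these checks but still installs and runs on a handset is a strong hint that the converter, not the device, is the intended victim; the Dalvik verifier on the device remains the ground truth for what Android will accept, so this is a tool-side sanity check rather than a substitute for running the sample.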
Obad.a also targets an error in Android’s processing of the AndroidManifest.xml file, which exists in every Android application to describe the application’s structure, define its launch parameters and more. Although Obad.a modifies AndroidManifest.xml so that it doesn’t comply with Google standards, the vulnerability enables it to still be processed correctly, complicating any attempt to run dynamic analysis on the application.
A third vulnerability, in the Android OS Device Administrator privileges, allows an application to hold administrator privileges without appearing in the list of applications that have them. Because Android will not uninstall an active device administrator, and the user cannot revoke a privilege that is not shown, the application cannot be removed through the normal settings interface once it has gained that access. Unuchek noted that Kaspersky had informed Google of the vulnerability.
A laundry list of possibilities
As soon as the application is installed, it tries to obtain device administrator privileges, which makes it impossible to delete through the normal settings interface. It can also lock the device’s screen for up to 10 seconds. It appears to do this most often when the device is connected to a free Wi-Fi network or when Bluetooth is activated, at which point it attempts to copy itself and other malicious applications to nearby devices while the user cannot see the screen.
The Trojan also attempts to obtain root privileges with the “su id” command. It sends information about whether superuser privileges have been successfully obtained to the C&C server when it launches, along with the MAC address of the Bluetooth device, operator information, the phone account balance and more. It continues to send this information to the C&C server every time a connection is established.
In turn, the C&C server can issue instructions from a command list that includes sending a text message, downloading and installing files, sending user and application information to the server, executing console commands and sending files to detected Bluetooth devices. Even if a connection to the C&C server cannot be established, the Trojan can be controlled via text message.
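The traits listed above (no user interface, a Device Administrator receiver, SMS and Bluetooth permissions, control by text message) are all declared in an application’s AndroidManifest.xml, which makes a decoded manifest a cheap first triage step. The following added example (not code from Kaspersky Lab or Klocwork) runs that triage over a manifest that has already been decoded to text with a tool such as apktool, and flags the permissions and components the article associates with Obad.a. It also records when the manifest does not parse at all, which is exactly the situation the malformed-manifest vulnerability described earlier creates: the device may still accept the file, so a parse failure in the analyst’s tooling is itself a finding rather than a reason to discard the sample. Both manifests below are constructed for illustration and the permission-to-behaviour mapping is the author’s, not a Kaspersky detection rule.

```python
"""Static triage of a decoded AndroidManifest.xml for traits the article attributes to Obad.a."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NAME = ANDROID_NS + "name"
PERMISSION = ANDROID_NS + "permission"

# Permissions worth a second look, with the behaviour each one enables (assumed mapping, for triage only).
SUSPECT_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "can take commands over SMS",
    "android.permission.BLUETOOTH": "can reach nearby devices over Bluetooth",
    "android.permission.BLUETOOTH_ADMIN": "can enable Bluetooth and discover nearby devices",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start without the user launching it",
}


def triage_manifest(xml_text: str) -> dict:
    """Collect raw observations; a manifest that fails to parse is recorded, not skipped."""
    result = {"parse_error": None, "permissions": [], "device_admin": False, "launcher_activity": False}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        result["parse_error"] = str(e)
        return result
    for p in root.iter("uses-permission"):
        name = p.get(NAME)
        if name in SUSPECT_PERMISSIONS:
            result["permissions"].append(name)
    # A device-admin receiver is protected by BIND_DEVICE_ADMIN and listens for DEVICE_ADMIN_ENABLED.
    for r in root.iter("receiver"):
        actions = {a.get(NAME) for a in r.iter("action")}
        if r.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN" \
                or "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            result["device_admin"] = True
    # An app with no MAIN/LAUNCHER activity has no icon and no user interface.
    for act in root.iter("activity"):
        for f in act.iter("intent-filter"):
            actions = {a.get(NAME) for a in f.iter("action")}
            cats = {c.get(NAME) for c in f.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                result["launcher_activity"] = True
    return result


def findings(result: dict) -> list:
    """Turn observations into human-readable findings; empty means nothing stood out."""
    if result["parse_error"]:
        return [f"manifest does not parse as XML ({result['parse_error']}): "
                "treat as hostile and inspect the binary AXML by hand"]
    out = [f"{name}: {SUSPECT_PERMISSIONS[name]}" for name in result["permissions"]]
    if result["device_admin"]:
        out.append("declares a Device Administrator receiver: can lock the screen and resist uninstall")
    if not result["launcher_activity"]:
        out.append("no MAIN/LAUNCHER activity: runs only in the background")
    return out


# Constructed sample manifests (not taken from any real application).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".BackgroundService"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# A manifest with its closing tag removed stands in for one that an ordinary XML parser rejects.
MALFORMED_MANIFEST = SUSPECT_MANIFEST.replace("</application>", "")

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST), ("malformed", MALFORMED_MANIFEST)):
        print(label, findings(triage_manifest(text)) or "nothing flagged")
```

The manifest inside an APK is stored as binary XML, so decode it first (for example with apktool or `aapt dump xmltree`) and keep in mind that Android’s own parser is more forgiving than a strict XML library: a decoded manifest that fails here tells you the tooling is being evaded, not that the device would reject the package.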
Determining the significance
Unuchek noted that the Trojan is still relatively rare in the wild, with Kaspersky data showing that just 0.15 percent of all malware installation attempts during a three-day study period involved Obad.a. However, the application’s complexity and targeting of software vulnerabilities may be cause for concern.
“We would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits,” Unuchek wrote. “This means that the complexity of Android malware programs is growing rapidly alongside their numbers.”
Android malware in general is growing rapidly. A study earlier this year from Trend Micro observed that the total number of Android threats had reached 350,000 in three years and could top 1 million by the end of the year. By comparison, it took 14 years for PC malware to reach a similar volume.
As such threats grow not only more numerous but more complex in their manipulation of software security vulnerabilities, developers will have an added challenge to secure their applications and operating systems. Source code analysis tools will be essential for pinpointing weak spots and helping to eliminate potential malware attack vectors.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.