“The malware owners have developed a technique which we have never encountered before,” said Roman Unuchek, an anti-virus expert at Kaspersky Lab, in a blog. “For the first time malware is being distributed using botnets that were created using completely different mobile malware.”
The most interesting alien distribution model saw various versions spread with the Trojan-SMS.AndroidOS.Opfake.a malware. This double infection attempt starts with a text message to users, urging them to download a recently received text message. If the victim clicks the link, a file containing Opfake.a is automatically downloaded onto the smartphone or tablet. But it still doesn’t unleash Obad.a at that point.
The malicious Opfake.a file can only be installed if the user then launches it; should that happen, the Trojan sends further messages to all the contacts on the newly infected device. Clicking the link in these messages then, finally, downloads Obad.a.
“It’s a well-organized system: one Russian mobile network provider reported more than 600 messages containing these links within just five hours, pointing to a mass distribution,” Unuchek said. “In most cases, the malware was spread using devices that were already infected.
The multi-functional Trojan is capable of the following: sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. Apart from using mobile botnets, this highly complex Trojanalso offers a mix of more time-worn propagation techniques, like spam messages.
“This is a major carrier of the Obad.a Trojan,” Unuchek noted. “Typically, a message warning the user of unpaid ‘debts’ lures victims to follow a link which automatically downloads Obad.a onto the mobile device. Again, though, users must run the downloaded file in order to install the Trojan.”
Fake application stores also spread Obad.a. They copy the content of Google Play pages, replacing legitimate links with malicious ones. When legitimate sites are cracked and users are redirected to dangerous ones, Obad.a exclusively targets mobile users – if potential victims enter the site from a home computer nothing happens, but smartphones and tablets of any operation system could be redirected to those fake sites (although only Android users are at risk). In total Kaspersky has discovered 120 cracked websites that redirected mobile users to nbelt.ru, a malicious domain that infects users after clicking anywhere on the page.
Obad.a is mostly found in Eastern European countries: In total, 83% of attempted infections were recorded in Russia, while it was also detected on mobile devices in Ukraine, Belarus, Uzbekistan and Kazakhstan.
“In three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation, and each used an Android OS vulnerability that gives the malware DeviceAdministrator rights and made it much more difficult to delete,” Unuchek said, adding that Kaspersky has informed Google and that the loophole has been closed in Android 4.3. But, older devices running earlier versions of the OS are still under threat.
“Obad.a, which uses a large number of unpublished vulnerabilities, is more like Windows malware than other Trojans for Android,” Unuchek explained.