Researchers say they have discovered a sophisticated trojan that targets Android smartphones – exploiting two previously unknown vulnerabilities in the mobile platform and a third flaw in separate software – to send text messages to premium-rate numbers and download other malware onto victims' phones.
Roman Unuchek, a Kaspersky researcher, on Thursday published an analysis of the trojan, dubbed Obad. According to Unuchek, a device administrator flaw in the Android operating system makes it impossible for a user to delete the malware once it gains extended administrator privileges on the phone. In addition, a second Android vulnerability inhibits the platform's ability to process an Android .xml file, called “AndroidManifest,” making it difficult for the malware to be detected.
Obad also exploits a third flaw in separate software, called DEX2JAR, which is popularly used by researchers to convert Android executable files into Java Archive (JAR) format. This component of the attacks also makes it more difficult for the malware to be analyzed by researchers, according to Unuchek.
Along with downloading other malware onto victims' phones and sending SMS messages to premium-rate numbers, Obad also receives instructions from its command-and-control server that allow it to spread malicious files to other devices via unsecured Wi-Fi networks or Bluetooth connections.
“On a [command-and-control server] command, the malicious program scans for nearby devices with enabled Bluetooth connection, and attempts to send the downloaded file to them,” Unuchek said in the blog post.
However, while the trojan is sophisticated and comparable to Windows malware because of its complexity and use of unknown exploits, it is not currently widespread, researchers found.
After observing the malware over a three-day period, Kaspersky found that, in its network of customers, Obad attacks accounted for fewer than 0.15 percent of all attempts by malware to infect mobile devices.
Kaspersky notified Google about Obad's Android exploits. SCMagazine.com reached out to Google to inquire about the bugs, but did not immediately hear back.
Obad's tricks make the trojan a rarity in Android malware, and a standout threat as researchers more often deem legitimate apps or app stores a bigger security concern to users than advanced mobile malware.
News of the findings comes as several participants at a Federal Trade Commission mobile security forum downplayed the threat posed by malware on these devices and even applauded third-party app stores for becoming more trustworthy sources from which to download apps.
In a summary of the forum, Ryan Pretzer, the awareness campaigns program manager for the National Cyber Security Alliance (which runs StaySafeOnline.org), wrote that in actuality, crooks prefer compromising legitimate mobile apps – or creating phony versions of popular apps that look close enough to the real thing – to infect smartphone users.
“Undeterred, cyber criminals are now attempting to exploit the trust U.S. users have shown in well-regarded apps and app stores,” Pretzer wrote, explaining that the real emerging threats highlighted in the forum were these "imposter apps," or those that had been reverse-engineered to harm users' devices.
An attacker can exploit a legitimate app by simply obtaining the credentials of a certified developer. "Bad guys" often upload their malicious versions of the app to trusted app stores and disguise them as security updates to fool users into installing the malware.