Obad was the nastiest piece of Android malware discovered in 2013

by: Gary Sims, December 16, 2013


In a recent end-of-year summary published by antivirus company Kaspersky Lab, the firm officially named Obad as its Villain of the Year 2013.

Obad was discovered during the summer and it was quickly recognized as a sophisticated piece of malware. The technical name for the Trojan is Backdoor.AndroidOS.Obad and this nasty little fellow is capable of sending SMS to premium-rate numbers, as well as downloading other malware programs, installing them on the infected device, and sending them on via Bluetooth.

But the nastiest thing about Obad is that its creators used a previously unknown vulnerability in Android that allowed it to gain extended Device Administrator privileges and then remove itself from the list of applications with such privileges. This means that once a device is infected, the malware is almost impossible to delete.

Obad was also very tricky for the security guys to pick apart, as the code was obfuscated and all the strings were encrypted. The malware is controlled by a remote server, often known as a command and control server (C&C server), and the address for the server was double encrypted. The malware writers went to such extremes to hide the server address because one way law enforcement agencies fight cyber crime is by shutting down the servers, but if the server is harder to find they can’t shut it down.

“The threat posed by Obad remains very real.” (Roman Unuchek, Kaspersky Lab Expert)

Once a hapless victim has installed an app with Obad buried inside of it, the malware tries to obtain Device Administrator privileges. It does this by asking the user to grant it control over the lock screen, something that some apps can reasonably ask for. As a word of warning for those who have rooted devices, Obad also tries to gain root access and increase its super powers.

While chatting with the C&C server the malware gets a list of premium numbers where it will send SMS messages. By sending messages to these numbers the cyber criminals make money, lots of money!

Since its discovery Obad has also been improved by its creators and it is now distributed via several different methods including via a mobile botnet, via SMS (with links to the malware) and via a fake Google Play Store. Not only is it the most sophisticated piece of Android malware this year, but it is the first Trojan to be spread by mobile botnets that were created using different malware.

In Android 4.3, Google patched the bug that allows Obad to hide in the Device Admins list. If you don’t have Android 4.3 or Android 4.4 then McAfee has a Hidden Device Admin Detector tool which comes as part of its McAfee Security Innovations app. Kaspersky Lab is also reporting that many attempts to install Obad have been thwarted by its free Internet Security app.
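To make the capabilities described above concrete from a defender's side, here is an added example (not from the article or from Kaspersky Lab) that triages a decoded AndroidManifest.xml for the combination the article describes: SMS sending, Bluetooth, network access and a Device Administrator receiver. The sample manifest, its package name and the `triage_manifest` helper are constructed for illustration and are not taken from Obad.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
# Permissions matching the capabilities the article attributes to Obad.
WATCHED = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate billing risk)",
    "android.permission.BLUETOOTH": "can transfer files over Bluetooth",
    "android.permission.INTERNET": "can reach a remote C&C server",
}

# Constructed sample (as a decoder such as apktool would emit it); not Obad's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return (findings, admin_receivers, high_risk) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = [f"{name}: {why}" for name, why in WATCHED.items() if name in requested]
    # A receiver that handles DEVICE_ADMIN_ENABLED can be activated as a device admin.
    admin_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        if ADMIN_ACTION in actions:
            admin_receivers.append(receiver.get(ANDROID + "name"))
    if admin_receivers:
        findings.append("declares a Device Administrator receiver: "
                        + ", ".join(admin_receivers))
    # Flag the pairing the article warns about: SMS sending plus device admin.
    high_risk = "android.permission.SEND_SMS" in requested and bool(admin_receivers)
    return findings, admin_receivers, high_risk


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)[0]:
        print(line)
```

A hit is a reason to look closer before installing, not proof of malware: legitimate apps also request these permissions.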

  • hugrr

    This malware needs moar apostrophies!!!!!!

  • Islay banishing


  • APai

    or… you’ll know when you have racked up high bills via expensive sms :P

  • Lisandro O Oocks

    That’s why it’s important to read the permissions. At least until they find a way to not have to list them.

  • Boonlumsion Piyapon

    can’t they just use a sniffer / man in the middle attack to get that server address ?

    • Android Developer

      true, but maybe they use proxies and maybe even encrypted data, or maybe they even use the best security measures, like on Tor-browser.

      • Mike Reid


        Article says “address for the server was double encrypted”.

        Tricky devs have pretty tricky techniques, and this is part of why it’s called “the nastiest… in 2013”.

        • Android Developer

          sorry, i either didn’t notice that, or i’ve forgotten reading this part.
          i was more interested in the part of what it can actually do.

  • Roman Vasilev

    Oh my goodness, are you joking me? Virus on android is fictioned by stupid newbies and antivirus companies

    • Android Developer

      yes, it’s not a virus. it’s a trojan.
      viruses can’t really exist on android , IOS and WP(unless you have a rooted device), since viruses are spread across apps, changing their codes, while both android and IOS (and WP) have sandboxed their apps

  • Maher Salti

    Don’t install from untrusted sources, that’s what I think.. no need for antivirus etc.

    • Ivan Myring

      By that do you mean never install apps from other sources, even places like XDA, or just random pirate sites?

      • Maher Salti

        Yes indeed, I mean pirated apps from pirate sites. Or from non-trusted sources like someone sharing it on some website.

        I do install from sources like xda, android police, google developer sites. or beta apps from the developer’s website.

    • You mean like the NSA? :) We now know that governments can be behind such malware too, so while your advice is sound – it’s not all encompassing. Things are a little more complicated these days. What I like about Kaspersky is that they’ll attempt to attack U.S. government and Israeli malware – something I’m not convinced that U.S. anti-malware companies will do.

  • Android Developer

    how does it install apps without confirmation from the user?
    this can only be done via system apps (like the play store) or root, no?

    • Simon Belmont

      Well. There is a permission that lets apps install other apps without user interaction.

      That’s what had everyone that was getting random beta Facebook updates up at arms. Facebook was using this to leverage their beta updates to a small subset of users without their interaction, which, of course, had lots of people upset.

      • Android Developer

        i am not aware of such a permission for user apps. i’m only aware of this one:

        this requires the app to be a system app (or have root).

        the only way for a normal app to install another app is by opening the normal dialog that asks the user to install the app (via an intent).
        this can also be seen on the amazon-appstore. they just download the apk and let the user install the app.

        • Simon Belmont

          You’re right. I screwed up. Long night combined with next to no sleep. My bad.

          The permission I was talking about was “download files without user interaction” which is the one that the Facebook beta app was leveraging for beta updates outside of the Google Play Store, but of course, you’d still have to go through the “install app” dialog and choose to install it. Here’s a picture of it: http://i.imgur.com/GGory5r.png . So, yeah. Basically, ignore my above post because there is no way to install a user app without a user’s interaction.

          • Android Developer

            not aware of this permission either, as they could simply use the network and download things themselves…
            guess it’s easier to use what they’ve used though.
            where can you find this permission on the list of permissions?

          • Simon Belmont

            I found that permission in the regular Facebook app if that helps you. But you’re right, about the “full network access” permission basically negating the need for this permission, especially in this case.

            If you’re talking permissions in the manifest, I’m sure it’s on developer.android.com somewhere. Hope that helps.

          • Android Developer

            i meant this list:

            it includes all of the official permissions of android apps.

          • Simon Belmont

            Yup. That’s what I figured and that’s where I was looking originally for this permission.

            I don’t know why it’s not in the list. But, as you can see, it’s a genuine permission (hence the picture).

  • Ben Edwards

    Might pay to lay off on the exclamation marks in future, I felt like I was being yelled at the whole time :P

  • Jaleel Muhammad

    If the phone has the malware, can a factory reset restore the phone and get rid of it?

    • gommer strike

      To be safe a factory reset isn’t enough. You need to do a full wipe, clear all the contents of your internal SDcard and reflash the factory ROM or a custom ROM.

    • The article said that even anti-malware vendors have had a tricky time removing it – so not sure if a complete wipe will do it – depends. Just like on the desktop some nasty apps were able to get into the firmware, in which case a “wipe” or factory reset wouldn’t do much.

  • Arturo Raygoza

    two things,

    if this Trojan’s sole purpose is to send premium texts then if one has prepaid it can’t do nothing right?

    and why don’t these text services have confirmations? verifications?