In a recent end of year summary published by antivirus company Kaspersky Labs, the firm officially named Obad as its Villain of the Year 2013.
Obad was discovered during the summer and it was quickly recognized as a sophisticated piece of malware. The technical name for the Trojan is Backdoor.AndroidOS.Obad and this nasty little fellow is capable of sending SMS to premium-rate numbers, as well as downloading other malware programs, installing them on the infected device, and sending them on via Bluetooth.
But the nastiest thing about Obad is that its creators used a previously unknown vulnerability in Android that allowed it to gain extended Device Administrator privileges and then remove itself from the list of applications holding such privileges. This means that once a device is infected it is almost impossible to remove the malware, because an app that still holds Device Administrator rights cannot be uninstalled until those rights are revoked, and Obad does not show up in the list where the user would revoke them.
Obad was also very tricky for the security researchers to pick apart, as the code was obfuscated and all the strings were encrypted. The malware is controlled by a remote server, often known as a command and control server (C&C server), and the address of that server was double encrypted. The malware writers went to such lengths to hide the server address because one way law enforcement agencies fight cyber crime is by shutting down the servers; a server that is harder to find is harder to shut down.
Once a hapless victim has installed an app with Obad buried inside it, the malware tries to obtain Device Administrator privileges. It does this by asking the user to grant it control over the lock screen, something that some legitimate apps can reasonably ask for. As a word of warning for those who have rooted devices, Obad also tries to gain root access and increase its super powers.
The threat posed by Obad remains very real.
Roman Unuchek - Kaspersky Lab Expert
While chatting with the C&C server the malware gets a list of premium numbers where it will send SMS messages. By sending messages to these numbers the cyber criminals make money, lots of money!
Since its discovery Obad has also been improved by its creators and it is now distributed via several different methods including via a mobile botnet, via SMS (with links to the malware) and via a fake Google Play Store. Not only is it the most sophisticated piece of Android malware this year, but it is the first Trojan to be spread by mobile botnets that were created using different malware.
Google has patched the bug that allows Obad to hide from the Device Admins list in Android 4.3. If you don’t have Android 4.3 or Android 4.4, then McAfee has a Hidden Device Admin Detector tool which comes as part of its McAfee Security Innovations app. Kaspersky Lab is also reporting that many attempts to install Obad have been thwarted by its free Internet Security app.
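Because the hiding trick described above only affects what the Settings screen shows the user, a defender's check is to read the framework's own list of enabled device admins (for example from `adb shell dumpsys device_policy`) and compare it against the packages that are expected to hold that role. The following script is an added example written for this article; it is not code from Kaspersky, McAfee or Google. The dumpsys sample is constructed, the exact layout of that output is assumed from recent Android releases and may differ by version, and the package names and the allowlist are hypothetical.

```python
import re

# Constructed sample of `adb shell dumpsys device_policy` output. The layout is an
# assumption based on recent Android builds, not a capture from a real device.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.android.email/com.android.email.SecurityPolicy$PolicyAdmin}:
      uid=10050
      policies:
        limit-password
    ComponentInfo{com.example.droppedapp/a.b.c.AdminReceiver}:
      uid=10123
      policies:
        force-lock
        wipe-data
"""

# Packages this (hypothetical) organisation expects to hold device-admin rights.
EXPECTED_ADMIN_PACKAGES = {"com.android.email"}

# Each enabled admin is printed as ComponentInfo{<package>/<receiver class>}
ADMIN_RE = re.compile(r"ComponentInfo\{([^/]+)/([^}]+)\}")


def parse_active_admins(dumpsys_text):
    """Return one dict per enabled device-admin component found in the text:
    {"package", "receiver", "policies"}.  Policy names are the indented lines
    that follow a 'policies:' header for that component."""
    admins = []
    current = None
    in_policies = False
    for line in dumpsys_text.splitlines():
        match = ADMIN_RE.search(line)
        if match:
            current = {"package": match.group(1),
                       "receiver": match.group(2),
                       "policies": []}
            admins.append(current)
            in_policies = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "policies:":
            in_policies = True
        elif stripped.startswith("uid="):
            in_policies = False
        elif in_policies and stripped and line.startswith(" " * 8):
            current["policies"].append(stripped)
    return admins


def unexpected_admins(admins, expected=EXPECTED_ADMIN_PACKAGES):
    """Admins whose package is not on the allowlist; these deserve a look even
    if the Settings screen shows nothing, since that screen is what Obad evaded."""
    return [a for a in admins if a["package"] not in expected]


def review(dumpsys_text, expected=EXPECTED_ADMIN_PACKAGES):
    """Parse the dump and return (all_admins, flagged_admins)."""
    admins = parse_active_admins(dumpsys_text)
    return admins, unexpected_admins(admins, expected)


if __name__ == "__main__":
    all_admins, flagged = review(SAMPLE_DUMPSYS)
    print(f"{len(all_admins)} enabled device admin(s) in dump")
    for admin in flagged:
        print(f"UNEXPECTED: {admin['package']} ({admin['receiver']}) "
              f"policies={', '.join(admin['policies']) or 'none'}")
```

On a real device the text would come from `adb shell dumpsys device_policy` rather than the embedded sample; the allowlist should be whatever MDM, mail or security apps the device is actually meant to run, and any admin outside it that is also missing from Settings > Security > Device administrators is the situation this article describes.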