In a recent end-of-year summary published by antivirus company Kaspersky Labs, the firm officially named Obad its Villain of the Year 2013.
Obad was discovered during the summer and was quickly recognized as a sophisticated piece of malware. The technical name for the Trojan is Backdoor.AndroidOS.Obad, and this nasty little fellow is capable of sending SMS messages to premium-rate numbers, as well as downloading other malware programs, installing them on the infected device, and passing them on to nearby devices via Bluetooth.
But the nastiest thing about Obad is that its creators used a previously unknown vulnerability in Android that allowed it to gain extended Device Administrator privileges and then remove itself from the list of applications holding such privileges. This means that once a device is infected, the malware is almost impossible to remove.
Obad was also very tricky for security researchers to pick apart, as the code was obfuscated and all the strings were encrypted. The malware is controlled by a remote server, often known as a command and control server (C&C server), and the address of that server was double encrypted. The malware writers went to such extremes to hide the server address because one way law enforcement agencies fight cyber crime is by shutting down the servers; if the server is harder to find, they can’t shut it down.
“The threat posed by Obad remains very real.” (Roman Unuchek, Kaspersky Lab Expert)
When it communicates with the C&C server, the malware receives a list of premium-rate numbers to which it will send SMS messages. Every message sent to these numbers earns the cyber criminals money, lots of money!
Since its discovery Obad has also been improved by its creators, and it is now distributed via several different methods, including a mobile botnet, SMS messages carrying links to the malware, and a fake Google Play Store. Not only is it the most sophisticated piece of Android malware this year, but it is the first Trojan to be spread by mobile botnets that were created using different malware.
Google has patched, in Android 4.3, the bug that allows Obad to hide from the Device Administrators list. If you don’t have Android 4.3 or Android 4.4, McAfee offers a Hidden Device Admin Detector tool as part of its McAfee Security Innovations app. Kaspersky Lab is also reporting that many attempts to install Obad have been thwarted by its free Internet Security app.
This malware needs moar apostrophies!!!!!!
or… you’ll know when you have racked up high bills via expensive sms :P
That’s why it’s important to read the permissions. At least until they find a way to not have to list them.
can’t they just use a sniffer / man in the middle attack to get that server address?
true, but maybe they use proxies and maybe even encrypted data, or maybe they even use the best security measures, like on Tor-browser.
Article says “address for the server was double encrypted”.
Tricky devs have pretty tricky techniques, and this is part of why it’s called “the nastiest… in 2013”.
sorry, i either didn’t notice that, or i’ve forgotten reading this part.
i was more interested in the part of what it can actually do.
Oh my goodness, are you joking me? Viruses on Android are a fiction invented by stupid newbies and antivirus companies
yes, it’s not a virus. it’s a trojan.
viruses can’t really exist on Android, iOS and WP (unless you have a rooted device), since viruses are spread across apps, changing their code, while Android, iOS (and WP) have all sandboxed their apps
Don’t install from untrusted sources, that’s what I think.. no need for antivirus etc.
By that do you mean never install apps from other sources, even places like XDA, or just random pirate sites?
Yes indeed, I mean pirated apps from pirate sites. Or from non-trusted sources like someone sharing it on some website.
I do install from sources like xda, android police, google developer sites. or beta apps from the developer’s website.
They’re untrusted sources too. ;)
You mean like the NSA? :) We now know that governments can be behind such malware too, so while your advice is sound – it’s not all encompassing. Things are a little more complicated these days. What I like about Kaspersky is that they’ll attempt to attack U.S. government and Israeli malware – something I’m not convinced that U.S. anti-malware companies will do.
how does it install apps without confirmation from the user?
this can only be done via system apps (like the play store) or root, no?
Well. There is a permission that lets apps install other apps without user interaction.
That’s what had everyone that was getting random beta Facebook updates up at arms. Facebook was using this to leverage their beta updates to a small subset of users without their interaction, which, of course, had lots of people upset.
i am not aware of such a permission for user apps. i’m only aware of this one:
this requires the app to be a system app (or have root).
the only way for a normal app to install another app is by opening the normal dialog that asks the user to install the app (via an intent).
this can also be seen on the amazon-appstore. they just download the apk and let the user install the app.
You’re right. I screwed up. Long night combined with next to no sleep. My bad.
The permission I was talking about was “download files without user interaction”, which is the one that the Facebook beta app was leveraging for beta updates outside of the Google Play Store, but of course you’d still have to go through the “install app” dialog and choose to install it. Here’s a picture of it: http://i.imgur.com/GGory5r.png. So, yeah. Basically, ignore my above post, because there is no way to install a user app without a user’s interaction.
@disqus_eVSuLoTmRL I’m not aware of this permission either, as they could simply use the network and download things themselves…
guess it’s easier to use what they’ve used though.
where can you find this permission on the list of permissions?
I found that permission in the regular Facebook app, if that helps you. But you’re right about the “full network access” permission basically negating the need for this permission, especially in this case.
If you’re talking permissions in the manifest, I’m sure it’s on developer.android.com somewhere. Hope that helps.
@disqus_eVSuLoTmRL i meant this list:
it includes all of the official permissions of android apps.
Yup. That’s what I figured and that’s where I was looking originally for this permission.
I don’t know why it’s not in the list. But, as you can see, it’s a genuine permission (hence the picture).
Might pay to lay off on the exclamation marks in future, I felt like I was being yelled at the whole time :P
If the phone has the malware, can a factory reset restore the phone and get rid of it?
To be safe a factory reset isn’t enough. You need to do a full wipe, clear all the contents of your internal SDcard and reflash the factory ROM or a custom ROM.
The article said that even anti-malware vendors have had a tricky time removing it – so not sure if a complete wipe will do it – depends. Just like on the desktop some nasty apps were able to get into the firmware, in which case a “wipe” or factory reset wouldn’t do much.
if this Trojan’s sole purpose is to send premium texts, then if one has prepaid it can’t do anything, right?
and why don’t these text services have confirmations? verifications?