A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google’s mobile operating system to extend the application’s permissions on the infected device, and to block attempts to remove the malicious application.
Writing on securelist.com, Kaspersky Lab’s research blog, malware researcher Roman Unuchek called the newly discovered Trojan the “most sophisticated” malicious program yet detected that works with Android phones. He cited the Trojan’s advanced features, including complex obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allowed it to take control of and maintain a foothold on infected Android devices.
Kaspersky said it has contacted Google regarding the malware and the alleged vulnerabilities in Android. Google was unable to confirm that prior to publication.
The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a “multi function Trojan.” Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. SMS Trojans are the most common form of mobile malware, according to data from Kaspersky and other security vendors.
According to the report, the Obad authors discovered and exploited a previously unknown vulnerability in the Android OS relating to how Android processes a file called AndroidManifest.xml, a standard component of all applications that describes the application’s structure and operation to the operating system. According to Kaspersky, Obad “modifies AndroidManifest.xml in such a way that it does not comply with Google standards, but is still correctly processed on a smartphone.”
A second vulnerability allowed Obad’s authors to obtain extended Device Administrator privileges on infected devices, without appearing on the list of applications which have such privileges. As a result, Unuchek said that it wasn’t possible to delete Obad from the infected Android device after it gained the extended privileges.
Once running on an Android device, the Obad malware collects a wealth of information from the device, which is passed back to Internet-based command and control (C&C) servers, Kaspersky said. Among the information gathered is the phone’s number, IMEI (unique identifier), the operator’s name and account balance, as well as whether or not the phone was able to obtain Device Administrator privileges on the device.
Like many modern malicious programs, Obad is modular, with the ability to receive software updates directly from C&C servers controlled by the attackers. They can update the malware automatically using text messages to prompt it to connect to its C&C servers or send a message to pre-determined addresses.
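The capabilities described above (premium SMS sending, Device Administrator registration, phone-identity collection and SMS-triggered C&C contact) all leave traces in an app's AndroidManifest.xml. The following is an added example of a defender-side triage check over a decoded manifest; it is not code from the article or from Kaspersky, the sample manifest is constructed for illustration, and its package name and receiver class are placeholders, not Obad's real identifiers.

```python
# Added example: flag Obad-style capability combinations in a decoded
# AndroidManifest.xml. Output is a set of indicators for an analyst, not a verdict.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(name: str) -> str:
    """Qualified name for an android:* attribute."""
    return f"{{{ANDROID_NS}}}{name}"

# Constructed sample manifest (placeholder package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".PlaceholderAdmin"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text: str) -> dict:
    """Collect the indicators the article associates with Obad."""
    root = ET.fromstring(xml_text)
    perms = {p.get(attr("name")) for p in root.iter("uses-permission")}
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and/or handles
    # DEVICE_ADMIN_ENABLED; record any receiver matching either.
    admin_receivers = []
    for rcv in root.iter("receiver"):
        guarded = rcv.get(attr("permission")) == "android.permission.BIND_DEVICE_ADMIN"
        actions = {a.get(attr("name")) for a in rcv.iter("action")}
        if guarded or "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            admin_receivers.append(rcv.get(attr("name")))
    return {
        "package": root.get("package"),
        "sends_sms": "android.permission.SEND_SMS" in perms,        # premium SMS
        "receives_sms": "android.permission.RECEIVE_SMS" in perms,  # SMS-triggered C&C
        "reads_phone_state": "android.permission.READ_PHONE_STATE" in perms,  # IMEI/number
        "device_admin_receivers": admin_receivers,
    }

def risk_score(findings: dict) -> int:
    """Additive score; SMS sending plus device admin is the pattern to escalate."""
    score = 2 if findings["sends_sms"] else 0
    score += 2 if findings["device_admin_receivers"] else 0
    score += 1 if findings["receives_sms"] else 0
    score += 1 if findings["reads_phone_state"] else 0
    return score

if __name__ == "__main__":
    findings = triage_manifest(SAMPLE_MANIFEST)
    print(findings, "score:", risk_score(findings))
```

The weights are arbitrary triage heuristics; a manifest that Obad has deliberately malformed may not parse with a strict XML parser at all, which is itself a signal worth acting on.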
Mobile malware is relatively rare, at least compared to malicious programs for the Windows platform. However, the population of mobile malware is growing rapidly. Vendors such as Kaspersky Lab and McAfee have reported a surge in mobile malware in 2012 and 2013 – almost all of it targeting Android. In February, McAfee counted 36,699 mobile malware samples, 95% of which were identified in the preceding 12 months.
Android’s rapid gains in the mobile space have raised concerns that the mobile OS will become a target, as Microsoft’s Windows was in the PC space. Unlike Microsoft, Google maintains only loose control over Android, trusting a complex web of business partners to brew their own flavor of Android to power everything from phones and tablet computers to unmanned aerial vehicles and personal satellites.
At a conference on mobile device security sponsored by the Federal Trade Commission (FTC), a Google representative said that the company employed more than 300 security engineers and was comfortable with the attention it gave to mobile security. He said Google was reluctant to take too prominent a role in policing the contents of its Google Play app store. Users should have choices about what to put on their phone, and be able to choose between official and unofficial application stores, said Adrian Ludwig of Google’s Android Security team.