Researchers at Kaspersky Lab have come across yet another piece of Android malware. They call this one the “most sophisticated Android Trojan” and detect it as Backdoor.AndroidOS.Obad.a.
The malware in question is a multi-functional Trojan: it can send SMS messages to premium-rate numbers, download additional malware, install it on the infected device and/or push it to other devices over Bluetooth, and execute commands remotely in a console (a remote shell).
Kaspersky Lab expert Roman Unuchek, describing the malware, says the team ran into it recently when an Android app came in for analysis. The strings in the DEX file were encrypted and the code was obfuscated – signs that the case was not an ordinary one. Unuchek added that while malware writers usually make their code complicated enough to slow down anti-malware analysts, they did not often come across “concealment as advanced as Obad.a’s in mobile malware”.
Is this the most sophisticated Android Trojan?
On top of that, the creators of Backdoor.AndroidOS.Obad.a found a bug in dex2jar, the tool analysts commonly use to convert the Dalvik bytecode (classes.dex) inside an APK into a Java JAR. The bug lets the malware author disrupt “the conversion of Dalvik bytecode into Java bytecode, which eventually complicates the statistical analysis of the Trojan” – static analysis, in other words: if the bytecode cannot be converted, the usual decompile-and-read workflow breaks down.
The cybercriminals also found an error in the Android operating system in the way it processes the AndroidManifest.xml file. This file is present in every Android app and describes the app’s structure (components, permissions) and its launch parameters. The malware modifies AndroidManifest.xml so that it does not comply with Google’s standards, yet it is still processed correctly on the phone because of the vulnerability they identified. The result: the manifest breaks the tooling analysts rely on, making dynamic analysis of this Trojan very difficult.
The Obad.a authors exploit a third, previously unknown Android bug as well. “By exploiting this vulnerability, malicious applications can enjoy extended Device Administrator privileges without appearing on the list of applications which have such privileges. As a result of this, it is impossible to delete the malicious program from the smartphone after it gains extended privileges,” the post explains. In practice that means the normal removal path (deactivate the app under Settings > Security > Device administrators, then uninstall it) does not work, because the entry that would have to be deactivated is never shown.
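The two manifest-related tricks above (a manifest that trips up analysis tooling, and a hidden Device Administrator registration) are exactly what an analyst checks first when triaging a suspicious APK. Below is an added example of such a static triage check, not code from Kaspersky Lab or from the Trojan itself. It assumes the manifest has already been decoded from binary AXML to plain XML (for instance by apktool), flags the permissions that match the capabilities described for Obad.a (premium SMS, Bluetooth, network download), enumerates receivers registered as device administrators, and applies a few basic sanity checks on the manifest structure. The sample manifest is constructed for the example; the check does not know the specific malformation Obad.a uses and simply reports a manifest that fails to parse.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree Clark notation for android:* attributes

# Permissions that correspond to the capabilities described for Obad.a
# (selection is the example's own, not an official list).
PERMISSIONS_OF_INTEREST = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate fraud)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.BLUETOOTH": "can push files to other devices over Bluetooth",
    "android.permission.BLUETOOTH_ADMIN": "can discover and pair Bluetooth devices",
    "android.permission.INTERNET": "can download further payloads",
}

# Constructed sample of a decoded manifest for a hypothetical package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Update">
        <receiver android:name=".AdminRecv"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def find_device_admin_receivers(root):
    """Return every <receiver> that looks like a device-admin registration.

    A real device admin needs all three markers (BIND_DEVICE_ADMIN permission,
    DEVICE_ADMIN_ENABLED action, android.app.device_admin meta-data); we report
    a receiver that has any of them so that partial or unusual declarations
    are not missed.
    """
    found = []
    for recv in root.iter("receiver"):
        has_perm = recv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        has_action = any(
            act.get(A + "name") == "android.app.action.DEVICE_ADMIN_ENABLED"
            for act in recv.iter("action")
        )
        has_meta = any(
            md.get(A + "name") == "android.app.device_admin"
            for md in recv.iter("meta-data")
        )
        if has_perm or has_action or has_meta:
            found.append({
                "name": recv.get(A + "name", "?"),
                "bind_permission": has_perm,
                "enabled_action": has_action,
                "policy_metadata": has_meta,
            })
    return found


def structural_issues(root):
    """Basic sanity checks: root element, package attribute, one <application>."""
    issues = []
    if root.tag != "manifest":
        issues.append("root element is <%s>, not <manifest>" % root.tag)
    if not root.get("package"):
        issues.append("<manifest> lacks a package attribute")
    apps = root.findall("application")
    if len(apps) != 1:
        issues.append("expected exactly one <application>, found %d" % len(apps))
    return issues


def triage_manifest(xml_text):
    """Summarise a decoded AndroidManifest.xml for triage.

    A manifest that the XML parser rejects is itself a finding: tooling that
    expects a well-formed manifest will not get one.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"package": None, "permissions": [], "flagged": {},
                "device_admin_receivers": [],
                "structural_issues": ["manifest is not well-formed XML: %s" % exc]}
    perms = sorted(p.get(A + "name") for p in root.iter("uses-permission")
                   if p.get(A + "name"))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "flagged": {p: PERMISSIONS_OF_INTEREST[p] for p in perms
                    if p in PERMISSIONS_OF_INTEREST},
        "device_admin_receivers": find_device_admin_receivers(root),
        "structural_issues": structural_issues(root),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it on the decoded manifest of any APK to get the package name, the flagged permissions, every receiver that registers as a device administrator, and any structural oddities. The on-device counterpart is to compare this list against what DevicePolicyManager.getActiveAdmins() reports after installation: a receiver declared as a device admin in the manifest that does not show up there, or shows up there but not in the Settings list, is the kind of discrepancy the Kaspersky post describes.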