Researchers Uncover ‘Smartest Android Malware Yet’

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Android malware takes advantage of flaws in OS and looks a lot like sophisticated Windows kit

Android malware makers appear to be getting more serious: researchers have found a malicious application that makes heavy use of encryption and obfuscation.

They claimed it is the most sophisticated Android Trojan they’ve ever seen.

The “multi-functional Trojan”, called Obad.a, could send text messages to premium rate numbers – a common attribute of widespread Android malware – but could also download additional malware and even send it to other devices over Bluetooth.

Scary Android malware

It took advantage of apparent zero-day flaws in the Android operating system, one of which gave the app device administrator privileges without showing up on the users’ list of approved applications with such control. That makes it impossible to delete, according to Russian security firm Kaspersky.

“Also, the cyber criminals found an error in the Android operating system which relates to the processing of the AndroidManifest.xml file. This file exists in every Android application and is used to describe the application’s structure, define its launch parameters, etc.,” the company said in a blog post.

“The malware modifies AndroidManifest.xml in such a way that it does not comply with Google standards, but is still correctly processed on a smartphone thanks to the exploitation of the identified vulnerability. All of this made it extremely difficult to run dynamic analysis on this Trojan.”

To make detection even harder, all strings in the app are encrypted. “The most important strings containing the C&C address undergo an additional stage of decryption. For this, the Trojan first checks if Internet access is available, then downloads the page facebook.com,” the researchers said. “It extracts a certain element of that page, and uses it as the decryption key. Thus, Backdoor.AndroidOS.Obad.a can only decrypt C&C addresses when Internet access is available.”

All the stolen data is passed to the C&C server at androfox.com, including device information and whether or not device administrator privileges had been obtained.

The researchers noted that the malware was not widespread despite its sophistication: installation attempts made up no more than 0.15 percent of all attempts to infect mobile devices with various malware over a three-day period.

But the fact that Android malware is looking increasingly like Windows kit shows how the Google OS is becoming a genuine target for dedicated cyber criminals. Google had not responded to a request for comment at the time of publication.
