Android malware has long been a real but limited threat to devices. The malicious packages seen so far have been poorly coded, easy to detect, and even easier to remove. A newly detected Trojan targeting Google's platform looks more like an advanced Windows virus than typical Android malware: it exploits previously unknown vulnerabilities in the mobile OS, uses complex code obfuscation, and blocks attempts to uninstall it.
Kaspersky Lab researchers discovered the Trojan recently and have named it Backdoor.AndroidOS.Obad.a. That is not a very imposing name for what may be the most sophisticated piece of Android malware to date, and the prototype for a new generation of aggressive, security-evading mobile Trojans. From the instant Obad.a arrives on a device, it is geared towards avoiding detection until it is too late.
The first big Android vulnerability Obad.a uses relates to the processing of the AndroidManifest.xml file. Every Android app has a manifest file, which tells the OS about its structure and components. Obad.a's manifest is malformed in a way that hides its intentions and ensures installation.
Even once Obad.a has a foothold on a device, it keeps most of its code encrypted to make identification that much more difficult. Components are decrypted only when needed. For example, the addresses of the command and control servers are not decrypted until an Internet connection has been verified, so a static scan or an offline sandbox never sees them in the clear.
Once the Trojan is in place, it goes after the second previously unknown Android vulnerability by abusing the Device Administrator mechanism. Certain legitimate apps request Device Administrator rights, which allow them to enforce policies such as locking the screen, requiring a password, and remotely wiping the device. Obad.a has a different goal in mind: an application that has been granted Device Administrator rights cannot be uninstalled until that status is revoked.
Legitimate apps that a user has intentionally added to the Device Administrator list can be de-authorised at any time in Settings and then uninstalled. The exploit used by Obad.a prevents it from appearing on that list at all, so even a user who knows it is present has no way to revoke its rights and remove it once it is entrenched. To further frustrate removal, the Trojan has no user interface whatsoever: it runs only as a background service, with nothing to open and no icon in the launcher.
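A triage check that follows from the two traits just described, added here as an example and not code from the original article or from Kaspersky: enumerate the active device administrators through the DevicePolicyManager API rather than the Settings screen, and flag any admin whose package has no launcher activity and is not part of the system image. The article only says Obad.a is hidden from the Settings list; whether DevicePolicyManager.getActiveAdmins() still reports it is an assumption this example makes, and the class name DeviceAdminTriage and its Finding type are invented for illustration.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;

import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical triage helper (not from the article): lists every active device
 * administrator as the framework sees it and marks the ones that match the
 * profile in the text, i.e. no launchable UI and not a system app.
 */
public final class DeviceAdminTriage {

    /** One row of the report. */
    public static final class Finding {
        public final ComponentName admin;   // the DeviceAdminReceiver that holds the rights
        public final boolean hasLauncher;   // false: nothing for the user to open
        public final boolean isSystemApp;   // true: shipped in the system image
        public final boolean packageMissing; // admin registered for a package that is gone

        Finding(ComponentName admin, boolean hasLauncher, boolean isSystemApp, boolean packageMissing) {
            this.admin = admin;
            this.hasLauncher = hasLauncher;
            this.isSystemApp = isSystemApp;
            this.packageMissing = packageMissing;
        }

        /** A third-party admin with no UI deserves a manual look; it is not proof of infection. */
        public boolean suspicious() {
            return !isSystemApp && (!hasLauncher || packageMissing);
        }

        @Override
        public String toString() {
            return admin.flattenToShortString()
                    + " launcher=" + hasLauncher
                    + " system=" + isSystemApp
                    + " missing=" + packageMissing
                    + (suspicious() ? "  <-- review" : "");
        }
    }

    /**
     * Query the framework directly. This bypasses the Settings UI, which is the
     * view the article says Obad.a manages to hide from. No special permission is
     * needed to call getActiveAdmins().
     */
    public static List<Finding> run(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<Finding> out = new ArrayList<>();

        List<ComponentName> admins = dpm.getActiveAdmins();
        if (admins == null) {
            return out; // no admins active on this device
        }
        for (ComponentName cn : admins) {
            String pkg = cn.getPackageName();
            boolean hasLauncher = pm.getLaunchIntentForPackage(pkg) != null;
            boolean isSystem = false;
            boolean missing = false;
            try {
                ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
                isSystem = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            } catch (PackageManager.NameNotFoundException e) {
                missing = true;
            }
            out.add(new Finding(cn, hasLauncher, isSystem, missing));
        }
        return out;
    }
}
```

Run this from any app you control on the suspect device (for example, call DeviceAdminTriage.run(getApplicationContext()) from an Activity and log each Finding). A "review" entry is a lead, not a verdict: plenty of enterprise management agents also run headless, so confirm by checking the package's signer and origin. Note that revoking the admin rights of a package that declares no manifest-visible receiver is exactly the step the article says is blocked, so the check tells you what is there; it does not by itself remove it.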
After evading detection and barricading itself in, the Trojan goes to work doing the kind of things all malware does: it exfiltrates your personal information, downloads and installs additional malicious apps, spams your contacts, and tries to send premium-rate SMS messages. Yes, even this masterful example of evil coding exists simply to make money.
A bit more unconventionally, Obad.a seeks out nearby Bluetooth devices and attempts to send copies of itself to them. If the infected device is rooted, the command and control server can also run arbitrary shell commands on it and essentially do anything.
The Obad.a Trojan illustrates a number of serious weaknesses in the structure of Android. It is troubling that a single piece of malware exploits two previously unknown, high-risk flaws in the platform's security. The real threat is not Obad.a itself: the flaws will be patched and antivirus signatures will be updated. The problem is bigger than that. Android may have finally become a large enough target that it makes sense for Internet villains to create complex, stubborn malware of the sort previously reserved for Windows. It could be a big headache for Google in the coming years.