
Sophisticated Android Trojan spread via botnets hidden inside other malware

A Trojan targeting Android devices is being spread via botnets held inside the malware of other cyber criminals, an investigation into the Obad.a Trojan has revealed.

This is the first time malicious mobile malware has been transmitted in this way, Kaspersky Lab, the firm behind the research, said.

The Trojan - full name Backdoor.AndroidOS.Obad.a - was predominantly found in CIS states, with Russia recording 83 per cent of attempted infections and other detections found in Ukraine, Belarus, Uzbekistan and Kazakhstan.

The most interesting distribution model, the firm says, was through various versions of Obad.a spread inside the Trojan-SMS.AndroidOS.Opfake.a.

"This double infection attempt starts with a text message to users, urging them to download a recently received text message. If the victim clicks the link, a file containing Opfake.a is automatically downloaded onto the smartphone or tablet," explains the Kaspersky Lab team.

Opfake.a is installed only if the downloaded file is then launched. Upon installation, the Trojan, as well as infecting the device, sends messages to all the contacts held on it. These messages contain a link that, if clicked, automatically downloads the Obad.a Trojan onto the phone of any secondary victim.

"It's a well-organised system: one Russian mobile network provider reported more than 600 messages containing these links within just five hours, pointing to a mass distribution. In most cases the malware was spread using devices that were already infected," says the research team.
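The propagation pattern described above (an infected handset sending link-bearing texts to all of its contacts in a short burst) is something a mobile operator can look for in its own SMS gateway records. The following is an added illustration, not Kaspersky Lab's or the operator's code: the log format, phone numbers, URLs and thresholds are all constructed assumptions; only the 5-hour window is taken from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SMS gateway records (not from the article): "timestamp sender recipient body".
SMS_LOG = [
    "2013-06-06T10:00:01 +79000000001 +79000000101 New MMS for you: http://mms.example.invalid/view",
    "2013-06-06T10:00:02 +79000000001 +79000000102 New MMS for you: http://mms.example.invalid/view",
    "2013-06-06T10:00:03 +79000000001 +79000000103 New MMS for you: http://mms.example.invalid/view",
    "2013-06-06T10:00:04 +79000000001 +79000000104 New MMS for you: http://mms.example.invalid/view",
    "2013-06-06T11:15:00 +79000000002 +79000000201 photos here http://pics.example.invalid/1",
    "2013-06-06T11:16:00 +79000000002 +79000000202 photos here http://pics.example.invalid/1",
    "2013-06-06T12:00:00 +79000000003 +79000000301 running late, see you at 7",
    "2013-06-06T12:01:00 +79000000003 +79000000302 running late, see you at 7",
    "2013-06-06T12:02:00 +79000000003 +79000000303 running late, see you at 7",
    "2013-06-05T08:00:00 +79000000004 +79000000401 http://news.example.invalid/1",
    "2013-06-06T08:00:00 +79000000004 +79000000402 http://news.example.invalid/2",
    "2013-06-07T08:00:00 +79000000004 +79000000403 http://news.example.invalid/3",
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def parse_record(line):
    ts, sender, recipient, body = line.split(" ", 3)
    return datetime.fromisoformat(ts), sender, recipient, body

def find_mass_senders(records, window=timedelta(hours=5), min_msgs=3, min_recipients=3):
    # Flag senders with >= min_msgs URL-bearing messages to >= min_recipients distinct
    # numbers inside any `window`; the 5-hour window follows the article, the thresholds
    # are assumptions scaled down for this toy sample. Returns {sender: peak burst size}.
    per_sender = defaultdict(list)
    for line in records:
        ts, sender, recipient, body = parse_record(line)
        if URL_RE.search(body):
            per_sender[sender].append((ts, recipient))
    flagged = {}
    for sender, events in per_sender.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= min_msgs and len({r for _, r in burst}) >= min_recipients:
                flagged[sender] = max(flagged.get(sender, 0), len(burst))
    return flagged

if __name__ == "__main__":
    print(find_mass_senders(SMS_LOG))  # {'+79000000001': 4}
```

Only the first sender is flagged: the second sends too few messages, the third sends no links, and the fourth spreads its links over days rather than a single burst.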

Apart from using mobile botnets, the highly complex Trojan is also distributed by spam messages and by fake app stores that imitate Google Play pages, replacing legitimate links with malicious ones.

"In three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation, and each used an Android OS vulnerability that gives the malware DeviceAdministrator rights and makes it much more difficult to delete," said Roman Unuchek, an antivirus expert at Kaspersky Lab.

"As soon as we discovered this, we informed Google and the loophole has been closed in Android 4.3. However, only a few new smartphones and tablets run this version, and older devices running earlier versions are still under threat. Obad.a, which uses a large number of unpublished vulnerabilities, is more like Windows malware than other Trojans for Android."