Over the last three months Kaspersky analysts have been investigating how the Obad.a Trojan, a malicious app for Android, is distributed. It transpires that the criminals behind the Trojan have adopted a new technique to spread their malware. For the first time in the history of mobile cybercrime, a Trojan is being spread using botnets controlled by other criminal groups. It also became clear that Obad.a is mostly found in CIS countries. In total, 83% of attempted infections were recorded in Russia, while it was also detected on mobile devices in Ukraine, Belarus, Uzbekistan and Kazakhstan.
The most interesting distribution model saw various versions of Obad.a spread with Trojan-SMS.AndroidOS.Opfake.a. This double infection attempt starts with a text message to users, urging them to download a recently received text message. If the victim clicks the link, a file containing Opfake.a is automatically downloaded onto the smartphone or tablet.
The malicious file can only be installed if the user then launches it; should that happen, the Trojan sends further messages to all the contacts on the newly infected device. Clicking the link in these messages downloads Obad.a. It’s a well-organized system: one Russian mobile network provider reported more than 600 messages containing these links within just five hours, pointing to a mass distribution. In most cases the malware was spread using devices that were already infected.
Apart from using mobile botnets, this highly complex Trojan is also distributed by spam messages. This is a major carrier of the Obad.a Trojan. Typically a message warning the user of unpaid ‘debts’ lures victims to follow a link which automatically downloads Obad.a onto the mobile device. Again, though, users must run the downloaded file in order to install the Trojan.
Fake application stores also spread Backdoor.AndroidOS.Obad.a. They copy the content of Google Play pages, replacing legitimate links with malicious ones. When legitimate sites are cracked and users are redirected to dangerous ones, Obad.a exclusively targets mobile users – if potential victims enter the site from a home computer nothing happens, but smartphones and tablets of any operation system could be redirected to those fake sites (although only Android users are at risk).
“In three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation, and each used an Android OS vulnerability that gives the malware DeviceAdministrator rights and made it much more difficult to delete. As soon as we discovered this, we informed Google and the loophole has been closed in Android 4.3. However, only a few new smartphones and tablets run this version, and older devices running earlier versions are still under threat. Obad.a, which uses a large number of unpublished vulnerabilities, is more like Windows malware than other Trojans for Android,” said Roman Unuchek, a leading antivirus expert at Kaspersky Lab.
You can read more about Obad.a distribution at securelist.com.