6/7/2013 12:47 PM
Android Trojan Looks, Acts Like Windows Malware

Android Trojan "Obad.a" rivals Windows malware in the harm it can do to mobile device users, say experts.

Android malware is becoming more like Windows or Mac malware; in other words, more dangerous to users. One of the latest, a Trojan application called Obad.a, offers capabilities that rival many types of malware currently targeting Windows or Mac OS X systems, say experts.

For starters, the new malware creates an attacker-accessible backdoor on infected Android devices, can download and install additional malware, infect nearby devices with the malware -- via Wi-Fi or Bluetooth -- and receive further instructions from the attacker. For good measure, the malware also can send SMS messages to premium phone numbers, thus generating revenue for attackers or their business associates.

"At a glance, we knew this one was special," said Roman Unuchek, a security researcher at Kaspersky Lab, in a blog post citing the fact that whoever developed the malware not only built in numerous capabilities, but also carefully hid the code to make it difficult to detect or study.

"Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Obad.a's in mobile malware," Unuchek said. That concealment extends to the Android user experience, as the malware works in background mode and has no interface.


Although the malware is somewhat rare, it's reportedly being distributed in a typical way: most likely disguised as a legitimate app via "alternative app stores and fishy websites," reported Android Police.

Whoever built the malware took advantage of three different flaws in the Android operating system, or related software, to make the malware more difficult to detect or eradicate. For example, the attackers used a vulnerability in the dex2jar software -- often used by malware analysts to convert Android application package (APK) files into Java Archive (JAR) format for easier analysis -- that prevents the APK file from being successfully converted.

Attackers also discovered a vulnerability in the AndroidManifest.xml file specification, which provides essential information about every application to the Android operating system. Using this vulnerability, attackers were able to give the malware a file description that can't be automatically parsed by analysis tools, but which is still processed correctly by the Android operating system.

Finally, the malware's developers "also used yet another previously unknown error in the Android operating system," said Unuchek, which results in the malware being granted "extended Device Administrator privileges without appearing on the list of applications which have such privileges." From a user-interface standpoint, it also means that once the malware infects the device, a user can't revoke those privileges or even delete the application through the operating system.
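The two manifest-related tricks above, a manifest that analysis tools cannot parse and a device-administrator receiver the user never sees, suggest a simple triage check. The following script is an added example, not code from the article or from Kaspersky: it assumes a manifest already decoded to text XML (for instance with apktool), lists every receiver that requests device-administrator rights, and treats a manifest that the parser rejects as a signal in its own right rather than an error to discard.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample: a decoded manifest for a hypothetical "cleaner" app with
# one receiver that asks for device-administrator rights. Not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Cleaner">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def find_device_admin_receivers(manifest_xml: str) -> dict:
    """Return {'parse_ok', 'package', 'admins'} for a decoded AndroidManifest.xml.

    A manifest the parser rejects is reported, not raised: a file that Android
    installs happily but tooling cannot read deserves a closer manual look.
    """
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        return {"parse_ok": False, "package": None, "admins": [], "error": str(exc)}

    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    admins = []
    for receiver in root.iter("receiver"):
        # A device-admin receiver is bound via BIND_DEVICE_ADMIN and/or
        # listens for DEVICE_ADMIN_ENABLED; flag either form.
        actions = {a.get(name_attr) for a in receiver.iter("action")}
        if receiver.get(perm_attr) == DEVICE_ADMIN_PERM or DEVICE_ADMIN_ACTION in actions:
            admins.append(receiver.get(name_attr))
    return {"parse_ok": True, "package": root.get("package"), "admins": admins}


if __name__ == "__main__":
    print(find_device_admin_receivers(SAMPLE_MANIFEST))
```

The list this produces can be compared against the device-administrator screen on a device; a receiver that is declared but never shown there is exactly the discrepancy Unuchek describes.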

Using these privileges, the malware can disable access to the device's screen for up to 10 seconds, which is likely used to conceal bad behavior, because it "typically happens after the device is connected to a free Wi-Fi network or Bluetooth is activated," said Unuchek. "With a connection established, the Trojan can copy itself and other malicious applications to other devices located nearby."

"Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek said. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."

Looking beyond Obad.a, the volume of malware that targets Android devices continues to increase. "Our count of mobile malware samples, just about exclusively for the Android OS, continues to skyrocket," said a threat report released last month by security firm McAfee, which analyzes the first three months of 2013. "Almost 30% of all mobile malware [ever recorded] appeared this quarter," it said. "Malicious spyware and targeted attacks highlighted the latest assaults on mobile phones."

Until last year, the majority of mobile malware attacks targeted users in Russia and China. But that's changing, according to McAfee's study. In recent months, for example, banking customers in Australia, Italy and Thailand were targeted with malware known as FKsite that purported to be secure online banking software. "Instead it forwards mobile transaction authorization numbers (mTANs) to attackers," said the report, referring to the one-time codes generated by some banks, which are sent via SMS to a subscriber's phone, and which must be used to authorize unusual or high-value transactions. Of course, such malware isn't new; the Zeus variant known as Zitmo, which debuted in 2011, targets mTANs.

Other recently discovered malware includes Smsilence.A, which is disguised as a coupon app for a popular South Korean coffee chain, but which can relay the device's phone number and forward or delete SMS messages. It only infects devices with a phone number beginning with South Korea's country code (+82).

Some mobile malware is even simpler, and recalls the Reveton ransomware scam, which tricks users into paying a fine for alleged illegal activity, supposedly to the FBI. One Android equivalent is Fakejoboffer, which targets users in India, telling them they've won a prize but must pay a small fee to collect it. Of course, after paying the fee, they receive no prize.

Meanwhile, malware known as Ssucl.a -- a Trojan disguised as a system cleanup utility -- serves as a node in a botnet, and can launch phishing attacks to retrieve Google and Dropbox log-in credentials. Closing the gap between malware designed for desktop operating systems and malware designed for mobile devices, Ssucl.a also can launch auto-run infections against any Windows system to which it gets connected.

Comments
JohnF513, User Rank: Apprentice, 4/29/2014 8:34:09 AM
Android insufficient storage available
There are some people having trouble installing new apps; this is unfortunately a common problem with Android phones, but it can be fixed in a simple way, as you can see here.
deasys, User Rank: Apprentice, 6/8/2013 5:02:46 AM
re: Android Trojan Looks, Acts Like Windows Malware
My Galaxy 4 is the best phone I ever had. It's awesome, better than anyone else's. Android is great. No one can beat it.