Android Trojan Looks, Acts Like Windows Malware

Android Trojan "Obad.a" rivals Windows malware in the harm it can do to mobile device users, say experts.

Mathew J. Schwartz, Contributor

June 7, 2013


Android malware is becoming more like Windows or Mac malware; in other words, more dangerous to users. One of the latest, a Trojan application called Obad.a, offers capabilities that rival many types of malware currently targeting Windows or Mac OS X systems, say experts.

For starters, the new malware creates an attacker-accessible backdoor on infected Android devices, can download and install additional malware, infect nearby devices with the malware -- via Wi-Fi or Bluetooth -- and receive further instructions from the attacker. For good measure, the malware also can send SMS messages to premium phone numbers, thus generating revenue for attackers or their business associates.

"At a glance, we knew this one was special," said Roman Unuchek, a security researcher at Kaspersky Lab, in a blog post citing the fact that whoever developed the malware not only built in numerous capabilities, but also carefully hid the code to make it difficult to detect or study.

"Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Obad.a's in mobile malware," Unuchek said. That concealment extends to the Android user experience, as the malware works in background mode and has no interface.


Although the malware is somewhat rare, it's reportedly being distributed in a typical way: most likely disguised as a legitimate app via "alternative app stores and fishy websites," reported Android Police.

Whoever built the malware took advantage of three different flaws in the Android operating system, or related software, to make the malware more difficult to detect or eradicate. For example, the attackers used a vulnerability in the dex2jar software -- often used by malware analysts to convert Android application package (APK) files into Java Archive (JAR) format for easier analysis -- that prevents the APK file from being successfully converted.

Attackers also discovered a vulnerability in the AndroidManifest.xml file specification, which provides essential information about every application to the Android operating system. Using this vulnerability, attackers were able to give the malware a file description that can't be automatically parsed by analysis tools, but which is still processed correctly by the Android operating system.

Finally, the malware's developers "also used yet another previously unknown error in the Android operating system," said Unuchek, which results in the malware being granted "extended Device Administrator privileges without appearing on the list of applications which have such privileges." From a user-interface standpoint, it also means that once the malware infects the device, a user can't revoke those privileges or even delete the application through the operating system.

Using these privileges, the malware can disable access to the device's screen for up to 10 seconds, which is likely used to conceal bad behavior, because it "typically happens after the device is connected to a free Wi-Fi network or Bluetooth is activated," said Unuchek. "With a connection established, the Trojan can copy itself and other malicious applications to other devices located nearby."

"Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek said. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."

Looking beyond Obad.a, the volume of malware that targets Android devices continues to increase. "Our count of mobile malware samples, just about exclusively for the Android OS, continues to skyrocket," said a threat report released last month by security firm McAfee, which analyzes the first three months of 2013. "Almost 30% of all mobile malware [ever recorded] appeared this quarter," it said. "Malicious spyware and targeted attacks highlighted the latest assaults on mobile phones."

Until last year, the majority of mobile malware attacks targeted users in Russia and China. But that's changing, according to McAfee's study. In recent months, for example, banking customers in Australia, Italy and Thailand were targeted with malware known as FKsite that purported to be secure online banking software. "Instead it forwards mobile transaction authorization numbers (mTANs) to attackers," said the report, referring to the one-time codes generated by some banks, which are sent via SMS to a subscriber's phone, and which must be used to authorize unusual or high-value transactions. Of course, such malware isn't new; the Zeus variant known as Zitmo, which debuted in 2011, targets mTANs.

Other recently discovered malware includes Smsilence.A, which is disguised as a coupon app for a popular South Korean coffee chain, but which can relay the device's phone number and forward or delete SMS messages. It only infects devices with a phone number beginning with South Korea's country code (+82).

Some mobile malware is even simpler, and recalls the scam Reveton ransomware, which tricks users into paying a fine for alleged illegal activity, supposedly to the FBI. One Android equivalent is Fakejoboffer, which targets users in India, telling them they've won a prize, but must pay a small fee to collect it. Of course, after paying the fee, they receive no prize.

Meanwhile, malware known as Ssucl.a -- a Trojan disguised as a system cleanup utility -- serves as a node in a botnet, and can launch phishing attacks to retrieve Google and Dropbox log-in credentials. Closing the gap between malware that's designed for desktop operating systems versus mobile devices, Ssucl.a also can launch auto-run infections at any Windows system to which it gets connected.

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
