First case of mobile Trojan spreading via ‘alien’ botnets reported

Analysts from security firm Kaspersky Lab have reported that for the first time in the history of mobile cybercrime, a Trojan is being spread using botnets controlled by other criminal groups.

The discovery was made after virus experts investigated for over the last three months how the Obad.a Trojan, a malicious app for Android, is distributed.

This Trojan is disguised as a porn app, but in fact it consists of just two images. The main objective of this Trojan was to send premium text messages. Kaspersky Lab detected over 300 installers for this Trojan

In total, 83 percent of attempted infections were recorded in Russia, while it was also detected on mobile devices in Ukraine, Belarus, Uzbekistan, and Kazakhstan.

The most interesting distribution model saw various versions of Obad.a spread with Trojan-SMS.AndroidOS.Opfake.a. This double infection attempt starts with a text message to users, urging them to download a recently received text message.

If the victim clicks the link, a file containing Opfake.a is automatically downloaded onto the smartphone or tablet.

The malicious file can only be installed if the user then launches it. Should that happen, the Trojan sends further messages to all the contacts on the newly infected device, by clicking the link in these messages downloads Obad.a.

One Russian mobile network provider reported more than 600 messages containing these links within just five hours, pointing to a mass distribution. In most cases, the malware was spread using devices that were already infected.

Apart from using mobile botnets, the highly complex Trojan is also distributed by spam messages, Kaspersky Lab said.

According to Kaspersky Lab, a message warning the user of unpaid ‘debts’ lures victims to follow a link, which automatically downloads Obad.a onto the mobile device. Again though, users must run the downloaded file in order to install the Trojan.

Fake application stores also spread Backdoor.AndroidOS.Obad.a. They copy the content of Google Play pages, replacing legitimate links with malicious ones.

When legitimate sites are cracked and users are redirected to dangerous ones, Obad.a exclusively targets mobile users. If potential victims enter the site from a home computer, nothing happens. But smartphones and tablets of any operation system could be redirected to those fake sites (although only Android users are at risk).

“In three months, we discovered 12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation, and each used an Android OS vulnerability that gives the malware DeviceAdministrator rights and made it much more difficult to delete,” said Kaspersky Lab expert Roman Unuchek.

“As soon as we discovered this, we informed Google and the loophole has been closed in Android 4.3. However, only a few new smartphones and tablets run this version, and older devices running earlier versions are still under threat. Obad.a, which uses a large number of unpublished vulnerabilities, is more like Windows malware than other Trojans for Android,” Unuchek said.

Comment on this post