A security researcher has found what he claims is the most sophisticated Android trojan yet. Currently spreading by SMS spam, it goes to great lengths to hide itself and tries to replicate onto nearby Bluetooth-enabled devices.
Like other Android malware, the trojan is designed to earn its controllers money by forcing the infected device to send text messages to premium-rate numbers. But what's rare about Obad.a, according to Russian security vendor Kaspersky Lab, is that it exploits previously unknown vulnerabilities in Android to remain invisible.
The malware is not widespread and so far has relied on malware-laden SMS to spread, but it contains an impressive list of capabilities that puts it on par with the sophistication of Windows malware, according to Kaspersky Lab malware researcher Roman Unuchek.
"Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek notes in a blog post.
The makers of Obad.a found and used two previously unknown flaws in Android to hide the trojan from victims, and a third in the open source tool dex2jar, which hampers analysis by security researchers who rely on it to decompile Android apps.
The trojan is designed to gain device administrator privileges but does not appear in the infected device's list of apps holding such privileges. An app with device administrator rights cannot be uninstalled until the user revokes those rights, and the user cannot revoke them for an app that is missing from the list, so the trojan is very difficult to remove. This was one of the flaws Kaspersky said it had reported to Google.
The malware sends data about the victim's device to a remote command and control server. The information it reports includes the MAC address of the device's Bluetooth adapter, the carrier name, the device's phone number and unique IMEI number, the user's account balance, and whether or not device administrator privileges have been obtained.
The malware can also take instructions from its operators via SMS, such as which premium-rate numbers to text, or to scan for nearby devices with Bluetooth enabled and send them a file chosen by the attacker.
Once it has admin privileges, the trojan can also block the device's screen for 10 seconds; this typically happens right after the device connects to a wi-fi network or enables Bluetooth. Once a connection to a nearby device is established, Obad.a can copy over not just itself but additional malware as well.