First case of Android Trojan spreading via mobile botnets discovered

Summary: Just what you always wanted: A malware botnet on Android devices. But you have to be really dumb to get infected.

Kaspersky Lab is reporting that "For the first time malware is being distributed using botnets that were created using completely different mobile malware."

Isn't that special? 

While annoying, it was only a matter of time.

[Image caption] The botnet pairing of Obad.a and Opfake.a and suitably unwary users can result in quick spikes of Android malware infections.

Kaspersky describes the malware culprit, Backdoor.AndroidOS.Obad.a, as the "most sophisticated Android Trojan yet." The Russian antivirus company also has said that Obad.a is looking "closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits."

For all the press Android malware gets, you usually have to go out of your way for your device to be infected. Until now.

Roman Unuchek, a Kaspersky Lab Expert, wrote that while Obad.a uses the usual Android infection routes (SMS spam, aka texting spam; fake Google Play stores; and cracked or otherwise untrustworthy Android software download sites), its latest trick makes it more infectious than the usual Android Trojan.

What happens is that Obad.a is distributed along with another mobile Trojan, SMS.AndroidOS.Opfake.a. This uses the usual routes to infect an Android device, usually while pretending to be another desirable program. Once in place, Opfake.a uses Google Cloud Messaging (GCM) to send the user a text message with the following text:

MMS message has been delivered, download from www.otkroi.com.

If the user clicks on the link, a file named mms.apk, containing Opfake.a, is automatically loaded onto the smartphone or tablet. Then again, the user has to be a bit of an idiot and actually run the downloaded program. If that happens, the botnet's command and control server can instruct the Trojan to send out the following message to all the contacts in the victim's address book:

You have a new MMS message, download at - http://otkroi.net/12

If the people who get this message follow the link, they'll automatically load Obad.a under the name mms.apk or mmska.apk. And, if they foolishly run these programs, they'll get a case of Obad.a.

All of this requires mindless clicking by users to work, but guess what? There are a lot of idiots out there.

According to Unuchek, data from a leading Russian mobile operator showed that "in the space of five hours, 600 messages were sent with one of the Trojan-SMS.AndroidOS.Opfake.a modifications. In most cases delivery was via infected devices, while previously similar distributions used SMS gateways. At the same time, only a few devices infected with Opfake.a distributed links to Obad.a, so we could conclude that the creators of the dangerous Trojan rented part of a mobile botnet to spread their brainchild."

The net result is that this botnet is capable of spreading Opfake.a and Obad.a very quickly.
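The lure texts, domains and APK names quoted above are enough to build a simple check that a mobile operator or device-management team could run over its SMS logs: flag messages that carry the lure, then flag senders that burst them, in the spirit of the "600 messages in five hours" observation. This is an added example, not code from the article or from Kaspersky; the log format, phone numbers, threshold and the example.org links are constructed.

```python
import re
from collections import Counter

# Indicators quoted in the article: the lure domains and the APK names
# under which Opfake.a / Obad.a are pushed to a victim's contacts.
LURE_DOMAINS = ("otkroi.com", "otkroi.net")
LURE_APKS = ("mms.apk", "mmska.apk")

# Crude URL matcher: optional scheme, optional www., host, optional path.
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(/\S*)?", re.I)


def classify(body):
    """Return 'known-lure' for a link to a known lure domain, 'apk-lure' for
    any link whose path ends in one of the lure APK names, else None."""
    for m in URL_RE.finditer(body):
        host = m.group(1).lower()
        path = (m.group(2) or "").lower()
        if host in LURE_DOMAINS:
            return "known-lure"
        if path.endswith(LURE_APKS):
            return "apk-lure"
    return None


def lure_senders(log, threshold):
    """Count lure messages per (sender, hour) and return the buckets that
    reach the threshold; one infected handset spamming its address book
    shows up as a single sender with a burst inside one hour."""
    counts = Counter()
    for line in log.splitlines():
        ts, sender, _recipient, body = line.split("|", 3)
        if classify(body):
            counts[(sender, ts[:13])] += 1   # ts[:13] == "YYYY-MM-DDTHH"
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample log: timestamp|sender|recipient|body (not real data).
SAMPLE_LOG = """\
2013-09-05T10:00:01|+7900000001|+7900000101|You have a new MMS message, download at - http://otkroi.net/12
2013-09-05T10:00:02|+7900000001|+7900000102|You have a new MMS message, download at - http://otkroi.net/12
2013-09-05T10:00:03|+7900000001|+7900000103|MMS message has been delivered, download from www.otkroi.com.
2013-09-05T10:00:04|+7900000001|+7900000104|Your photo is ready: http://example.org/pics/mms.apk
2013-09-05T10:05:00|+7900000002|+7900000201|Running late, see you at 7
2013-09-05T10:06:00|+7900000003|+7900000301|New MMS for you: http://example.org/x/mmska.apk
"""

if __name__ == "__main__":
    for key, n in lure_senders(SAMPLE_LOG, 3).items():
        print("burst of %d lure messages from %s in hour %s" % (n, key[0], key[1]))
```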

Kaspersky concluded that there are "12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation. Each used an Android OS vulnerability that allows the malware to gain Device Administrator rights and made it significantly more complicated to delete."

In addition, Google has closed the security holes Obad.a used in Android 4.3. Kaspersky also stated that "the latest version of KIS (Kaspersky Internet Security) for Android 11.1.4 can delete Obad.a from any version of Android despite the presence of vulnerabilities."

Talkback

73 comments
  • Um I thought Android was Linux so it wasn't vulnerable

    I mean I'm told all the time how Android is really just Linux anyway and counts as a Linux distro. Gaahhh /S
    greywolf7
    • Is that you todd?

      You Microsoft drones all sound the same.

      DEFEND THE HIVE!! DEFEND THE HIVE!!
      Arm A. Geddon
      • Isn't it YOU that is defending the hive?

        There actually IS an Android elevation-of-privilege vulnerability involved here:

        "Each [of the 12 versions of Backdoor.AndroidOS.Obad.a] used an Android OS vulnerability that allows the malware to gain Device Administrator rights and made it significantly more complicated to delete."

        Why hasn't this vulnerability been patched in Android versions prior to 4.3 and pushed out to Android device users? Samsung is right, some Android users do need anti-virus software installed on their devices to protect them from both themselves as well as exploits targeting OS vulnerabilities.

        Just say no. Don't enable the installation of apps from unknown sources on your Android device. If you do, you'd be well-advised to install anti-virus software from one of the top vendors identified in this link:

        http://www.zdnet.com/android-antivirus-comparison-review-malware-symantec-mcafee-kaspersky-sophos-norton-7000019189/
        Rabid Howler Monkey
    • Notice how this malware needs to ask the user to install it?

      And ask several times, no less. It's hardly a "drive by" installation! I suppose the interesting question is whether the domain "otkroi.com" or "otkroi.net" is the *real* domain where the malware needs to be downloaded from, or a spoofed one.
      Zogg
      • Hemmerdroid??

        I know a few people dumb enough to buy android and vis-a-vis dumb enough to hit install every time a piece of software asks. I don't care because I still use a digital cell that is not considered a "smart phone". BTW "smart phone" is a great marketing sound bite since most of the technologically challenged do what they're told even if it's malware telling them because it's on their "smart phone". The smarter the phones get-->the dumber the general public is.
        Jesster
    • Well, Two Problems

      The first problem is that Android and the operating system generally referred to as "Linux" are not the same operating system. Android is not even specific enough to be a distribution. Things like Cyanogenmod, AOKP, and Paranoid Android are distributions, but they are Android distributions, not Linux distributions (the "Linux" in "Linux distribution" is actually a reference to the operating system that people have called Linux for quite some time rather than the kernel that is actually named Linux).

      The second problem is that this is a Trojan, and no system is safe from Trojans because they are installed by someone with installation rights. The closest you can come to being safe from Trojans (other than educating yourself) is to give up installation rights to some degree, like iOS users do when they let Apple dictate what software they can and cannot install. Of course, you can voluntarily stay in repositories that are likely to be safe when using Android or Linux (though Google has not been as good about vetting software for the Play Store as Apple has for the App Store).
      CFWhitman
      • late model browsers

        Things like Smart Screen and other technologies do stop you from loading Trojans even with full admin rights. Running as full admin is an invitation to get whacked. I run with the ability to escalate to admin as needed. That seems to be a good mix of security and flexibility.
        mswift1
    • I'm beginning to feel like a broken record

      Whether Android is/isn't Linux is only an apparent (ie. contrived) "issue"... because whether Android should be considered "Linux" or "not Linux" depends largely on context -- and the anti-Linux contingent is either too ignorant to know, and/or has a vested interest in deliberately confusing the issue.

      For an example of how stupid this behaviour is let's look at a somewhat analogous but distinctly less esoteric matter:

      Around here, especially in late spring/early summer, bicycle riders get "speeding tickets" or other traffic citations such as "reckless operation", running a red light, or similar offences (especially in certain popular summer locales) under the Motor Vehicles Act. But despite the fact that the bicycles are "motor vehicles" in these contexts, the riders *somehow* never get into trouble for other "Motor vehicle" offences such as not wearing seat-belts, not displaying a license plate at the rear, or failing to have current motor vehicle registration or insurance papers, parking in "No Parking" zones, "driving" on pedestrian paths, DUI, etc...

      Now then; when discussing life-style concerns, no one suggests that cars are equally "good exercise" as bicycles. No one suggests that bicycles are no good, because they're not suitable for moving house (or even a new mattress). And anyone who suggested that it's problematic that bicycles don't have ABS anti-locking brakes would be plainly ridiculed. Trying to beat the train to the railway crossing is equally stupid whether your vehicle is powered by blood sugar or by gasoline. Weaselling the issue by pointing out that technically, both can be considered "motor vehicles" would only make it clearer that the speaker has an agenda (or is just nuts).

      So a "bicycle" both *is* and *is not* a "motor vehicle" -- depending on the context and its implications for public safety.

      Similarly, "Android" both *is* and *is not* "Linux" -- again, depending on the *context*, and on the implications of that context for the matter under discussion (for example, security/vulnerability to various kinds of exploits).

      In other Words -- Context Matters.

      And most of you trolls are supposedly both smart enough, and well enough informed, to understand this. That you still, repeatedly and unfailingly, either fail to comprehend this, or else feign to not comprehend this, is very telling...
      bswiss
      • That was the most moronic explanation I've heard in a long time

        First, the bicycle bit. It is considered a vehicle, but you mix traffic laws with laws specific to motor vehicles (note, a bicycle is NOT a motor vehicle under the laws of the United States in most locales). Please, before showing your stupidity, look up the rules of motor vehicles and properly differentiate between vehicle rules and traffic laws.

        Second, Android either is or is not Linux. You can't have both.

        Seriously, how moronic do you think the world really is? Perhaps you should do a bit of introspection.

        By the way, most howling that Android is Linux is by the pro-Android bunch. That's how they justify the "Android is bullet proof" arguments.

        Me thinks that one just went down the toilet. Are you really that stupid to believe that context makes the difference?
        Cynical99
  • While I could be mean and say that idiots deserve it

    Many people are not very tech-savvy and this is not good and should be avoided somehow... maybe with more warnings and more clicks :D
    AleMartin
    • Even a warning popup wouldn't work

      Even if the virus installer popped up a warning that said clicking install will destroy your device they would still go ahead.
      greywolf7
      • And I thought that

        Only Windows users did things like that. Oh wait, many of the infected Android users are the same Windows users that get infections.
        Troll Hunter J
        • And

          your point is what?
          schultzycom
        • We see your spins and excuses are running full speed, Troll Hugger

          I guess it's easier to steer the topic away from bad Android news than it is to discuss ways to alleviate the problem with Android.

          Nice thinking.
          William Farrel
          • Protect the users

            I do find it an interesting question regarding how far any OS should go to protect the lowest ability. Look at the 130-vehicle pile-up that happened over here today. If someone suggested that people can't be trusted with speed, so we should limit all cars to 30mph, people would laugh or go militant about it. With OS' it's like we have to provide a failsafe no matter how tech-illiterate the user might be.

            Disclaimer: That's all OS' before someone claims I'm aiming at a specific brand.
            Little Old Man
          • What specific problem are you referring to?

            The user's right to install applications?
            The user's right to make mistakes or be stupid?

            Or are you advocating a system users can't use?
            jessepollard
        • Troll Hunter your mirror is calling you

          NT
          greywolf7
        • @Troll Hunter J

          Please change your handle name.
          spicycheeks
      • unfortunately the pop-up is cryptic

        and an average user has no clue what it really means. Doesn't matter what environment you operate in, users are not technical for the most part.
        Cynical99
  • Updates

    The concern I have is how far between the patches are; usually I only get one update per phone. More patches the better IMO.
    oceanisle