Roman Unuchek, a Kaspersky Lab expert, wrote that while Obad.a uses the usual Android infection routes (SMS spam, fake Google Play stores, and cracked or otherwise untrustworthy Android software download sites), its latest trick makes it more infectious than the usual Android Trojan.
What happens is that Obad.a is distributed with the help of another mobile Trojan, SMS.AndroidOS.Opfake.a. Opfake.a infects an Android device by the usual routes, typically while posing as some desirable program. Once in place, Opfake.a takes its commands over Google Cloud Messaging (GCM) and sends the user a text message with the following text:
MMS message has been delivered, download from www.otkroi.com.
If the user follows the link, a file named mms.apk, containing Opfake.a, is downloaded to the smartphone or tablet. Then again, the user still has to be a bit of an idiot and run the downloaded program. If that happens, the botnet's command-and-control server can instruct the Trojan to send the following message to every contact in the victim's address book:
You have a new MMS message, download at - http://otkroi.net/12
If the people who get this message follow the link, they download Obad.a under the name mms.apk or mmska.apk. And, if they foolishly run these programs, they'll get a case of Obad.a.
All of this requires mindless clicking by users to work, but guess what? There are a lot of idiots out there.
According to Unuchek, data from a leading Russian mobile operator showed that "in the space of five hours, 600 messages were sent with one of the Trojan-SMS.AndroidOS.Opfake.a modifications. In most cases delivery was via infected devices, while previously similar distributions used SMS gateways. At the same time, only a few devices infected with Opfake.a distributed links to Obad.a, so we could conclude that the creators of the dangerous Trojan rented part of a mobile botnet to spread their brainchild."
The net result is that this botnet is capable of spreading Opfake.a and Obad.a very quickly.
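The spreading pattern described above (one infected handset pushing an identical MMS lure with a download link to every contact in its address book, hundreds of times in a few hours) is something a carrier or MDM team can look for in SMS logs. The following is an added example, not code from Kaspersky or from the article: it parses a constructed pipe-delimited SMS log, classifies a message as an MMS lure when it pairs the word "MMS" with a link, and flags senders that fan such a lure out to several distinct recipients inside a time window. The two lure texts and the otkroi.net / otkroi.com hosts are the ones quoted in the article; the phone numbers, the log format, and the thresholds (three recipients within a five-hour window, echoing the operator statistic quoted below) are assumptions chosen for illustration.

```python
"""Flag the SMS-lure fan-out pattern used to spread Opfake.a and Obad.a.

Added example: parses a constructed operator-side SMS log, detects MMS-lure
texts and reports senders spamming the same lure to many recipients.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "timestamp|sender|recipient|text". The lure texts and
# hosts are those quoted in the article; every phone number is made up.
SAMPLE_LOG = """\
2013-09-05 10:00:01|+70000000001|+70000000002|You have a new MMS message, download at - http://otkroi.net/12
2013-09-05 10:00:03|+70000000001|+70000000003|You have a new MMS message, download at - http://otkroi.net/12
2013-09-05 10:00:04|+70000000001|+70000000004|You have a new MMS message, download at - http://otkroi.net/12
2013-09-05 10:01:10|+70000000009|+70000000010|MMS message has been delivered, download from www.otkroi.com.
2013-09-05 10:02:00|+70000000005|+70000000006|Running late, see you at 8
2013-09-05 10:03:00|+70000000007|+70000000001|Did you send me an MMS? Link looks odd
2013-09-05 10:04:00|+70000000008|+70000000011|Your parcel is ready, track at https://example.com/track/55
"""

MMS_LURE = re.compile(r"\bMMS\b", re.IGNORECASE)
# Accept scheme-less "www.host" links too: the first article lure has no scheme.
URL = re.compile(r"(?:https?://|www\.)[^\s,]+", re.IGNORECASE)


def parse_log(log):
    """Turn the pipe-delimited log into (datetime, sender, recipient, text) tuples."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, text = line.split("|", 3)
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sender, recipient, text))
    return records


def is_mms_lure(text):
    """An MMS-delivery notice that carries a link; matches both lures in the article."""
    return bool(MMS_LURE.search(text) and URL.search(text))


def lure_hosts(text):
    """Hostnames linked from a message, with scheme, path, 'www.' and trailing punctuation removed."""
    hosts = set()
    for match in URL.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")
        url = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
        host = url.split("/", 1)[0].lower()
        hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts


def find_lure_fanout(records, window=timedelta(hours=5), min_recipients=3):
    """Senders that push an MMS lure to at least `min_recipients` distinct numbers within `window`.

    An infected handset spams the victim's whole address book, so one sender
    hitting many recipients with the lure is the signal. A lone lure from an
    SMS gateway to a single recipient is a lure but not fan-out.
    """
    by_sender = defaultdict(list)
    for ts, sender, recipient, text in records:
        if is_mms_lure(text):
            by_sender[sender].append((ts, recipient, text))

    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        # Slide a window starting at each lure and count distinct recipients inside it.
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            recipients = {r for _, r, _ in in_window}
            if len(recipients) >= min_recipients:
                hosts = set().union(*(lure_hosts(t) for _, _, t in in_window))
                flagged[sender] = {"recipients": len(recipients), "hosts": sorted(hosts)}
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("lure messages:", sum(is_mms_lure(r[3]) for r in recs))
    for sender, info in find_lure_fanout(recs).items():
        print(f"fan-out from {sender}: {info['recipients']} recipients, hosts {info['hosts']}")
```

In the sample, the single gateway-style lure from +70000000009 is counted as a lure but not as fan-out, while +70000000001 is flagged after three distinct recipients; the reply "Did you send me an MMS?" is ignored because it carries no link. In production the thresholds would be tuned against the operator's own baseline, and the flagged sender is a candidate infected device to notify rather than proof on its own.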
Kaspersky concluded that there are "12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation. Each used an Android OS vulnerability that allows the malware to gain Device Administrator rights and made it significantly more complicated to delete."
In addition, Google has closed the security holes Obad.a used in Android 4.3. Kaspersky also stated that "the latest version of KIS (Kaspersky Internet Security) for Android 11.1.4 can delete Obad.a from any version of Android despite the presence of vulnerabilities."