A dangerous Trojan that targets Google's Android mobile operating system has gained new nefarious capabilities even as a new banking malware takes aim at the OS, according to security researchers.
Kaspersky Lab reported that mobile botnets are being used to distribute the Obad.a Trojan, which can gain administrative rights on an Android device — allowing its masters to do pretty much anything they want with a handset.
Meanwhile, Eset revealed that a bad app it discovered earlier this month — Hespernet — is actually a mobile banking Trojan along the lines of Zeus and SpyEye, but with significant implementation differences that make it a new malware family.
The Obad.a Trojan has been closely watched by Kaspersky since the beginning of the summer, but it wasn't until recently that researchers uncovered the unusual distribution method its handlers have been deploying.
"For the first time, malware is being distributed using botnets that were created using completely different mobile malware," Kaspersky researcher Roman Unuchek wrote in a blog.
Such distribution techniques are common in the desktop world, but their arrival in the mobile space is another indicator that Android is becoming the mobile equivalent of Windows for hackers.
"This approach, like other aspects of the Obad operation, mimics what we've been seeing in the desktop ecosystem," Roel Schouwenberg, a senior researcher at Kaspersky, said in an email.
"In the Windows and Linux world, it's very common for malware and botnets to install other types of malware for pay," he added. "So it's likely that we'll see further adoption of this strategy in the mobile space as well."
Handsets are initially infected with the botnet software SMS.AndroidOS.Opfake.a through a poisoned link in an SMS message.
The link promises to deliver a new MMS message to the target. If clicked, the botware will be downloaded and the target asked to run it. If the target complies, SMS messages with the same MMS pitch will be sent to everyone on the target's contact list. In addition, the botware will download Obad.a, which sets up a backdoor on the handset that allows a botmaster to remotely control the device.
Other more conventional means are also used to distribute Obad.a, including SMS spam, links to fake Google Play stores and redirection from poisoned websites.
That kind of multi-vector infection strategy isn't common yet in the mobile world. "Right now, Obad is setting a new standard," Schouwenberg said. "We're still quite a bit away from multiple infection vectors being the norm rather than the exception."
Up to now, Obad.a activity has been directed at populations in the states of the old Soviet Union, although there has been some spillover into other countries. "For now, other countries are not where the attackers' focus seems to be," Schouwenberg said.
Sign up for CIO Asia eNewsletters.