Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Android Trojans spread by Bluetooth, hijack bank codes

John P. Mello Jr. | June 12, 2013
Mobile malware gets more complex, defeats two-factor authentication.

A Trojan that spreads itself via Bluetooth and another that's received a mobile upgrade to steal SMS banking codes have been discovered by security researchers.

"Backdoor.AndroidOS.Obad.a" was recently discovered by Kaspersky Lab in an Android application. The malware is a multi-functional Trojan that can send SMS messages to premium rate numbers, download malware to a phone and infect other phones through Bluetooth.

After receiving a command from a server operated by a cyber criminal, the malware scans for devices around it with open Bluetooth connections and attempts to send a bad app to them, Kaspersky Lab Expert Roman Unuchek explained in a blog.

When Bluetooth was introduced, there were some experiments with using it to infect machines, but nothing similar to what Kaspersky has discovered. "In this incarnation, it's definitely novel," Ken Baylor, research vice president for NSS Labs, said in an interview. "It's something we haven't seen in Bluetooth before, other than a proof concept," he said, "and we've never seen it in an Android implementation."

The Obad backdoor is one of the most complex Android malware programs yet and rivals bad apps written for Windows PCs. "Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek wrote.

"Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts," he added. "However, it is rare to see concealment as advanced as Obad.a's in mobile malware."

As complex as Obad is, the added sophistication doesn't seem to be making the Trojan very infectious. "Despite such impressive capabilities, Backdoor.AndroidOS.Obad.a is not very widespread," Unuchek wrote. "Over a 3-day observation period using Kaspersky Security Network data. Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware."

Obad's kind of complexity wasn't stuffed into the new mobile add-on for the Bugat banking Trojan discovered by researchers at RSA. The add-on, called BitMo by RSA, hijacks security codes sent through SMS messages to bank customers to authenticate their identities.

"It's a simple SMS forwarder," Limor Kessem, a cybercrime specialist with RSA, the security division of EMC, said in an interview. "It's not a rogue. It asks for permissions just like any other application."

What is interesting about the malware is how its authors get people to download it. They persuade them they need malware protection and request their mobile phone number and platform type. Then they get the person to download the malware.

Once installed on a phone, the bad app operates in the background monitoring SMS messages. If it sees a message containing a bank code, it will hide it from the phone's owner and ship the message to the byte robber.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.