Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Meet the most insidious Android malware yet

Chris Nerney | June 11, 2013
Android's vulnerability to malware is the main reason Google's mobile operating system has failed to penetrate the enterprise.

android

Android's vulnerability to malware is the main reason Google's mobile operating system has failed to penetrate the enterprise.

But as I wrote recently, Android's dominance in the consumer market — it has anywhere from 65% to 75% market share — makes it inevitable that enterprises will have to support the Google OS.

Or perhaps not. The latest Android Trojan, discovered by Kaspersky Lab, may give serious pause to many IT pros considering a large Android implementation.

The Trojan, known as Backdoor.AndroidOS.Obad.a, can perform a number of functions, including downloading other malware, installing it on an infected device and/or sending it elsewhere via Bluetooth, remotely performing commands in the console, and sending SMS to premium-rate numbers.

Who's going to be eager to invite that into their enterprise?

Kaspersky Lab expert Roman Unuchek, describing the malware as only a security professional can, writes, "At a glance, we knew this one was special."

"Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts," Unuchek writes. "However, it is rare to see concealment as advanced as Odad.a's in mobile malware."

Among other things, the new Trojan doesn't employ an interface and runs in background mode.

Disturbingly, the new Trojan exploits two different errors in the Android operating system, which has been roundly criticized for its poor security and which has inspired Samsung to create Android security platforms such as SAFE and KNOX in order to overcome enterprise security concerns:

  • A file called AndroidManifest.xml, which is part of all Android apps, is designed to describe the structure of the application and its launch parameters, among other things. The Trojan modifies the file in a way that it no longer complies with Google standards, but still processes correctly on the infected device. This makes detection extremely difficult, even conducting dynamic analysis, Unuchek says.
  • Perhaps more insidiously, Backdoor.AndroidOS.Obad.a exploits another Android vulnerability that grants malicious apps extended and undetected device administrator privileges. "As a result of this, it is impossible to delete the malicious program from the smartphone after it gains extended privileges," Unuchek writes. And Obad.a attempts to gain those privileges as soon as it starts.

Once launched, Obad.a collects and sends to the cybercriminals a lot of information, including the device's phone number, name of operator, MAC address of the Bluetooth device, the user's account balance, and whether device administrator privileges have been granted.

Fortunately, Kaspersky says Backdoor.AndroidOS.Obad.a "is not very widespread," with installation attempts during a three-day observation period amounting to 0.15% of all malware efforts to infect mobile devices.

Unfortunately, Obad.a is closer in nature to Windows malware than other Android Trojans "in terms of its complexity and the number of unpublished vulnerabilities it exploits," Kaspersky says. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.