Mobile malware targets Android with criminal botnets
20 September 2013, 22:35
Cape Town - A security company has revealed what it claims is the first case of a Trojan malware being spread by collaborating criminal groups.
Kaspersky Lab said that Obad.a, malware that targets Android-powered devices, was being distributed by botnets controlled by other criminal groups.
A botnet is a collection of infected computers controlled by a hacker or group. In many cases, user behaviour is exploited, resulting in a computer being infected with malware and leading it to become part of such a network.
"In total, 83% of attempted infections were recorded in Russia, while it was also detected on mobile devices in Ukraine, Belarus, Uzbekistan and Kazakhstan," Kaspersky said, indicating that the infections are, for the moment, limited mainly to Eastern European countries.
The company explained how the infection likely occurs.
"The most interesting distribution model saw various versions of Obad.a spread with Trojan-SMS.AndroidOS.Opfake.a. This double infection attempt starts with a text message to users, urging them to download a recently received text message. If the victim clicks the link, a file containing Opfake.a is automatically downloaded onto the smartphone or tablet."
The malware then sends messages to all the user's contacts urging them to repeat the process.
A related scam involves sending spam. Users are tricked into following a link in a message claiming an unpaid debt, and the malware is downloaded onto the device.
As Android-powered devices begin to make up the majority of mobiles, criminals have moved swiftly to exploit user ignorance to compromise the smart devices.
The Backdoor.AndroidOS.Obad.a malware is also able to create a fraudulent Google Play Store storefront, complete with copies of the content that contain malicious links.
"When legitimate sites are cracked and users are redirected to dangerous ones, Obad.a exclusively targets mobile users - if potential victims enter the site from a home computer nothing happens, but smartphones and tablets of any operating system could be redirected to those fake sites (although only Android users are at risk)," said Kaspersky.
The security company said that the code was spreading especially to devices running older versions of Android.
"In three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation, and each used an Android OS vulnerability that gives the malware Device Administrator rights and made it much more difficult to delete," said Roman Unuchek, antivirus expert at Kaspersky Lab.
The company informed Google, and the vulnerability has been closed in Android 4.3, but Unuchek said that only a small percentage of devices had the latest version of the OS.
"However, only a few new smartphones and tablets run this version, and older devices running earlier versions are still under threat. Obad.a, which uses a large number of unpublished vulnerabilities, is more like Windows malware than other Trojans for Android."