Android malware discovered, most advanced yet, claim researchers
Exploits multiple vulnerabilities and blocks uninstall attempts.
Security researchers have discovered what is claimed to be the most sophisticated Android malware ever seen.
Dubbed Obad, the malware can send texts to premium rate numbers, download and install additional malware and remotely execute console commands. It also uses complex obfuscation techniques to evade detection.
The malware was unearthed by researchers at IT security firm Kaspersky, who said that once a smartphone is infected, the malware quickly obtains elevated privileges on the phone and starts working in the background. The Trojan then attempts to spread over Wi-Fi and Bluetooth, sending malicious files to nearby phones.
Obad also exploits vulnerabilities in the Android OS. It obtains Device Administrator privileges and then abuses a flaw to keep that status from being revoked, making it virtually impossible for a user to remove it from the device. Another flaw in the Android OS relates to the processing of the AndroidManifest.xml file. This file exists in every Android application and is used to describe the application's structure (its components and permissions) and to define its launch parameters.
"The malware modifies AndroidManifest.xml in such a way that it does not comply with Google standards, but is still correctly processed on a smartphone thanks to the exploitation of the identified vulnerability," said Roman Unuchek, a Kaspersky Lab expert. "All of this made it extremely difficult to run dynamic analysis on this Trojan."
It also trips up dex2jar, a tool analysts use to convert the Dalvik bytecode inside an APK into a JAR file so that it can be decompiled. The Trojan's code triggers an error in that conversion, which complicates static analysis of the sample.
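The manifest is where the capabilities described above (Device Administrator registration, SMS sending, Bluetooth use) are declared, so a first triage step on a suspect APK is to decode it and read AndroidManifest.xml. The script below is an added example, not Kaspersky's tooling or the malware's code; it parses a decoded (text) manifest, flags the permissions and the Device Administrator receiver a practitioner would look for, and reports a parse failure rather than crashing when the file is not well-formed. The sample manifest embedded in it is constructed for the example, and the permission list and scoring are an assumed heuristic rather than a published detection rule.

```python
"""Triage a decoded AndroidManifest.xml for the capabilities the article
attributes to Obad.  Added example; the sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Return the namespaced attribute name for android:<attr>."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Assumed heuristic: permissions that, together, match the behaviour the
# article describes (premium SMS, Bluetooth spreading, persistence, C&C).
SUSPICIOUS_PERMS = {
    "android.permission.SEND_SMS": "can send texts (premium-rate fraud)",
    "android.permission.BLUETOOTH": "can use Bluetooth",
    "android.permission.BLUETOOTH_ADMIN": "can discover Bluetooth devices (spreading)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts at boot (persistence)",
    "android.permission.INTERNET": "can reach a C&C server",
}

DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def triage_manifest(xml_text):
    """Return findings for one decoded manifest.

    'parse_error' is set when the text is not well-formed XML (a malformed
    manifest is itself worth noting, given the article); the caller should
    then fall back to inspecting the binary manifest directly.
    """
    findings = {
        "package": None,
        "permissions": [],
        "device_admin_receivers": [],
        "parse_error": None,
    }
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings["parse_error"] = str(exc)
        return findings

    findings["package"] = root.get("package")

    for perm in root.iter("uses-permission"):
        name = perm.get(a("name"))
        if name in SUSPICIOUS_PERMS:
            findings["permissions"].append((name, SUSPICIOUS_PERMS[name]))

    # A Device Administrator component is a <receiver> guarded by
    # BIND_DEVICE_ADMIN whose intent-filter listens for DEVICE_ADMIN_ENABLED.
    for recv in root.iter("receiver"):
        if recv.get(a("permission")) != DEVICE_ADMIN_PERM:
            continue
        actions = {act.get(a("name")) for act in recv.iter("action")}
        if DEVICE_ADMIN_ACTION in actions:
            findings["device_admin_receivers"].append(recv.get(a("name")))
    return findings


def risk_score(findings):
    """Assumed scoring: one point per flagged permission, three for a
    Device Administrator receiver, three for an unparseable manifest."""
    score = len(findings["permissions"])
    score += 3 * len(findings["device_admin_receivers"])
    if findings["parse_error"] is not None:
        score += 3
    return score


# Constructed sample manifest (not taken from any real APK).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Update">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "score", risk_score(result))
    for name, why in result["permissions"]:
        print("  permission", name, "-", why)
    for recv in result["device_admin_receivers"]:
        print("  device admin receiver", recv)
```

To run this against a real sample, decode the APK first (for example with `apktool d sample.apk`, which writes a text AndroidManifest.xml into the output directory) and pass the file contents to `triage_manifest`. A non-zero `parse_error` on a manifest that nonetheless installed on a device is exactly the kind of discrepancy the article describes and deserves a closer look at the binary manifest.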
The Trojan collects large amounts of data from the device, which it passes back to hackers through a command and control (C&C) server, according to Unuchek. The collected information is sent to the server in the form of an encrypted JSON object.
This information is sent to the current C&C server every time a connection is established. In addition, the malicious program reports its current status to its operator: it sends the current table of premium numbers and prefixes to which text messages are to be sent, the task list, and the list of C&C servers. During the first C&C session it sends a blank table together with the list of C&C addresses it has decrypted. During a session the Trojan may receive an updated table of premium numbers and a new list of C&C addresses.
Unuchek said that the malware "looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits."
"This means that the complexity of Android malware programs is growing rapidly alongside their numbers," he said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.