The keepers of the mobile Obad Trojan realize the window of opportunity they have to spread the malware on Android devices may be closing since the vulnerability the Trojan exploits has been patched in Android 4.3.
That could explain why Kaspersky Lab researchers have spotted a recent spike in infections, an occurrence they attribute to the use of a mobile botnet. This is the first time a botnet of mobile devices has been used to distribute a mobile Trojan, according to Roman Unuchek, a researcher at Kaspersky.
“The owners of [Obad] not only command their own software to spread itself, they also take advantage of Trojans operated by other cybercriminals,” Unuchek wrote on the Securelist blog.
Specifically, 12 versions of Obad have been spotted being distributed by devices infected with Opfake, malware bundled into malicious applications that sends premium-rate SMS messages to a number controlled by the attacker.
Obad, however, exploits an Android vulnerability that lets the malware obtain extended Device Administrator privileges while staying off the device’s list of privileged apps, making it difficult to delete. Couple that feature with a number of encryption and obfuscation techniques, and Obad is able to gain a firm hold on a smartphone or tablet once it is installed.
Unuchek said Kaspersky Lab disclosed the vulnerability to Google in May, and Google included a patch for the bug in its late July release of Android 4.3. Currently, the updates are available for Google Nexus devices; most of the major manufacturers, such as HTC and Samsung, have yet to update their devices, with most promising to do so by the end of the month.
“Devices which use earlier versions of the platform are still at risk,” Unuchek said.
The Trojan has been found mostly in Russia, Ukraine and Belarus; 83 percent of infections were seen in Russia, Unuchek reports.
Working with a Russian mobile provider, Kaspersky researchers spotted a mass distribution of malicious text messages on its network during a five-hour span on Aug. 10. More than 600 messages containing a modified version of Opfake were sent from infected devices.
“Only a few devices infected with [Opfake] distributed links to [Obad], so we could conclude that the creators of the dangerous Trojan rented part of a mobile botnet to spread their brainchild,” Unuchek wrote.
The attacks begin with a text message reading “MMS message has been delivered, download from www[.]otkroi[.]com.” If the user clicks through, a file called mms.apk containing the Opfake malware is downloaded to the device; it will not run, however, until the user executes it. Once that happens, it connects to a command and control server, which spams the victim’s address book with another text: “You have a new MMS message, download at – otkroi[.]net/12.” That link automatically downloads a file called mms.apk or mmska.apk which contains Obad.
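As an added example (not code from the article or from Kaspersky Lab), the kind of carrier-side check that would surface the burst described above: many distinct infected senders pushing the same link domain within a short window. The SMS records are constructed, reusing the lure text and defanged domains quoted in the article.

```python
"""Flag a mobile-botnet SMS campaign: one link domain, many distinct senders, short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SMS log: (timestamp, sender, body). Domains are defanged as in the article.
SAMPLE_SMS = [
    ("2013-08-10 14:00:05", "+7900000001", "You have a new MMS message, download at - otkroi[.]net/12"),
    ("2013-08-10 14:00:09", "+7900000002", "You have a new MMS message, download at - otkroi[.]net/12"),
    ("2013-08-10 14:01:30", "+7900000003", "You have a new MMS message, download at - otkroi[.]net/12"),
    ("2013-08-10 14:02:00", "+7900000001", "You have a new MMS message, download at - otkroi[.]net/12"),
    ("2013-08-10 14:03:11", "+7900000004", "MMS message has been delivered, download from www[.]otkroi[.]com"),
    ("2013-08-10 16:30:00", "+7900000009", "see you at 7"),
]

# Matches a plain or defanged ("[.]") domain, optionally followed by a path.
LINK_RE = re.compile(r"\b((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})(?:/\S*)?", re.I)


def extract_domain(body):
    """Return the normalised link domain found in an SMS body, or None if there is no link."""
    m = LINK_RE.search(body)
    if not m:
        return None
    return m.group(1).replace("[.]", ".").lower()


def find_campaigns(records, window_minutes=60, min_senders=3):
    """Group link-bearing SMS by domain and report domains pushed by at least
    min_senders distinct senders inside any window_minutes span.
    Returns {domain: distinct_sender_count} for each flagged domain."""
    by_domain = defaultdict(list)
    for ts, sender, body in records:
        dom = extract_domain(body)
        if dom:
            by_domain[dom].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sender))
    hits = {}
    for dom, events in by_domain.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window start over each event
            in_window = {s for t, s in events[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(in_window) >= min_senders:
                hits[dom] = len(in_window)
                break
    return hits


if __name__ == "__main__":
    print(find_campaigns(SAMPLE_SMS))  # {'otkroi.net': 3}
```

The single otkroi[.]com message and the benign text are ignored; only the domain spammed from several infected handsets is reported.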
Obad’s encryption and obfuscation frustrate security analysts. The Trojan has a range of capabilities gained through its Device Administrator privileges, including sending SMS messages to premium-rate numbers, downloading additional malware, installing it on the device and spreading it via Bluetooth. An attacker can also execute commands in the console, Unuchek said.
The Trojan also sends device information via an encrypted JSON object to the command and control server, including operator name, Bluetooth MAC address and more.
Obad is not distributed exclusively via the mobile botnet. Unuchek reports that early versions of the malware were sent via traditional SMS spam messages pointing victims to the dolg[.]info domain, from which Obad was automatically downloaded onto the mobile device. Attackers would also lure victims to phony versions of the Google Play market, using search engine poisoning to do so. Finally, legitimate websites could be compromised so that visitors were redirected to websites owned by the attacker. The JavaScript loaded onto the compromised site would determine whether the user was arriving from a home PC or from a mobile device before redirecting them to the attack site where Obad awaited.
Unuchek said Kaspersky Lab discovered more than 120 compromised sites redirecting users to nbelt[.]ru; clicking anywhere on the page would infect the user’s mobile device with Obad.
“The owners of [Obad] must have decided to strike while the iron is hot, so they are using both traditional and brand new approaches,” Unuchek said. “[This] demonstrates that cybercriminals continue to adapt and update their infection techniques.”