Android Trojan Looks, Acts Like Windows Malware - InformationWeek


Android Trojan "Obad.a" rivals Windows malware in the harm it can do to mobile device users, say experts.

Android malware is becoming more like Windows or Mac malware; in other words, more dangerous to users. One of the latest, a Trojan application called Obad.a, offers capabilities that rival many types of malware currently targeting Windows or Mac OS X systems, say experts.

For starters, the new malware creates an attacker-accessible backdoor on infected Android devices, can download and install additional malware, infect nearby devices with the malware -- via Wi-Fi or Bluetooth -- and receive further instructions from the attacker. For good measure, the malware also can send SMS messages to premium phone numbers, thus generating revenue for attackers or their business associates.

"At a glance, we knew this one was special," said Roman Unuchek, a security researcher at Kaspersky Lab, in a blog post, noting that whoever developed the malware not only built in numerous capabilities, but also carefully hid the code to make it difficult to detect or study.

"Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Obad.a's in mobile malware," Unuchek said. That concealment extends to the Android user experience: the malicious application works in background mode and has no interface.

Although the malware is somewhat rare, it's reportedly being distributed in a typical way: most likely disguised as a legitimate app via "alternative app stores and fishy websites," reported Android Police.

Whoever built the malware took advantage of three different flaws in the Android operating system, or related software, to make the malware more difficult to detect or eradicate. For example, the attackers used a vulnerability in the dex2jar software -- often used by malware analysts to convert Android application package (APK) files into Java Archive (JAR) format for easier analysis -- that prevents the APK file from being successfully converted.

Attackers also discovered a vulnerability in the AndroidManifest.xml file specification, which provides essential information about every application to the Android operating system. Using this vulnerability, attackers were able to give the malware a file description that can't be automatically parsed by analysis tools, but which is still processed correctly by the Android operating system.

Finally, the malware's developers "also used yet another previously unknown error in the Android operating system," said Unuchek, which results in the malware being granted "extended Device Administrator privileges without appearing on the list of applications which have such privileges." From a user-interface standpoint, it also means that once the malware infects the device, a user can't revoke those privileges or even delete the application through the operating system.

Using these privileges, the malware can disable access to the device's screen for up to 10 seconds, which is likely used to conceal bad behavior, because it "typically happens after the device is connected to a free Wi-Fi network or Bluetooth is activated," said Unuchek. "With a connection established, the Trojan can copy itself and other malicious applications to other devices located nearby."

"Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek said. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."

Looking beyond Obad.a, the volume of malware that targets Android devices continues to increase. "Our count of mobile malware samples, just about exclusively for the Android OS, continues to skyrocket," said a threat report released last month by security firm McAfee, which analyzes the first three months of 2013. "Almost 30% of all mobile malware [ever recorded] appeared this quarter," it said. "Malicious spyware and targeted attacks highlighted the latest assaults on mobile phones."

Until last year, the majority of mobile malware attacks targeted users in Russia and China. But that's changing, according to McAfee's study. In recent months, for example, banking customers in Australia, Italy and Thailand were targeted with malware known as FKsite that purported to be secure online banking software. "Instead it forwards mobile transaction authorization numbers (mTANs) to attackers," said the report, referring to the one-time codes generated by some banks, which are sent via SMS to a subscriber's phone and must be used to authorize unusual or high-value transactions. Of course, such malware isn't new; the Zeus variant known as Zitmo, which debuted in 2011, targets mTANs.
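The evasion tricks attributed to Obad.a above (a manifest that analysis tools cannot parse, a hidden Device Administrator grant, no user interface) and the SMS-stealing behaviour of FKsite and Zitmo both leave traces in an app's manifest that a defender can triage before installing or while reviewing a sample. The script below is an added example, not code from the article, Kaspersky or McAfee. It assumes the AndroidManifest.xml has already been decoded from the APK's binary form into text (for instance with apktool); the three sample manifests are constructed for this example, and the two-indicator threshold is a hypothetical heuristic, not a published rule. The failure mode the article describes is handled explicitly: a manifest the parser rejects is reported as suspicious rather than silently skipped.

```python
import xml.etree.ElementTree as ET

# Attribute names in the Android XML namespace, keyed the way ElementTree keys them.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# SMS permissions behind the behaviours the article describes
# (premium-rate SMS sending, mTAN forwarding, relaying or deleting messages).
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _declares_device_admin(root):
    """True if any receiver is wired up as a Device Administrator component."""
    for receiver in root.iter("receiver"):
        if receiver.get(PERMISSION_ATTR) == DEVICE_ADMIN_PERMISSION:
            return True
        if any(a.get(NAME_ATTR) == DEVICE_ADMIN_ACTION for a in receiver.iter("action")):
            return True
    return False


def _has_launcher_activity(root):
    """True if some activity is reachable from the launcher, i.e. the app has a UI entry point."""
    for activity in root.iter("activity"):
        for filt in activity.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in filt.findall("action")}
            categories = {c.get(NAME_ATTR) for c in filt.findall("category")}
            if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
                return True
    return False


def triage_manifest(manifest_xml):
    """Score a decoded AndroidManifest.xml for the indicators discussed in the article.

    Returns a dict of individual indicators plus a 'suspicious' verdict. A manifest
    the XML parser rejects is itself an indicator: a manifest that tools cannot
    parse but Android still accepts is the trick Obad.a used.
    """
    result = {"unparseable": False, "sms_permissions": set(),
              "device_admin": False, "has_launcher": True, "suspicious": False}
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        result["unparseable"] = True
        result["suspicious"] = True
        return result

    requested = {p.get(NAME_ATTR) for p in root.findall("uses-permission")}
    result["sms_permissions"] = requested & SMS_PERMISSIONS
    result["device_admin"] = _declares_device_admin(root)
    result["has_launcher"] = _has_launcher_activity(root)

    # Hypothetical heuristic: two or more of {SMS access, device-admin receiver,
    # no user-facing entry point} together warrant a closer look.
    indicators = sum([bool(result["sms_permissions"]),
                      result["device_admin"],
                      not result["has_launcher"]])
    result["suspicious"] = indicators >= 2
    return result


# Constructed sample manifests (not real apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
  </application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sysservice">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Service">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".BgService"/>
  </application>
</manifest>"""

# Deliberately malformed (unclosed <receiver>): stands in for a manifest analysis tools choke on.
MALFORMED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application><receiver></application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST),
                       ("malformed", MALFORMED_MANIFEST)):
        print(label, triage_manifest(xml))
```

Run it as a script to see all three verdicts, or import `triage_manifest` and feed it manifests decoded from samples of interest. The check is deliberately conservative: SMS permissions alone are normal for a messaging app, and a service with no launcher activity is normal for a keyboard or a sync adapter, so only the combination raises the verdict.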

Other recently discovered malware includes Smsilence.A, which is disguised as a coupon app for a popular South Korean coffee chain, but which can relay the device's phone number and forward or delete SMS messages. It only infects devices with a phone number beginning with South Korea's country code (+82).

Some mobile malware is even simpler, and recalls the scam Reveton ransomware, which tricks users into paying a fine for alleged illegal activity, supposedly to the FBI. One Android equivalent is Fakejoboffer, which targets users in India, telling them they've won a prize, but must pay a small fee to collect it. Of course, after paying the fee, they receive no prize.

Meanwhile, malware known as Ssucl.a -- a Trojan disguised as a system cleanup utility -- serves as a node in a botnet, and can launch phishing attacks to retrieve Google and Dropbox log-in credentials. Closing the gap between malware designed for desktop operating systems and malware designed for mobile devices, Ssucl.a also can launch auto-run infections at any Windows system to which it gets connected.

4/29/2014 | 8:34:09 AM
Android insufficient storage available
There are some people having trouble installing new apps. This is unfortunately a common problem with Android phones, but it can be fixed in a simple way, as you can see here.
6/8/2013 | 5:02:46 AM
re: Android Trojan Looks, Acts Like Windows Malware
My Galaxy 4 is the best phone I ever had. It's awesome, better than anyone else's. Android is great. No one can beat it.