Obad is the Baddest Android Trojan on the Block


There is a new Android Trojan in town and this is one bad dude. Backdoor.AndroidOS.Obad, or “Obad” as it is known on the street, is the most sophisticated Trojan ever seen, rivaling the capabilities of Windows-based malware.

Yesterday a malware analysis expert from Kaspersky Lab released an announcement on a new Trojan that seemed like it was written for Windows and not an Android device, earning it the dubious title “The Most Sophisticated Android Trojan”.

Sure, it sends SMS messages to high-rate numbers like many other Android malware apps, but there are several new features that really set this one apart. According to the report, Obad also has the following capabilities:

  • Downloads and installs other malware programs
  • Propagates malware to other devices via Bluetooth
  • Fully functional remote Command & Control

The ability to download other malware programs has been a staple feature of Windows Trojans for a long time. But being able to use Bluetooth as a springboard to infect other devices is pretty concerning.


Obad’s Command & Control features allow cyber criminals to send commands via SMS messaging, use a remote shell, download remote files, pull application & personal data from the phone, and attack other devices by using Bluetooth.

Another unique feature is that Obad can also freeze the display for up to 10 seconds to hide what it is doing from the device owner.

Using obfuscated code and several new vulnerabilities, Obad definitely raises the stakes in the mobile malware department. Thankfully, it is not very widespread at the moment.

For more information check out the Kaspersky team’s complete analysis.

Stuxnet, Duqu and Flame made by same Team

In-depth research shows that Flame and Stuxnet, two serious pieces of malware released against the Iranians, were made in co-operation with each other. A report from Kaspersky Lab today pretty much solidifies what many security experts assumed: that both programs were made by the same group.

According to the report, “a module from the early 2009-version of Stuxnet, known as “Resource 207,” was actually a Flame plugin.” Some other interesting points from the report include:

  • Flame was created first, as Stuxnet includes one of Flame’s modules
  • Flame and Stuxnet use the same USB infector mechanism
  • In 2010, Flame and Stuxnet joint development seems to have ended

The module that was shared between both programs is called “Resource 207”. According to Kaspersky, the “module is an encrypted DLL file and it contains an executable file that’s the size of 351,768 bytes with the name “atmpsvcn.ocx”. This particular file, as it is now revealed by Kaspersky Lab’s investigation, has a lot in common with the code used in Flame.”


The primary functionality of the Stuxnet “Resource 207” module was distributing the infection from one machine to another, using removable USB drives and exploiting a vulnerability in the Windows kernel to obtain escalation of privileges within the system. The code responsible for distributing the malware via USB drives is completely identical to the code used in Flame.

The code seemed to be shared at the program level, not the binary level. This actually makes a lot of sense. Two teams, one presumably American and one Israeli, could have worked together on the overall attack plan and co-created the code. Then they could have split up to create code to accomplish individual end goals: one disabling the physical equipment and process, the other serving as a remote access tool and data miner.

Cool stuff, makes you wonder what else Israel and the US are working on.