The most sophisticated Android Trojan

Roman Unuchek
Kaspersky Lab Expert
Posted June 06, 15:01  GMT

Recently, an Android application came to us for analysis. At a glance, we knew this one was special. All strings in the DEX file were encrypted, and the code was obfuscated.

The file turned out to be a multi-functional Trojan, capable of the following: sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. Now, Kaspersky Lab's products detect this malicious program as Backdoor.AndroidOS.Obad.a.

Malware writers typically try to make the code in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Obad.a's in mobile malware. Moreover, this complete code obfuscation was not the only odd thing about the new Trojan.

The Trojan's quirks

The creators of Backdoor.AndroidOS.Obad.a found an error in the popular DEX2JAR software; this program is typically used by analysts to convert APK files into the more convenient Java Archive (JAR) format. The vulnerability spotted by the cybercriminals disrupts the conversion of Dalvik bytecode into Java bytecode, which in turn complicates static analysis of the Trojan.

Also, the cybercriminals found an error in the Android operating system which relates to the processing of the AndroidManifest.xml file. This file exists in every Android application and is used to describe the application's structure, define its launch parameters, etc. The malware modifies AndroidManifest.xml in such a way that it does not comply with Google standards, but is still correctly processed on a smartphone thanks to the exploitation of the identified vulnerability. All of this made it extremely difficult to run dynamic analysis on this Trojan.

The creators of Backdoor.AndroidOS.Obad.a also used yet another previously unknown error in the Android operating system. By exploiting this vulnerability, malicious applications can enjoy extended Device Administrator privileges without appearing on the list of applications which have such privileges. As a result of this, it is impossible to delete the malicious program from the smartphone after it gains extended privileges.

Finally, Backdoor.AndroidOS.Obad.a does not have an interface and works in background mode.

Code analysis

In this malicious application, all external methods are called via reflection. All strings are encrypted, including the names of classes and methods.

Each class has a local descriptor method which obtains the string required for encryption from the locally updated byte array. All strings are "hidden" in this array.

The most important strings, those containing the C&C address, undergo an additional stage of decryption. For this, the Trojan first checks if Internet access is available, then downloads the page facebook.com. It extracts a certain element of that page and uses it as the decryption key. Thus, Backdoor.AndroidOS.Obad.a can only decrypt C&C addresses when Internet access is available. This feature further complicates the analysis of this piece of malware.

Some strings are additionally encrypted. The local decryptor receives a coded string in Base64 and decodes it. The decoded string is first decrypted by XORing it with the MD5 of the key, then additionally decrypted with the MD5 of the string "UnsupportedEncodingException". To obtain the MD5 of the key, the same local decryptor decrypts yet another string, which is then used as the argument for MD5. In this way, key strings, such as the name of the function SendTextMessage, are protected.
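The decryption chain just described, as an added example written for this page; it is not code from the Obad.a sample or from Kaspersky Lab. The post does not say whether MD5 is used as a raw digest or a hex string, nor how a 16-byte digest is applied to longer buffers, so this hypothetical reconstruction assumes the raw 16-byte digest is XORed cyclically. Under that assumption it also shows something the post does not spell out: two cyclic XOR stages of equal period collapse into a single 16-byte key, and 16 bytes of known plaintext (such as a recognisable API name) recover that key without knowing either MD5 input.

```python
"""Decoder for the Base64 + double-XOR string obfuscation described above.

Hypothetical reconstruction, not code from the Obad.a sample. Assumptions
the post does not state: MD5 is taken over the UTF-8 bytes of the key
material and used as the raw 16-byte digest, and each digest is XORed
cyclically over the whole Base64-decoded buffer.
"""
import base64
import hashlib
from typing import Dict

# Second-stage constant named in the post.
STAGE2_CONSTANT = "UnsupportedEncodingException"


def _md5(text: str) -> bytes:
    """Raw 16-byte MD5 digest of a string (assumed digest form)."""
    return hashlib.md5(text.encode("utf-8")).digest()


def _xor_cyclic(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key every len(key) bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string(encoded: str, key: str) -> str:
    """Base64-decode, XOR with MD5(key), then XOR with MD5(STAGE2_CONSTANT).

    `key` is the plaintext of the extra string the Trojan decrypts first
    and feeds to MD5, so the caller resolves that string before calling.
    """
    raw = base64.b64decode(encoded, validate=True)
    stage1 = _xor_cyclic(raw, _md5(key))
    stage2 = _xor_cyclic(stage1, _md5(STAGE2_CONSTANT))
    return stage2.decode("utf-8")


def combined_key(key: str) -> bytes:
    """Both stages are 16-byte cyclic XORs, so they collapse to one 16-byte key.

    This is why the second stage adds nothing: recovering one 16-byte
    plaintext/ciphertext pair recovers the whole effective key.
    """
    return _xor_cyclic(_md5(key), _md5(STAGE2_CONSTANT))


def recover_key_from_pair(plaintext: str, encoded: str) -> bytes:
    """Known-plaintext recovery of the combined 16-byte key."""
    raw = base64.b64decode(encoded, validate=True)
    pt = plaintext.encode("utf-8")
    if len(pt) < 16:
        raise ValueError("need at least 16 bytes of known plaintext")
    return _xor_cyclic(raw[:16], pt[:16])


def encrypt_string(plaintext: str, key: str) -> str:
    """Inverse of decrypt_string; used here only to build constructed test vectors."""
    stage2 = _xor_cyclic(plaintext.encode("utf-8"), _md5(STAGE2_CONSTANT))
    stage1 = _xor_cyclic(stage2, _md5(key))
    return base64.b64encode(stage1).decode("ascii")


def decrypt_table(encoded_strings: Dict[str, str], key: str) -> Dict[str, str]:
    """Batch-decode a {label: base64} table dumped from the DEX, as an analyst would."""
    return {label: decrypt_string(value, key) for label, value in encoded_strings.items()}


if __name__ == "__main__":
    # Constructed sample: the key string stands in for what the first decryptor yields.
    sample_key = "constructed-key-string"
    table = {label: encrypt_string(label, sample_key)
             for label in ("sendTextMessage", "getSystemService", "device_policy")}
    for label, plain in decrypt_table(table, sample_key).items():
        print(f"{table[label]} -> {plain}")
```

The practical point for an analyst is in `combined_key` and `recover_key_from_pair`: once one obfuscated string is matched to a known plaintext of 16 or more bytes, every other string encoded under the same key can be decoded without reproducing the MD5 derivation at all.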

We began our analysis and were able to decipher all the strings:

With the decryption results on hand, we were able to reproduce the application's working algorithm.

Obtaining privileges

Immediately after it starts, the application attempts to obtain Device Administrator privileges.

As we wrote above, one feature of this Trojan is that the malicious application cannot be deleted once it has gained administrator privileges: by exploiting a previously unknown Android vulnerability, the malicious application enjoys extended privileges, but is not listed as an application with Device Administrator privileges.

We have already informed Google about the Device Administrator vulnerability in Android.

With the extended Device Administrator privileges, the Trojan can block the device's screen for up to 10 seconds. This typically happens after the device is connected to a free Wi-Fi network or Bluetooth is activated; with a connection established, the Trojan can copy itself and other malicious applications to other devices located nearby. It's possible that this is how Backdoor.AndroidOS.Obad.a tries to prevent the user from discovering its malicious activity.

Also, the Trojan attempts to obtain root privileges by performing the command "su id".

Communication with the owners

The information about whether superuser privileges have been successfully obtained is sent to the C&C server. Obtaining root privileges can put cybercriminals in an advantageous position when executing commands on the console remotely.

After the first launch, the malicious application collects the following information and sends it to the C&C server at androfox.com:

  • MAC address of the Bluetooth device
  • Name of operator
  • Telephone number
  • IMEI
  • Phone user's account balance
  • Whether or not Device Administrator privileges have been obtained
  • Local time

The collected information is sent to the server in the form of an encrypted JSON object.

This information is sent to the current C&C server every time a connection is established. In addition, the malicious program reports its current status to its owner: it sends the current table of premium numbers and prefixes to which text messages are sent (the "aos" parameter), the task list ("task"), and the list of C&C servers. During the first C&C communication session, it sends a blank table and the list of C&C addresses decrypted as described above. During a communication session, the Trojan may receive an updated table of premium numbers and a new list of C&C addresses.

In response, the C&C server sends another JSON object which might look like this after decryption:

{"nextTime":1,"conf":{"key_con":"oKzDAglGINy","key_url":"3ylOp9UQwk",
"key_die":"ar8aW9YTX45TBeY","key_cip":"lRo6JfLq9CRNd6F7IsZTyDKKg8UGE5EICh4xjzk"}}

nextTime is the time of the next connection to a C&C server;

conf holds the configuration strings.

Configuration strings can contain instructions to connect to new C&C servers, tables of numbers with prefixes and keys with destinations for text messages, and new tasks with parameters. In addition, a key for traffic encryption (key_cip) may be sent in conf.

Cybercriminals can also use text messages to control the Trojan. Configuration strings may also contain key strings (key_con, key_url, key_die) that the Trojan will look for in incoming text messages, and perform certain actions accordingly.

Each incoming text message is analyzed for the presence of any of these keys. If a key is found, the appropriate action is performed:

key_con: immediately establish a C&C connection;

key_die: delete tasks from the database;

key_url: connect to a new C&C server. This instruction must be followed by the new C&C address. This way the cybercriminal can create a new C&C server and send its address to infected devices in text messages containing this key. This will make all infected devices reconnect to the new server.

If a "send text message" instruction key is found in conf, the Trojan sends a message to the numbers provided by the C&C. Thus, the infected devices do not even need to have an Internet connection to receive an instruction to send charged text messages.
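The configuration format and the SMS key handling described above, as an added example written for this page; it is not code from the Obad.a sample or from the Kaspersky post. It parses a decrypted C&C response of the JSON shape shown above and then classifies captured SMS bodies against the recovered key strings, so that an incident responder with an SMS dump from an infected device can tell which messages were control messages rather than spam. The field names nextTime, conf, key_con, key_url, key_die and key_cip and the sample response are taken from the post; the order in which the keys are checked and the sample SMS bodies are assumptions.

```python
"""Triage helper for the decrypted C&C configuration described above.

Added example, not code from the Obad.a sample or from the Kaspersky post.
Parses a decrypted response (the JSON shape shown in the post) and
classifies captured incoming SMS bodies against the recovered key strings.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Keys the Trojan looks for in incoming SMS, per the post. The check order is
# an assumption: key_url is tried first because it is the one that carries an
# argument (the new C&C address) after the key.
SMS_KEYS = ("key_url", "key_con", "key_die")
ACTIONS = {
    "key_con": "immediately establish a C&C connection",
    "key_die": "delete tasks from the database",
    "key_url": "connect to a new C&C server",
}


@dataclass
class Config:
    next_time: int               # nextTime: next C&C connection
    sms_keys: Dict[str, str]     # key_con / key_url / key_die -> trigger string
    cipher_key: Optional[str]    # key_cip: traffic encryption key, if sent


def parse_config(decrypted_json: str) -> Config:
    """Parse a decrypted C&C response; reject one without the three SMS keys."""
    obj = json.loads(decrypted_json)
    conf = obj.get("conf")
    if not isinstance(conf, dict):
        raise ValueError("response has no conf object")
    missing = [k for k in SMS_KEYS if not conf.get(k)]
    if missing:
        raise ValueError(f"conf is missing {missing}")
    return Config(
        next_time=int(obj.get("nextTime", 0)),
        sms_keys={k: conf[k] for k in SMS_KEYS},
        cipher_key=conf.get("key_cip"),
    )


def classify_sms(cfg: Config, body: str) -> Optional[dict]:
    """Return the action an SMS body would trigger, or None for a benign message.

    key_url must be followed by the new C&C address, so the remainder of the
    message after that key is reported as the argument.
    """
    for name in SMS_KEYS:
        key = cfg.sms_keys[name]
        idx = body.find(key)
        if idx == -1:
            continue
        hit = {"key": name, "action": ACTIONS[name]}
        if name == "key_url":
            hit["argument"] = body[idx + len(key):].strip()
        return hit
    return None


def triage(cfg: Config, messages: List[str]) -> List[Tuple[str, dict]]:
    """Keep only the captured SMS bodies that match a control key."""
    results = []
    for body in messages:
        hit = classify_sms(cfg, body)
        if hit is not None:
            results.append((body, hit))
    return results


# The decrypted response shown in the post.
SAMPLE_CONFIG = (
    '{"nextTime":1,"conf":{"key_con":"oKzDAglGINy","key_url":"3ylOp9UQwk",'
    '"key_die":"ar8aW9YTX45TBeY","key_cip":"lRo6JfLq9CRNd6F7IsZTyDKKg8UGE5EICh4xjzk"}}'
)

# Constructed SMS bodies; the address uses the reserved .example TLD.
SAMPLE_SMS = [
    "Your balance is 12.50, top up today",
    "3ylOp9UQwk http://new-c2.example/",
    "oKzDAglGINy",
    "Meeting moved to 3pm",
    "ar8aW9YTX45TBeY",
]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for body, hit in triage(cfg, SAMPLE_SMS):
        print(f"{body!r}: {hit}")
```

Because the trigger strings are random-looking tokens rather than words, a plain substring match over an SMS dump is enough to separate control messages from ordinary traffic once the configuration has been decrypted; the same keys rotate whenever a new conf is received, so the dump has to be matched against every configuration recovered from the device, not only the latest one.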

C&C instructions

The Trojan receives instructions from the C&C and records them in the database. Each instruction recorded in this database contains the instruction's sequence number; the time when it must be executed, as ordered by the C&C; and parameters.

Command list:

  1. Send text message. Parameters contain number and text. Replies are deleted.
  2. PING.
  3. Receive account balance via USSD.
  4. Act as proxy (send specified data to specified address, and communicate the response).
  5. Connect to specified address (clicker).
  6. Download a file from the server and install it.
  7. Send a list of applications installed on the smartphone to the server.
  8. Send information about an installed application specified by the C&C server.
  9. Send the user's contact data to the server.
  10. Remote Shell. Executes commands in the console, as specified by the cybercriminal.
  11. Send a file to all detected Bluetooth devices.

This command list enables Obad.a to spread files via Bluetooth. The C&C server sends the Trojan the address of the file to be downloaded to the infected device. On a C&C command, the malicious program scans for nearby devices with Bluetooth enabled and attempts to send the downloaded file to them.

Despite such impressive capabilities, Backdoor.AndroidOS.Obad.a is not very widespread. Over a 3-day observation period using Kaspersky Security Network data, Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware.

To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits. This means that the complexity of Android malware programs is growing rapidly alongside their numbers.


46 comments


helenyuehua

2013 Jun 07, 14:44
1
 

Hi guys:
It's a pleasure to see your good job :)

What is the previously unknown Android vulnerability being exploited? And how does it work?

Reply    

Roman Unuchek

2013 Jun 08, 19:13
0
 

Re:

This app will have DeviceAdmin rights, but it won't be listed in the Device Admin list in settings. It means that it cannot be deleted without root.

Reply    

glentomas123

2013 Jun 07, 18:50
-1
 

Great work

How, when, where is the malware loaded? Seems like some useful info to know.

Reply    

anony

2013 Jun 08, 11:47
0
 

Re: Great work

Nowhere. Scary-omg-ANDROID-viruses posts are not widespread, and can typically be uninstalled by uninstalling the offending application normally (assuming the store you downloaded it from didn't automatically pull it once notified)

Reply    

Roman Unuchek

2013 Jun 08, 12:38
0
 

Re: Great work

How - mostly by SMS spam
When - May 2013
Where - mostly in Russia, but it was in other countries too

Reply    

Kenneth

2013 Jun 07, 19:57
0
 

Excellent work, but I'm a little confused. When you say "the application attempts to obtain Device Administrator privileges",

what happens or what the malware do if the user doesn't have administrator privileges on its phone?

Reply    

anony

2013 Jun 08, 11:46
0
 

Re:

There are two levels of admin privileges on Android: Root and Device Administrator. Root is what you think it is, and is never given out on a normal user's Android device.

Device Administrator are for applications that require much more invasive control (like disabling lock screen and such as you can see in the picture in the post). To uninstall them, you just go into the Device Administrator list and remove the offending entry.

This, of course, assumes that the store you got this from doesn't uninstall it for you automatically.

Reply    

Roman Unuchek

2013 Jun 08, 12:40
0
 

Re: Re:

This Trojan was using a vulnerability in Android. It was not listed in the Device Administrator list.

Reply    

navyjax2

2013 Jun 08, 05:22
0
 

To those that want to know more details, keep in mind - everything posted here is also available to cybercriminals that would love to duplicate and build their own versions of this. There is already a lot of detail on here for the basic construction - let's leave the true workings of the vulnerabilities and how exactly to exploit them safely in the closet so others can't take advantage. For now, let's say it obviously can install itself in an encrypted way, is activated when the phone finds the internet, uses Facebook's decryption key to unravel itself and start phoning home info about the phone, installs apps according to the commands stored on the C and C server, and can be told to send text messages (probably with copies of the virus) to other phones. This is, at least, my understanding after reading this article.

For Kenneth, as a programmer, I can tell you that if you don't run your phone as an admin user, the application should not be able to switch users (use the "su" command it uses) to the "root" user to run under that context. "su" should be an admin-only command if Google implemented it correctly (though this part is obviously questionable).

Glentomas123 brings up a good point, though - it would be nice to know how to avoid infection. Is there any knowledge of how this gets on the phones? A website to avoid? A phishing e-mail attachment not to open?

Reply    

anony

2013 Jun 08, 11:44
0
 

Re:

SU is not installed -- and can not be installed -- on any normal Android OS installation.

It must be added via custom ROMs or rooting.

The amount of people this SU command would affect is extremely small. For those who have SU installed, they should know not to install random crap they find -- it requires some research on the part of the user to achieve it.

Reply    

patricia schneider

2013 Jun 12, 08:52
0
 

Re: Backdoor virus

Ouch, I would say this over and over again: I agree with navyjax2.
Why? Because I have 3 droid phones, 2 droid pads and 1 laptop, and I really am not a hotshot over-the-top geek person; however, I am so careful with what I do online. I don't give out any information to anyone and change passwords every week.
I read so much it gets so confusing for those like the non-geek person; sometimes it's nice to see pages of blogging so full of messages about a virus, because I can catch up on how to be safe with my toys.

Thanks for the truth and nothing but the truth. Even if hackers or smackers do what they do, there are still those like me with help.

Reply    

cstreater

2013 Jun 08, 07:49
0
 

How is this malware distributed

Great article, but it would be helpful to know how this malware makes its way on to the device in the first place.

Reply    

anony

2013 Jun 08, 11:40
0
 

Re: How is this malware distributed

It isn't. People who stay inside Google Play will automatically have this removed even if it made it onto their device.

Assuming you don't have Superuser (99% of all users on all mobile platforms don't), these are the steps to remove this regular application:

1) Settings > Security > Device Administrators
2) Uncheck offending app (at this point, the app only has normal permissions)
3) Uninstall Normally.

SO HARD!

(And if you have SU/superuser, then it's your own fault for not knowing what it is before enabling that feature.)

Reply    

Roman Unuchek

2013 Jun 08, 12:44
0
 

Re: Re: How is this malware distributed

This app will not be listed in the Device Administrator list. So if the user does not have SU, he won't be able to delete this app.

Reply    

Roman Unuchek

2013 Jun 08, 12:44
0
 

Re: How is this malware distributed

It was SMS spam.

Reply    

cstreater

2013 Jun 10, 11:26
0
 

Re: Re: How is this malware distributed

Thanks, Roman. So, the victim receives an unsuspecting malicious SMS link, and when the user clicks it, the malware has now infected the device. Is that correct? It sounds like apps acquired through Google Play and other legitimate markets are not affected.

Reply    

Roman Unuchek

2013 Oct 08, 15:35
0
 

Re: Re: Re: How is this malware distributed

We haven't seen these apps in Google Play or in other legitimate markets.

Reply    

Hacksperger

2013 Jun 08, 11:05
0
 

Very important discovery

Probably the best laboratory in the world. Excellent work. Admirable. Thank you.

Reply    

Roman Unuchek

2013 Jun 08, 19:13
0
 

Re: Very important discovery

Thank you!

Reply    

Ipad3User

2013 Jun 08, 19:35
0
 

Probable Ipad3 Virus or Phishing

Has appeared on my Ipad 3 twice in the past two days:

" Android Security Scan "

http://user-rewards.com-user.mobi

Security Warning!

Your phone has (7) serious errors!

Press OK below to start the repair process...

OK "

I have not pressed OK, however, I cannot cancel with X or Escape or use the Back Arrow to release the screen. I must reboot to clear the above banner announcement once it has appeared in Safari.

I am noting the use of dashes instead of slashes in the IP address.

Searched on Google and Kaspersky but no luck yet.

Help?

Reply    

VinceXie

2013 Jun 09, 13:17
0
 

Wonderful decryption

The malware used a lot of encryption. How could you decrypt all the strings? Hope you can reply to me, thanks a lot.

Reply    

Roman Unuchek

2013 Oct 08, 15:31
0
 

Re: Wonderful decryption

Patching the app is the simplest way to decrypt all strings.

Reply    

Bildos

2013 Jun 10, 15:07
0
 

...

How to protect???

Reply    

Roman Unuchek

2013 Oct 08, 15:30
0
 

Re: ...

Use AV software like KMS

Reply    

an12349

2013 Jun 10, 23:10
0
 

passwords

could it log your gmail password? I'm afraid that I may have received a phone with this preinstalled on it unbeknownst to me.

Would a factory reset // full wipe be able to get rid of this thing?

Reply    

Roman Unuchek

2013 Oct 08, 15:30
0
 

Re: passwords

No, it did not log passwords.
You can just use special software like KMS.

Reply    

Chris Smith

2013 Jun 13, 13:21
0
 

Content of the text message/link

Could you say what was the content of the text message (and link) that was sent out?

Reply    

Roman Unuchek

2013 Oct 08, 15:29
0
 

Re: Content of the text message/link

There were some different messages. You can read about them here: http://www.securelist.com/en/blog/8131/Obad_a_Trojan_now_being_distributed_via_mobile_botnets

Reply    

Jessie

2013 Jun 14, 20:15
0
 

Bluetooth propagation

Roman, great analysis! Could you tell if there was a unique method of bluetooth propagation? Or does it spread by just having admin privileges to the bluetooth and bluetooth_admin APIs, which would make a potential victim in proximity still have to accept a connection in order to infect their phone as well. Thank you.

Reply    

Roman Unuchek

2013 Oct 08, 15:27
0
 

Re: Bluetooth propagation

Thank you!
No, they do not use any unique methods for Bluetooth.
They just have the ability to initiate sending a file through Bluetooth.

Reply    

1Mirek

2013 Jun 15, 10:27
0
 

lol, most sophisticated Trojan. What you found is this https://www.youtube.com/watch?v=C-p0gg7z3b8 from my friend; he made it so we can have some fun, and you Kaspersky noobs go berserk mode immediately, telling the world how smart you are. Rather, fix your so-called "anti-virus" program, because you are ripping people off, and what you're selling sure ain't anti-virus software, more like a huge memory consumer... stupid Russians

Reply    

Roman Unuchek

2013 Oct 08, 15:12
0
 

Re:

no, it is another app

Reply    

1Mirek

2013 Jun 15, 10:44
0
 

And btw, it is an 'Android Surveillance Application', not a trojan or virus. I know it sounds cool to you because you can then sell more of your "anti" virus; it is more like anti-memory than anti-virus, definitely.

Reply    

CeeJayBee

2013 Jun 27, 23:16
0
 

Re:

Hope this doesn't sound like a YouTube rant but here goes...

A. KL are great at protecting people like you from viruses.

B. Your 'anti-virus' is probably spyware or rogueware.

C. Learn to spell.

Also, great report! As an Android user myself I rarely install Google Play apps that I don't know of, or follow those 'ur phone haz (4) viruzes' ads, but this is an educational report. Thanks again!

- CeeJayBee

EDIT: Also, you signed up on the day you posted these messages, and these are your only comments.

Reply    

Roman Unuchek

2013 Oct 08, 15:10
0
 

Re: Re:

Thank you!

Reply    

Roman Unuchek

2013 Oct 08, 15:09
0
 

Re:

No, it is not

Reply    

OreoX

2013 Jun 15, 22:18
0
 

newcomer question

This is amazing. I have several questions that may sound stupid. Why did the writers try to encrypt the strings? When we run this app, does it decrypt itself first?

Reply    

Roman Unuchek

2013 Oct 08, 15:08
0
 

Re: newcomer question

Hello,
Thank you!
Cybercriminals did it to complicate analysis of this app.
Yes, it will decrypt strings after it starts.

Reply    

dungelin

2013 Aug 11, 20:51
0
 

Great analysis

This is a great analysis; maybe many companies that use DexGuard are aware of this. Can you tell me how you can decrypt all those strings and classes?

Reply    

Roman Unuchek

2013 Oct 08, 15:06
0
 

Re: Great analysis

Hello,
Thank you!
Patching the app is the simplest way.

Reply    

Jeffery

2013 Sep 09, 12:21
0
 

Great analysis!

Can you list the sample's MD5?

Reply    

Roman Unuchek

2013 Oct 08, 15:05
0
 

Re: Great analysis!

Hello,
Thank you.
e1064bfd836e4c895b569b2de4700284
fd8bdf6df57e2eb6e02c6f3210af0bfc

Reply    

LeeShiro17

2013 Sep 29, 11:06
0
 

Guys! I was victimized by this Trojan..

And all I can say is this malware is so dangerous that it can render your phone unusable when it has gained privileged access to the phone you are using. Also, the only thing that is the last resort for your phone to be usable again is to perform a factory data reset. :(

Reply    

Stefano

2013 Nov 02, 16:49
0
 

Help

Is there a way to tell if I'm infected?

Reply    

xiaogang

2014 Apr 09, 06:56
0
 

Re: Help

You can find the difference between the list from ((DevicePolicyManager) this.getSystemService("device_policy")).getActiveAdmins() and the list from queryBroadcastReceivers for the DEVICE_ADMIN_ENABLED intent; if they are different, maybe you have been infected!

Reply    

Art

2014 Apr 09, 02:50
0
 

dex2jar

Dear mr. Unuchek,

I know that this analysis was some time ago; however, I have to research this particular piece of malware at this moment and I was wondering how you dealt with the dex2jar exploit.
I'm struggling to recompile after I've removed the :goto_x labels in the smali files due to the AndroidManifest exploit (apktool fails to recompile it)

It would help me ever so much to see how you tackled this issue

Reply    