Kaspersky Labs Special Report: Mobile Malware
The explosive growth in mobile malware that began in 2011 has continued this year. There are
now more than 148,427 mobile malware modifications in 777 families. The vast majority of it,
as in recent years, is focused on Android – 98.05% of mobile malware found this year targets
this platform. This is no surprise. This platform ticks all the boxes for cybercriminals: it’s
widely used, it’s easy to develop for and people using Android devices are able to download
programs (including malware) from wherever they choose. This last factor is important:
cybercriminals are able to exploit the fact that people download apps from Google Play,
from other marketplaces, or from other web sites. It’s also what makes it possible for
cybercriminals to create their own fake web sites that masquerade as legitimate stores. For this
reason, there is unlikely to be any slowdown in development of malicious apps for Android.

The malware targeting mobile devices mirrors the malware commonly found on infected
desktops and laptops – backdoors, Trojans and Trojan-Spies. The one exception is SMS-Trojan
programs – a category exclusive to smartphones.

The threat isn’t just growing in volume. We’re seeing increased complexity too. In June we
analyzed the most sophisticated mobile malware Trojan we’ve seen to date, a Trojan named Obad.
This threat is multi-functional: it sends messages to premium rate numbers, downloads and installs other malware,
uses Bluetooth to send itself to other devices and remotely performs commands at the console.

This Trojan is also very complex. The code is heavily obfuscated and it exploits three
previously unpublished vulnerabilities. Not least among these is one that enables the Trojan to
gain extended Device Administrator privileges – but without it being listed on the device as one
of the programs that have these rights. This makes it impossible for the victim to simply remove
the malware from the device. It also allows the Trojan to block the screen. It does this for no
more than 10 seconds, but that’s enough for the Trojan to send itself (and other malware) to
nearby devices – a trick designed to prevent the victim from seeing the Trojan’s activities.

Obad also uses multiple methods to spread. We’ve already mentioned the use of Bluetooth. In
addition, it spreads through a fake Google Play store, by means of spam text messages and
through redirection from cracked sites. On top of this, it’s also dropped by another mobile
Trojan – Opfake. The cybercriminals behind Obad are able to control the Trojan using pre-defined
strings in text messages. The Trojan can perform several actions, including sending text
messages, pinging a specified resource, operating as a proxy server, connecting to a
specified address, downloading and installing a specified file, sending a list of apps installed
on the device, sending information on a specific app, sending the victim’s contacts to the server
and performing commands specified by the server.

The Trojan harvests data from the device and sends it to the command-and-control server –
including the MAC address of the device, the operating name, the IMEI number, the account
balance, local time and whether or not the Trojan has been able to successfully obtain Device
Administrator rights. All of this data is uploaded to the Obad command-and-control server: the
Trojan first tries to use the active Internet connection and, if no connection is available,
searches for a nearby Wi-Fi connection that doesn’t require authentication.
22 Cyber Warnings E-Magazine – December 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide