Security Android

Android Malware "Obad" Called Most Sophisticated Yet

Posted by samzenpus
from the protect-ya-neck dept.
chicksdaddy writes "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device, and to block attempts to remove the malicious application, The Security Ledger reports. The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a 'multi function Trojan.' Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. However, it is capable of downloading additional modules and of spreading via Bluetooth connections. Writing on the Securelist blog, malware researcher Roman Unuchek called the newly discovered Trojan the 'most sophisticated' malicious program yet for Android phones. He cited the Trojan's advanced features, including complex code obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allows Obad to elevate its privileges on infected devices and block removal."
This discussion has been archived. No new comments can be posted.

  • Follow the Money? (Score:5, Informative)

    by EvilDroid (705289) on Thursday June 06, 2013 @07:47PM (#43931275)
    This one should be pretty easy, no? Which premium numbers benefited from the text messages?
    • You can't punish the premium number guys, they might not have anything to do with this. (They could have 4 or 5 legit numbers in the list) A better way would be to have a pop up screen/window asking permission for anything that costs money. (and have something similar for roaming costs)
      • by EvilDroid (705289)
        Why would someone write malware that dumps money into some unrelated stranger's bank account?
        • by Anonymous Coward

          By adding a few unrelated accounts alongside the malware author's accounts, he now has plausible deniability to say he was also just a random person targeted.

        • Why would someone write malware that dumps money into some unrelated stranger's bank account?

          Plausible deniability.

        • 5 accounts, 1 is yours and 4 aren't. It gets a lot easier to deny it was you that did it.
      • by Anonymous Coward

        The latest version of cyanogen actually has this feature. Anytime a text is attempted to be sent to a premium number or service the OS itself blocks it then prompts the user and asks if they wish to allow it to be sent. It also gives the option to always allow or just allow once and no matter which you choose it will prompt any time a new number is used in the recipients field. Google should merge that code into aosp

        • by SuperKendall (25149) on Friday June 07, 2013 @02:29AM (#43933299)

          The latest version of cyanogen actually has this feature. Anytime a text is attempted to be sent to a premium number or service the OS itself blocks

          Until the malware removes the block of course... If it can escalate permissions it can probably also take out a lot of system safeguards.

          • by scot4875 (542869)

            Until the malware removes the block of course... If it can escalate permissions it can probably also take out a lot of system safeguards.

            And can the malware do this, or is this just uninformed conjecture masquerading as "insight" coming from an Apple troll?

            --Jeremy

      • by Elbart (1233584)
        SMS confirmation was released with 4.2. Too bad next to no user will get that version.
  • A fitting name... (Score:4, Informative)

    by denzacar (181829) on Thursday June 06, 2013 @07:58PM (#43931343) Journal

    Obad is Bosnian (also Croatian and Serbian) for horse-fly. [wikipedia.org]

  • by dgharmon (2564621) on Thursday June 06, 2013 @08:11PM (#43931403) Homepage
    "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device"

    Yes, the vulnerability requires prompting the user to explicitly install the app and explicitly raise permissions.

    "Do you want to install this application?"

    "Activate device administrator?"
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      As if that would be of any defense against the malware.
      NO normal user hesitates to click OK. Most won't even understand what the messages mean. Remember: most people are not geeks.

      The fault is solely on Android for not properly sandboxing apps. It would also help to be able to selectively set permissions instead of the current all or nothing approach. For example: Yes install, but no, you may NOT access the address book or the SMS API.

      • by phantomfive (622387) on Thursday June 06, 2013 @09:18PM (#43931835) Journal
        It's not about sandboxing, the malware uses a previously undiscovered privilege escalation exploit. It doesn't matter how good the design of your sandbox is, once that kind of exploit is found, the sandboxing is pointless.

        I don't think this is going to change because Android programmers are sloppy. To give evidence of this, here is what happened to me today: I opened a few Java files from Android in Eclipse, and looked at the warnings. Within a few minutes I had found 5 different bugs just from reading the warnings in the compiler output. Google programmers have been known to publicly say bugs are no big deal [google.com]. If that attitude has really spread around the company, how capable do you think they will be of writing secure sandbox code?
      • Okay, firstly side-loading has to be enabled to install anything that isn't on Google Play. So instantly 99.9% of users are not vulnerable. Okay, it can spread through Bluetooth but that requires you have already paired your device with an infected one manually. Most people pair their devices with things like their car and headset, not other random phones.

        Then when you do install the app the warning message that appears is very different to the one you see on Google Play and explains that you should not trust unknown sources. It's not like "oh another UAC prompt, click yes to continue", it is a different and more scary warning that most users will never have seen before.

        It's basically like Mac or Linux malware. It exists but you have to be incredibly dumb to fall victim to it. There isn't really much more anyone can do to help people who are that stupid.

        • by Anonymous Coward

          Okay, firstly side-loading has to be enabled to install anything that isn't on Google Play. So instantly 99.9% of users are not vulnerable.

          Uhh, excuse me, Mr. Ignorant, but Google Play isn't available in some markets, such as China. So, you might want to go back and check your 99.9% figure again.

      • by oobayly (1056050)

        When showing colleagues how to use their new Android phones I always explain the permissions to them, especially the Contacts, SMS and Calling permissions. The wording I use is "If it's something like Skype, it needs to read your contacts. If it's a football game, it doesn't - don't install it"

        On more than one occasion I've been told "how am I supposed to remember that?", to which I reply (I work in a motor-trade related business, so I use an obligatory car analogy) "When you drive into a petrol station, do y

      • by thegarbz (1787294)

        NO normal user hesitates to click OK. Most won't even understand what the messages mean. ...

        It would also help to be able to selectively set permissions instead of the current all or nothing approach. For example: Yes install, but no, you may NOT access the address book or the SMS API.

        I'm sorry but the solution to a user clicking OK to an indecipherable message is to provide an indecipherable message to the user?

        If Microsoft's UAC has taught us anything it is to NOT bombard the user with "Click here to make your system work" messages which only desensitize them to actual warnings.

    • Yeah basically this. When a user installs an app, they are told what permissions the app is asking for. You agree to it upon clicking OK. When creating these apps, it is as simple as putting a few lines of XML in the manifest for Resource to access here
  • by TranquilVoid (2444228) on Thursday June 06, 2013 @08:28PM (#43931511)

    Most sophisticated? Take that iOS!

  • Really, is it that complex?

    • by exomondo (1725132)
      And what authenticates it?
    • by smash (1351)

      As per my other post, an end user, prompted for authorisation to install something they downloaded (even if it is malicious) is going to click "yes" or enter their password. Without a development background, the source code, possibly a debugger and a few days up their sleeve, the choice to install or not is entirely uninformed.

      It is blind luck as to whether or not the app they have downloaded is trojaned or not, unless it has been vetted upstream in some manner.

      • by gelfling (6534)

        I was thinking more along the lines of don't allow the installation of anything unless the user punches in some always varying pin code that's sent along a different channel. It's not a wonderful fix but the simple act of forcing someone to wait and then do a few manual things might address part of the issue. After all it's not precisely that people are blindly allowing things on their phones, it's the privileges on their account that allow them to do that. At work in the Linux world if your company is g

        • by smash (1351)
          You have replaced a code signing certificate (of say, 2048 bits of entropy) with a PIN. Other than that, you have described code-signing. And again, relying on the user to run SUDO or not puts the security in the hands of the user. Who is often a muppet and has no idea what they are doing with regards to security or doesn't care. Until they get owned. Making them jump through hoops to install things is still going to result in them installing things they shouldn't.
  • The method of obtaining install permissions and privilege escalation don't look particularly "unknown".
    It seems as though the app just asks for it and waits for the user to say yes.

    Did I miss something or does this look like every other non-event Android malware except with a new crypto scheme?
    http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan
    • It seems as though the app just asks for it and waits for the user to say yes.

      Did I miss something or does this look like every other non-event Android malware

      The frightening thing is that you actually believe this to be a non-event.

      You sit in your high tower built atop the bones of those unfortunate enough not to understand if they should say yes or not. But hey the system lets you change wall paper really easily, so fuck the 100 million people or whatever that must perish so you can have full flexibility

      • by slater86 (1154729)
        I'm calling non-event because every time the Media reports these "Emerging Critical Threats" like the sky is falling, a month down the track nothing happens.
        Maybe, at most 1000 people in China infect their device by manually enabling side-loading for pirated apps and the rest of the world gets on with life.

        I'm suggesting it's not sophisticated or unknown because it just asks for permission through the intended API, i.e. Not A Bug. I didn't mention anything about how the user perceives the question, that comple
      • by oobayly (1056050)

        As I've said previously, most people who this will happen to are lazy, and for some inexplicable reason, proud that they don't know anything about "computers". I'm not defending the GP, it's a shit attitude for those people to have, and it's a shit attitude to say "they deserved it".

        However, in my office I explain permissions (with examples) to people with new Android phones. Some make a show of saying they'll never remember that. I use a car analogy (which I've already posted [slashdot.org] - not a karma whore) which goe

  • by Anonymous Coward

    However, it is capable of downloading additional modules and of spreading via Bluetooth connections.

    If that's what it looks like, it's the first I've heard of that doesn't need user interference to spread. That's a Big Deal, unlike anything in most of these stories.

  • by smash (1351)
    ... where's the iOS version? Oh wait...
  • Where does Google sit in the Android heap? They don't sell the phones, they don't take responsibility for the impact of the Malware? Oh yeah! That's right, they just develop the software then 'give it away' to the world .. warts and all.

    It sickens me a great deal to see the Googles, Facebooks & Microsofts of the world just sit back in their soft leather sided armchairs watching other people discover the security flaws in their software. Microsoft has done it for years with the third party 'Virus
  • I don't get it, if the malware has the ability to "exploit vulnerabilities in Google’s mobile operating system to extend the application’s permissions on the infected device" then why does it need to ask for a bunch of obviously suspicious permissions [wp.com]?

    Seems like whatever vulnerability they've discovered must be relatively minor or they wouldn't need to ask for any additional permissions.
