Android Malware "Obad" Called Most Sophisticated Yet

chicksdaddy writes "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device, and to block attempts to remove the malicious application, The Security Ledger reports. The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a 'multi function Trojan.' Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. However, it is capable of downloading additional modules and of spreading via Bluetooth connections. Writing on the Securelist blog, malware researcher Roman Unuchek called the newly discovered Trojan the 'most sophisticated' malicious program yet for Android phones. He cited the Trojan's advanced features, including complex code obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allows Obad to elevate its privileges on infected devices and block removal."

Re:Vulnerability extends application's permissions

[phantomfive]

It's not about sandboxing, the malware uses a previously undiscovered privilege escalation exploit. It doesn't matter how good the design of your sandbox is, once that kind of exploit is found, the sandboxing is pointless.

I don't think this is going to change because Android programmers are sloppy. To give evidence of this, here is what happened to me today: I opened a few Java files from Android in Eclipse, and looked at the warnings. Within a few minutes I had found 5 different bugs just from reading the warnings in the compiler output. Google programmers have been known to publicly say bugs are no big deal [google.com]. If that attitude has really spread around the company, how capable do you think they will be of writing secure sandbox code?

I was prompted .. so I came xD

[OhANameWhatName]

Where does Google sit in the Android heap? They don't sell the phones, they don't take responsibility for the impact of the Malware? Oh yeah! That's right, they just develop the software then 'give it away' to the world .. warts and all.

It sickens me a great deal to see the Google's, Facebooks & Microsoft's of the world just sit back in their soft leather sided armchairs watching other people to discover the security flaws in their software. Microsoft has done it for years with the third party 'Virus Scanner' software providers. Now Google has picked up on the trend .. they can write the software which mines whatever information is useful to their behaviour analysis software without taking any responsibility for the damage they do.

This is what I call an unsustainable business practice. People have to wake up to the understanding that they're being abused. But far, far more importantly .. corporations need to understand that there is no competition, just compromise.