The Obad.a Android Trojan first analyzed by Kaspersky Lab in June has turned out to have an innovative and predatory capability to piggyback on botnets controlled by third-party criminal networks.
This behavior was spotted when the firm noticed that smartphones that had been infected with the hugely successful but apparently unrelated Opfake.a Trojan were being used as a launching pad for Obad.a to send malicious links to everyone in that victim's address book.
According to Kaspersky, the malware was also being spread via convincing-looking copies of the Google Play store as well as a campaign of mobile spam. Someone wants to get Obad.a on to as many Android devices as possible.
So far, they've been successful in Russia with a smaller number of infections in nearby republics such as Ukraine, Belarus, Uzbekistan, and Kazakhstan. One Russian mobile network had detected 600 of Obad's spam messages in a matter of hours, suggesting that its piggyback tactic was working, Kaspersky said.
"In three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation, and each used an Android OS vulnerability that gives the malware DeviceAdministrator rights and made it much more difficult to delete," said Kaspersky researcher Roman Unuchek.
The vulnerability in question had been closed in Android 4.3, which meant that large numbers of devices not running this version remained vulnerable, he added.
"Obad.a, which uses a large number of unpublished vulnerabilities, is more like Windows malware than other Trojans for Android," Unuchek said.
Although Obad.a is at core just another SMS fraud Trojan targeting Russian Android users, its complexity and innovation has surprised researchers. As well as exploiting flaws in Android, it has been designed to download secondary capabilities as it pleases.
Last month, research by Lookout Mobile Security determined that the Russian criminals sector dedicated to creating mobile SMS fraud apps could be controlled by as few as ten organizations.
This story, "Android Trojan appears to launch off earlier botnet" was originally published by Techworld.com.