A new piece of sophisticated Android malware has been discovered by security researchers at Kaspersky Labs. Dubbed Backdoor.AndroidOS.Obad.a, it is the most sophisticated piece of Android malware ever seen.

It exploits multiple vulnerabilities, blocks uninstall attempts, attempts to gain root access, and can execute a host of remote commands. It includes complex obfuscation techniques that complicate analysis of the code, and it uses a previously unknown vulnerability in Android to take control of, and maintain a foothold on, infected devices.

Obad exploits two previously unknown Android vulnerabilities. It can gain device administrator privileges, making it virtually impossible for a user to remove it from the device.

Another flaw in the Android OS relates to the processing of the AndroidManifest.xml file. This file exists in every Android application; it describes the application's structure and defines its launch parameters.

"The malware modifies AndroidManifest.xml in such a way that it does not comply with Google standards, but is still correctly processed on a smartphone thanks to the exploitation of the identified vulnerability," said a Kaspersky Lab expert. "All of this made it extremely difficult to run dynamic analysis on this Trojan."
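The two things described above, a device administrator registration that blocks removal and a manifest that may not be well-formed, are exactly what a static triage pass checks first. The Python below is an added example, not code from Kaspersky Lab, The Hacker News or any malware sample. It parses a text-form AndroidManifest.xml (as produced by decoding the binary manifest with apktool; the function names, the sample manifest and the package name com.example.suspicious are constructed for this example) and flags a device-admin receiver, a missing launcher activity and sensitive permissions, and treats a manifest that fails to parse as a finding in its own right.

```python
"""Static triage of a decoded AndroidManifest.xml (added example, not
Kaspersky's or The Hacker News' code). Assumes the manifest was already
decoded from binary XML to text, e.g. by apktool; the sample is constructed."""
import xml.etree.ElementTree as ET

# ElementTree spells namespaced attributes as "{uri}name"
A = "{http://schemas.android.com/apk/res/android}"

# Permissions that deserve a second look next to a device-admin request:
# SMS, contact and network access are what an SMS-stealing bot needs.
SENSITIVE_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.INTERNET",
}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def _filter_names(component, tag):
    """Names of every <action> or <category> in the component's intent filters."""
    return {el.get(A + "name")
            for flt in component.findall("intent-filter")
            for el in flt.findall(tag)}


def triage_manifest(xml_text):
    """Parse a text AndroidManifest.xml and return a dict of findings.

    A manifest that is not well-formed XML is itself a finding: a tool that
    cannot parse the manifest cannot analyse the app either."""
    findings = {"parse_error": None, "package": None,
                "sensitive_permissions": [], "device_admin_receivers": [],
                "has_launcher_activity": False}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings["parse_error"] = str(exc)
        return findings
    findings["package"] = root.get("package")
    findings["sensitive_permissions"] = sorted(
        p.get(A + "name") for p in root.findall("uses-permission")
        if p.get(A + "name") in SENSITIVE_PERMS)
    app = root.find("application")
    if app is None:
        return findings
    for recv in app.findall("receiver"):
        # A device-admin receiver is protected by BIND_DEVICE_ADMIN and listens
        # for DEVICE_ADMIN_ENABLED; once activated, the app cannot be
        # uninstalled until the user revokes the admin role again.
        if (recv.get(A + "permission") == DEVICE_ADMIN_PERM
                or DEVICE_ADMIN_ACTION in _filter_names(recv, "action")):
            findings["device_admin_receivers"].append(recv.get(A + "name"))
    for act in app.findall("activity"):
        # An app with no MAIN/LAUNCHER activity never shows up in the app drawer.
        if ("android.intent.action.MAIN" in _filter_names(act, "action") and
                "android.intent.category.LAUNCHER" in _filter_names(act, "category")):
            findings["has_launcher_activity"] = True
    return findings


def risk_summary(findings):
    """Turn findings into short flags an analyst can act on."""
    if findings["parse_error"]:
        return ["manifest is not well-formed XML: " + findings["parse_error"]]
    flags = []
    if findings["device_admin_receivers"]:
        flags.append("requests device-administrator role")
    if not findings["has_launcher_activity"]:
        flags.append("no launcher activity (runs with no visible UI)")
    if findings["sensitive_permissions"]:
        flags.append("sensitive permissions: " + ", ".join(findings["sensitive_permissions"]))
    return flags


# Constructed sample: a UI-less app that asks for SMS and contact access and
# declares a device-admin receiver. Not taken from any real malware sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspicious">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Service">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".BackgroundService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(risk_summary(triage_manifest(SAMPLE_MANIFEST)))
```

Run against a decoded manifest, the three flags together (device-admin receiver, no launcher activity, SMS and contact permissions) describe precisely the profile of a background SMS Trojan; a parse error on a manifest the device nonetheless installed is the signal to look closer at how the platform's own manifest parser treated the file.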

Like many modern malicious programs, Obad is modular, with the ability to receive software updates directly from C&C servers controlled by the attackers.

Obad is very similar to the 'Android Malware Engine' that was developed and demonstrated by Mohit Kumar (Founder, The Hacker News) at the Malcon conference last year.

The Android Malware Engine can abuse hundreds of Android platform features, and its command-and-control server communicates with it through stealthy channels to execute commands and steal user data. The Trojan has no user interface at all; it works entirely in the background.

The malware engine's features include:
  • Downloading a file from the server and installing it
  • Acting as a proxy server, HTTP server or FTP server
  • Stealing, sending, deleting and creating text messages, contacts and call logs
  • Turning off Wi-Fi, GPS, Bluetooth and vibration
  • Ransomware
  • A remote shell, including installing an SSH server on the device
  • Extracting the list of all applications and antivirus products installed
  • Stealing WhatsApp conversations
  • Forwarding messages and calls to malicious numbers
  • Controlling all infected devices as bots for SMS and network DDoS attacks
  • Modifying the permission model and randomizing classes to evade behaviour- and signature-based antivirus
  • Locating victims via live GPS on a world map

Researchers at Kaspersky Labs say that, fortunately, the Trojan has not spread widely, and that they have notified Google of the Android vulnerabilities the Trojan exploits.

Android's rapid gains in the mobile market have raised concerns that the mobile OS will become a target in the way Microsoft's Windows was in the PC space.