New Android Trojan app exploits previously unknown flaws

Posted June 7, 2013 (categories: Networking, Security, Technology; tags: Android, malware)

A newly discovered Trojan program exploits previously unknown flaws in Android and borrows techniques from Windows malware in order to evade detection and achieve persistence on infected devices.

Security researchers from antivirus firm Kaspersky Lab named the new malicious application Backdoor.AndroidOS.Obad.a and labeled it the most sophisticated Android Trojan program to date.

The malware is designed to send SMS messages to premium-rate numbers and allows attackers to execute rogue commands on infected devices by opening a remote shell. Attackers can use the malware to steal any kind of data stored on compromised devices or to download additional malicious applications that can be installed locally or distributed to other devices over Bluetooth.

The Obad.a Trojan program makes heavy use of encryption and code obfuscation in order to hinder analysis efforts, Kaspersky researcher Roman Unuchek said Thursday in a blog post.

An intelligent bug

"Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts," the researcher said. "However, it is rare to see concealment as advanced as Obad.a's in mobile malware."

In addition to using encryption and code obfuscation techniques, the malware also exploits previously unknown bugs in Android and third-party software, Unuchek said.

For example, the malicious application exploits an error in a piece of software called DEX2JAR that is used by malware analysts to convert Android application packages (APKs) into Java Archive (JAR) files.

"This vulnerability spotted by the cybercriminals disrupts the conversion of Dalvik bytecode into Java bytecode, which eventually complicates the statistical analysis of the Trojan," Unuchek said.

The malware also abuses a bug in the way Android processes AndroidManifest.xml files. These files are found in every application and contain information about the application's structure and launch parameters.

The Trojan program contains a specially crafted AndroidManifest.xml that does not conform to Google's specification but is still processed correctly by the Android OS, Unuchek said. This makes dynamic analysis of the malware extremely difficult, he said.

When first executed, Obad.a prompts users for device administrator privilege. Applications that gain this privilege can no longer be uninstalled through the regular apps menu until they are removed from the administrators list in the security settings menu.

The Obad.a malware exploits a previously unknown flaw in the Android OS in order to hide itself from the administrators list, leaving users unable to revoke the privilege and uninstall the app. "We have already informed Google about the Device Administrator vulnerability in Android," Unuchek said.

In addition, on rooted devices, the malware tries to gain root privileges by executing the "su id" command, said Denis Maslennikov, a senior malware analyst at Kaspersky Lab, Friday via email. Like gaining administrative privileges, gaining root access requires user permission, he said.

"Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek said.

The new Trojan program is distributed through SMS spam, but is not very widespread at the moment. According to detection statistics from Kaspersky Lab, installation attempts for Obad.a amounted to only 0.15 percent of the total number of malware infection attempts on mobile devices over a three-day period.

That said, Maslennikov believes that other Android malware threats will adopt advanced techniques like the ones used by this malware in the future. "We think that similar techniques are going to be more widespread very soon," he said.

via New Android Trojan app exploits previously unknown flaws | PCWorld: http://www.pcworld.com/article/2041030/new-android-trojan-app-exploits-previously-unknown-flaws-researchers-say.html