back to article Sneaky new Android Trojan is WORST yet discovered

Security researchers at Kaspersky Lab report that a recently discovered Android Trojan is the most sophisticated such mobile malware yet to be identified. In a post to Kaspersky Lab's Securelist blog, security expert Roman Unuchek describes the malicious program, dubbed Backdoor.AndroidOS.Obad.a or "Obad" for short, as being …

COMMENTS

This topic is closed for new posts.

Page:

  1. dshan
    Unhappy

    What Security?

    So Google will soon issue a fix for the vulns that allow this malware to infect Android devices, and in about two years about 50% of Android users will be on a release that includes the fix. Excellent.

    1. Paul Crawford Silver badge

      Re: What Security?

      That is a valid point, and not just about Android.

      It is high time that all devices with embedded software had a legal requirement to provide timely fixes for all notified security exploits for at least 5 years after purchase, along with proper financial penalties for the companies selling such devices that fail to do so.

      Think of all of those phones, printers, routers and numerous other semi-smart devices that have a network connection and no one looking after them.

    2. Anonymous Coward
      Anonymous Coward

      Re: What Security?

      No need to worry, just a couple of weeks ago Google said security vulnerabilities should be addressed within seven days.

      "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management. "

      1. FrankBarnes
        Childcatcher

        Re: What Security?

        Well, that's good news, but what about people who have older phones that the individual phone manufacturers don't issue updates? Is a Samsung Galaxy I still vulnerable? How about a Droid?

        While Google is making a good effort to patch issues like this, relatively quickly, the manufacturers, and sometimes carriers, still, and very often, have final say in an OS update.

        On the Apple side of the house, more effort is placed into platform standardization. Right now, the only phone/s and devices that can't recieve the latest OS include the iPhone 1, and the iPhone 3G. These devices never had the horsepower to support multitasking that every other generation of iPhone had.

        It would be adventagous to all Android customers and users if they could apply an update, directly from Google for a trojan like this. A trojan that has all this functionality can be a menace, and in a corporate environment would create some serious IT security issues.

    3. Anonymous Coward
      Anonymous Coward

      This cannot be?

      What, and Android virus, malware on my Android phone!

      I am incensed, this all is Apple propaganda, all lies, how dare they say this, it must be a Daily Mail story, someone is always ready to knock Android, these evil doers, nasty people who keep spreading such malicious lies and rumours .........

      Interestingly in PC Advisor August 2013 page 14, the headline 'Laptop makers drop Windows 8 for Android'.

      Well what a rip roaring fatally flawed platform you will be getting on your laptop. Yippee-ki-yay.

    4. LarsG
      Meh

      Dig deeper

      Dig deeper and you will find, 'Made by US Gov, Trademark 'Prism' copyright US Gov' stamped on it somewhere.

    5. Anonymous Coward
      Megaphone

      Re: What Security?

      Ever get the feeling you've been cheated?

      Kaspersky want to sell you a malware solution for a problem that doesn't really exist

      The Register profit from this sensationalist nonsense because people come here to read it.

      You my friend just aren't playing the game...

      1. Anonymous Coward
        Mushroom

        Re: Kaspersky want to sell you a solution

        And so many of these Register virus/trojan/malware articles are just regurgitated press releases.

        Come on, El Reg, what about some independent journalism on these subjects?

      2. AlbertH
        Linux

        Re: What Security?

        Kaspersky want to SELL you a malware solution for a problem that CANNOT exist. There is no means of any software installed with user priveledge gaining root access without manual user intervention.

        These are desperate times for the anti-this and anti-that manufacturers. Even the latest iterations of Windoze are getting more secure, and MS's own, free anti-malware programs do the job better than these bogus third-party efforts. McAfee, Kaspersky and all the other snake-oil salesmen are rapidly going out of business, and these specious claims andmalicious lies are their final efforts to keep their businesses alive.

        1. Ian McNee
          Boffin

          @AlbertH

          Actually, unlike Linux, Android is not vastly more secure than the alternatives for three obvious reasons:

          (i) all software has vulnerabilities and the more complex, the more vulnerabilities;

          (ii) Android is very popular and by definition very connected and therefore very valuable to criminal malware coders;

          (iii) as stated above in detail, device manaufaturers are essentially negligent in their provision of timely updates to fix known Android vulnerabilities.

          As for the idea that malware could not possibly gain root access without manual user intervention, that's just plain not true. One of the main ways of rooting a good number of Android devices involved exploiting a vulnerability in the OS. All the user would notice if this were malware would probably be the device rebooting unexpectedly - hardly an unknown occurrence with quite a lot of mobile devices.

          Don't get me wrong - I love Android, it rocks compared to everything else widely available at the moment, but let's get real. And likewise I have no remit for the AV companies, especially when they make such obvious "BUY ME!" releases like this one from Kaspersky.

          1. Anonymous Coward
            Anonymous Coward

            Re: @AlbertH

            "unlike Linux, Android is not vastly more secure than the alternatives"

            Actually Linux has one of the worst the worst security architectures and vulnerability counts of any current OS.

            Look at exploit statistics for a market where Linux is actually used like Webservers, and you will see that you are far more likely to be exploited running Linux than say Windows Server or BSD...

        2. Irongut

          Re: What Security? (AlbertH)

          MS' free av is not as good a decent 3rd party av. Just look at any independant tests and you'll see that it is fairly useless. You're much better off with ESET, Kaspersky, AVG, Avira or Avast. Some of which are also free.

          1. GeekinOrpington

            Re: What Security? (AlbertH)

            That's funny!

            In the real world I support PCs in homes and small businesses and I have only one recollection af a PC with Microsoft Security Essentials becoming infected, but I an continually dealing with PCs with McAfee, Norton, AVG and Avast that have become infected.

            It's not an INDEPENDANT test just my experience.

        3. Wize

          Re: What Security?

          "Kaspersky want to SELL you a malware solution for a problem that CANNOT exist. There is no means of any software installed with user priveledge gaining root access without manual user intervention."

          And if a typical thick user stumbles across a website telling them they can have a pink pony dancing around on their lock screen by following a few steps, some will do it. Even if those steps are to give the app root control.

    6. eulampios
      Facepalm

      Re: What Security?

      1) You need to install it in the first place (with all the permissions to donate all your bases to the app)

      2) You need to specifically grant it the administrative privileges when it asks from you

      So if you both you totally deserve it.

      To have a resemblance with the windows malware one might want no work done on the behalf of the user, so that the trojan,/virus install on the machine by itself.

    7. Anonymous Coward
      Anonymous Coward

      Re: What Security?

      "So Google will soon issue a fix for the vulns that allow this malware to infect Android devices"

      The only short term fix would be an upgrade to a secure OS with a chain of trust model like Windows Phone. Android is insecure and broken in so many ways due to it's Linux heritage that a simple fix is not possible....

  2. Khaptain Silver badge

    Couple of questions

    There is no mention of how the malware gets into the system, from the article it appears that the virus must be "installed".

    The article also doesn't mention how the virus gains "Device Administrator privilèges":

    How did Kaspersky manage to find this well hidden, disguised virus.

    How do they know it can connect to URLs, ping etc and yet not know the addresses that it pings, connects to.

    ).

    1. Ole Juul

      Re: Couple of questions

      Questions indeed. Without some answers I'll just assume that someone is selling something here.

      1. Anonymous Coward
        Anonymous Coward

        Re: Couple of questions

        To be honest just about any article about how a "security" company have "found" a really nasty virus/trojan etc. is completely lacking in any real detail about just how these things get onto your computer / phone / nuclear reactor controller.

        I'm getting more and more suspicious that a lot of it is total and utter bullshit and why tech sites do not challenge the companies over the real details rather than just regurgitating their press release I do not know.

        1. Chet Mannly

          Re: Couple of questions

          "I'm getting more and more suspicious that a lot of it is total and utter bullshit "

          +1 - Especially when they don't mention anything (like the name of the app) that might prevent people downloading the trojan in the first place, just "buy my program now".

          Also why didn't they report the name of the app to Google so they can remove it from the Play Store? That would stop 99% of people getting infected.

          Much better for sales to say its a vulnerability, so anyone who hasn't updated their OS recently will buy AV...

          1. Anonymous Coward
            Anonymous Coward

            Re: Couple of questions

            Who says it was an app? Maybe it can be spread from an infected PC on the same network, or spread from an infected phone to other phones using the same AP, maybe you just have to visit the wrong website, or maybe visit the right website that unfortunately has a contract with the wrong ad provider.

            There are a lot of ways for malware to spread beyond downloading dodgy apps. It's just that that's been such an easy path so far that malware writers haven't really had to try as hard. Sort of like how PC malware used to be spread by infected floppies and .exe attachments, and because that was so easy there was no reason to write something as complex as Stuxnet.

            1. eulampios

              Re: Couple of questions

              There are a lot of ways for malware to spread beyond downloading dodgy apps.

              These ways are good for MS Windows mostly. With the allegedly huge amounts of Android malware (that very few people have ever seen) none gets on a device by automatically and without user explicitly installing it.

            2. Chemist

              Re: Couple of questions

              "Who says it was an app?"

              As the link in the article states :-

              "Recently, an Android application came to us for analysis"

    2. heenow

      Re: Couple of questions

      The article has a screen shot of how the Trojan gets administrator privilege.

    3. tony2heads
      Facepalm

      Re: Couple of questions

      how it gains device administrator privilege -see

      http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan

      "

      Obtaining privileges

      Immediately after it starts, the application attempts to obtain Device Administrator privileges"

      So it just ASKS for them

  3. Andrew Jones 2
    Mushroom

    And.... it's a big non problem because:

    1) you have to download and install the malware - which means you have to agree to the permissions it needs to run.

    2) you have to enable Device Administrator support for it to be able to do anything bad to your device

    3) You need to be rooted for it to be most effective.

    The chances of 1 are admittedly higher for the "I will download everything I possibly can" crowd

    The chances of 2 are pretty slim as the sort of people caught by step 1 - are not the sort of people who know about device administrator

    and the chances are 3 are 0% because the sort of people who are rooted are not the sort of people who go out and download everything under the sun believing that everything will be sunshine and roses.

    Finally - it does not use "previously unknown" vulnerabilities - it uses well known vulnerabilities.

    The team that discovered this trojan also admit that because the code remains largely encrypted until it first makes contact with the C&C server - it makes it very difficult to analyse what it does and how it does it - in any great detail - which frankly - I find ludicrous to suggest - either stick it on a fresh device with a PAYG sim card or stick it on an emulator.

    1. Anonymous Coward
      Anonymous Coward

      Not a non problem

      Yep, what you say has truth in it, but the fatal flaw is that 90% of Android users download stuff without even thinking about it.

      1. Otto is a bear.

        Re: Not a non problem

        I don't think that's a problem restricted to Android users, you should see the S$5t the family yoof download onto just about every device they own and then ask me to fix when it all goes horribly wrong. They really get upset when I wipe the device and reload from scratch and ask for the backup, tease that I am.

      2. Chet Mannly

        Re: Not a non problem

        "90% of Android users download stuff without even thinking about it."

        So you didn't read points 2&3 at all then?

        You need to do more than just download an app - you have to enable other things as well.

    2. Tufty Squirrel

      Non-problem? Hardly.

      >> you have to download and install the malware - which means you have to agree to the permissions it needs to run.

      Quite, but how many people actually take any notice of, or understand, the permissions warning screen? After all, if you've downloaded <x>, it's because you already /want/ to run it - Android doesn't give you any option of "stop this application doing this, but it might compromise functionality", it's all or nothing, "install it or don't". Everyone I know, *myself included*, hits "install it". So all you need is something that people *want* to run, and you're on a load of devices.

      Your issues 2 and 3 are largely moot because, once you have code running on a machine, you effectively have physical access. Privilege escalations are hardly unknown, after all, and Linux kernel + Android runtime provides a pretty large attack surface, especially given the likelihood of anything having been patched since the device left the factory.

      1. John H Woods Silver badge

        Re: Non-problem? Hardly.

        The privileges are not granular enough. You don't have the option of installing an app with some privileges, so you either accept full access to SD card, or you do without the app -- No option to chroot an app to subfolder on the SD card, You either accept access to the camera or you do without the app -- no option for "ask me each time". This would also be useful with "services that cost money"

        There is also, afaik, no log of which app invoked which privilege and when, so there is no auditing. So, in my experience, although I don't like it, the accept permissions step of most apps I'm interested in is pretty much just one more click you have to make.

        1. Vince

          Re: Non-problem? Hardly.

          The lack of control over permissions on Android does increasingly irritate me.

          Especially when I'm using my Blackberry Z10 where I can say "actually this app can't use location services" but I'm ok with it reading stuff from my contact book" if I so want.

          Why the hell android does not allow ME to control that I have no idea.

          1. Tim Bates

            Re: Non-problem? Hardly.

            "Why the hell android does not allow ME to control that I have no idea."

            Well it could be worse... You could be using iOS - where not only do apps not inform you what they could do, but the OS doesn't either.

            1. Anonymous Coward
              Anonymous Coward

              Re: Non-problem? Hardly.

              No iOS does ask you if you want to allow apps to access your data.

          2. aj87
            WTF?

            Re: Non-problem? Hardly.

            Not related to this trojan but since you are saying BB10 permissions are better

            Have RIM fixed that little permission where you can't use the GPS hardware in the device without using location services and therefore agreeing to give them all your location data/wifi hotspots/gsm cells? That genuinely annoyed me when I got an Z10, its my hardware why can't I use GPS on its own.

            1. Anonymous Coward
              Anonymous Coward

              Re: its my hardware why can't I use GPS on its own.

              That's what I always used to think on my stock android. I couldn't switch on the GPS without sending data to Google. No, not because it was using wifi to locate, that was disabled, I couldn't activate the GPS module on the phone without first agreeing to send "anonymous" data to google. (yeah, because a lat and lon with no other information would be so useful!)

              So not a blackberry specific problem, one that occurs for users of Android handsets as well...

          3. Down not across

            Re: Non-problem? Hardly.

            +1

            Rather annoying that to get that kind of control, you have to root the phone and install additional software.

          4. sorry, what?
            FAIL

            Re: Non-problem? Hardly.

            The broken permissions model really does irk. And it's not like it is a new grumble against Android either.

            As I once said in a comment on a previous article (http://forums.theregister.co.uk/forum/1/2012/03/05/more_android_privacy_fail/): "Symbian anyone?"

    3. Robert Carnegie Silver badge

      It's a TROJAN

      You think you're installing something you want, like "Microsoft Office". And instead (or as well!), you get this.

  4. YARR
    Facepalm

    Isn't it high time Android moved to a model of rolling updates from a central (Google) server just like any other internet connected OS? The device customisation by manufacturers needs to be restricted to only self-contained device drivers, pre-installed apps and some UI appearance settings. It's crazy that you can still buy new devices that are stuck on OS versions from 1-2 years ago, given that the software is free. The latest generation of devices ought to have sufficient memory and storage available to handle a slow growing OS footprint.

    I'd also like to know if any of the vulnerabilities are in the Linux kernel upon which Android is based.

    1. Cliff

      Manufacturer & Mobile operator

      Yes, that would be ideal for me, but alas the manufacturer and network pre - installed stuff is the main way HTC differentiate themselves from LG from Sony from Samsung. They all want to add their branding and app stores to thehandsets to get a bite of the recurring revenue not just the low margin hardware market or data carrier market

      1. Anonymous Coward
        Anonymous Coward

        Re: Manufacturer & Mobile operator

        ". They all want to add their branding and app stores to thehandsets to get a bite of the recurring revenue"

        And then they wonder why they don't actually get any income. Who the f*** buys anything from the Samsung or HTC crapp stores? Who uses their mobile operators content portal? A tiny, tiny minority, because everybody uses iTunes or Play, or Amazon.

        If the hardware makers want more money, then they should make their devices work better so that people will pay a bit more for them. DLNA is slow and sluggish in most implementations, involving deep menu dives on both devices. Tablets often struggle with simple tasks like printing. TV's are craply integrated with other media devices. Where's Jobs when you need him? He'd have made it work, and then everybody else could have learned how to do it.

        Although even there, Apple showed how to manage a phone OS, and Google managed to ignore the important bit about central control and avoidance of fragmentation.

        1. Anonymous Coward
          Anonymous Coward

          Re: Manufacturer & Mobile operator

          Android is open source, how exactly is Google supposed to force updates on Android phones? If they had code to do that, it would be among the first things Samsung removed in the process of building their own version to install on a GS4.

          As for why Samsung doesn't do it, they've got a ton of different models, with more coming out every month. Even the models that use the same version of Android probably have different bits of customization in them, simply to patch existing versions to fix a security issue is probably a big job. Let alone taking a newer generic Android version from Google, adding back the customizations for their dozens of models, and then testing it to make sure their customizations didn't break anything when matched against the newer Android code. No wonder it is mostly only the high end Samsung models that get updates, and even then not in a particularly timely fashion.

          1. Anonymous Coward
            Holmes

            Re: Manufacturer & Mobile operator

            "Android is open source, how exactly is Google supposed to force updates on Android phones?"

            Maybe that's the problem, don't you think?

        2. Mark .

          Re: Manufacturer & Mobile operator

          So making an Android device to put your own storefront on it is doomed to failure, then you cite everyone buying from Amazon *cough*Kindle Fire*cough*?

          "Where's Jobs when you need him? He'd have made it work, and then everybody else could have learned how to do it."

          Funny how he failed to make these things work. I love how Apple fanatics now argue by simply *making up what Apple might do*, even though they haven't done it. Let me try it to: an Apple solution would only work with Apple devices. It would cost twice as much, lack basic functionality, sell less than the competition, but have a light up glow in dark logo and by hyped by the media before it even existed. Just like you are doing now.

          The examples you list are precisely the things that Jobs and Apple don't do well. Just look at the mess we've got outselves into where so many audio devices only work with the minority of Apple phones or outdated ipods - my TV actually makes a far better audio sharing device, because it supports DLNA and USB, working with any hardware or platform.

        3. Captain DaFt

          Re: Manufacturer & Mobile operator : @Ledswinger

          Jobs' brilliance was due to his focus on esthetics and user interface, leaving the *how* to the grunts.

          There are many stories of something being submitted to him, He'd play with it, then deamand, "Why doesn't it do this? Why can't I do that?"

          When they'd tell him, "It doesn't work that way." or "that's not secure." , he'd throw it at them and demand that they bring it back when it "worked right".

          Guess what? They brought it back meeting his demanding criteria, and still kept it mostly secure.

          Jobs wasn't a computer genius, he was a people genius, in that he knew what the average joe on the street expected from a device.

    2. Mark .

      It's Open Source, so manufacturers can and do what they like - and with Samsung selling 10s of millions a month, they're not going to change anytime soon.

      I do agree though I wish there were more Nexus-like devices - perhaps we'll start to see this now (as with the new S4 announced running standard Android).

      "The latest generation of devices ought to have sufficient memory and storage available to handle a slow growing OS footprint."

      Possibly they don't though? My Galaxy Nexus is starting to be sluggish in areas, and it's still way better than the low end of new devices.

  5. h3

    It is probably part of Facebook Home (Or does about the same amount of damage to the device). Remember Google tried to stop them doing their own updates I think this is a test from them.

  6. Richard Boyce
    Big Brother

    Not the only thing hidden, apparently

    So how do we remove PRISM from our devices using Google software ... and Apple software ... and so on?

    1. Florida1920
      Joke

      Re: Not the only thing hidden, apparently

      "So how do we remove PRISM from our devices"

      http://images2.wikia.nocookie.net/__cb20110429175847/clocktower/images/9/9a/Sledgehammer.png

Page:

This topic is closed for new posts.

Other stories you might like