Beware Android Trojans hitching a ride on botnets
A dangerous Trojan that targets Google's Android mobile operating system has gained new nefarious capabilities even as a new banking malware takes aim at the OS, according to security researchers.
Kaspersky Lab reported that mobile botnets are being used to distribute the Obad.a Trojan, which can gain administrative rights on an Android device—allowing its masters to do pretty much anything they want with a handset.
Meanwhile, Eset revealed that a bad app it discovered earlier this month—Hespernet—is actually a mobile banking Trojan along the lines of Zeus and SpyEye, but with significant implementation differences that make it a new malware family.
The Obad.a Trojan has been closely watched by Kaspersky since the beginning of the summer, but it wasn't until recently that researchers uncovered the unusual distribution method its handlers have been deploying.
"For the first time, malware is being distributed using botnets that were created using completely different mobile malware," Kaspersky researcher Roman Unuchek wrote in a blog.
"This approach, like other aspects of the Obad operation, mimics what we've been seeing in the desktop ecosystem," Roel Schouwenberg, a senior researcher at Kaspersky, said in an email.
"In the Windows and Linux world, it's very common for malware and botnets to install other types of malware for pay," he added. "So it's likely that we'll see further adoption of this strategy in the mobile space as well."
Handsets are initially infected with the botnet software SMS.AndroidOS.Opfake.a through a poisoned link in an SMS message.
The link promises to deliver a new MMS message to the target. If clicked, the botware will be downloaded and the target asked to run it. If the target complies, SMS messages with the same MMS pitch will be sent to everyone on the target's contact list. In addition, the botware will download Obad.a, which sets up a backdoor on the handset that allows a botmaster to remotely control the device.
Other more conventional means are also used to distribute Obad.a, including SMS spam, links to fake Google Play stores and redirection from poisoned websites.
That kind of multi-vector infection strategy isn't common yet in the mobile world. "Right now, Obad is setting a new standard," Schouwenberg said. "We're still quite a bit away from multiple infection vectors being the norm rather than the exception."
Up to now, Obad.a activity has been directed at populations in the states of the old Soviet Union, although there has been some spillover into other countries. "For now, other countries are not where the attackers' focus seems to be," Schouwenberg said.
Hesperbot also appears to have a limited geographic distribution—primarily Turkey and the Czech Republic. However, the campaign, may expand. "It's quite likely we'll see more instances of this as time goes by," Eset Security Evangelist Stephen Cobb said in an interview. "I would expect we'll see more attacks in more countries."
Hesperbot is spread by luring targets to an infected website with a poisoned link embedded in an email or SMS message. The Czech scam sent targets to a website closely modeled on the landing page of the country's postal service.
"The aim of the attackers is to obtain login credentials giving access to the victim's bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone," Eset researcher Robert Lipovsky wrote in a blog.
He described Hesterbot as a very potent banking Trojan with features such as keystroke logging, creation of screenshots and video capture, setting up a remote proxy, creating a hidden VNC server on an infected system, intercepting network traffic and HTML injection.
Other banking Trojans, like Zeus and SpyEye, perform those functions, too; what sets Hesperbot apart is its use of new code to do those tasks. "It's not made with SpyEye or Zeus code," Evangelist Cobb said. "That might sound like a technical distinction, but the fact that someone went to the trouble to write a brand-new banking Trojan is indicative of the appeal that remains for the software."
That appeal will likely grow. "As more mobile capabilities are rolled out and mobile payments become more widespread and ubiquitous, malware is going to follow," said George Tubin, senior security strategist at Trusteer, an IBM company. "We're right at the beginning of it now."
He explained that improved security measures at larger banks have been driving cyber robbers downstream to mid- and small-sized banks. "Now, they'll also be moving into the mobile channel, because banks haven't deployed very sophisticated fraud detection technologies there yet," Tubin said.
Nevertheless, mobile infections can be avoided if a user is willing to avoid high-risk behavior. "They're not going to get infected if they stick to downloading apps from Google Play or their employer's app store," Randy Abrams, a research director at NSS Labs, said in an interview.
"There have been exceptions, and Google has allowed infected apps into their store," he continued, "but the majority of apps on Google Play are going to be very safe—as long as you don't consider compromising your privacy a safety issue."