In the spring, the Obad Trojan made news as the most sophisticated mobile Trojan out in the wild. When I first heard about it, my initial reaction was that it won’t be the most sophisticated Trojan for long – after all, mobile is a huge new target for the bad guys and phone users still lag behind in mobile security, preferring speed over everything else.
However, as we’ve seen with other Trojans, they tend to morph into something slightly different so they can beat the defenses and inflict even more harm to our computers. Not surprisingly, the Obad Trojan has done just that. What is a bit surprising, though, is just how quickly it happened – just a few months after its initial discovery. According to the folks at Kaspersky Lab, the criminals behind the Obad Trojan have adopted a new technique to spread their malware: For the first time in the history of mobile cyber crime, a Trojan is being spread using botnets controlled by other criminal groups. As Roman Unuchek explained in a blog post:
So far we have discovered four basic methods used to distribute different versions of Backdoor.AndroidOS.Obad.a. The most interesting of these methods were the ones where Obad.a was distributed along with another mobile Trojan - SMS.AndroidOS.Opfake.a.
This double infection attempt starts with a text message to users, urging them to download a recent text message. If the victim clicks the link, a file containing Opfake.a is automatically downloaded onto the smartphone or tablet. The malicious file can only be installed if the user then launches it; should that happen, the Trojan then sends further messages to all the contacts on the newly infected device. Clicking the link in these messages downloads Obad.a.
Along with mobile botnets, Obad is also distributed using SMS spam, fake Google Play stores, and redirection from cracked sites.
According to Help Net Security:
Google has, of course, been notified of the vulnerability and has already fixed it. Unfortunately, not all users have upgraded to the patched 4.3 version of the OS. Those who haven't and wonder if they have been affected can download version 11.1.4 of Kaspersky's Internet Security for Android or Trend Micro's Hidden Device Admin Detector app and deal with the problem.
It isn’t a Trojan we are seeing much in the US just yet, but that isn’t any reason to ignore it or to shrug off any updates and patches for Android. I really do think this is just the tip of the iceberg of Trojans targeting mobile devices, and we need to be prepared.