Researchers have discovered a sophisticated trojan that targets Android smartphones exploiting two previously unknown vulnerabilities in the mobile platform and a third flaw in separate software.
The malware sends premium-rate text messages and downloads other malware onto victims' phones.
Kaspersky researcher Roman Unuchek said an Android device administrator flaw made it impossible for a user to delete the Obad trojan once it gained extended administrator privileges on the phone.
A second Android vulnerability inhibited the platform's ability to process an Android .xml file, called “AndroidManifest,” making it difficult for the malware to be detected.
Obad also exploited a third flaw in separate software, called DEX2JAR, which was popularly used by researchers to convert Android executable files into Java Archive (JAR) format.
That component of the attacks also made it more difficult for the malware to be analysed by researchers, according to Unuchek.
Along with downloading other malware on victims' phones and sending SMS to premium-rate numbers, Obad also received instructions from its command-and-control server that allowed it to spread malicious files to other devices via unsecure Wi-Fi networks or Bluetooth connection.
“On a [command-and-control server] command, the malicious program scaned for nearby devices with enabled Bluetooth connection, and attempted to send the downloaded file to them,” Unuchek said.
However, while the trojan was sophisticated and comparable to Windows malware because of its complexity and use of unknown exploits, it is not currently widespread.
Kaspersky observed the malware over a three-day period and found Obad attacks consisted of less than 0.15 percent of malware attacks against its customers.
Google was notified about the exploits but did not returned requests for comment by SC.
Obad's tricks made the trojan a rarity in Android malware, and a standout threat as researchers more often deem legitimate apps or app stores a bigger security concern to users than advanced mobile malware.
News of the findings came as several participants at a Federal Trade Commission mobile security forum downplayed the threat posed by malware on these devices and even applauded third-party app stores for becoming more trustworthy from which to download.
National Cyber Security Alliance program manager Ryan Pretzer said apps reverse-engineered to harm were popular vectors of attack.