Blog

Bajrang Mane
They come, they hide, and they mess up – Android.Obad and Android.Fakedefender
July 24, 2013

It looks like malware writers are leaving no stone unturned to target the Android platform. They are exploring every opportunity to do so; one such opportunity recently popped up in the form of two malwares viz. Android.Obad and Android.Fakedefender. Know what these malware are and how they work, from the rest of the post.

Android.Obad and Android.Fakedefender are more sophisticated than the typical malware families. It has been discovered that, these malware can exploit “Device Admin Privileges”, which boost their stealth level after they get installed in a device.

Important Facts about Andriod.Obad

What is it?

  • Android.Obad is a Trojan.
  • It masks itself as a genuine application.

What does it do?

  • It sends SMS to premium-rate numbers, which results in extra cost for user.
  • It is capable of downloading other malicious applications, sending them further to Bluetooth-enabled devices, and taking remote commands to perform malicious actions.

How does it gain Device Admin Privileges?

  • Once Android.Obad is launched, it keeps asking the user to grant “Device Admin Privileges”. The “Cancel” button is disabled, which leaves the user only with the “Activate” option, as shown in the reference image below:

Device_Admin_Privileges

Some More Facts:

  •  Once the malware gets access to Device Admin privileges, it dives deeper into the system and hides itself from the device admin list. This action leaves the user with no option to remove the application via Settings.
  •  Android.Obad makes extensive use of reflection code, which helps it hide its malicious code from the eyes of malware analysts. The strings used and the function names are encrypted with multiple layers using polymorphic techniques.
  •  Android programs are compiled into DEX (Dalvik Executable) files, which are in turn, zipped into a single APK file on the device. The Android.Obad malware poses challenges for reverse engineering by creating specially crafted DEX (Dalvik Executable) files, for which most of the tools fail to decompile.

Android.Obad takes advantage of the following vulnerabilities, which makes it difficult for analysts to reverse engineer it.

  • Modified AndroidManifest.xml: The malware drops some of the components from the manifest file. Because of this, the dynamic analysis environment fails to do an automated analysis of the malware. However, such file is correctly processed by the smartphone’s OS and malware gets executed in the real environment.
  • Error in Dex2Jar tool: Dex2jar is a popular tool used for reverse engineering Android malwares. It either fails to decompile or decompiles it incorrectly which makes static analysis difficult.
  • Device Admin Privilege: As discussed earlier, Android.Obad takes Device Admin as a special privilege that allows it to hide itself from the Device Admin list.

Important Facts About Andriod.Fakedefender

 What is it?

  • Andriod.Fakedefender is a Trojan.
  • To display itself, it uses icons of popular applications like Facebook and Skype.
  • After it has been installed, it is displayed on the phone as “Android Defender”.

What does it do?

  • Once Android.Fakedefender is launched, it keeps asking the user to grant “Device Admin Privileges”. Irrespective of the user’s choice “Device Admin Privileges” are granted.
  • The malware starts notifying the user about malware or other security threats that are actually non-existent.
  • The malware keeps prompting such messages to scare the user into purchasing apps to remove these threats, thus it is also known as a “scareware”.
  • In some cases, the malware may prevent the victim from doing anything else on their phone, until they make a payment.
  • It also collects user information like phone number, OS version, device manufacturer, location, etc. and sends it to a remote server.
  • The worst part of this malware is its ability to interfere with applications that can warn the user about actual security threats.

Andriod_Fakedefender

Note: Just like Android.Obad, it is also difficult to remove Android.Fakedefender from the device once it has been installed. It changes the device’s settings so that the user is unable to perform a normal factory reset.

We would strongly advice users to be on guard against applications that ask for “Device Admin” privileges.

Definitions of some popular terms used in the post:

  1.  Static Analysis – Static analysis is the analysis of computer software or program that is performed without actually executing it.
  2.  Dynamic Analysis – Analysis performed on executing programs is known as dynamic analysis.
  3.  Reverse engineering – Reverse engineering refers to a process that studies the function and information flow of a piece of software or hardware, in order to determine its technological principles.
  4.  Reflection code – Reflection code refers to the ability of a computer program to examine (see type introspection) and modify the structure and behavior (specifically the values, meta-data, properties, and functions) of an object at runtime.
  5.  APK file – Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google’s Android operating system.
  6.  Automated analysis – Automated Analysis refers to a process that allows malware threat analysts to configure controlled test environments, where they can execute and inspect malware in automated ways.

Blog post acknowledgment – Quick Heal Threat Research and Response Team.

SHARE THIS STORY

Have something to add to this story? Share it in the comments.

Bajrang Mane
About Bajrang Mane
Bajrang Mane is leading the Threat Analysis, Incident response, and Automation teams in Quick Heal Security Labs. Having spent 13 years in the IT security industry,...
Articles by Bajrang Mane »

50 Comments

Your email address will not be published.

CAPTCHA Image

  1. Hrushi SonarJuly 24, 2013 at 6:34 PM

    Really very help fully info regarding 2 malware that is Android.Obad and Android.Fakedefender.

    Thanks & Regards,
    Hrushi Sonar.

    Reply
  2. DR RAJESH BUDDHADEVJuly 25, 2013 at 5:28 PM

    HELPFUL, was not aware of these malwares.
    thanks for sharing

    Reply
  3. Anis BalluwalaJuly 25, 2013 at 5:35 PM

    It is really new for me. Thanks a lot for updating my knowledge about Android.Obad and Android.Fakefender.

    Thanks

    Anis Balluwala

    Reply
  4. Ganapate GirishJuly 25, 2013 at 6:28 PM

    But in my case the Quick Heal Total Security itself is not able to take either detect the HTC set / if detected then unable to run scanner / if able to run then gets not responding message.

    Till date after purchasing the package 4 months earlier – invain.

    Pls. guide.

    Reply
  5. Arun Singh ParmarJuly 25, 2013 at 6:54 PM

    thanks for making aware about these two new android malwares.
    Really the Android is on the target ……..

    Reply
  6. Manoj SahuJuly 25, 2013 at 7:14 PM

    Thanks for aware us about malware this info is very helpfull regarding to malware that is Android.Obad and Android.Fakedefender.

    Manoj Sahu

    Reply
  7. But what are the precautions for a non IT/ software person? Pls share info to keep safe too.

    Reply
    • Hi Anna,

      You can take these precautions:

      1. Avoid installing apps that ask for device admin privileges.
      2. Always verify apps and their publishers before installing them.
      3. Do not keep your phone’s Bluetooth in “visible to all/discoverable” mode when in public places.
      4. Ensure that your mobile phone’s security software is always up to date.

      Regards,

      Reply
  8. Hope quick heal has their antidotes. Can we get it?How? When?
    thanks

    Reply
  9. rupam sharmaJuly 25, 2013 at 7:59 PM

    very significant information. a heart felt thanks. but how to get rid of these?

    Reply
    • Hi Rupam,

      Quick heal detects these malwares and removes them automatically, if the malicious app does not have access to the device admin privileges.

      Regards,

      Reply
  10. Himanshu ShekharJuly 25, 2013 at 8:10 PM

    This was an excellent article and deserves 10/10.
    But what is to be done if : –
    1. The phone gets affected by these
    2. We have already installed the apps, how to know whether it is malicious or not and if it is malicious what to do next.
    3. some extra precautions like not downloading certain apps from certain websites.
    Thank you.

    Reply
    • Hi Himanshu,

      To know whether certain apps are malicious or not, install Quick Heal on your mobile.

      If you already have Quick Heal then you need not worry. However, if these malwares have already infected your device and then you install Quick Heal, then it’s not possible to remove them if the device admin privileges are already granted. On the other hand, if admin privileges are not granted then Quick Heal can guide you through the malware removal process.

      Here are some precautions you can take:

      1. Never install apps that ask for device admin privileges.
      2. Always verify apps and their publishers before installing them.
      3. Do not keep your phone’s Bluetooth in “visible to all/discoverable” mode when in public places.
      4. Ensure that your mobile phone’s security software is always up to date.

      Regards,

      Reply
  11. Mohammed TanweerJuly 25, 2013 at 8:23 PM

    Thanks for the information =)

    Reply
  12. Kesari ParvatesamJuly 25, 2013 at 8:47 PM

    Please let me know if you have come up with a defense for this virus / affliction.
    You may please charge me for removing and safeguarding from this threat.

    TREAT THIS AS MOST URGENT PLEASE

    Reply
    • Hello Kesari,

      Yes, Quick heal has devised a solution for these malwares, and it’s in the release process. You can take these precautionary measures to keep your devise safe:

      1. Never install apps that ask for device admin privileges.
      2. Always verify apps and their publishers before installing them.
      3. Do not keep your phone’s Bluetooth in “visible to all/discoverable” mode when in public places.
      4. Ensure that your mobile phone’s security software is always up to date.

      Regards,

      Reply
  13. How can we install quickheal on android phone.?

    Reply
  14. does the quick heal total security version for android have the tenets to counter them.if not how can we keep our mobiles safe?

    Reply
    • Hi Arup,

      Yes, Quick heal has devised a solution for these malwares and it’s in the release process.

      To add, you can follow these security measures to keep your mobile device safe from such malwares:

      1. Never install apps that ask for device admin privileges.
      2. Always verify apps and their publishers before installing them.
      3. Do not keep your phone’s Bluetooth in “visible to all/discoverable” mode when in public places.
      4. Ensure that your mobile phone’s security software is always up to date.

      Regards,

      Reply
  15. This is serious and thanks Mr. Mane to bring it upto notice.

    Malwares cvause havoc with systems now with devices lie mobile.s
    They are unproductived, time money wasters. causes potential breakdowsn.

    Increases stress lveles, loss of business.

    Pls take due notice to avoid downsloading too many things like games, apps, theemes from untrusted sources.

    Sb

    Reply
  16. Mohammed SajidJuly 26, 2013 at 9:34 AM

    Thanks for the info. But what about the remedy if someone is hit by this malwares. How do you remove it or which tools are able to successfully remove it or is it necessary to wipe clean the phone?

    Reply
    • Hello Mr. Sajid,

      If a user has preinstalled Quick Heal then they need not worry. However, if these malwares have already infected their device and then they install Quick Heal, then it’s not possible to remove them if the device admin privileges are already granted.
      On the other hand, if admin privileges are not granted then Quick Heal can guide the user through the malware removal process.

      Regards,

      Reply
  17. Harish BharatiJuly 26, 2013 at 10:20 AM

    Thanks for your valued information. Plz. keep it up to make our tech world malware free and alert to get rid off them.

    Thanks once again

    Reply
  18. Bappi Tamang of Agartala, TripuraJuly 26, 2013 at 10:49 AM

    Thank You Sir. Please continue sharing of such type of information to secure our andorid devices.

    Reply
  19. Anil GadekarJuly 26, 2013 at 11:00 AM

    Thanks, using android phone, will be helpful.

    Reply
  20. Does Quickheal can remove this viruses?

    Reply
    • Hi Sharad,

      Quick heal detects these malwares and removes them automatically, if the malicious app does not have access to the device admin privileges.

      Regards,

      Reply
  21. Sagar IkhankarJuly 26, 2013 at 2:43 PM

    Thanks , Keep updating.

    Reply
  22. how to identify if my android device is affected with this malware? and how to remove it?

    Reply
    • Hi Parin,

      Install Quick Heal on your device. That will help you identify them.

      Quick heal detects these malwares and removes them automatically, if the malicious app does not have access to the device admin privileges.

      Regards,

      Reply
  23. thankyou for information thankyou very much

    thankyou for informating

    Reply
  24. Dr. RavalJuly 27, 2013 at 3:30 AM

    I bought Quick heal total security a couple of years back for three and half years. I am surprised to see that people are so lazy and idle not to improve anything! I have been complaining since 2010 to add android phones in mobile security facility.

    I really hate Quick Heal now and suggest everyone never to buy it. QuickHeal has time to design a new android app for android apps to earn 50/100 Rs. but they are so mean not to keep their promise to provide one of the features in their total security software.

    We are really ashamed of such people who belittle the fame and growth of our nation everyway!!

    Reply
    • Hello Dr. Raval,

      Quick Heal security solutions not only cover desktops but also mobile platforms such as Android and Blackberry. You can avail Quick Heal mobile security for Android or BlackBerry, or Quick Heal Total Security for Android phones, which offer additional benefits. For more details on these products you can follow this link.

      Furthermore, Quick Heal also offers PC2Mobile scan service to a wide range of mobile phones. Visit this link to know more about it.

      If PC2Mobile Scan does not support your device, you can raise a request for the same. Kindly follow this link.

      Regards,

      Reply
  25. OK, understood the problem… what is the solution.
    How to avoid installation of these malwares.
    Thanx

    Reply
    • Hi Mr/Ms Jain,

      Here are some steps that can help reduce the risk of installing such malwares:

      1. Never install apps that ask for device admin privileges.
      2. Always verify apps and their publishers before installing them.
      3. Do not keep your phone’s Bluetooth in “visible to all/discoverable” mode when in public places.
      4. Ensure that your mobile phone’s security software is always up to date.

      Regards,

      Reply
  26. chinmoy royJuly 27, 2013 at 4:53 PM

    so what!you are with us,thank you Quick Heal thank you.

    Reply
  27. Arvind B.July 27, 2013 at 8:18 PM

    Thanx 4 sharing…

    Reply
  28. Harish GuptaJuly 28, 2013 at 1:53 PM

    I am using Quick Heal Total Security for Android Smartphone in my Lenovo smartfone for the past one month, does it automatically prevent the malwares from entering the phone, pls advise if it need to be done manually.

    Reply
    • Hi Harish,

      Yes, if Quick Heal is already installed on the mobile, then it detects these malwares and can guide the user through the removal process.

      Regards,

      Reply
  29. Supradip GayenJuly 28, 2013 at 8:38 PM

    Very Helpful info….. But one question arises in my mind that if these apps present themselves in the form of Facebook or Skype apps then how do we recognize them… Please suggest.

    Reply
    • Hi Supradip,

      Apps such as Facebook and Skype do not request for device admin privileges. So, if such apps are asking for the same, then a user can recognize them as malicious apps.

      Regards,

      Reply
  30. Raja SarmaJuly 29, 2013 at 11:01 AM

    Thanks a lot…….

    RAJA

    ASSAM, GUWAHATI, INDIA

    Reply
  31. Dr. Chetan BataviaJuly 29, 2013 at 3:08 PM

    awareness makes more alert to go through handling such application with caution while downloading either or permitting to it for.

    Thanks for making aware of it.

    Dr. Chetan Batavia

    Gujarat.

    Reply
  32. can quickheal be a safeguard against these malwares in an andrioid phone?

    Reply
  33. ya it is helpful for me thanks Quick Heal

    Reply
  34. WHEN WE CAN SE QUICK HEAL 2014 ALSO CAN U SHARE SOME NEW IN 2014

    Reply