They come, they hide, and they mess up – Android.Obad and Android.Fakedefender

It looks like malware writers are leaving no stone unturned to target the Android platform. They are exploring every opportunity to do so; one such opportunity recently popped up in the form of two malwares viz. Android.Obad and Android.Fakedefender. Know what these malware are and how they work, from the rest of the post.

Android.Obad and Android.Fakedefender are more sophisticated than the typical malware families. It has been discovered that, these malware can exploit “Device Admin Privileges”, which boost their stealth level after they get installed in a device.

Important Facts about Andriod.Obad

What is it?

  • Android.Obad is a Trojan.
  • It masks itself as a genuine application.

What does it do?

  • It sends SMS to premium-rate numbers, which results in extra cost for user.
  • It is capable of downloading other malicious applications, sending them further to Bluetooth-enabled devices, and taking remote commands to perform malicious actions.

How does it gain Device Admin Privileges?

  • Once Android.Obad is launched, it keeps asking the user to grant “Device Admin Privileges”. The “Cancel” button is disabled, which leaves the user only with the “Activate” option, as shown in the reference image below:

Device_Admin_Privileges

Some More Facts:

  •  Once the malware gets access to Device Admin privileges, it dives deeper into the system and hides itself from the device admin list. This action leaves the user with no option to remove the application via Settings.
  •  Android.Obad makes extensive use of reflection code, which helps it hide its malicious code from the eyes of malware analysts. The strings used and the function names are encrypted with multiple layers using polymorphic techniques.
  •  Android programs are compiled into DEX (Dalvik Executable) files, which are in turn, zipped into a single APK file on the device. The Android.Obad malware poses challenges for reverse engineering by creating specially crafted DEX (Dalvik Executable) files, for which most of the tools fail to decompile.

Android.Obad takes advantage of the following vulnerabilities, which makes it difficult for analysts to reverse engineer it.

  • Modified AndroidManifest.xml: The malware drops some of the components from the manifest file. Because of this, the dynamic analysis environment fails to do an automated analysis of the malware. However, such file is correctly processed by the smartphone’s OS and malware gets executed in the real environment.
  • Error in Dex2Jar tool: Dex2jar is a popular tool used for reverse engineering Android malwares. It either fails to decompile or decompiles it incorrectly which makes static analysis difficult.
  • Device Admin Privilege: As discussed earlier, Android.Obad takes Device Admin as a special privilege that allows it to hide itself from the Device Admin list.

Important Facts About Andriod.Fakedefender

 What is it?

  • Andriod.Fakedefender is a Trojan.
  • To display itself, it uses icons of popular applications like Facebook and Skype.
  • After it has been installed, it is displayed on the phone as “Android Defender”.

What does it do?

  • Once Android.Fakedefender is launched, it keeps asking the user to grant “Device Admin Privileges”. Irrespective of the user’s choice “Device Admin Privileges” are granted.
  • The malware starts notifying the user about malware or other security threats that are actually non-existent.
  • The malware keeps prompting such messages to scare the user into purchasing apps to remove these threats, thus it is also known as a “scareware”.
  • In some cases, the malware may prevent the victim from doing anything else on their phone, until they make a payment.
  • It also collects user information like phone number, OS version, device manufacturer, location, etc. and sends it to a remote server.
  • The worst part of this malware is its ability to interfere with applications that can warn the user about actual security threats.

Andriod_Fakedefender

Note: Just like Android.Obad, it is also difficult to remove Android.Fakedefender from the device once it has been installed. It changes the device’s settings so that the user is unable to perform a normal factory reset.

We would strongly advice users to be on guard against applications that ask for “Device Admin” privileges.

Definitions of some popular terms used in the post:

  1.  Static Analysis – Static analysis is the analysis of computer software or program that is performed without actually executing it.
  2.  Dynamic Analysis – Analysis performed on executing programs is known as dynamic analysis.
  3.  Reverse engineering – Reverse engineering refers to a process that studies the function and information flow of a piece of software or hardware, in order to determine its technological principles.
  4.  Reflection code – Reflection code refers to the ability of a computer program to examine (see type introspection) and modify the structure and behavior (specifically the values, meta-data, properties, and functions) of an object at runtime.
  5.  APK file – Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google’s Android operating system.
  6.  Automated analysis – Automated Analysis refers to a process that allows malware threat analysts to configure controlled test environments, where they can execute and inspect malware in automated ways.

Blog post acknowledgment – Quick Heal Threat Research and Response Team.

Bajrang Mane

Bajrang Mane

Follow @

Subscribe
Notify of
guest
50 Comments
Inline Feedbacks
View all comments
Hrushi Sonar
Hrushi Sonar
7 years ago

Really very help fully info regarding 2 malware that is Android.Obad and Android.Fakedefender.

Thanks & Regards,
Hrushi Sonar.

DR RAJESH BUDDHADEV
DR RAJESH BUDDHADEV
7 years ago

HELPFUL, was not aware of these malwares.
thanks for sharing

Anis Balluwala
Anis Balluwala
7 years ago

It is really new for me. Thanks a lot for updating my knowledge about Android.Obad and Android.Fakefender.

Thanks

Anis Balluwala

Ganapate Girish
Ganapate Girish
7 years ago

But in my case the Quick Heal Total Security itself is not able to take either detect the HTC set / if detected then unable to run scanner / if able to run then gets not responding message.

Till date after purchasing the package 4 months earlier – invain.

Pls. guide.

Rajiv Singha
7 years ago

Hi Ganapate,

Kindly contact our support team at 0-927-22-33-000.

You can also raise a query at https://www.quickheal.com/submitticket.asp. Our support team will get back to you to resolve the issue you are facing.

Regards,

Arun Singh Parmar
Arun Singh Parmar
7 years ago

thanks for making aware about these two new android malwares.
Really the Android is on the target ……..

Manoj Sahu
Manoj Sahu
7 years ago

Thanks for aware us about malware this info is very helpfull regarding to malware that is Android.Obad and Android.Fakedefender.

Manoj Sahu

anna
anna
7 years ago

But what are the precautions for a non IT/ software person? Pls share info to keep safe too.

Rajiv Singha
7 years ago
Reply to  anna

Hi Anna,

You can take these precautions:

1. Avoid installing apps that ask for device admin privileges.
2. Always verify apps and their publishers before installing them.
3. Do not keep your phone’s Bluetooth in “visible to all/discoverable” mode when in public places.
4. Ensure that your mobile phone’s security software is always up to date.

Regards,

rajendra
rajendra
7 years ago

Hope quick heal has their antidotes. Can we get it?How? When?
thanks

Rajiv Singha
7 years ago
Reply to  rajendra

Hi Ranjendra,

Yes, Quick Heal does have antidotes for such malwares. They are in the release process. We will keep you posted.

Regards,

rupam sharma
rupam sharma
7 years ago

very significant information. a heart felt thanks. but how to get rid of these?

Rajiv Singha
7 years ago
Reply to  rupam sharma

Hi Rupam,

Quick heal detects these malwares and removes them automatically, if the malicious app does not have access to the device admin privileges.

Regards,

Himanshu Shekhar
Himanshu Shekhar
7 years ago

This was an excellent article and deserves 10/10.
But what is to be done if : –
1. The phone gets affected by these
2. We have already installed the apps, how to know whether it is malicious or not and if it is malicious what to do next.
3. some extra precautions like not downloading certain apps from certain websites.
Thank you.

Rajiv Singha
7 years ago

Hi Himanshu, To know whether certain apps are malicious or not, install Quick Heal on your mobile. If you already have Quick Heal then you need not worry. However, if these malwares have already infected your device and then you install Quick Heal, then it’s not possible to remove them if the device admin privileges are already granted. On the other hand, if admin privileges are not granted then Quick Heal can guide you through the malware removal process. Here are some precautions you can take: 1. Never install apps that ask for device admin privileges. 2. Always verify apps… Read more »

Mohammed Tanweer
Mohammed Tanweer
7 years ago

Thanks for the information =)

Kesari Parvatesam
Kesari Parvatesam
7 years ago

Please let me know if you have come up with a defense for this virus / affliction.
You may please charge me for removing and safeguarding from this threat.

TREAT THIS AS MOST URGENT PLEASE

Rajiv Singha
7 years ago

Hello Kesari,

Yes, Quick heal has devised a solution for these malwares, and it’s in the release process. You can take these precautionary measures to keep your devise safe:

1. Never install apps that ask for device admin privileges.
2. Always verify apps and their publishers before installing them.
3. Do not keep your phone’s Bluetooth in “visible to all/discoverable” mode when in public places.
4. Ensure that your mobile phone’s security software is always up to date.

Regards,

Jit
Jit
7 years ago

How can we install quickheal on android phone.?

Rajiv Singha
7 years ago
Reply to  Jit

Hello Jit,

It’s easy. Simply download Quick Heal Total Security from Google Play. Kindly follow this link.

Regards,

arup
arup
7 years ago

does the quick heal total security version for android have the tenets to counter them.if not how can we keep our mobiles safe?

Rajiv Singha
7 years ago
Reply to  arup

Hi Arup,

Yes, Quick heal has devised a solution for these malwares and it’s in the release process.

To add, you can follow these security measures to keep your mobile device safe from such malwares:

1. Never install apps that ask for device admin privileges.
2. Always verify apps and their publishers before installing them.
3. Do not keep your phone’s Bluetooth in “visible to all/discoverable” mode when in public places.
4. Ensure that your mobile phone’s security software is always up to date.

Regards,

S8
S8
7 years ago

This is serious and thanks Mr. Mane to bring it upto notice.

Malwares cvause havoc with systems now with devices lie mobile.s
They are unproductived, time money wasters. causes potential breakdowsn.

Increases stress lveles, loss of business.

Pls take due notice to avoid downsloading too many things like games, apps, theemes from untrusted sources.

Sb

Mohammed Sajid
Mohammed Sajid
7 years ago

Thanks for the info. But what about the remedy if someone is hit by this malwares. How do you remove it or which tools are able to successfully remove it or is it necessary to wipe clean the phone?

Rajiv Singha
7 years ago
Reply to  Mohammed Sajid

Hello Mr. Sajid,

If a user has preinstalled Quick Heal then they need not worry. However, if these malwares have already infected their device and then they install Quick Heal, then it’s not possible to remove them if the device admin privileges are already granted.
On the other hand, if admin privileges are not granted then Quick Heal can guide the user through the malware removal process.

Regards,

Harish Bharati
Harish Bharati
7 years ago

Thanks for your valued information. Plz. keep it up to make our tech world malware free and alert to get rid off them.

Thanks once again

Bappi Tamang of Agartala, Tripura
Bappi Tamang of Agartala, Tripura
7 years ago

Thank You Sir. Please continue sharing of such type of information to secure our andorid devices.

Anil Gadekar
Anil Gadekar
7 years ago

Thanks, using android phone, will be helpful.

Sharad
Sharad
7 years ago

Does Quickheal can remove this viruses?

Rajiv Singha
7 years ago
Reply to  Sharad

Hi Sharad,

Quick heal detects these malwares and removes them automatically, if the malicious app does not have access to the device admin privileges.

Regards,

Sagar Ikhankar
Sagar Ikhankar
7 years ago

Thanks , Keep updating.

Parin
Parin
7 years ago

how to identify if my android device is affected with this malware? and how to remove it?

Rajiv Singha
7 years ago
Reply to  Parin

Hi Parin,

Install Quick Heal on your device. That will help you identify them.

Quick heal detects these malwares and removes them automatically, if the malicious app does not have access to the device admin privileges.

Regards,

sudhanshu
sudhanshu
7 years ago

thankyou for information thankyou very much

thankyou for informating

Dr. Raval
Dr. Raval
7 years ago

I bought Quick heal total security a couple of years back for three and half years. I am surprised to see that people are so lazy and idle not to improve anything! I have been complaining since 2010 to add android phones in mobile security facility. I really hate Quick Heal now and suggest everyone never to buy it. QuickHeal has time to design a new android app for android apps to earn 50/100 Rs. but they are so mean not to keep their promise to provide one of the features in their total security software. We are really ashamed… Read more »

Rajiv Singha
7 years ago
Reply to  Dr. Raval

Hello Dr. Raval,

Quick Heal security solutions not only cover desktops but also mobile platforms such as Android and Blackberry. You can avail Quick Heal mobile security for Android or BlackBerry, or Quick Heal Total Security for Android phones, which offer additional benefits. For more details on these products you can follow this link.

Furthermore, Quick Heal also offers PC2Mobile scan service to a wide range of mobile phones. Visit this link to know more about it.

If PC2Mobile Scan does not support your device, you can raise a request for the same. Kindly follow this link.

Regards,

DK Jain
DK Jain
7 years ago

OK, understood the problem… what is the solution.
How to avoid installation of these malwares.
Thanx

Rajiv Singha
7 years ago
Reply to  DK Jain

Hi Mr/Ms Jain,

Here are some steps that can help reduce the risk of installing such malwares:

1. Never install apps that ask for device admin privileges.
2. Always verify apps and their publishers before installing them.
3. Do not keep your phone’s Bluetooth in “visible to all/discoverable” mode when in public places.
4. Ensure that your mobile phone’s security software is always up to date.

Regards,

chinmoy roy
chinmoy roy
7 years ago

so what!you are with us,thank you Quick Heal thank you.

Arvind B.
Arvind B.
7 years ago

Thanx 4 sharing…

Harish Gupta
Harish Gupta
7 years ago

I am using Quick Heal Total Security for Android Smartphone in my Lenovo smartfone for the past one month, does it automatically prevent the malwares from entering the phone, pls advise if it need to be done manually.

Rajiv Singha
7 years ago
Reply to  Harish Gupta

Hi Harish,

Yes, if Quick Heal is already installed on the mobile, then it detects these malwares and can guide the user through the removal process.

Regards,

Supradip Gayen
Supradip Gayen
7 years ago

Very Helpful info….. But one question arises in my mind that if these apps present themselves in the form of Facebook or Skype apps then how do we recognize them… Please suggest.

Rajiv Singha
7 years ago
Reply to  Supradip Gayen

Hi Supradip,

Apps such as Facebook and Skype do not request for device admin privileges. So, if such apps are asking for the same, then a user can recognize them as malicious apps.

Regards,

Raja Sarma
Raja Sarma
7 years ago

Thanks a lot…….

RAJA

ASSAM, GUWAHATI, INDIA

Dr. Chetan Batavia
Dr. Chetan Batavia
7 years ago

awareness makes more alert to go through handling such application with caution while downloading either or permitting to it for.

Thanks for making aware of it.

Dr. Chetan Batavia

Gujarat.

Sandeep
Sandeep
7 years ago

can quickheal be a safeguard against these malwares in an andrioid phone?

Rajiv Singha
7 years ago
Reply to  Sandeep

Hi Sandeep,

Yes, Quick Heal can protect your Android phone against such malwares.

Regards,

umesh
umesh
7 years ago

ya it is helpful for me thanks Quick Heal

MANOJ
MANOJ
7 years ago

WHEN WE CAN SE QUICK HEAL 2014 ALSO CAN U SHARE SOME NEW IN 2014

50
0
Would love your thoughts, please comment.x
()
x