Malware writers are leaving no stone unturned in targeting the Android platform, and two recently discovered families, Android.Obad and Android.Fakedefender, show how far they are willing to go. The rest of this post explains what these malware are and how they work.
Android.Obad and Android.Fakedefender are more sophisticated than typical malware families. Both abuse "Device Admin" privileges, which makes them considerably harder to detect and remove once they are installed on a device.
Important Facts about Android.Obad
What is it?
- Android.Obad is a Trojan.
- It masks itself as a genuine application.
What does it do?
- It sends SMS messages to premium-rate numbers, which costs the user money.
- It can download further malicious applications, push them to nearby Bluetooth-enabled devices, and accept remote commands to perform malicious actions.
How does it gain Device Admin Privileges?
- Once Android.Obad is launched, it repeatedly asks the user to grant "Device Admin" privileges. The "Cancel" button is disabled, leaving the user with only the "Activate" option, as shown in the reference image below:
Some More Facts:
- Once the malware has Device Admin privileges, it digs deeper into the system and hides itself from the list of device administrators. Because Android will not uninstall an active administrator until it has been deactivated in that list, the user is left with no way to remove the application via Settings.
- Android.Obad makes extensive use of reflection, which keeps its real call targets out of sight of malware analysts reading the code. The strings it uses, including the names of the methods it invokes, are encrypted under multiple layers using polymorphic techniques.
- Android programs are compiled into DEX (Dalvik Executable) files, which are then packaged into a single APK file. Android.Obad ships specially crafted DEX files that most analysis tools fail to decompile, which makes reverse engineering harder.
Android.Obad takes advantage of the following vulnerabilities, two in analysis tooling and one in Android itself, each of which makes it harder for analysts to reverse engineer the malware.
- Modified AndroidManifest.xml: the malware omits some components from the manifest file in a way that does not match the documented format. Automated dynamic-analysis environments fail to parse such a manifest and therefore cannot analyze the sample, whereas the smartphone's OS processes it correctly and the malware runs normally on a real device.
- Error in the dex2jar tool: dex2jar is a popular tool for reverse engineering Android malware. On Obad's crafted DEX files it either fails to convert them or produces incorrect output, which makes static analysis difficult.
- Device Admin privilege: as discussed earlier, Android.Obad abuses a flaw in Android's handling of Device Admin privileges that lets it hide itself from the Device Admin list.
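Crafted DEX files work because decompilers trust the header. A first triage step, before handing a sample to dex2jar, is to check the header's own invariants. The script below is an added example written for this post, not Quick Heal's tooling and not Obad's code: it parses the fixed 0x70-byte DEX header, verifies the Adler-32 checksum and SHA-1 signature the format defines, checks that every table the header indexes lies inside the file, and then builds a constructed minimal DEX and a deliberately corrupted copy to show the checks firing. The corruption used (an oversized string_ids table) is an illustrative assumption, not the specific trick Obad relies on.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"            # 'dex\n' + version '035' + NUL
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
REVERSE_ENDIAN_CONSTANT = 0x78563412

# (name, header offset of the size field, bytes per entry) for each table the header indexes.
# The matching offset field always sits four bytes after the size field.
SECTION_FIELDS = (
    ("string_ids", 56, 4), ("type_ids", 64, 4), ("proto_ids", 72, 12),
    ("field_ids", 80, 8), ("method_ids", 88, 8), ("class_defs", 96, 32),
    ("data", 104, 1),
)


def parse_header(blob):
    """Decode the fixed DEX header into a dict (little-endian layout only)."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("input shorter than a DEX header")
    h = {"magic": blob[0:8], "signature": blob[12:32]}
    (h["checksum"],) = struct.unpack_from("<I", blob, 8)
    (h["file_size"], h["header_size"], h["endian_tag"],
     h["link_size"], h["link_off"], h["map_off"]) = struct.unpack_from("<6I", blob, 32)
    for name, off, _ in SECTION_FIELDS:
        h[name + "_size"], h[name + "_off"] = struct.unpack_from("<2I", blob, off)
    return h


def validate_dex(blob):
    """Return a list of human-readable findings; an empty list means the header is self-consistent."""
    findings = []
    h = parse_header(blob)
    if h["magic"] != DEX_MAGIC:
        findings.append("unexpected magic %r" % h["magic"])
    if h["header_size"] != HEADER_SIZE:
        findings.append("header_size 0x%x, expected 0x70" % h["header_size"])
    if h["endian_tag"] not in (ENDIAN_CONSTANT, REVERSE_ENDIAN_CONSTANT):
        findings.append("unknown endian_tag 0x%08x" % h["endian_tag"])
    if h["file_size"] != len(blob):
        findings.append("file_size %d but file is %d bytes" % (h["file_size"], len(blob)))
    # The checksum covers everything after itself; the signature covers everything after itself.
    if (zlib.adler32(blob[12:]) & 0xFFFFFFFF) != h["checksum"]:
        findings.append("adler32 checksum mismatch (file edited after build?)")
    if hashlib.sha1(blob[32:]).digest() != h["signature"]:
        findings.append("sha1 signature mismatch")
    # Every table must lie inside the file. Python ints do not overflow, so an absurd size is caught
    # here; a C parser computing off + size * entry in 32 bits could wrap and read out of bounds.
    for name, _, entry in SECTION_FIELDS:
        size, off = h[name + "_size"], h[name + "_off"]
        if size and (off < HEADER_SIZE or off + size * entry > len(blob)):
            findings.append("%s table (%d entries at 0x%x) runs outside the file" % (name, size, off))
    if h["map_off"] and h["map_off"] >= len(blob):
        findings.append("map_off 0x%x outside the file" % h["map_off"])
    return findings


def build_minimal_dex():
    """Construct (not taken from any real APK) the smallest self-consistent DEX: a header plus a map_list."""
    # map_list with one entry: TYPE_HEADER_ITEM (0x0000), count 1, at offset 0
    data = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)
    file_size = HEADER_SIZE + len(data)
    body = struct.pack("<6I", file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, HEADER_SIZE)
    body += struct.pack("<12I", *([0] * 12))           # six empty id/def tables (size, offset)
    body += struct.pack("<2I", len(data), HEADER_SIZE)  # data_size, data_off
    body += data
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def craft_oversized_string_table(blob):
    """Illustrative corruption (an assumption, not Obad's actual trick): claim 2^31-1 string_ids
    entries without recomputing the checksum or signature."""
    b = bytearray(blob)
    struct.pack_into("<2I", b, 56, 0x7FFFFFFF, HEADER_SIZE)
    return bytes(b)


if __name__ == "__main__":
    good = build_minimal_dex()
    print("clean sample:", validate_dex(good) or "no findings")
    for line in validate_dex(craft_oversized_string_table(good)):
        print("crafted sample:", line)
```

Run it against classes.dex extracted from a suspect APK; any finding means the file is not what a conforming compiler produces, and the failure of a decompiler on it is a property of the sample rather than of the tool.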
Important Facts About Android.Fakedefender
What is it?
- Android.Fakedefender is a Trojan.
- It disguises itself using the icons of popular applications such as Facebook and Skype.
- After it has been installed, it is displayed on the phone as “Android Defender”.
What does it do?
- Once Android.Fakedefender is launched, it repeatedly asks the user to grant "Device Admin" privileges. Regardless of what the user chooses, the privileges end up granted.
- The malware then notifies the user about malware and other security threats that do not actually exist.
- It keeps displaying such messages to scare the user into purchasing an application that will supposedly remove these threats, which is why it is also classed as "scareware".
- In some cases, the malware prevents the victim from doing anything else on the phone until a payment is made.
- It also collects device information such as the phone number, OS version, manufacturer and location, and sends it to a remote server.
- Worst of all, it can interfere with legitimate security applications that would otherwise warn the user about real threats.
Note: like Android.Obad, Android.Fakedefender is difficult to remove once it has been installed. It alters the device's settings so that the user cannot perform a normal factory reset.
We strongly advise users to be on guard against applications that ask for "Device Admin" privileges. The administrators currently active on a device can be reviewed under Settings > Security > Device administrators, and an analyst with the device connected over USB can list them with "adb shell dumpsys device_policy"; an application that has requested the privilege but does not appear there is a strong warning sign.
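The practical counterpart to that advice, when triaging a sample rather than a device, is to read what the app declares. The script below is an added example for this post, not Quick Heal's own tooling: given an AndroidManifest.xml decoded from an APK (binary AXML must first be decoded, for example with apktool), it lists receivers that request BIND_DEVICE_ADMIN (the way a DeviceAdminReceiver is declared), flags any such receiver that lacks the documented DEVICE_ADMIN_ENABLED intent filter or android.app.device_admin meta-data, and reports permissions matching the behaviours described above (premium SMS, Bluetooth, network access, persistence across reboot). The embedded manifest is constructed for illustration and is not the real manifest of either family; the permission table and the risk rating are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_META = "android.app.device_admin"

# Assumed mapping of permissions to the behaviours described in the post; extend as needed.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "sending premium-rate SMS",
    "android.permission.BLUETOOTH_ADMIN": "pushing files to Bluetooth-enabled devices",
    "android.permission.INTERNET": "taking remote commands / sending collected data",
    "android.permission.RECEIVE_BOOT_COMPLETED": "running again after reboot",
    "android.permission.ACCESS_FINE_LOCATION": "collecting location",
}

# Constructed sample manifest (not Obad's or Fakedefender's): a device-admin receiver that
# omits the documented meta-data, plus the permission set the behaviours above would need.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Android Defender">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CommandService"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a dict describing device-admin receivers and risky permissions in a decoded manifest."""
    root = ET.fromstring(xml_text)
    result = {
        "package": root.get("package"),
        "device_admin_receivers": [],
        "nonconforming_receivers": [],
        "risky_permissions": [],
    }
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name")
        if name in RISKY_PERMISSIONS:
            result["risky_permissions"].append((name, RISKY_PERMISSIONS[name]))
    for rcv in root.iter("receiver"):
        if rcv.get(A + "permission") != BIND_DEVICE_ADMIN:
            continue
        name = rcv.get(A + "name")
        result["device_admin_receivers"].append(name)
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        has_meta = any(m.get(A + "name") == DEVICE_ADMIN_META for m in rcv.iter("meta-data"))
        # A DeviceAdminReceiver normally declares both; one that does not deserves a closer look.
        if DEVICE_ADMIN_ACTION not in actions or not has_meta:
            result["nonconforming_receivers"].append(name)
    return result


def risk_level(result):
    """Assumed rating: device admin combined with any risky permission is the pattern described above."""
    if result["device_admin_receivers"] and result["risky_permissions"]:
        return "HIGH"
    if result["device_admin_receivers"] or result["risky_permissions"]:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    r = triage_manifest(SAMPLE_MANIFEST)
    print(r["package"], "->", risk_level(r))
    for name, why in r["risky_permissions"]:
        print("  permission", name, "enables", why)
    for name in r["device_admin_receivers"]:
        tag = " (non-standard declaration)" if name in r["nonconforming_receivers"] else ""
        print("  device-admin receiver", name + tag)
```

A device-admin receiver on its own is not proof of malice (anti-theft and MDM apps need one), which is why the rating only goes to HIGH when it is paired with the permissions that the behaviours above require.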
Definitions of some popular terms used in the post:
- Static Analysis – Static analysis is the analysis of a computer program that is performed without executing it.
- Dynamic Analysis – Analysis performed while the program is executing is known as dynamic analysis.
- Reverse engineering – Reverse engineering is the process of studying the function and information flow of a piece of software or hardware in order to determine how it works.
- Reflection code – Reflection refers to the ability of a program to examine and modify the structure and behaviour (specifically the values, metadata, properties and functions) of an object at runtime.
- APK file – Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google’s Android operating system.
- Automated analysis – Automated Analysis refers to a process that allows malware threat analysts to configure controlled test environments, where they can execute and inspect malware in automated ways.
Blog post acknowledgment – Quick Heal Threat Research and Response Team.