A troubling trend in Android malware is the use of botnets, which are networks of compromised smartphones used to distribute spam and malicious code. These zombie networks enable malware creators to spread their apps in far greater numbers than more typical venues, such as online app stores.
Mobile botnets have been discovered before, but the latest one comes with a unique twist, according to security vendor Kaspersky Lab. Rather than send only the original malware used in creating the botnet, the newly discovered network also sends different malware. This is significant because it indicates cybercriminals are renting out botnets to other crooks.
The availability of such services shows that the business of Android malware is maturing. For years, cybercriminals targeting Windows PCs have had a wide selection of development tools, exploit kits, botnets and pre-built malware. These services and tools have made it possible for criminals with little tech knowledge to set up shop.
Mobile versions of these technologies and services are expected to eventually be offered on the underground for attacking Android, which ran 79% of all smartphones shipped in the second quarter, according to tech researcher Gartner. However, the transition will take time, since a lot of new code has to be written and criminals have to work out important business details, such as payment.
In the meantime, progress is being made. Kaspersky says that a botnet created with a mobile Trojan the company calls SMS.AndroidOS.Opfake.a is also being used to distribute Backdoor.AndroidOS.Obad.a. The latter, discovered in June, is the most sophisticated Trojan to date. The multi-functional software can send SMS messages to premium rate numbers, download additional malware from a command and control server and spread to other phones via Bluetooth.
The method used to infect Android smartphones starts with a text message that says, "MMS message has been delivered, download from www.otkroi.com." Clicking the link automatically loads Opfake.a; however, the malware cannot be installed unless the user agrees to run it.
If the user does, the malware is instructed by its command and control server to send everyone on the phone's contact list a text message that says, "You have a new MMS message, download at - http://otkroi.net/12." This time, clicking on the link automatically loads Obad.a.
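The two-stage SMS lure described above is something a carrier or an MDM team can look for in message logs. The following is an added example (not Kaspersky's code or anything from the article) that flags messages shaped like the quoted MMS-download bait and spots a handset blasting that bait to many contacts, which is the fan-out behaviour of an infected phone; the regex and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# Generalises the two lure wordings quoted in the article ("MMS message has been
# delivered, download from ..." and "You have a new MMS message, download at - ...").
# Assumption: real campaigns vary the text, so tune this to local variants.
LURE_RE = re.compile(
    r"\bMMS\b.*\b(download|delivered)\b.*?(https?://\S+|www\.\S+)", re.I
)

# Lure domains quoted in the article; extend from your own threat intel.
KNOWN_LURE_DOMAINS = {"otkroi.com", "otkroi.net"}


def extract_domain(url: str) -> str:
    """Reduce a URL from an SMS body to its bare host name."""
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
    return host[4:] if host.startswith("www.") else host


def classify_sms(text: str):
    """Return lure details if the message looks like the MMS-download bait, else None."""
    m = LURE_RE.search(text)
    if not m:
        return None
    domain = extract_domain(m.group(2))
    return {"url": m.group(2), "domain": domain,
            "known_domain": domain in KNOWN_LURE_DOMAINS}


def find_fanout(records, threshold=3):
    """Senders that pushed a lure to at least `threshold` distinct recipients."""
    recipients = defaultdict(set)
    for rec in records:
        if classify_sms(rec["text"]):
            recipients[rec["sender"]].add(rec["recipient"])
    return {s: len(r) for s, r in recipients.items() if len(r) >= threshold}


# Constructed sample SMS records (not real traffic): handset-A is the infected phone.
SAMPLE = [
    {"sender": "handset-A", "recipient": "contact-1",
     "text": "You have a new MMS message, download at - http://otkroi.net/12"},
    {"sender": "handset-A", "recipient": "contact-2",
     "text": "You have a new MMS message, download at - http://otkroi.net/12"},
    {"sender": "handset-A", "recipient": "contact-3",
     "text": "You have a new MMS message, download at - http://otkroi.net/12"},
    {"sender": "handset-B", "recipient": "contact-1",
     "text": "Your MMS has been delivered."},  # benign: no link
]
```

Running `find_fanout(SAMPLE)` reports handset-A with three recipients, while handset-B's link-free notice is ignored.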
Mischief attributed to Obad.a includes monitoring SMS messages for bank codes. If one is found, the malware hides the code from the phone's user and ships it to a server.
The use of Opfake.a to spread Obad.a indicates that the Obad.a creators are renting part of the former malware's botnet, according to Kaspersky. In time, these types of partnerships are expected to lead to wider distribution of malware.
For now, most of this activity does not affect Android users in the U.S. More than 80% of Obad.a infection attempts occur in Russia. Other countries where the Trojan has been spotted include Kazakhstan, Uzbekistan, Belarus and Ukraine.
The developers of Obad.a are using more than just a botnet to spread their brainchild. They also use fake application stores that copy Google Play content and inject code in legitimate sites so visitors are redirected to malicious ones. These two methods are typically used in the Russian Federation, Eastern Europe and Asia, where people often use third-party app stores. In the U.S., the much safer Google Play dominates the market.
Whether malware developers can penetrate the U.S. remains to be seen. They will have to develop much better tools and services. But as the Obad.a example shows, they don't lack creativity and we can expect to see more innovation in the future.