We have been seeing apps that exploit vulnerabilities in Android, with most of them attempting to gain higher privileges on user devices. In recent days, a stronger and a far more advanced Android malware named ANDROIDOS_OBAD has come into play. What seems to be a product from the same malware authors behind ANDROIDOS_JIFAKE, ANDROIDOS_OBAD is found to be equipped with ability to avoid being uninstalled from devices and triggers more malicious code.
Newer and more improved stealth routines
This new malware family has overall stealth and anti-reverse methods for both normal users and security researchers. When installed, it asks for root privileges and activates the device administrator. Because of ANDROIDOS_OBAD’s gaining root privilege, the malware takes complete control of the device and may allow an attacker to utilize this fully.
If the user does not activate as instructed, the malware displays frequent pop-up messages when the device restarts. Additionally, if users press the back button, pop-ups appear once again. If the if home button pressed, the pop-ups appear any time later.
Here, users will finally have the chance to uninstall it, but if device administrator is activated, the malware will instead run fully in stealth mode.
Figure 1. Activating device administrator allows the malware to run in stealth mode
Still, you can carefully distinguish the malicious app from the mixed Android system apps under Apps Management. However, you won’t be able to uninstall it because it’s a device admin app.
Figure 2. Malware’s app information
The “anti-uninstall” tricks also work on Android’s vulnerability by hiding itself from Device Administrator management view:
Figure 3. The malware hides itself from the Device Administrator management view
From a security researcher’s perspective, it seems that the malware author tested ANDROIDOS_OBAD against traditional analyze tools.
The Android OS recognizes AndroidManifest.xml but major decoding tools fail to precisely parse it. Most sandboxes encounter problems loading this malware because ANDROIDOS_OBAD has the ability to initially detect them.
A new obfuscation technique
The app’s Dalvik code is obfuscated in a new way – almost every Class file has a unique, embedded obfuscated decryption routine. This means that every string and function called must be first decrypted while the app runs. Some parts of the code – like string constants – are encrypted multiple times. Current decompilers have problems to illustrate the execution order correctly.
An example of unordered execution code snippet from one decrypt routine:
Figure 4. Code sample
The upper IF statement intersects with WHILE loop. The IF condition cannot be true, so consequent code will never be executed, but WHILE loop will loop back to the middle of IF consequent code (p6 = (p6 + 1); ). The correct order is append last two lines of IF consequent code to the WHILE loop, and disable IF statement.
Once we were able to decrypt the code and analyze it, we found that the malware is capable of the following behavior:
- Hiding the launcher, and run as a background service with the highest priority.
- Automatically try to open Wi-Fi connections and connect to remote server (http://www.{BLOCKED}ofox.com/load.php).
- Collect user’s contacts, call log, SMS inbox and installed apps.
- Download, install and uninstall apps (with root privileges, this can be done silently).
- Distributing malware to other phones via Bluetooth
ANDROIDOS_OBAD vs. ANDROIDOS_JIFAKE
ANDROIDOS_OBAD shares similar features with that of its predecessor ANDROIDOS_JIFAKE. The latter is a fake app installer that tricks user into installing and executing them, after which it will silently register as a service connecting to remote servers as it waits for commands. The remote server can then trigger sending premium text messages and do the same “anti-uninstall” tricks.
The anti-uninstall trick is exploited through Android’s Device Administration feature. If one app is installed and enabled as the device admin application, it will be entrusted with more power to constrain user’s device, including enforcing security policy, lock or wipe user’s device. Under this level, app cannot be easily uninstalled, which contributes much for the anti-uninstall tricks.
To uninstall the device application app, users need to deactivate under Settings->Security->Device Administrators. But an unpublished Android vulnerability can be exploited to hide the deactivation option. Users are then forced to enable the malware as device admin application with no way to disable it.
Trend Micro Mobile Security already detects this malware family upon installation.
Leave a reply
