McAfee Labs

Security Apps, Malware Race to Be First On Your Mobile

0
By on Jun 28, 2013

In China, there is a saying: “道高一尺,魔高一丈,” meaning “The law is strong, but the outlaws are sometimes stronger.”

In the last few weeks, a new Android malware we’re calling Android/Obad.A has appeared. It uses a number of techniques that have rarely been seen before in mobile malware. Android/Obad.A requests the victim to authorize its Device Administrator privilege request and exploits a system vulnerability to hide itself from the DeviceAdmin list to avoid being uninstalled. It also uses the commercial code obfuscation tool DexGuard to make reverse engineering and analysis more difficult.

It is interesting to note that although DeviceAdmin has been used by some security applications to avoid being accidentally or intentionally uninstalled, this is the first known instance of a sophisticated malware using DeviceAdmin.
Obad1Obad2

Names of Android/Obad.A classes and variable have been obfuscated to hamper analysis.

Obad3Obad4

Android/Obad.A requests DeviceAdmin privilege.

In addition to those techniques, Android/Obad.A does the following:

  • Collects sensitive information: IMEI (International Mobile Equipment Identity, a phone serial number), operator name, phone number, and local time
  • Encrypts the information and sends it to the attacker
  • Executes commands from the control server, including:
    • sending SMS messages
    • downloading another package
    • installing a package
    • accessing a certain website
    • sending the contacts information to the attacker
    • sending itself to nearby devices through Bluetooth
    • more commands

These payloads have been seen in other mobile malware since the beginning of Android attacks. However, the malware author breaks new ground in antisecurity software techniques–by attacking antimalware software.

Previously, malware has used the basic technique of deleting or uninstalling antimalware programs. Some malware looked for specific versions or particular brands of antimalware; others targeted multiple brands. Antimalware programs now have real-time scanning to prevent malware from running and deactivating them. In contrast, sophisticated malware runs its own service to detect antimalware software being installed on the device and uninstalling it.

All this looks like a race between the security application and malware. Who runs faster, and who catches (detects) whom?

Unfortunately, some antimalware apps can’t remove Android/Obad.A even if they detect it–due to its DeviceAdmin privilege. An alternative way to combat Obad.A is to develop a special tool to reveal it, and then to disable its DeviceAdmin privilege and allow the antimalware product to remove it. We have recently updated our McAfee Mobile Innovations application, which has multiple features, with one to find hidden applications, including malware such as Android/Obad.A.

Obad5 Obad6

McAfee Mobile Innovations uninstalling Android/Obad.A.

Obad7
McAfee Mobile Innovations completing the task of removing Android/Obad.A.

McAfee has a security product used in Japan that tightly integrated with the phone. This product is given root privilege by the manufacturer/operator, so it can detect Android/Obad.A and remove it without a special tool even if the malware is authorized with DeviceAdmin privilege.

Although Obad.A is sophisticated malware, MMS can still detect and remove it while it is installing–before it’s authorized to use the DeviceAdmin privilege. So we strongly suggest Android mobile phone users install McAfee Mobile Security.

There is also another old saying in China:”魔高一尺,道高一丈,” “As vice raises one foot, virtue raises ten.” Whatever malware appear and whatever technology they use, security applications will keep them out of your device.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>