Hacks and Incidents

Obad.a Trojan now being distributed via mobile botnets

The most interesting of these methods were the ones where Obad.a was distributed along with another mobile Trojan – SMS.AndroidOS.Opfake.a. This was recently described in the blog GCM in malicious attachments. The double infection attempt starts when a user gets a text message containing the following text:

“MMS message has been delivered, download from www.otkroi.com”.

If a user clicks on the link, a file named mms.apk containing Trojan-SMS.AndroidOS.Opfake.a is automatically loaded onto the smartphone or tablet. The malware cannot be installed unless users then run it. If this happens, the C&C server can instruct the Trojan to send out the following message to all the contacts in the victim’s address book:

“You have a new MMS message, download at – http://otkroi.net/12”

Following the link automatically loads Backdoor.AndroidOS.Obad.a under the names of mms.apk or mmska.apk.

The scale of this activity is clearly illustrated by data we gained from a leading Russian mobile operator, which detected a mass distribution of malicious text messages on its network. In the space of five hours, 600 messages were sent with one of the Trojan-SMS.AndroidOS.Opfake.a modifications. In most cases delivery was via infected devices, while previously similar distributions used SMS gateways. At the same time, only a few devices infected with Trojan-SMS.AndroidOS.Opfake.a distributed links to Backdoor.AndroidOS.Obad.a, so we could conclude that the creators of the dangerous Trojan rented part of a mobile botnet to spread their brainchild.
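The network-side view described above can be approximated by flagging subscribers that send the same link-bearing "MMS" lure to many distinct recipients within a short window. This is an added example, not code from the original article or from the operator; the record layout, thresholds, phone numbers and the lure.example / photos.example domains are constructed assumptions.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r'(?:https?://|www\.)[^\s"”“]+', re.I)
LURE_RE = re.compile(r"\bMMS\b", re.I)  # lure keyword used in both messages quoted above

def extract_link(text):
    """Return the first link in an SMS body, normalised to host/path, or None."""
    m = URL_RE.search(text)
    if not m:
        return None
    link = re.sub(r"^(?:https?://)?(?:www\.)?", "", m.group(0), flags=re.I)
    return link.rstrip(".,;)").lower()

def flag_spreaders(records, window_s=3600, min_recipients=5):
    """records: iterable of (epoch_seconds, sender, recipient, text).
    Returns {sender: {links}} for senders that pushed one MMS-lure link to
    at least min_recipients distinct numbers inside a window_s sliding window."""
    by_key = defaultdict(list)
    for ts, sender, rcpt, text in records:
        link = extract_link(text)
        if link and LURE_RE.search(text):
            by_key[(sender, link)].append((ts, rcpt))
    flagged = {}
    for (sender, link), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1  # shrink window from the left
            if len({r for _, r in events[start:end + 1]}) >= min_recipients:
                flagged.setdefault(sender, set()).add(link)
                break
    return flagged

# Constructed sample: one address-book blast, one slow legitimate sender, one chatty sender.
SAMPLE = (
    [(1000 + 60 * i, "+70000000001", f"+7000000010{i}",
      "You have a new MMS message, download at - http://lure.example/12") for i in range(6)]
    + [(1000 + 86400 * i, "+70000000002", f"+7000000020{i}",
        "MMS photo from the trip: http://photos.example/a") for i in range(6)]
    + [(2000 + i, "+70000000003", f"+7000000030{i}", "Running late, see you at 7")
       for i in range(6)]
)

if __name__ == "__main__":
    print(flag_spreaders(SAMPLE))
```

Only the first sender is flagged: the second spreads its messages over days and the third sends no links, so neither reaches the per-window recipient threshold.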