Android Trojans spread by Bluetooth, hijack bank codes

A Trojan that spreads itself via Bluetooth and another that’s received a mobile upgrade to steal SMS banking codes have been discovered by security researchers.

“Backdoor.AndroidOS.Obad.a” was recently discovered by Kaspersky Lab in an Android application. The malware is a multi-functional Trojan that can send SMS messages to premium rate numbers, download malware to a phone and infect other phones through Bluetooth.

After receiving a command from a server operated by a cyber criminal, the malware scans for devices around it with open Bluetooth connections and attempts to send a bad app to them, Kaspersky Lab Expert Roman Unuchek explained in a blog.

When Bluetooth was introduced, there were some experiments with using it to infect machines, but nothing similar to what Kaspersky has discovered. “In this incarnation, it’s definitely novel,” Ken Baylor, research vice president for NSS Labs, said in an interview. “It’s something we haven’t seen in Bluetooth before, other than a proof concept,” he said, “and we’ve never seen it in an Android implementation.”

The Obad backdoor is one of the most complex Android malware programs yet and rivals bad apps written for Windows PCs. “Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits,” Unuchek wrote.

“Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts,” he added. “However, it is rare to see concealment as advanced as Obad.a’s in mobile malware.”

As complex as Obad is, the added sophistication doesn’t seem to be making the Trojan very infectious. “Despite such impressive capabilities, Backdoor.AndroidOS.Obad.a is not very widespread,” Unuchek wrote. “Over a 3-day observation period using Kaspersky Security Network data. Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware.”

Obad’s kind of complexity wasn’t stuffed into the new mobile add-on for the Bugat banking Trojan discovered by researchers at RSA. The add-on, called BitMo by RSA, hijacks security codes sent through SMS messages to bank customers to authenticate their identities.

“It’s a simple SMS forwarder,” Limor Kessem, a cybercrime specialist with RSA, the security division of EMC, said in an interview. “It’s not a rogue. It asks for permissions just like any other application.”

What is interesting about the malware is how its authors get people to download it. They persuade them they need malware protection and request their mobile phone number and platform type. Then they get the person to download the malware.

Once installed on a phone, the bad app operates in the background monitoring SMS messages. If it sees a message containing a bank code, it will hide it from the phone’s owner and ship the message to the byte robber.

Bugat has been tardy coming to the SMS code-snatching game, Kessem explained.

Bank Trojan writers began focusing their attention on mobile devices in 2012, as the use of SMS authentication codes began cutting into the effectiveness of their malware. “They saw that they needed to get into mobile because it’s where their transactions were failing and their fraud rates falling,” Kessem said in an interview.

“Bugat has been around for quite a while, so it’s getting into the SMS game a little late,” she added.

That’s surprising since Bugat is a widespread banking Trojan, ranking behind the infamous Zeus banking Trojan in popularity among cyber bank robbers.

The addition of an SMS redirector could boost Bugat’s popularity in the bank Trojan market, which is now divided among Zeus, Bugat and Citadel. “When Citadel began getting attention in the Western press, it began decreasing its availability,” Baylor, of NSS, explained.”So we may see an ascendance of Bugat.”