Obad
The most technically sophisticated Android trojan of its time. Discovered by Kaspersky's Roman Unuchek in June 2013, Obad exploited two previously unknown Android vulnerabilities: one in manifest processing and another to gain irremovable Device Administrator privileges without appearing in the admin list. It was also the first mobile malware distributed through botnets built with entirely different malware families.
Overview
| Property | Value |
|---|---|
| First Seen | June 2013 |
| Type | Backdoor / Multi-function trojan |
| Attribution | Unknown |
| Aliases | Backdoor.AndroidOS.Obad.a (Kaspersky), Backdoor:Android/Obad (F-Secure) |
Distribution
Distributed via SMS spam, redirects from compromised web pages, and mobile botnets built from entirely different malware families, the first time a mobile botnet was seen spreading someone else's malware.
Capabilities
| Capability | Implementation |
|---|---|
| Manifest exploit | AndroidManifest.xml deliberately malformed so that Android still parsed and installed it while analysis tools choked on it, hindering dynamic analysis |
| Invisible admin | Gained Device Administrator privileges without appearing in the admin list, so the user could not revoke them or uninstall the app |
| Anti-analysis | Exploited a flaw in the DEX2JAR converter to break DEX-to-Java conversion; strings and key components stored under multiple layers of encryption |
| Premium SMS | Sent messages to premium-rate numbers |
| Bluetooth worm | Sent files to all detected Bluetooth devices |
| Proxy server | Acted as a network proxy |
| Remote shell | Executed commands via shell |
| Payload delivery | Downloaded and installed additional malware |
Obad operated entirely without a user interface. Key components were only decrypted after gaining internet access, preventing offline analysis.
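Every trait in the table above except the exploits themselves (a device-admin receiver, SMS and Bluetooth permissions, and no launcher activity, i.e. no user interface) is declared in the APK's manifest, so the first check a practitioner wants is static triage of the decoded manifest. The script below is an added example written for this page, not Kaspersky's analysis code and not anything from the Obad sample; it assumes the binary manifest has already been decoded to plain XML (apktool does this), and the two manifests it runs on are constructed inputs, one modelled on the capability list above and one benign.

```python
"""Static triage of a decoded AndroidManifest.xml for the traits described
above: a Device Administrator receiver, SMS/Bluetooth/network permissions,
and the absence of any launcher activity (no visible UI).

Added example, not code from the page's source.  Assumes the manifest has
already been decoded to text XML (e.g. by apktool).  Sample manifests below
are constructed for illustration; they are not Obad's manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualified name for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions that map onto the capabilities listed above.  Each one is common
# in benign apps on its own; the combination with a device-admin receiver and
# no UI is what should raise the score.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "can read or suppress incoming SMS",
    "android.permission.BLUETOOTH": "can push files to nearby Bluetooth devices",
    "android.permission.BLUETOOTH_ADMIN": "can discover and pair Bluetooth devices",
    "android.permission.INTERNET": "can reach a C2 and download payloads",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start without user interaction",
}


def triage_manifest(xml_text):
    """Return a dict of permissions, device-admin receivers, launcher presence,
    human-readable findings and a simple heuristic score (higher = worse)."""
    root = ET.fromstring(xml_text)

    perms = sorted({e.get(a("name")) for e in root.iter("uses-permission")}
                   & set(RISKY_PERMISSIONS))

    # A Device Administrator component is a <receiver> protected by
    # BIND_DEVICE_ADMIN, normally with a DEVICE_ADMIN_ENABLED intent filter.
    admin_receivers = []
    for rcv in root.iter("receiver"):
        if rcv.get(a("permission")) != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {x.get(a("name")) for x in rcv.iter("action")}
        admin_receivers.append({
            "name": rcv.get(a("name")),
            "enabled_action": "android.app.action.DEVICE_ADMIN_ENABLED" in actions,
        })

    # An app with no LAUNCHER activity has no icon and no UI the user can open.
    has_launcher = any(
        "android.intent.category.LAUNCHER"
        in {c.get(a("name")) for c in act.iter("category")}
        for act in root.iter("activity"))

    findings = [RISKY_PERMISSIONS[p] for p in perms]
    if admin_receivers:
        findings.append("declares a Device Administrator receiver "
                        "(hard to remove once the user grants it)")
    if not has_launcher:
        findings.append("no launcher activity: runs with no visible UI")

    score = len(perms) + 3 * bool(admin_receivers) + 2 * (not has_launcher)
    return {"permissions": perms, "admin_receivers": admin_receivers,
            "has_launcher": has_launcher, "findings": findings, "score": score}


# Constructed sample: background service plus device-admin receiver, no activity.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="">
    <service android:name=".MainService"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/policies"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: ordinary app with a launcher activity and network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(label, "score", result["score"])
        for f in result["findings"]:
            print("  -", f)
```

Two caveats when using this on real samples. First, the manifest trick in the table means a decoder may fail or produce an incomplete manifest for exactly the kind of sample this is meant to catch; a manifest that the device accepts but apktool cannot decode is itself a finding, not a reason to skip the APK. Second, the score is a triage heuristic for deciding what to analyse first, not a verdict: legitimate device-administration and messaging apps will score high, and a sample that hides its admin registration, as Obad did, still shows the receiver here because the manifest is where the receiver has to be declared.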
Significance
Despite low infection rates (no more than 0.15% of mobile malware infection attempts over a three-day Kaspersky observation window), Obad's significance lay in its unprecedented technical sophistication. Its techniques (exploitation of unpatched Android vulnerabilities, DEX2JAR evasion, irremovable and hidden Device Administrator rights, encrypted C2 traffic, distribution through other families' botnets) were closer to Windows malware than to the Android trojans of the day and foreshadowed the professionalization of the mobile malware ecosystem.