Android Malware "Obad" Called Most Sophisticated Yet

chicksdaddy writes "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device, and to block attempts to remove the malicious application, The Security Ledger reports. The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a 'multi function Trojan.' Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. However, it is capable of downloading additional modules and of spreading via Bluetooth connections. Writing on the Securelist blog, malware researcher Roman Unuchek called the newly discovered Trojan the 'most sophisticated' malicious program yet for Android phones. He cited the Trojan's advanced features, including complex code obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allows Obad to elevate its privileges on infected devices and block removal."

Re:2 decades of Windows being pwned and Google lea

[smash]

2 decades of Windows being pwned and Google learns... nothing

So, so much this.

Relying on the end user to magically be aware that stuff they are signing is not trojaned, reputable, etc. is not going to work. As demonstrated by Microsoft for the last 30 years, and as demonstrated in the unix world since the 70s.

I've been saying for some time that Android is the Windows of the mobile world. Not because of the code-base or even quality of the code-base, but due to the design decision to push security back on the end user. 99.999% of us are not security experts.

Virus scanners are a waste of resources (cpu/storage and thus, battery).

Vet executables at the source. If the user wants to run their own code, provide a code signing mechanism (this can be done on iOS with a dev account, sure there is a cost argument but the technical benefit is huge. if it was free and there was sufficient verification of an individual's identity to prevent issuing multiple certs to the same person, the money issue could go away. at the moment the cost is there to make obtaining thousands (say) of code-signing certs impractical for a malware author). If apple included a code-signing cert for the end user to "bless" their own (or downloaded) code with for use on their own devices, would people's bitching about not "owning" their iOS device change?

This is the single biggest reason I am an iOS user. I've been around long enough to know not to trust myself or any of my users to vet apps themselves (no one has the time or skillset or tools to do it anyway). I have no faith in the security of a device which can run any code from anywhere being in the hands of an end user (including myself) who is not capable of verifying whether or not code is malicious.

No it is not a 100% solution and there is every chance that malware slips through, however once it has been reported to the distribution point, its cert can be revoked to stop it spreading any further.

Yes, exploits can be created if the signing mechanism is secure, but that is an implementation issue, not a core design issue, and can be fixed.