Sophisticated Android Malware

I generally ignore the noise spouted by (mobile) anti-virus vendors, as it is often spreading fear that is out of proportion to the actual risk. However, a recent blog post by Roman Unuchek of Kaspersky describes a new, sophisticated Android Trojan that is genuinely interesting. Some of the techniques the malware uses can also be used by normal apps to make themselves less susceptible to piracy.

All strings in the DEX file are encrypted and the code is obfuscated. The code also exploits a flaw in a commonly used decompilation tool (DEX2JAR) and a quirk in Android's AndroidManifest.xml parsing, which makes analysis by third parties such as Kaspersky very difficult. The malware further uses a previously unknown Android OS vulnerability to keep itself off the list of apps that hold extended Device Administrator privileges, which makes it impossible to delete through the normal settings. Strings in the malware code are even decrypted using part of a page downloaded from Facebook.
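As an added example (not code from the post or from Kaspersky's analysis), the following Android/Java snippet shows the defender-side check that the Device Administrator trick above is designed to defeat: it asks the OS, via DevicePolicyManager, which packages currently hold device admin rights and flags any that are not on an allow-list. The allow-list and the class name are assumptions of this example. The caveat matters: the Trojan described above exploits a bug to stay off exactly this list, so a clean result from this check is not proof of a clean device.

```java
// Added example, not from the original post. Enumerates the apps the OS reports as
// active Device Administrators and flags those outside an allow-list supplied by the
// caller. Because the Trojan discussed above hides from this very list, an empty result
// only means the OS reports nothing, not that nothing is there.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.util.Log;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public final class DeviceAdminAudit {
    private static final String TAG = "DeviceAdminAudit";

    private DeviceAdminAudit() {}

    /** Returns the package names of all device administrators the OS reports as active. */
    public static List<String> activeAdminPackages(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<ComponentName> admins = dpm.getActiveAdmins(); // null when none are active
        if (admins == null) {
            return Collections.emptyList();
        }
        List<String> packages = new ArrayList<>(admins.size());
        for (ComponentName admin : admins) {
            packages.add(admin.getPackageName());
        }
        return packages;
    }

    /**
     * Returns the active admins whose package is not in the caller's allow-list
     * (for example the one device-management or security app a user expects).
     * The allow-list is an assumption of this example, not something Android provides.
     */
    public static List<String> unexpectedAdmins(Context context, List<String> allowed) {
        List<String> unexpected = new ArrayList<>();
        for (String pkg : activeAdminPackages(context)) {
            if (!allowed.contains(pkg)) {
                unexpected.add(pkg);
            }
        }
        return unexpected;
    }

    /** Logs the audit result; call from an Activity or Service with its Context. */
    public static void logReport(Context context, List<String> allowed) {
        List<String> unexpected = unexpectedAdmins(context, allowed);
        if (unexpected.isEmpty()) {
            Log.i(TAG, "No unexpected device administrators reported by the OS");
        } else {
            for (String pkg : unexpected) {
                Log.w(TAG, "Unexpected device administrator: " + pkg);
            }
        }
    }
}
```

A user without such a tool can see the same list under Settings > Security > Device administrators; the point of the example is that both views are fed by the same OS bookkeeping, which is what this Trojan subverts.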

The app is spread via SMS and Bluetooth. Despite its complexity, the app still prompts the user to activate device administrator, and some of its functionality only works on rooted phones.

If you are an Android user, my advice is to:

  • Only download from the Play store, where there is much less malware.
  • As on the PC, the web (and the Mac), treat any unexpected dialogs with caution.
  • Own a recent device with Android 4.x on it, so you know that a large proportion of vulnerabilities have been fixed.
  • Don't root your device; otherwise you are opening yourself up to more risks.