In late May, Securelist reported on the details of
Backdoor.AndroidOS.Obad.a, the most sophisticated
mobile Trojan to date. At the time we had almost no
information about how this piece of malware gets onto
mobile devices. We have since been examining how the

Trojan is distributed and discovered that the malware
owners have developed a technique which we have
never encountered before. For the first time malware is
being distributed using botnets that were created using
completely different mobile malware.

So far we have discovered four basic methods used to
distribute different versions of
Backdoor.AndroidOS.Obad.a.

Mobile Botnet
The most interesting of these methods were the ones
where Obad.a was distributed along with another
mobile Trojan – SMS.AndroidOS.Opfake.a. This was
recently described in the blog GCM in malicious
attachments. The double infection attempt starts when a
user gets a text message containing the following text:

“MMS message has been delivered, download from
www.otkroi.com”.

If a user clicks on the link, a file named mms.apk
containing Trojan-SMS.AndroidOS.Opfake.a is
automatically loaded onto the smartphone or tablet.
The malware cannot be installed unless users then run
it. If this happens, the C&C server can instruct the Trojan
to send out the following message to all the contacts in
the victim’s address book:

“You have a new MMS message, download at – http://
otkroi.net/12”

Following the link automatically loads
Backdoor.AndroidOS.Obad.a under the names of
mms.apk or mmska.apk.




http://infolodge.net/blog/blog/2013/09/06/first-android-trojan-discovered-obad-trojan/