Malware Threats, Hoaxes, and Taxonomy
BadNews
Originally discovered in Google Play, BadNews was repackaged in approximately 30 legitimate apps with an estimated 2 million to 9 million downloads. BadNews masqueraded as an advertising network. It was one of the earliest instances of a malicious ad network actually posing as a real network. The network would download malware onto a device on installation. BadNews had the following functionality: it would send fake news messages and system-specific data to a remote C&C server and prompt users to install applications. BadNews used its ad-displaying capabilities to push monetization malware and promote affiliated apps. BadNews also promoted the premium-rate SMS fraud malware AlphaSMS. BadNews was identified mostly in the Russian Federation, Ukraine, Belarus, Armenia, and Kazakhstan. The authors of this malware used it to promote their other, less popular apps, which also contained BadNews. At the time, there were three identified C&C servers, located in Russia, Ukraine, and Germany.
Obad
Obad, at the time of discovery, was the most sophisticated Android malware ever discovered. Obad was a multifunctional Trojan, capable of sending SMS messages to premium-rate numbers, installing other malware on the device, distributing malware via Bluetooth, and remotely executing root shell commands. The code was obfuscated and all strings in the DEX file were encrypted. All external methods were called via reflection, and all strings were encrypted, including class and method names. The malware authors leveraged a discovered error in the Dex2Jar software to disrupt the conversion of Dalvik bytecode into Java bytecode. This disruption complicated static analysis of the malware. The authors also leveraged a discovered error in the Android OS regarding the processing of the AndroidManifest.xml file. The authors modified the XML file in a way that did not comply with Google's standards, but the XML file was still processed correctly on the device as a result of exploiting the Android OS error. This complicated the dynamic analysis of Obad. The authors exploited another discovered error in the Android OS that granted Obad extended device administration without appearing on the list of apps that had these privileges.
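The three Obad traits described above (external calls made via reflection, encrypted string constants, and use of device-administrator privileges) are the kind of thing an analyst can flag in a first static triage pass, before any decompiler is involved. The script below is an added example written for this page, not code from the book or from any published analysis of Obad. It assumes that string constants have already been extracted from a classes.dex (for example with a DEX parser or the `strings` tool) and are supplied one per line; the marker strings, the entropy threshold, the scoring rule and the sample input are all assumptions made here, and the sample strings are constructed, not taken from a real sample.

```python
import math
import sys
from collections import Counter

# Dalvik-style method references that indicate reflection or dynamic code
# loading. Assumed marker set; extend as needed.
REFLECTION_MARKERS = (
    "Ljava/lang/reflect/Method;->invoke",
    "Ljava/lang/Class;->forName",
    "Ljava/lang/Class;->getMethod",
    "Ldalvik/system/DexClassLoader;",
)

# Strings tied to device-administrator use. Assumed marker set.
DEVICE_ADMIN_MARKERS = (
    "android.app.action.ADD_DEVICE_ADMIN",
    "android.permission.BIND_DEVICE_ADMIN",
)

# Constructed sample input, standing in for the string table of a DEX file.
SAMPLE_STRINGS = [
    "Ljava/lang/Class;->forName",
    "Ljava/lang/reflect/Method;->invoke",
    "Ljava/lang/Class;->getMethod",
    "Ldalvik/system/DexClassLoader;-><init>",
    "android.app.action.ADD_DEVICE_ADMIN",
    "5xK9qL2mZp8vR4wT",        # random-looking blobs standing in for
    "a8Gz3hQn7Yd1Vb6Ks0Pe",    # encrypted string constants
    "Hq2Lm9Zt4Xc7Wv1Rb5Nj",
    "Zq8Nv3Yb1Tk7Mw5Hs2",
    "onCreate",                # ordinary identifiers, should not be flagged
    "MainActivity",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_encrypted(s: str, min_len: int = 12, threshold: float = 3.5) -> bool:
    """Heuristic: a long, high-entropy string that is not a type descriptor,
    package name or path is a candidate for an encrypted constant."""
    if len(s) < min_len:
        return False
    if s.startswith("L") and ";" in s:   # Dalvik type descriptor
        return False
    if "." in s or "/" in s:             # qualified name or path
        return False
    return shannon_entropy(s) >= threshold


def triage(strings):
    """Score a list of extracted strings for the three Obad-style traits.
    Returns the matching strings per trait and a 0..3 score."""
    reflection = [s for s in strings
                  if any(s.startswith(m) for m in REFLECTION_MARKERS)]
    admin = [s for s in strings if s in DEVICE_ADMIN_MARKERS]
    encrypted = [s for s in strings if looks_encrypted(s)]

    score = 0
    if len(reflection) >= 2:                      # more than incidental use
        score += 1
    if admin:
        score += 1
    if strings and len(encrypted) / len(strings) >= 0.25:  # assumed ratio
        score += 1
    return {
        "reflection": reflection,
        "device_admin": admin,
        "encrypted_like": encrypted,
        "score": score,
    }


if __name__ == "__main__":
    # Usage: python triage.py strings.txt   (one extracted string per line)
    # With no argument the constructed sample is scored instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = [line.rstrip("\n") for line in fh if line.strip()]
    else:
        data = SAMPLE_STRINGS
    result = triage(data)
    for key in ("reflection", "device_admin", "encrypted_like"):
        print(f"{key}: {len(result[key])} hit(s)")
    print(f"score: {result['score']}/3")
```

The entropy test is deliberately crude: long base64 blobs, hashes and resource identifiers in a benign app will also score as "encrypted-like", and an obfuscator that stores ciphertext as byte arrays rather than string constants will not show up at all. Treat the score as a reason to look closer, not as a verdict; the Dex2Jar and manifest-parsing tricks the text describes are exactly the cases where a tool's silence says nothing about the sample.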