Skip to content

From Windows to Android: The Continued Migration of Threats

News outlets are dubbing OBAD, a particular Android malware, as "the worst" of its kind and "the most sophisticated Android Trojan" to date. Apart from its enhanced routines, it is also garnering a lot of buzz because it exhibits behaviors more typical of Windows malware.

Repeating History

In our 2012 Mobile Threat and Security Roundup, we discussed how the Android threat landscape is mimicking that of Windows but at a much faster pace. The discovery of OBAD implies that the similarities continue into 2013.

Figure 1: Timeline comparison of Android and Windows malware

We also noticed an increase in the sophistication of more recent mobile malware, both in terms of technique and deployment. This confirms one of our 2013 security predictions.

Emerging Threats


OBAD combines stealth and vulnerability exploitation with older techniques. It first asks for root and Device Administrator privileges by harassing users with incessant pop-up messages. Once the privileges are granted, the malware runs on stealth mode.

It can perform the following routines:

  • Access a command-and-control (C&C) server
  • Collect a user's contact list, call logs, text messages, and list of installed apps
  • Download and install packages
  • Spread malware via Bluetooth®

OBAD's propagation method is notable because of its use of Bluetooth, a routine more common among Symbian malware. Rehashing this old tactic suggests that cybercriminals’ propagation methods are no longer solely reliant on downloading malware via app stores.


While FAKEAV attacks on desktops and laptops are dwindling, they are increasing on mobile devices. Much like FAKEAV for computers, ANDROIDOS_FAKEAV.F displays fake scan results. It urges users to pay for a supposed full version of a mobile security app in order to exit the program.

Figure 2: FAKEAV malware show fake scan results to convince you to purchase full versions of rogue antivirus software

Apart from the fivefold increase in FAKEAV mobile malware detections from last year, we also saw notable developments in malware routines. ANDROIDOS_FAKEAV.F, for instance, displays a pop-up message saying the app you just opened is infected. Other FAKEAV variants also show pop-up windows to persuade you to buy nonexistent products.

Malicious Ads

Cybercriminals now use mobile ads to target users like you. Several ads on numerous Android apps promote a fraudulent site that allegedly sells gadgets like the iPhone® 5 and Samsung Galaxy Note® II at low prices. What's troubling though is that the ads are delivered by a mainstream ad network used by more than 90,000 apps. The attack could then have victimized a huge user base.

Figure 3: Ad for Samsung Galaxy Note II

Aggressive adware routines are often limited to persistent notifications and possible information theft. This attack is different in that the ads lead you to web threats (i.e., a fraudulent site). The inclusion of mobile ads in multichain attacks shows how cybercriminals are refining known threats. It's possible to see similar attacks in the future.

The Cybercriminal Landscape

Recent Google data shows that 750 million Android devices are now in use worldwide. This number is projected to further grow to 1 billion by 2017. Unfortunately though, this growth also translates to more potential cybercriminal victims.

Another factor that makes the Android platform appealing to cybercriminals is its fragmented nature. People are using different Android versions—Gingerbread being the most installed. Unfortunately, using outdated versions pose security risks. A device running on Gingerbread, for instance, can have as many as 11 vulnerabilities! The complicated Android update process only worsens the problem. Through malware like OBAD, cybercriminals can take advantage of Android vulnerabilities to run malicious routines on devices.

User behavior also unwittingly aids cybercriminal activities in a number of ways. Growing awareness of mobile malware, for instance, not only creates a market for security apps but also a FAKEAV malware target base.

If you often download free apps, you may not think twice about clicking in-app ads, which can lead to fraudulent or malicious sites. Attacks using ads can gain popularity, especially given Google's decision to remove all ad-blocking apps from Google Play.

But you can update your Android OS to address vulnerabilities even though this isn't a cure-all to Android threats. Devices running on the latest Android versions are still prone to other threats. Installing patches for vulnerabilities can be a problem, too, because of issues surrounding vulnerability disclosure and patching.

Installing a security app like Trend Micro™ Mobile Security for Android™ can effectively block mobile threats like malicious apps and links. The Hidden Device Admin Detector app, meanwhile, allows you to keep track of and disable apps that have device administrator privileges but are hidden from the Android Device Administrator list.

Connect with us on