New Android Malware Robs Bandwidth For Fake Searches
adeelarshad82 writes "We've been hearing about various Android malware spreading through the Chinese markets. Well, here's another one to look out for: meet ADRD (aka Trojan:Android/Adrd.A) which is expert in sucking your bandwidth. The malware downloads a list of search URLs and then performs those searches at random in the background, which as the screen shots [in the linked article] show leads to excessive data charges. Similar to other Android malware this too is distributed through wallpapers which are infected repackaged versions of legit wallpapers."
Adds reader Trailrunner7: "Lookout, a mobile security vendor, said it has identified 14 instances of the malware repackaging itself in various wallpaper apps and specifically in the popular game RoboDefense, made available in alternative application markets. The trojan works by duping an infected app into sending encrypted data containing the device’s IMEI and IMSI to a remote host. HongTouTou then receives a set of search engine target URIs and search keywords to send as queries. It then uses these keywords to emulate search processes, creating searches in the search engine yielding the top results for those keywords and clicking on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with User-Agent corresponding to the UCWeb browser."
It's here (Score:3, Informative)
Honestly though I'm tired of Lookout Mobile doing this fear mongering. I'll give them credit though, they are smart guys -- and based on their defcon presentation, they know a lot about Android security. But stop with the scare tactic PR news stories. This would be akin to saying "Virus found on The Pirate Bay, news at 11." I know they need PR because they are a startup, but c'mon.
Re:So remind me again... (Score:4, Informative)
Pre-paid Visa cards are available at Wal-Mart for $3.
Becoming an iOS dev costs, what, $99?
So it costs just $102, then, to get a shot at pushing some malware which will hopefully make the author(s) some money. This really isn't a very high bar.
Re:So remind me again... (Score:4, Informative)
Yes, because installing third party firmware is EXACTLY like installing applications, which is what the thread has been about.
YES, you need to root most Android phones in order to install third party firmware, such as CyanogenMod. NO, you do not need to root your Android phone in order to install apps that haven't been explicitly allowed by the phone's manufacturer, including alternative app stores.
Protip: Strawman arguments work significantly better when they aren't so bloody obvious.
Re:So remind me again... (Score:5, Informative)
Perhaps the problem is simply that it isn't widely publicized. Please allow me to attempt to rectify that:
Hey, malware authors! You can pounce on unsuspecting iPhone owners for only $102! All you need to do is get a disposable pre-paid Visa from Wal-Mart, and pay Apple $99 for a disposable dev account! And remember, kids, it takes money to make money! Happy phishing!
There. That should do it.
Re:One serious question: Why? (Score:4, Informative)
For a specific search term, the top results shown in Baidu search are paid for, which means the websites in question pay Baidu for prioritizing their sites and every time a user clicks the result (this may sound 'innovative' at first but I assure you it does more harm than good, considering putting names of random diseases in Baidu these days results in a full page of dodgy websites offering expensive (yet often ineffective) treatment courses).
To increase revenue, Baidu encourages equally dodgy 'vendors' to lead users into clicking these links by giving a small kick-back for each successful hit. The whole thing sounds like borderline fraud to me but hell somehow it's legal.
The trojan, HongTouTou (or 'Phantom Clicker'), is the result of such a business model, as a certain vendor tries to profit by creating artificial traffic.
This is an actual URL generated by the malware: http://wap.baidu.com/s?word=%E8%9D%8E%E5%AD%90&vit=uni&from=963a_w1 (don't click or you'll be generating revenue for them.)
Notice the 'from' parameter, 963a_w1 being the vendor ID.
An in-depth analysis can be found here:
http://www.antiy.com/cn/news/android_adrd.htm
Oh, Chinese language knowledge required.
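A defender-side triage check for the URL pattern described in the post above (an added example, not code from the post or from the cited analyses): it pulls the `word` and `from` parameters out of Baidu search URLs and flags devices that fire repeated searches carrying a single vendor tag from a UCWeb User-Agent, which is how the submission summary says the trojan behaves. The log format, device IDs and all but the first query are constructed; only the URL shape and the `963a_w1` tag come from the thread.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a mobile gateway log, one record per line:
# "<device_id> <user_agent> <url>". The UA is a single token here so the
# line splits cleanly; real logs would need a proper parser.
SAMPLE_LOG = """\
imei-A UCWEB/8.0 http://wap.baidu.com/s?word=%E8%9D%8E%E5%AD%90&vit=uni&from=963a_w1
imei-A UCWEB/8.0 http://wap.baidu.com/s?word=%E6%84%9F%E5%86%92&vit=uni&from=963a_w1
imei-A UCWEB/8.0 http://wap.baidu.com/s?word=%E5%A4%B4%E7%97%9B&vit=uni&from=963a_w1
imei-B Mozilla/5.0(Android) http://wap.baidu.com/s?word=%E5%A4%A9%E6%B0%94&from=index
"""


def parse_query(url):
    """Return (keyword, vendor_tag) for a wap.baidu.com search URL, else None.

    parse_qs percent-decodes the values, so the UTF-8 keyword comes back as text.
    """
    parts = urlsplit(url)
    if parts.netloc != "wap.baidu.com" or parts.path != "/s":
        return None
    qs = parse_qs(parts.query)
    return qs.get("word", [""])[0], qs.get("from", [""])[0]


def flag_devices(log_text, min_queries=3):
    """Flag devices whose Baidu searches all share one vendor tag and a UCWeb UA.

    A real user mixes tags and browsers; a click bot replays one affiliate tag
    from a spoofed UA. Returns {device: {vendor_tag, queries, keywords}}.
    """
    per_device = defaultdict(list)
    for line in log_text.splitlines():
        device, ua, url = line.split(maxsplit=2)
        parsed = parse_query(url)
        if parsed:
            per_device[device].append((ua, parsed[1], parsed[0]))
    flagged = {}
    for device, hits in per_device.items():
        tag, count = Counter(tag for _, tag, _ in hits).most_common(1)[0]
        all_ucweb = all(ua.upper().startswith("UCWEB") for ua, _, _ in hits)
        if count >= min_queries and all_ucweb:
            flagged[device] = {"vendor_tag": tag, "queries": count,
                               "keywords": [word for _, _, word in hits]}
    return flagged
```

Tune `min_queries` and add a time window before using this on real traffic; the point is the combination of one affiliate tag, one spoofed UA and no surrounding browsing, not any single query.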
Re:So remind me again... (Score:4, Informative)
And going by the top 10 hits, not a single one affects non-jailbroken iPhones.