
New Android Malware Robs Bandwidth For Fake Searches

Posted by timothy
from the what-would-the-appropriate-penalty-be? dept.
adeelarshad82 writes "We've been hearing about various Android malware spreading through the Chinese markets. Well, here's another one to look out for: meet ADRD (aka Trojan:Android/Adrd.A) which is expert in sucking your bandwidth. The malware downloads a list of search URLs and then performs those searches at random in the background, which as the screen shots [in the linked article] show leads to excessive data charges. Similar to other Android malware this too is distributed through wallpapers which are infected repackaged versions of legit wallpapers." Adds reader Trailrunner7: "Lookout, a mobile security vendor, said it has identified 14 instances of the malware repackaging itself in various wallpaper apps and specifically in the popular game RoboDefense, made available in alternative application markets. The trojan works by duping an infected app into sending encrypted data containing the device’s IMEI and IMSI to a remote host. HongTouTou then receives a set of search engine target URIs and search keywords to send as queries. It then uses these keywords to emulate search processes, creating searches in the search engine yielding the top results for those keywords and clicking on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with User-Agent corresponding to the UCWeb browser."
  • by WrongSizeGlass (838941) on Thursday February 17, 2011 @08:58PM (#35239588)
    It's not surprising that malware vendors are focusing on the fastest growing segment of the computer market. Android is going to be attacked with malicious intent from all sides. It's all part of the game: Success == Target

    I guess it's running fake searches to up the 'autofill' for items on Google? Let's just hope it's not searching for iPhone related items. Man, wouldn't that be embarrassing?
    • by AmiMoJo (196126)

      Note that the malware is not in the official Android Market either; it is in third-party add-on markets. Android lets you install apps from anywhere, including web pages and other apps. The price of this freedom is the possibility of installing malware.

      This is the price of freedom - the need for vigilance and not blindly trusting a wallpaper app that for some reason wants full internet access.

      • by idontgno (624372)

        >This is the price of freedom - the need for vigilance

        Truer words were never spoken.

        >and not blindly trusting a wallpaper app that for some reason wants full internet access.

        Umm... yeah, that too.

        Seriously. If a mobile device owner wants to outsource responsibility for his device's security, there's always the "walled fruit garden". I guess we can be glad that many in-duh-viduals chose Apple, because we've seen the debacle they've made of the Net with their unpatched trojaned exploit-ridden PCs.

        Hmm. T

  • by zooblethorpe (686757) on Thursday February 17, 2011 @08:59PM (#35239604)

    So was this malware put together by, or on the orders of, a mobile company itself, seeking to boost revenues? What other reasons would there be for this malware to exist? Does simply searching for terms do something for SEO?

    Curious,

    • by yuna49 (905461) on Thursday February 17, 2011 @09:14PM (#35239690)

      Thanks for asking this. I was left scratching my head after reading the blurb, too. Other than simple malicious behavior like draining batteries and running up account charges, is there some deeper purpose to this piece of crap?

      • Perhaps it is supposed to do more but is buggy?

    • Good question. Or someone who owns a lot of Apple stock?
    • by mynickslongerthanurs (1322243) on Friday February 18, 2011 @04:50AM (#35241676)
      To understand this one must first understand Baidu (the top Chinese search engine)'s business model.

      For a specific search term, the top results shown in Baidu search are paid for, which means the websites in question pay Baidu for prioritizing their sites and every time a user clicks the result (this may sound 'innovative' at first but I assure you it does more harm than good, considering putting names of random diseases in Baidu these days results in a full page of dodgy websites offering expensive (yet often ineffective) treatment courses).
      To increase revenue, Baidu encourages equally dodgy 'vendors' to lead users into clicking these links by giving a small kick-back for each successful hit. The whole thing sounds like borderline fraud to me but hell somehow it's legal.

      The trojan, HongTouTou (or 'Phantom Clicker'), is the result of such a business model, as a certain vendor tries to profit by creating artificial traffic.

      This is an actual URL generated by the malware: http://wap.baidu.com/s?word=%E8%9D%8E%E5%AD%90&vit=uni&from=963a_w1 [baidu.com] (don't click or you'll be generating revenue for them.)
      Notice the 'from' parameter, 963a_w1 being the vendor ID.

      An in-depth analysis can be found here:
      http://www.antiy.com/cn/news/android_adrd.htm [antiy.com]
      Oh, Chinese language knowledge required.
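An added detection example, not from this thread or from any vendor's tooling: it parses the wap.baidu.com search URL format quoted above (keyword in `word`, affiliate id in `from`) and flags a device that issues a burst of affiliate-tagged searches, the way a proxy or gateway log could be screened. The log lines, device ids and all keywords other than the one in the post are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log, not from the article: "epoch device_id url".
# Device d1 sends a burst of searches carrying the affiliate id quoted in
# the post above; device d2 performs one ordinary, untagged search.
SAMPLE_LOG = """\
1297980000 d1 http://wap.baidu.com/s?word=%E8%9D%8E%E5%AD%90&vit=uni&from=963a_w1
1297980004 d1 http://wap.baidu.com/s?word=%E6%89%8B%E6%9C%BA&vit=uni&from=963a_w1
1297980009 d1 http://wap.baidu.com/s?word=%E5%A4%A9%E6%B0%94&vit=uni&from=963a_w1
1297980013 d1 http://wap.baidu.com/s?word=%E6%96%B0%E9%97%BB&vit=uni&from=963a_w1
1297980020 d2 http://wap.baidu.com/s?word=%E5%A4%A9%E6%B0%94&vit=uni
1297980030 d2 http://example.com/page
"""

def parse_baidu_search(url):
    """Return (keyword, affiliate_id) for a wap.baidu.com search URL, else None.
    'from' is the vendor id the post points at; an ordinary search has none."""
    parts = urlsplit(url)
    if parts.hostname != "wap.baidu.com" or parts.path != "/s":
        return None
    qs = parse_qs(parts.query)  # percent-decodes the keyword as UTF-8
    word = qs.get("word", [None])[0]
    if word is None:
        return None
    return word, qs.get("from", [None])[0]

def flag_search_bursts(log_text, window=60, min_hits=3):
    """Flag devices sending >= min_hits affiliate-tagged Baidu searches
    within any 'window' seconds. Returns {device: (affiliate_id, hits)}."""
    per_device = defaultdict(list)  # device -> [(timestamp, affiliate_id)]
    for line in log_text.splitlines():
        ts, device, url = line.split(maxsplit=2)
        parsed = parse_baidu_search(url)
        if parsed and parsed[1]:  # ignore searches with no affiliate tag
            per_device[device].append((int(ts), parsed[1]))
    flagged = {}
    for device, hits in per_device.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):  # sliding window over sorted timestamps
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            count = hi - lo + 1
            if count >= min_hits and count > flagged.get(device, ("", 0))[1]:
                flagged[device] = (hits[hi][1], count)
    return flagged
```

The threshold and window are arbitrary starting points; a real deployment would tune them against the device's normal search rate.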
    • by idontgno (624372)

      Click Fraud [wikipedia.org]. Trojan authors are, or are working for, "advertising affiliates" that get paid per-click for clicks on advertisement links.

      SEO would be another good theory, but this Register article [theregister.co.uk] is calling it very specifically "click fraud", and indicates that the trojan is specifically targeting the ad network on the Baidu search engine. Maybe SEO might be a desired side-effect, since it also increases click-throughs from the search engine (plumping up the "popularity" metric).

  • by esoterus (66707) <esoterus@@@gmail...com> on Thursday February 17, 2011 @09:00PM (#35239610) Homepage

    McAfee for Droid... ugh

  • by Divebus (860563) on Thursday February 17, 2011 @09:01PM (#35239612)

    This is PC vs Mac all over again.

    • Amen! (Score:2, Interesting)

      by Weezul (52464)

      It's all downhill for iOS from here on. Jobs will kick the bucket ending both the reality distortion field and Apple's market responsiveness.

      Android will gradually take most developers and users by virtue of being "just open enough", much like Windows. We've even got Blackberry going for Android apps, ala Dr. DOS. A behemoth spewing a billion dollars on marketing and payola pushing their unwanted child called WP7 (OS2). And we'll all end up running MeeGo (Linux) on phones originally designed to run Andr

      • I'm not so sure on the developers front. My experience this past year releasing apps for both Android and iOS was that sure I had more downloads of the free "lite" app from android, but iOS accounted for well over 80% of my revenue. And the type of apps I produced really don't work for advertising. I used Admob for both platforms. They are utility apps, not content apps so you don't get a lot of impressions. Problem is, Android takes more of my time to sort out minor problems between OS versions and ha

        • by Weezul (52464)

          Apple's iOS will certainly maintain some reasonable user base, but the market shall never grant dominance to a control freak. Sorry but people go their own way. iPhones are cute, but kinda old hat now, and all identical. Android otoh has an ever growing rainbow of flavors & features that'll seduce most users eventually. And young people are way more familiar with Java than Objective C meaning Android will see more & more regular the apps first.

          Apple has always been pleasant for a certain type of

          • by AK Marc (707885)
            The only thing Android has working for it is that the hardware can be grossly underpowered and they will still ship with Android on it for a horrible user experience and sub-$200 price (free with contract).

            iPhone has something going for it in that you are "safe" using it because it protects you from yourself, and most users need that. Android assumes competency, and that's why it is open to millions of attacks.
  • "It does not affect any apps in their original versions available on the Google Android Market."

    So pretty much you stay away from the untrusted markets where they download the app from the trusted market, append virus, rinse, and repeat and you should be pretty good...
  • ... (yet) according to the article. It's affecting users in China who get repackaged apps from alternative-market Chinese sites. There have been reports of suspicious apps on the official Android Market, but they are very few and quickly removed (http://bit.ly/5FOeM3). Does anyone know if there has ever been a confirmed threat? FTA: As of now, Lookout Security is only aware of the HongTouTou Trojan affecting users on Chinese forums. It does not affect any apps in their original versions available on the Google
  • by Animats (122034) on Thursday February 17, 2011 @09:31PM (#35239826) Homepage

    If it's doing searches in bulk like that, it's a search spam program. It's exploiting a vulnerability in Google.

    Google Trends [google.com] lists "hot searches", what's being searched for in Google in recent hours. Google Trends drives Google Suggest, the hinting system for Google. That in turn drives Google Instant. Which, in turn, aims users at the target sites. Which are probably full of ads. Profit!

    Spamming of Google Trends has been around for a while. It used to be easier, and you'd see things like the name of some mattress discounter at the top of Google Trends for 15 minutes or so. (I ran a program to follow the trends in Google Trends for a while. It was amusing.) Google seems to now be averaging over more hours, so the spammers have to up their game and use a distributed attack to push their keywords up.

    This is the trouble with "crowdsourcing" recommendations. It's too easy to fake a crowd. Yelp, CitySearch, Google Places - they're all choked with recommendation spam. Anonymous recommendations are junk information. And no, requiring a Facebook account won't help. There's an app for that. [facebookdevil.com]

    Google is now trying a "mark as spam" button in Chrome to identify "content farms". If that starts mattering, it will be spammed. The same applies to Blekko's "slashtags".

  • Written by the service provider because the execs thought they needed a little more income? Not as far fetched as you think in China where the usual is whatever it takes to get what you want.
  • Be sure not to download anything from a source you don't trust, because then you might get viruses, and then bad things can happen.

    It's incredibly stupid when stuff like this happens, because it's not really 'malware' in the sense of Android having a flaw which allows code to be executed, but rather idiots who expressly give this permission to this code to run, when they get it from a non-trusted source.

    User Error. If Problem persists consult your user vendor.

  • It's just a trojan horse on an alternative app market.

    Just like on the PC you have to exercise caution as to where you get your apps.

    Good thing it's not a security vulnerability, like one that allows an attacker to get root access to a phone, that needs patching to fix.

  • My understanding* is that at install time, an Android app has to list what permissions it wants to be able to operate [android.com]. If I was installing some new wallpaper and it demanded internet access, I'd abort instantly. So does this attack only work against naive users?

    * I don't have, and have not used, an Android or other smart phone

    • by jeff4747 (256583)

      No, the app would simply bill itself as needing to download new wallpaper occasionally.

  • It's a travesty that Linux has such a good firewall system available in its kernel, yet Google is not using it to enhance security of Android devices as standard. The Android permissions checks alone are not enough, far too coarse and inflexible.

    It's true that you can root your Android and install a firewall yourself, but that invalidates your warranty, and if you bought a high-end phone or tablet then you don't want to lose your warranty in case the hardware fails.

    It's a very poor situation, and it's gett

    • How would a firewall help in the slightest? This is http traffic from an app that has already been approved (by the user on install) as having full internet access. All you could do with a firewall is pop up a message on the first use saying something like:
      "Oh I know you already said this app could access the internet but it looks like it actually is. Are you _sure_ this is ok?"
      Not that I don't think that Android permissions can be improved, but firewalls are _hard_ to do in a protective and useful way

  • It seems that this is the first post analysing ADRD, from the AegisLab blog: http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1 [aegislab.com] ADRD schedules an alarm to wake itself up when first deployed. It acts less frequently than other trojans like GEINIMI found in China, and thus is harder to trace once launched. All transmissions are encrypted with DES, but can be easily decoded using the key found in the DEX file.
  • FTFA: "Below is the application info screen, which doesn't say much that's informative."
    Really? The Big Red Text kinda catches my attention. It's supposed to. You even get a pop-up when installing that informs you about the app's resource usage.

    It's not like the application circumvented Active-X or IE, or something to get installed. It needs ignorance to work. Google the friggin app and author before installing. This is no different than installing crap from warez sites or bittorren
  • Has it come to this? Needing to have something to look at on your phone even when you aren't using it for something useful? Sheesh!
  • by bobbutts (927504) <bobbutts@gmail.com> on Friday February 18, 2011 @11:02AM (#35243484)
    Just a note that a large percent of the geek population is trusting ROMs with full root access. Just internet access for some sandbox app is small potatoes. Here's an example of a "good" developer making a simple mistake with their ROM http://www.droidforums.net/forum/liberty-rom-d2/125447-so-who-just-had-their-phone-taken-control-liberty-1-5-a.html [droidforums.net] Imagine what a malicious developer could accomplish.
  • The Android security model is fairly fine grained, certainly much more so than what we see on conventional desktop OSes, and has a pretty tall wall between apps. Note that the malware was not stealing user data from other apps; it is just a spambot, only stealing CPU cycles and bandwidth.

    The main problem I have with the android security model is that the only recourse you have for a questionable app is to not install it in the first place. I'd prefer see the ability to selectively deny permissions, so you
