February 15, 2011

Security Alert: HongTouTou, New Android Trojan, Found in China

The Threat:
On the heels of the Geinimi Trojan, Lookout has discovered a new Android Trojan that is repackaged in popular Android apps and distributed through app markets and forums serving Chinese-speaking users.  Called HongTouTou (also known as ADRD trojan), this malware requests additional user permissions and appears to be executing a set of search-related activities in the background (unknown to the user) including emulating keyword searches and clicks on specific search results.

Lookout has already delivered an over-the-air update for its Android users to protect them against known instances of HongTouTou. If you are already a Lookout user (free or premium), you are already protected and no action is needed.

How it Works:
HongTouTou is included in repackaged apps made available through a variety of alternative app markets and forums targeting Chinese-speaking users.  To date Lookout security researchers have identified fourteen separate instances of the HongTouTou Trojan repackaged in Android apps including RoboDefense (a well known game) and a variety of wallpaper apps.

Apps with HongTouTou attached request the following permissions over and above their legitimate counterparts:

android.permission.WRITE_APN_SETTINGS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.ACCESS_NETWORK_STATE
android.permission.READ_PHONE_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.MODIFY_PHONE_STATE
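Because the Trojan is identified by the permissions a repackaged build requests beyond the original, the delta between two manifests is a practical triage check. The following is an added example (not Lookout's code): it parses two constructed AndroidManifest.xml fragments for a hypothetical wallpaper app and scores the added permissions against the seven listed above; the threshold of four is an assumed tuning value.

```python
import xml.etree.ElementTree as ET

# Extra permissions the alert attributes to HongTouTou-repackaged apps.
HONGTOUTOU_EXTRA_PERMS = {
    "android.permission.WRITE_APN_SETTINGS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
    "android.permission.MODIFY_PHONE_STATE",
}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def manifest_permissions(manifest_xml):
    """Collect <uses-permission android:name="..."/> values from a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def permission_delta(original_xml, suspect_xml, threshold=4):
    """Diff a suspect build against the known-good original and score the delta.
    `threshold` (how many of the alert's seven extra permissions must be among
    the added ones) is an assumed tuning value, not something the alert gives."""
    added = manifest_permissions(suspect_xml) - manifest_permissions(original_xml)
    overlap = added & HONGTOUTOU_EXTRA_PERMS
    return {"added": sorted(added),
            "profile_hits": sorted(overlap),
            "suspicious": len(overlap) >= threshold}

# Constructed manifests for a hypothetical wallpaper app: the original and a
# repackaged copy carrying the full permission set from the alert.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
</manifest>"""
```

Run `permission_delta(ORIGINAL_MANIFEST, SUSPECT_MANIFEST)` to see the seven added permissions and a `suspicious` verdict; the same call on two identical manifests reports no delta.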

When an app containing HongTouTou starts, it sends encrypted data containing the device IMEI and IMSI to a remote host. In response, HongTouTou receives a set of search engine target URIs and a set of search keywords to send as queries. HongTouTou then submits these keywords as queries to the search engine, crawls the top results for each keyword, and emulates clicks on specific results. To the search engine, the searches appear to come from a mobile user on a mobile web browser, with a User-Agent corresponding to the UCWeb browser (J2ME/UCWEB7.4.0.57).
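On the search-engine side, the emulated search-and-click loop described above leaves a pattern in access logs. As an added example (not Lookout's code), the following Python triage pass runs over a constructed log excerpt and flags clients that present the User-Agent named in the alert together with machine-paced searches followed by clicks; the log format, client identifiers and thresholds are assumptions.

```python
import re
from collections import defaultdict
# User-Agent the alert says HongTouTou's emulated searches present to the search engine.
HONGTOUTOU_UA = "J2ME/UCWEB7.4.0.57"
# Constructed access-log excerpt (not real traffic). Assumed format:
# <epoch> <client> <path> "<user-agent>"
SAMPLE_LOG = """\
1297800000 dev-a /search?q=kw1 "J2ME/UCWEB7.4.0.57"
1297800001 dev-a /click?r=2 "J2ME/UCWEB7.4.0.57"
1297800003 dev-a /search?q=kw2 "J2ME/UCWEB7.4.0.57"
1297800004 dev-a /click?r=1 "J2ME/UCWEB7.4.0.57"
1297800006 dev-a /search?q=kw3 "J2ME/UCWEB7.4.0.57"
1297800007 dev-a /click?r=3 "J2ME/UCWEB7.4.0.57"
1297800010 dev-b /search?q=weather "J2ME/UCWEB7.4.0.57"
1297800400 dev-b /click?r=1 "J2ME/UCWEB7.4.0.57"
1297800020 dev-c /search?q=kw1 "Mozilla/5.0 (Linux; Android 2.2)"
"""
LINE_RE = re.compile(r'^(\d+) (\S+) (/\w+)\S* "([^"]*)"$')

def client_stats(log_text):
    """Per client: query/click counts, time span, and whether the alert's UA appeared."""
    stats = defaultdict(lambda: {"queries": 0, "clicks": 0, "ua_hit": False,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, path, ua = int(m[1]), m[2], m[3], m[4]
        s = stats[client]
        s["queries"] += path == "/search"   # bool adds as 0/1
        s["clicks"] += path == "/click"
        s["ua_hit"] |= ua == HONGTOUTOU_UA
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats

def flag_clients(log_text, min_queries=3, max_gap=5.0):
    """Flag clients that present the alert's UA and run a machine-paced search/click
    loop: at least `min_queries` searches, at least one click, and on average no
    more than `max_gap` seconds between events. Thresholds are assumed tuning values."""
    flagged = []
    for client, s in client_stats(log_text).items():
        events = s["queries"] + s["clicks"]
        if not s["ua_hit"] or s["queries"] < min_queries or events < 2:
            continue
        avg_gap = (s["last"] - s["first"]) / (events - 1)
        if avg_gap <= max_gap and s["clicks"] >= 1:
            flagged.append(client)
    return sorted(flagged)
```

In the sample, only dev-a is flagged: dev-b shows the UA but a single slow query, and dev-c is an ordinary Android browser.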

HongTouTou can also process a command instructing it to download an APK (Android package file). Although we have not yet seen it attempt to install the APK, the APK appears to have the ability to monitor SMS conversations and insert content related to specific keywords (potentially spam) into the SMS conversation.

Who is Affected:
Currently we only have evidence that HongTouTou is distributed through alternative Chinese app markets and forums. To download an app from a third-party app store, Android users need to enable the installation of apps from “Unknown sources” (often called “sideloading”).

While we have seen the HongTouTou Trojan packaged in fourteen separate Android applications including RoboDefense and a variety of wallpaper apps, it is important to remember that even though these apps are repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected.

As stated above, Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan.

How to Stay Safe:

  • Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.

As the number of malware exploits on smartphones increases, it is more important than ever to pay attention to what you’re downloading. Stay alert and carefully review every app you download. Stay tuned for more details on this threat.



8 comments
  1. Steven says:

    Can I get a sample of this? That’d make my day, thanks

  2. earlwallace says:

    Lookout is the best anti-malware available for Android. The company got in the game very early in Android’s growth. I would place Lookout in the same class as NOD32 is to PCs. I would not have bought my droidx and gotten an iPhone instead if it were not for this app. (not a Lookout employee)
    earlwallace

  3. jonny rocket says:

    “* Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
    * Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
    * Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
    * Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan”

    ===========================================

    not for long. it’s software. it can be broken into at any time, anywhere, without any reviews, being root, permissions, open source, etc… mobile devices are the next step in the web/network world. people are drooling to infect mobile phones. $$$

  4. Alexander says:

    Are these the only types of threats to Android? A friend of mine said any malicious website that can infect Windows can infect Android. I guess I’m asking: is the only actor vector from downloading applications not in the Android Market? Thanks in advance

    • alicia says:

      @Alexander There are a number of attacks against browsers demonstrated by researchers, though there hasn’t been widespread exploitation. It’s important to only visit sites you trust to decrease your risk.

  5. topcentech says:

    Can I get a sample of this?

  6. Keep ISRAEL safe says:

    @ topcentech says:
    February 16, 2011 at 7:58 pm

    Q:”Can I get a sample of this?”

    A: NO

  7. Michael says:

    @Alexander

    The statement “any malicious website that can infect windows can infect the android” is completely false. That’s like expecting a key made for your car to work on every other car in the neighborhood.
    When you use Windows, you aren’t using the same browser as is on your Android device. The closest browser to the native Android browser is probably Chrome, which is one of the most secure browsers available (one of the only 2 for Windows that use sandboxing to protect the host machine).
    Further, exploits that work on the Windows OS will not work on Android. Android does not run the same code or function the same way. Android has no registry, for instance. Android uses a very different security model than Windows does.

    Is it possible to exploit the Android browser? I’m sure somehow, somewhere it is possible simply because it is not perfect.
