On the heels of the Geinimi Trojan, Lookout has discovered a new Android Trojan that is repackaged in popular Android apps and distributed through app markets and forums serving Chinese-speaking users. Called HongTouTou (also known as ADRD trojan), this malware requests additional user permissions and appears to be executing a set of search-related activities in the background (unknown to the user) including emulating keyword searches and clicks on specific search results.
Lookout has already delivered an over-the-air update for its Android users to protect them against known instances of HongTouTou. If you are already a Lookout user (free or premium), you are already protected and no action is needed.
How it Works:
HongTouTou is included in repackaged apps made available through a variety of alternative app markets and forums targeting Chinese-speaking users. To date Lookout security researchers have identified fourteen separate instances of the HongTouTou Trojan repackaged in Android apps including RoboDefense (a well known game) and a variety of wallpaper apps.
Apps with HongTouTou attached request the following permissions over and above their legitimate counterparts:
android.permission.WRITE_APN_SETTINGS android.permission.RECEIVE_BOOT_COMPLETED android.permission.ACCESS_NETWORK_STATE android.permission.READ_PHONE_STATE android.permission.WRITE_EXTERNAL_STORAGE
When an app containing HongTouTou starts, it sends encrypted data containing the device IMEI and the IMSI to a remote host. In response, the HongTouTou receives a set of search engine target URIs and a set of search keywords to send as queries. HongTouTou then emulates the search process using these keywords to create searches in the search engine, crawls the top search results for those keywords, and emulates clicks on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with User-Agent corresponding to the UCWeb browser (J2ME/UCWEB126.96.36.199).
HongTouTou can also process a command instructing it to download an APK (Android package file). Although we have not yet seen it attempt to install the APK, the APK appears to have the ability to monitor SMS conversations and insert content related to specific keywords (potentially spam) into the SMS conversation.
Who is Affected:
Currently we only have evidence that HongTouTou is distributed through alternative Chinese app markets and forums. To download an app from a third-party app store, Android users need to enable the installation of apps from “Unknown sources” (often called “sideloading”).
While we have seen the HongTouTou Trojan packaged in fourteen separate Android applications including RoboDefense and a variety of wallpaper apps, it is important to remember that even though these apps are repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected.
As stated above, Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan.
How to Stay Safe:
- Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
- Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
- Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
- Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.
As the number of malware exploits on smartphones increase, it is more important than ever to pay attention to what you’re downloading. Stay alert and carefully review every app you download. Stay tuned for more details on this threat.