Android trojanLookout Mobile Security discovered a new Android based Trojan called HongTouTou (aka ADRD Trojan) that is packaging itself in popular Android apps and delivering itself through app markets and Chinese forums.

This piece of malware is requesting additional permissions from users and may also be executing search related activities under the radar, including keyword searches, the company warned.

Lookout, a mobile security vendor, said it has identified 14 instances of the malware repackaging itself in various wallpaper apps and specifically in the popular game, RoboDefense, made available in alternative application markets. The trojan works by duping an infected app into sending encrypted data containing the device’s IMEI and IMSI to a remote host. HongTouTou then receives a set of search engine target URIs and search keywords to send as queries. It then uses these keywords to emulate search processes, creating searches in the search engine yielding the top results for those keywords and clicking on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with User-Agent corresponding to the UCWeb browser.

The Trojan is also capable of processing commands instructing it to download an APK (Android package file) that could allow the malware to monitor SMS conversations and insert content related to specific keywords (spam) into the SMS conversations. However, Lookout cautions that it has not yet seen it attempt to install the APK.

Mobile devices, specifically those running on the Android OS, are becoming increasingly popular targets for malware authors. Part of the reason is that Android’s app market is outpacing Apple’s by three times. Furthermore, many of these apps are being written with the capability to access sensitive user information. Compound that with the fact that many Android apps, some 11% of which have been repackaged (not submitted by the original developer), are being peddled on an alternative application markets not regulated by Google and one realizes it would be stupid not to target Android.

Security experts are warning that mobile applications and loosely monitored application exchanges pose a major security risk to consumers and corporations. At a symposium on mobile security in San Francisco sponsored by SRA International on Monday, Rob Smith of the firm Mobile Active Defense said that malicious or suspicious apps should be a huge concern to corporations and public sector organizations that are allowing employees to bring mobile devices in to work. 

“I think app(lication) stores are the greatest malware delivery mechanism in the history of man,” Smith said. “Apple has 300,000 mobile applications, but there’s no check of the underlying source code.” 

As of now, Lookout Security is only aware of the HongTouTou Trojan affecting users on Chinese forums. It does not affect any apps in their original versions available on the Google Android Market.

Categories: Malware, Web Security

Comment (1)

  1. Anonymous

    Smith says: “Apple has 300,000 mobile applications, but there’s no check of the underlying source code.”


    But there is a check of the source code. That is what their app store approval process does. It’s not perfect, and both bad and good, but the check is there.

Comments are closed.