New Android Malware Robs Bandwidth For Fake Searches
adeelarshad82 writes "We've been hearing about various Android malware spreading through the Chinese markets. Well, here's another one to look out for: meet ADRD (aka Trojan:Android/Adrd.A) which is expert in sucking your bandwidth. The malware downloads a list of search URLs and then performs those searches at random in the background, which as the screen shots [in the linked article] show leads to excessive data charges. Similar to other Android malware this too is distributed through wallpapers which are infected repackaged versions of legit wallpapers."
Adds reader Trailrunner7: "Lookout, a mobile security vendor, said it has identified 14 instances of the malware repackaging itself in various wallpaper apps and specifically in the popular game RoboDefense, made available in alternative application markets. The trojan works by duping an infected app into sending encrypted data containing the device’s IMEI and IMSI to a remote host. HongTouTou then receives a set of search engine target URIs and search keywords to send as queries. It then uses these keywords to emulate search processes, creating searches in the search engine yielding the top results for those keywords and clicking on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with User-Agent corresponding to the UCWeb browser."
...why Apple's "Walled Garden" for the iPhone is such a bad thing?
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
It's not surprising that malware vendors are focusing on the fastest growing segment of the computer market. Android is going to be attacked with malicious intent from all sides. It's all part of the game: Success == Target
I guess it's running fake searches to up the 'autofill' for items on Google? Let's just hope it's not searching for iPhone related items. Man, wouldn't that be embarrassing?
So was this malware put together by, or on the orders of, a mobile company itself, seeking to boost revenues? What other reasons would there be for this malware to exist? Does simply searching for terms do something for SEO?
Curious,
"What in the name of Fats Waller is that?"
"A four-foot prune."
McAfee for Droid... ugh
Not only does God definitely play dice, but He sometimes confuses us by throwing them where they can't be seen. -Hawking
This is PC vs Mac all over again.
Most of the stuff on
Good bye link farming, hello click farming.
It's full of smug fanboys patting each other on the back and there's no room left.
They already (sadly) make it: http://blogs.mcafee.com/enterprise/mobile/mcafee-for-android-a-mobile-security-update
Honestly though I'm tired of Lookout Mobile doing this fear mongering. I'll give them credit though, they are smart guys -- and based on their defcon presentation, they know a lot about Android security. But stop with the scare tactic PR news stories. This would be akin to saying "Virus found on The Pirate Bay, news at 11." I know they need PR because they are a startup, but c'mon.
PocketPermissions Android Permission Guide
"It does not affect any apps in their original versions available on the Google Android Market."
So pretty much you stay away from the untrusted markets where they download the app from the trusted market, append virus, rinse, and repeat and you should be pretty good...
... (yet) according to the article. It's affecting users in China who get repackaged apps from alternative-market Chinese sites. There have been reports of suspicious apps on the official Android Market, but they are very few and quickly removed (http://bit.ly/5FOeM3). Does anyone know if there has ever been a confirmed threat? FTA: As of now, Lookout Security is only aware of the HongTouTou Trojan affecting users on Chinese forums. It does not affect any apps in their original versions available on the Google Android Market.
Wallpaper APPS?!?!? Why in God's name would you need to package wallpaper in an executable? That's a security issue waiting to happen...
Bing's found another way to scrape Google's search results!
If it's doing searches in bulk like that, it's a search spam program. It's exploiting a vulnerability in Google.
Google Trends lists "hot searches", what's being searched for in Google in recent hours. Google Trends drives Google Suggest, the hinting system for Google. That in turn drives Google Instant. Which, in turn, aims users at the target sites. Which are probably full of ads. Profit!
Spamming of Google Trends has been around for a while. It used to be easier, and you'd see things like the name of some mattress discounter at the top of Google Trends for 15 minutes or so. (I ran a program to follow the trends in Google Trends for a while. It was amusing.) Google seems to now be averaging over more hours, so the spammers have to up their game and use a distributed attack to push their keywords up.
This is the trouble with "crowdsourcing" recommendations. It's too easy to fake a crowd. Yelp, CitySearch, Google Places - they're all choked with recommendation spam. Anonymous recommendations are junk information. And no, requiring a Facebook account won't help. There's an app for that.
Google is now trying a "mark as spam" button in Chrome to identify "content farms". If that starts mattering, it will be spammed. The same applies to Blekko's "slashtags".
Written by the service provider because the execs thought they needed a little more income? Not as far fetched as you think in China where the usual is whatever it takes to get what you want.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
And the Fandroids are doing what again? They're being full of Schmidt. He'll steal your data then sell it back to you and everyone else. No thanks. I was on the fence and supportive of Android until this.
Just. Opt. Out.
After the recent Windows Phone 7 / Yahoo data suck incident. Trojan as corporate sabotage, perhaps?
Be sure not to download anything from a source you don't trust, because then you might get viruses, and then bad things can happen.
It's incredibly stupid when stuff like this happens, because it's not really 'malware' in the sense of Android having a flaw which allows code to be executed, but rather idiots who expressly give this permission to this code to run, when they get it from a non-trusted source.
User Error. If Problem persists consult your user vendor.
Bwah ha ha ha...... Really? I always love it when people install cocktail umbrellas in their swiss army knife.
But you can have approved apps on the Apple App Store and write your own apps and install them. Just join the developer program ($99), write your Xcode and install it on your phone. Bam! Mr. Jobs doesn't come and tell you you can't do it. It's legit.
This is exactly how it works in the corporate world. Just today, the head of my accounting department was fretting over the cost of a new GL package she needed to purchase. I was all "50 grand? Dude, why not just download Visual Studio Express and code that shit ourselves?" That conversation was at noon, and by 5:30 we had already skipped over the alpha version and were pussy deep in testing out the beta.
It's all downhill for iOS from here on. Jobs will kick the bucket ending both the reality distortion field and Apple's market responsiveness.
Android will gradually take most developers and users by virtue of being "just open enough", much like Windows. We've even got Blackberry going for Android apps, ala Dr. DOS. A behemoth spewing a billion dollars on marketing and payola pushing their unwanted child called WP7 (OS2). And we'll all end up running MeeGo (Linux) on phones originally designed to run Android.
Imho, we should continue pushing for MeeGo on the phone because the whole Android plus Debian on a dual core phone sounds silly & slow, well plus Maemo has a better user interface and better phone functionality than Android. (gsm, sip, and skype calls are integrated)
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
It's just a trojan horse on an alternative app market.
Just like on the PC you have to exercise caution as to where you get your apps.
Good thing it's not a security vulnerability, like one that allows an attacker to get root access to a phone, that needs patching to fix.
My understanding* is that at install time, an Android app has to list what permissions it wants to be able to operate. If I was installing some new wallpaper and it demanded internet access, I'd abort instantly. So does this attack only work against naive users?
* I don't have, and have not used, an Android or other smart phone
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
There's a lot of money connected with clicking on ads. They could be clicking their competitors' ads to drain their budgets.
It's a travesty that Linux has such a good firewall system available in its kernel, yet Google is not using it to enhance security of Android devices as standard. The Android permissions checks alone are not enough, far too coarse and inflexible.
It's true that you can root your Android and install a firewall yourself, but that invalidates your warranty, and if you bought a high-end phone or tablet then you don't want to lose your warranty in case the hardware fails.
It's a very poor situation, and it's getting worse as the attacks on Android increase. Come on Google, provide a firewall as standard. "Too complex for phone users" is not an adequate excuse for not doing so, because it can be made totally transparent by default if you wish, and only the security-conscious few would need to configure it in detail.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
The iOS app store can have its fair share of malware too.
Actually it can't. Because even the small level of review Apple goes through prevents some things, the greater degree of sandboxing prevents others, the lack of external storage prevents still other data mining trips from coming back with gold.
And then on top of that you have to provide some details to Apple to get certified as a developer.
Any one thing alone might not stop anyone, but in total they have prevented iOS from seeing issues like Android has had.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The iPhone has firewalls.
The thing is, people running the stock OS have no need of a firewall.
AegisLab is the first company to discover this ADRD.
http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1
They have 15 instances of ADRD.
There are two ways to deal with that though, get rid of useful stuff or try to manage any issues. I prefer to keep the useful stuff.
The third way is to control background access to the useful stuff so you get that but nothing arbitrary. That's the way Apple chose.
Because in the long run it's better to support the platform looking out for the consumer's best interests.
I 100% agree with that statement.
And that's why I stick with iOS development, possibly moving into WP7 development at some point.
Because I have lived through years of the PC model of security, and see the whole system brought to its knees by malware and spyware. Going forward into a new platform, I simply refuse to support a system that I see as trying to carry forward the old PC "anything goes" model in Android.
Consumers' best interests as far as computing go, are things where they cannot hurt themselves much. For the more technically inclined there will always be backdoors and paths we can open to gain the sweet control and functionality we desire, but the default shipping state should be such that I am not going to ever have to have daily conversations again with friends about how to clean out systems.
It seems that this is the earliest post on ADRD analysis from the AegisLab blog:
http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1
ADRD schedules an alarm to wake itself up when first deployed. It acts less frequently than other trojans like GEINIMI found in China, and is thus harder to trace once launched. All transmissions are encrypted with DES, but can be easily decoded using the key found in the DEX file.
Has anybody seen if those bogus apps are in the official Android Market or are in bogus Markets ? I must have missed that from the summary.
I mean in those where Android shows a warning message like: do not install anything from a non-official Market that you don't wholly trust.
FTFA: "Below is the application info screen, which doesn't say much that's informative."
Really? The Big Red Text kinda catches my attention. It's supposed to. You even get a pop-up when installing that informs you about the app's resource usage.
It's not like the application circumvented ActiveX or IE, or something to get installed. It needs ignorance to work. Google the friggin app and author before installing. This is no different than installing crap from warez sites or bittorrent. Actually, Android is better in that regard because at least you get an enumerated list of the application's resource usage.
"A basic Android application has no permissions associated with it, meaning it can not do anything that would adversely impact the user experience or any data on the device." *
"At application install time, permissions requested by the application are granted to it by the package installer, based on checks against the signatures of the applications declaring those permissions and/or interaction with the user. No checks with the user are done while an application is running: it either was granted a particular permission when installed, and can use that feature as desired, or the permission was not granted and any attempt to use the feature will fail without prompting the user."
* http://developer.android.com/guide/topics/security/security.html
boycott slashdot February 10th - 17th check out: altSlashdot.org
Has it come to this? Needing to have something to look at on your phone even when you aren't using it for something useful? Sheesh!
Just a note is that a large percent of the geek population is trusting ROMs with full root access. Just internet access for some sandbox app is small potatoes. Here's an example of a "good" developer making a simple mistake with their ROM http://www.droidforums.net/forum/liberty-rom-d2/125447-so-who-just-had-their-phone-taken-control-liberty-1-5-a.html Imagine what a malicious developer could accomplish.
The Android security model is fairly fine grained, certainly much more so than what we see on conventional desktop OSes, and has a pretty tall wall between apps. Note that the malware was not stealing user data from other apps, it is just a spambot, only stealing CPU cycles and bandwidth.
The main problem I have with the Android security model is that the only recourse you have for a questionable app is to not install it in the first place. I'd prefer to see the ability to selectively deny permissions, so you could specify that (for example) an app that requests a network connection be denied access. In this case, that would effectively neuter the spambot while possibly still being able to set wallpapers as the app is advertised to do. Sure, the app might just crash, but that would provide some feedback to the user as well (and cause you to uninstall it).
Unfortunately, a lot of apps probably ask for more permissions than they actually use due to poor Android documentation in describing which SDK functions require which permissions. In my experience, this leads developers to take a scattershot approach of adding permissions semi-randomly in an attempt to debug why their app is crashing with permissions errors (of course, there is little incentive to remove those unnecessary permissions). Also some permissions need to be further split up; a music app that needs to know when a phone call is coming in in order to pause playback should only need permissions to that particular event, it shouldn't have to request full access to make and receive calls. Because there isn't enough information to make an informed decision, this quickly causes even technical users to stop paying attention to the "required permissions" page in the android market.
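The thread's repackaging pattern (a legit wallpaper app grabbed from the official Market, trojan appended, re-uploaded elsewhere) suggests a simple defender-side check that the "required permissions" page does not give you: diff the repackaged manifest against the original and flag what was added. This is an added example, not code from any commenter, Lookout or AegisLab; both manifests are constructed for illustration, and the permission-to-behaviour mapping is the author's reading of the thread, not a published ADRD signature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifests for illustration (not taken from any real APK): a
# hypothetical legitimate wallpaper app and a repackaged copy that has gained
# the capabilities the thread describes, network access for the background
# searches and phone state for the IMEI/IMSI.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Example Wallpaper"/>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Example Wallpaper"/>
</manifest>"""

# Permissions a wallpaper app has no legitimate use for, each mapped to the
# trojan behaviour from the thread that it would enable (author's mapping).
SUSPICIOUS_FOR_WALLPAPER = {
    "android.permission.INTERNET": "background network traffic (the fake searches)",
    "android.permission.READ_PHONE_STATE": "read IMEI/IMSI to send to the remote host",
}


def permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def added_permissions(original_xml, repackaged_xml):
    """Permissions the repackaged build requests that the original did not."""
    return permissions(repackaged_xml) - permissions(original_xml)


def triage(original_xml, repackaged_xml):
    """Explain each newly added permission; unknown additions are still flagged."""
    return {p: SUSPICIOUS_FOR_WALLPAPER.get(p, "not expected for a wallpaper app")
            for p in sorted(added_permissions(original_xml, repackaged_xml))}
```

On a real sample you would feed `triage()` the decoded AndroidManifest.xml from the Market copy and from the alternative-market copy; a non-empty result is the signal the permission screen alone tends to hide.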
This is where you dumb fuck fosstards get what's coming to you.
Aww, is APK stalking me? That's his quote style!
What's the matter, upset that I'm not offering to blow you for your hosts file?
APK == OFF TOPIC TROLL!