Slashdot Mirror


New Android Malware Robs Bandwidth For Fake Searches

adeelarshad82 writes "We've been hearing about various Android malware spreading through the Chinese markets. Well, here's another one to look out for: meet ADRD (aka Trojan:Android/Adrd.A) which is expert in sucking your bandwidth. The malware downloads a list of search URLs and then performs those searches at random in the background, which as the screen shots [in the linked article] show leads to excessive data charges. Similar to other Android malware this too is distributed through wallpapers which are infected repackaged versions of legit wallpapers." Adds reader Trailrunner7: "Lookout, a mobile security vendor, said it has identified 14 instances of the malware repackaging itself in various wallpaper apps and specifically in the popular game RoboDefense, made available in alternative application markets. The trojan works by duping an infected app into sending encrypted data containing the device’s IMEI and IMSI to a remote host. HongTouTou then receives a set of search engine target URIs and search keywords to send as queries. It then uses these keywords to emulate search processes, creating searches in the search engine yielding the top results for those keywords and clicking on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with User-Agent corresponding to the UCWeb browser."

18 of 236 comments

  1. it's coming... by esoterus · Score: 3, Funny

    McAfee for Droid... ugh

    --
    Not only does God definitely play dice, but He sometimes confuses us by throwing them where they can't be seen. -Hawking
  2. They're right by Divebus · Score: 3, Funny

    This is PC vs Mac all over again.

    --

    Most of the stuff on /. won't survive first contact with facts.
  3. Re:So remind me again... by vinng86 · Score: 4, Informative

    The iOS app store can have its fair share of malware too. It's easy to hide snooping software behind a simple game for example. In fact, all apps can access the contacts list, recent youtube searches, email settings and even non-password field keystrokes. When developers submit apps they only submit the binary and not the source code so Apple's app approval monkeys basically only cover what they can see. This "walled garden" argument is stupid for this reason.

  4. Re:So remind me again... by vux984 · Score: 4, Insightful

    ...why Apple's "Walled Garden" for the iPhone is such a bad thing?

    Because you can't choose not to use it.

    The non-story here is that people carelessly installing bad software from ALTERNATIVE android marketplaces got malware.

    Newsflash, if you want assurances of software without malware, don't shop at the internet equivalent of the chinatown night markets.

    If you want to be as safe as apple's walled garden, stay within the official marketplaces and you get that.

  5. Re:One serious question: Why? by yuna49 · Score: 3, Insightful

    Thanks for asking this. I was left scratching my head after reading the blurb, too. Other than simple malicious behavior like draining batteries and running up account charges, is there some deeper purpose to this piece of crap?

  6. It's here by alostpacket · Score: 3, Informative

    They already (sadly) make it: http://blogs.mcafee.com/enterprise/mobile/mcafee-for-android-a-mobile-security-update

    Honestly though I'm tired of Lookout Mobile doing this fear mongering. I'll give them credit though, they are smart guys -- and based on their defcon presentation, they know a lot about Android security. But stop with the scare tactic PR news stories. This would be akin to saying "Virus found on The Pirate Bay, news at 11." I know they need PR because they are a startup, but c'mon.

    --
    PocketPermissions Android Permission Guide
  7. It's spamming Google Trends / Suggest / Instant by Animats · Score: 4, Insightful

    If it's doing searches in bulk like that, it's a search spam program. It's exploiting a vulnerability in Google.

    Google Trends lists "hot searches", what's being searched for in Google in recent hours. Google Trends drives Google Suggest, the hinting system for Google. That in turn drives Google Instant. Which, in turn, aims users at the target sites. Which are probably full of ads. Profit!

    Spamming of Google Trends has been around for a while. It used to be easier, and you'd see things like the name of some mattress discounter at the top of Google Trends for 15 minutes or so. (I ran a program to follow the trends in Google Trends for a while. It was amusing.) Google seems to now be averaging over more hours, so the spammers have to up their game and use a distributed attack to push their keywords up.

    This is the trouble with "crowdsourcing" recommendations. It's too easy to fake a crowd. Yelp, CitySearch, Google Places - they're all choked with recommendation spam. Anonymous recommendations are junk information. And no, requiring a Facebook account won't help. There's an app for that.

    Google is now trying a "mark as spam" button in Chrome to identify "content farms". If that starts mattering, it will be spammed. The same applies to Blekko's "slashtags".

  8. Re:So remind me again... by h4rr4r · Score: 4, Insightful

    If you stick to the market for android you would not get these trojans either. The fact that you are not forced to is a good thing.

  9. Re:So remind me again... by h4rr4r · Score: 3, Insightful

    So how do I do that without paying Mr. Jobs for the privilege of using something I already bought?

  10. Re:So remind me again... by Gadget_Guy · Score: 4, Insightful

    If you want to be as safe as apple's walled garden, stay within the official marketplaces and you get that.

    The other alternative would be if the OS asked for user permission before an application could access the internet (just one time, not every time). This is what my old Nokia (running Symbian) used to do. It works the same way as how the iPhone prompts to allow programs to use location services.

    I am more worried that a program leaks data or uses all my download quota much more than whether it knows where I am.

  11. Re:So remind me again... by Anonymous Coward · Score: 5, Insightful

    If you're a registered iOS dev you have a CC on file with Apple.

    And surely the large, well-financed criminal organizations behind most modern malware could never possibly obtain a credit card number that's not their own.

  12. Re:So remind me again... by adolf · Score: 3, Informative

    Pre-paid Visa cards are available at Wal-Mart for $3.

    Becoming an IOS dev costs, what, $99?

    So it costs just $102, then, to get a shot at pushing some malware which will hopefully make the author(s) some money. This really isn't a very high bar.

  13. Re:So remind me again... by willy_me · Score: 3, Interesting

    The other alternative would be if the OS asked for user permission before an application could access the internet (just one time, not every time).

    Not very effective because almost all applications use the internet - at least a little. What would be good is if the application made a request to use the internet and provided an estimated maximum amount used in the dialog. For example, screensaver X requests to use the internet and estimates that it will use under 2MB per month. Now the user knows more about what is happening and the OS can ensure the app does not break its promise. Advanced settings might even allow the user to restrict the application to specific domains.

    While this does not offer a complete solution, it would help prevent apps from running up usage charges.

  14. Re:So remind me again... by SCPRedMage · Score: 4, Informative

    Yes, because installing third party firmware is EXACTLY like installing applications, which is what the thread has been about.

    YES, you need to root most Android phones in order to install third party firmware, such as CyanogenMod. NO, you do not need to root your Android phone in order to install apps that haven't been explicitly allowed by the phone's manufacturer, including alternative app stores.

    Protip: Strawman arguments work significantly better when they aren't so bloody obvious.

    --
    My sig can beat up your sig.
  15. Re:So remind me again... by adolf · Score: 4, Informative

    Perhaps the problem is simply that it isn't widely publicized. Please allow me to attempt to rectify that:

    Hey, malware authors! You can pounce on unsuspecting iPhone owners for only $102! All you need to do is get a disposable pre-paid Visa from Wal-Mart, and pay Apple $99 for a disposable dev account! And remember, kids, it takes money to make money! Happy phishing!

    There. That should do it.

  16. Re:One serious question: Why? by mynickslongerthanurs · Score: 4, Informative

    To understand this one must first understand the business model of Baidu (the top Chinese search engine).

    For a specific search term, the top results shown in Baidu search are paid for, which means the websites in question pay Baidu for prioritizing their sites and every time a user clicks the result (this may sound 'innovative' at first but I assure you it does more harm than good, considering putting names of random diseases in Baidu these days results in a full page of dodgy websites offering expensive (yet often ineffective) treatment courses).
    To increase revenue, Baidu encourages equally dodgy 'vendors' to lead users into clicking these links by giving a small kick-back for each successful hit. The whole thing sounds like borderline fraud to me but hell somehow it's legal.

    The trojan, HongTouTou (or 'Phantom Clicker'), is the result of such a business model as a certain vendor tries to profit by creating artificial traffic.

    This an actual URL generated by the malware: http://wap.baidu.com/s?word=%E8%9D%8E%E5%AD%90&vit=uni&from=963a_w1 (don't click or you'll be generating revenue for them.)
    Notice the 'from' parameter, 963a_w1 being the vendor ID.

    An in-depth analysis can be found here:
    http://www.antiy.com/cn/news/android_adrd.htm
    Oh, Chinese language knowledge required.
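The story summary above says the trojan drives Baidu queries from a UCWeb-like User-Agent, and the comment above points out that the `from` query parameter carries the vendor ID that gets paid for the click. Those two facts are enough to spot the traffic on a proxy or gateway. Below is an added detection example, written for this page rather than taken from Lookout, Antiy or the original reports: it parses wap.baidu.com search URLs, pulls out the decoded keyword and the `from` tag, and flags clients that fire bursts of tagged searches from a UCWeb User-Agent. The log line format, the User-Agent string, the client addresses and the burst thresholds are all assumptions made for illustration; the sample log is constructed, not captured.

```python
"""Flag ADRD/HongTouTou-style background search traffic in HTTP proxy logs.

Added example. The log format (ISO time, client, quoted User-Agent, URL),
the UCWeb-like User-Agent text, the client addresses and the thresholds
are assumptions for illustration, not artefacts from the original reports.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log. 10.0.0.7 behaves like an infected handset (six tagged
# searches in 30 s from a UCWeb-like UA); 10.0.0.9 is a single tagged search
# (below threshold); 10.0.0.12 is a stock-browser user with no vendor tag.
SAMPLE_LOG = """\
2011-02-15T10:00:01 10.0.0.7 "UCWEB/2.0 (Java; U; MIDP-2.0; zh-CN)" http://wap.baidu.com/s?word=%E8%9D%8E%E5%AD%90&vit=uni&from=963a_w1
2011-02-15T10:00:05 10.0.0.7 "UCWEB/2.0 (Java; U; MIDP-2.0; zh-CN)" http://wap.baidu.com/s?word=%E6%89%8B%E6%9C%BA&vit=uni&from=963a_w1
2011-02-15T10:00:12 10.0.0.7 "UCWEB/2.0 (Java; U; MIDP-2.0; zh-CN)" http://wap.baidu.com/s?word=%E5%A4%A9%E6%B0%94&vit=uni&from=963a_w1
2011-02-15T10:00:18 10.0.0.7 "UCWEB/2.0 (Java; U; MIDP-2.0; zh-CN)" http://wap.baidu.com/s?word=%E8%9D%8E%E5%AD%90&vit=uni&from=963a_w1
2011-02-15T10:00:25 10.0.0.7 "UCWEB/2.0 (Java; U; MIDP-2.0; zh-CN)" http://wap.baidu.com/s?word=%E6%89%8B%E6%9C%BA&vit=uni&from=963a_w1
2011-02-15T10:00:31 10.0.0.7 "UCWEB/2.0 (Java; U; MIDP-2.0; zh-CN)" http://wap.baidu.com/s?word=%E5%A4%A9%E6%B0%94&vit=uni&from=963a_w1
2011-02-15T10:00:40 10.0.0.9 "UCWEB/2.0 (Java; U; MIDP-2.0; zh-CN)" http://wap.baidu.com/s?word=%E5%A4%A9%E6%B0%94&vit=uni&from=963a_w1
2011-02-15T10:00:41 10.0.0.12 "Mozilla/5.0 (Linux; U; Android 2.2; zh-cn)" http://wap.baidu.com/s?word=%E5%A4%A9%E6%B0%94
2011-02-15T10:00:44 10.0.0.12 "Mozilla/5.0 (Linux; U; Android 2.2; zh-cn)" http://wap.baidu.com/
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"\s+(\S+)$')


def parse_line(line):
    """Split one assumed-format log line into (time, client, user_agent, url)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, ua, url = m.groups()
    return datetime.fromisoformat(ts), client, ua, url


def parse_search(url):
    """Return {'word', 'vendor'} for a wap.baidu.com /s search URL, else None.

    'word' is the percent-encoded UTF-8 keyword (parse_qs decodes it);
    'vendor' is the 'from' affiliate tag, None when absent.
    """
    parts = urlsplit(url)
    if parts.hostname != "wap.baidu.com" or parts.path != "/s":
        return None
    qs = parse_qs(parts.query)
    if "word" not in qs:
        return None
    return {"word": qs["word"][0], "vendor": qs.get("from", [None])[0]}


def detect(log_text, min_searches=5, window=timedelta(seconds=60)):
    """Flag clients sending >= min_searches vendor-tagged searches inside
    `window` from a UCWeb-like User-Agent. Thresholds are assumptions."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, ua, url = rec
        hit = parse_search(url)
        if hit is None or hit["vendor"] is None or "UCWEB" not in ua.upper():
            continue
        per_client[client].append((ts, hit))

    findings = []
    for client, hits in per_client.items():
        hits.sort(key=lambda h: h[0])
        start, best = 0, 0
        for end in range(len(hits)):            # sliding window over timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_searches:
            findings.append({
                "client": client,
                "burst": best,
                "vendors": {h["vendor"] for _, h in hits},
                "words": sorted({h["word"] for _, h in hits}),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["client"], "burst", f["burst"], "vendor", f["vendors"], f["words"])
```

The vendor tag is the useful pivot: once one infected client is confirmed, every other client sending searches with the same `from` value is worth a look, whether or not it has crossed the burst threshold yet. The User-Agent check is the weakest signal, since a legitimate UCWeb user produces the same header; it is there to reduce noise, not as the decision on its own.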

  17. Re:So remind me again... by BasilBrush · Score: 3, Informative

    And going by the top 10 hits, not a single one affects non-jailbroken iPhones.

  18. ROMs are a bigger threat by bobbutts · Score: 3, Interesting

    Just a note: a large percent of the geek population is trusting ROMs with full root access. Just internet access for some sandbox app is small potatoes. Here's an example of a "good" developer making a simple mistake with their ROM: http://www.droidforums.net/forum/liberty-rom-d2/125447-so-who-just-had-their-phone-taken-control-liberty-1-5-a.html . Imagine what a malicious developer could accomplish.