Slashdot Mirror


New Android Malware Robs Bandwidth For Fake Searches

adeelarshad82 writes "We've been hearing about various Android malware spreading through the Chinese markets. Well, here's another one to look out for: meet ADRD (aka Trojan:Android/Adrd.A) which is expert in sucking your bandwidth. The malware downloads a list of search URLs and then performs those searches at random in the background, which as the screen shots [in the linked article] show leads to excessive data charges. Similar to other Android malware this too is distributed through wallpapers which are infected repackaged versions of legit wallpapers." Adds reader Trailrunner7: "Lookout, a mobile security vendor, said it has identified 14 instances of the malware repackaging itself in various wallpaper apps and specifically in the popular game RoboDefense, made available in alternative application markets. The trojan works by duping an infected app into sending encrypted data containing the device’s IMEI and IMSI to a remote host. HongTouTou then receives a set of search engine target URIs and search keywords to send as queries. It then uses these keywords to emulate search processes, creating searches in the search engine yielding the top results for those keywords and clicking on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with User-Agent corresponding to the UCWeb browser."

9 of 236 comments

  1. Re:So remind me again... by vinng86 · · Score: 4, Informative

    The iOS app store can have its fair share of malware too. It's easy to hide snooping software behind a simple game, for example. In fact, all apps can access the contacts list, recent YouTube searches, email settings and even non-password field keystrokes. When developers submit apps they only submit the binary and not the source code, so Apple's app approval monkeys basically only cover what they can see. This "walled garden" argument is stupid for this reason.

  2. Re:So remind me again... by vux984 · · Score: 4, Insightful

    ...why Apple's "Walled Garden" for the iPhone is such a bad thing?

    Because you can't choose not to use it.

    The non-story here is that people carelessly installing bad software from ALTERNATIVE android marketplaces got malware.

    Newsflash, if you want assurances of software without malware, don't shop at the internet equivalent of the chinatown night markets.

    If you want to be as safe as apple's walled garden, stay within the official marketplaces and you get that.

  3. It's spamming Google Trends / Suggest / Instant by Animats · · Score: 4, Insightful

    If it's doing searches in bulk like that, it's a search spam program. It's exploiting a vulnerability in Google.

    Google Trends lists "hot searches", what's being searched for in Google in recent hours. Google Trends drives Google Suggest, the hinting system for Google. That in turn drives Google Instant. Which, in turn, aims users at the target sites. Which are probably full of ads. Profit!

    Spamming of Google Trends has been around for a while. It used to be easier, and you'd see things like the name of some mattress discounter at the top of Google Trends for 15 minutes or so. (I ran a program to follow the trends in Google Trends for a while. It was amusing.) Google seems to now be averaging over more hours, so the spammers have to up their game and use a distributed attack to push their keywords up.

    This is the trouble with "crowdsourcing" recommendations. It's too easy to fake a crowd. Yelp, CitySearch, Google Places - they're all choked with recommendation spam. Anonymous recommendations are junk information. And no, requiring a Facebook account won't help. There's an app for that.

    Google is now trying a "mark as spam" button in Chrome to identify "content farms". If that starts mattering, it will be spammed. The same applies to Blekko's "slashtags".

  4. Re:So remind me again... by h4rr4r · · Score: 4, Insightful

    If you stick to the Market for Android you would not get these trojans either. The fact that you are not forced to is a good thing.

  5. Re:So remind me again... by Gadget_Guy · · Score: 4, Insightful

    If you want to be as safe as apple's walled garden, stay within the official marketplaces and you get that.

    The other alternative would be if the OS asked for user permission before an application could access the internet (just one time, not every time). This is what my old Nokia (running Symbian) used to do. It works the same way as how the iPhone prompts to allow programs to use location services.

    I am much more worried that a program leaks data or uses all my download quota than whether it knows where I am.

  6. Re:So remind me again... by Anonymous Coward · · Score: 5, Insightful

    If you're a registered iOS dev you have a CC on file with Apple.

    And surely the large, well-financed criminal organizations behind most modern malware could never possibly obtain a credit card number that's not their own.

  7. Re:So remind me again... by SCPRedMage · · Score: 4, Informative

    Yes, because installing third party firmware is EXACTLY like installing applications, which is what the thread has been about.

    YES, you need to root most Android phones in order to install third party firmware, such as CyanogenMod. NO, you do not need to root your Android phone in order to install apps that haven't been explicitly allowed by the phone's manufacturer, including alternative app stores.

    Protip: Strawman arguments work significantly better when they aren't so bloody obvious.

    --
    My sig can beat up your sig.

  8. Re:So remind me again... by adolf · · Score: 4, Informative

    Perhaps the problem is simply that it isn't widely publicized. Please allow me to attempt to rectify that:

    Hey, malware authors! You can pounce on unsuspecting iPhone owners for only $102! All you need to do is get a disposable pre-paid Visa from Wal-Mart, and pay Apple $99 for a disposable dev account! And remember, kids, it takes money to make money! Happy phishing!

    There. That should do it.

  9. Re:One serious question: Why? by mynickslongerthanurs · · Score: 4, Informative

    To understand this one must first understand the business model of Baidu (the top Chinese search engine).

    For a specific search term, the top results shown in Baidu search are paid for, which means the websites in question pay Baidu for prioritizing their sites and for every time a user clicks the result (this may sound 'innovative' at first, but I assure you it does more harm than good, considering that putting the names of random diseases into Baidu these days results in a full page of dodgy websites offering expensive (yet often ineffective) treatment courses).
    To increase revenue, Baidu encourages equally dodgy 'vendors' to lead users into clicking these links by giving a small kick-back for each successful hit. The whole thing sounds like borderline fraud to me, but hell, somehow it's legal.

    The trojan, HongTouTou (or 'Phantom Clicker'), is the result of such a business model, as a certain vendor tries to profit by creating artificial traffic.

    This is an actual URL generated by the malware: http://wap.baidu.com/s?word=%E8%9D%8E%E5%AD%90&vit=uni&from=963a_w1 (don't click or you'll be generating revenue for them.)
    Notice the 'from' parameter, 963a_w1, being the vendor ID.

    An in-depth analysis can be found here:
    http://www.antiy.com/cn/news/android_adrd.htm
    Oh, Chinese language knowledge required.
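
The story summary and comment 9 together describe a traffic pattern that is easy to spot from the network side: background requests to wap.baidu.com/s carrying a percent-encoded `word` query, an affiliate `from` parameter and a User-Agent imitating the UCWeb browser, fired far faster than a human would search. The following is an added example, not code from the story, from Lookout, from Antiy or from any commenter, showing detection logic for that pattern run over constructed proxy-log lines. The only real URL in it is the one comment 9 quotes; the log format, the client IDs (`dev-01` etc.), the `UCWEB/7.x` User-Agent string, the other keywords and the burst threshold are all assumptions made for the example.

```python
"""Added example (not from the Slashdot story or its commenters): flag
ADRD/HongTouTou-style search click fraud in HTTP access logs.

A client is flagged when it issues several affiliate-tagged Baidu WAP
searches (URLs with both 'word' and 'from' parameters) from a UCWeb-like
User-Agent within a short window. The log format below is an assumption:
    <client-id> <ISO-8601 timestamp> <URL> <User-Agent ...>
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log. The first URL is the one quoted in comment 9;
# every other line, the client IDs and the UA strings are made up.
SAMPLE_LOG = """\
dev-01 2011-02-15T10:00:01 http://wap.baidu.com/s?word=%E8%9D%8E%E5%AD%90&vit=uni&from=963a_w1 UCWEB/7.x
dev-01 2011-02-15T10:00:04 http://wap.baidu.com/s?word=%E6%89%8B%E6%9C%BA&vit=uni&from=963a_w1 UCWEB/7.x
dev-01 2011-02-15T10:00:07 http://wap.baidu.com/s?word=%E5%A4%A9%E6%B0%94&vit=uni&from=963a_w1 UCWEB/7.x
dev-01 2011-02-15T10:00:10 http://wap.baidu.com/s?word=%E6%96%B0%E9%97%BB&vit=uni&from=963a_w1 UCWEB/7.x
dev-02 2011-02-15T10:00:02 http://wap.baidu.com/s?word=%E5%A4%A9%E6%B0%94&vit=uni Mozilla/5.0 (Linux; Android 2.2)
dev-02 2011-02-15T10:05:30 http://wap.baidu.com/s?word=%E6%96%B0%E9%97%BB&vit=uni Mozilla/5.0 (Linux; Android 2.2)
dev-03 2011-02-15T10:01:00 http://example.com/index.html UCWEB/7.x
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_search(url):
    """Return (keyword, vendor_id) for a Baidu WAP search URL, else None.

    'word' is the percent-encoded UTF-8 query; 'from' is the affiliate
    ID comment 9 points at (None when absent). parse_qs decodes both."""
    parts = urlsplit(url)
    if parts.netloc != "wap.baidu.com" or parts.path != "/s":
        return None
    qs = parse_qs(parts.query)
    if "word" not in qs:
        return None
    return qs["word"][0], qs.get("from", [None])[0]


def parse_log(text):
    """Split log lines into records; lines not matching the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, url, ua = m.groups()
        records.append({"client": client, "ts": datetime.fromisoformat(ts),
                        "url": url, "ua": ua})
    return records


def flag_clients(records, window_seconds=60, min_hits=3):
    """Return {client: summary} for clients that sent >= min_hits
    affiliate-tagged Baidu searches with a UCWeb UA within window_seconds."""
    per_client = defaultdict(list)
    for r in records:
        hit = parse_search(r["url"])
        if hit is None:
            continue
        keyword, vendor = hit
        # Both indicators from the story: vendor tag present, UCWeb-style UA.
        if vendor is None or not r["ua"].upper().startswith("UCWEB"):
            continue
        per_client[r["client"]].append((r["ts"], keyword, vendor))

    flagged = {}
    for client, hits in per_client.items():
        hits.sort()
        for i in range(len(hits)):
            # Sliding window: count hits starting at i that fall within the window.
            j = i
            while j < len(hits) and (hits[j][0] - hits[i][0]).total_seconds() <= window_seconds:
                j += 1
            burst = hits[i:j]
            if len(burst) >= min_hits:
                flagged[client] = {
                    "searches": len(burst),
                    "keywords": sorted({k for _, k, _ in burst}),
                    "vendors": sorted({v for _, _, v in burst}),
                }
                break
    return flagged


if __name__ == "__main__":
    for client, info in flag_clients(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

Only `dev-01` is flagged: `dev-02` searches Baidu from a normal Android browser with no `from` tag and minutes apart, and `dev-03` only has the UCWeb User-Agent. Keying on the vendor ID alone would also catch legitimate UCWeb users who reach Baidu through that affiliate, so the burst rate is what separates a trojan from a person.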