2/16/2011
01:53 PM

Android Trojan Practices Click Fraud

HongTouTou malware, hidden inside repackaged -- typically pirated -- applications, first surfaced on third-party online software markets in China.

A new Android Trojan has surfaced in third-party software marketplaces. Dubbed HongTouTou (aka the ADRD Trojan), the malware ships inside repackaged apps that ask the device user for more permissions than the originals did, and it appears to surreptitiously collect information from the device and click on specific search results.

According to a blog post from Tim Strazzere, a security engineer at smartphone security firm Lookout, which discovered the malware, his company "identified 14 separate instances of the HongTouTou Trojan repackaged in Android apps including RoboDefense (a well known game) and a variety of wallpaper apps."

When an application that includes the HongTouTou Trojan starts up, it dispatches encrypted data to a remote host, which returns a list of search terms. "HongTouTou then emulates the search process using these keywords to create searches in the search engine, crawls the top search results for those keywords, and emulates clicks on specific results," said Strazzere. The goal appears simple: to commit click fraud, albeit at the expense of the device owner's data plan.

The malware also has the ability to execute a separate Android package file (APK), although it doesn't appear to be doing this, at least so far. "The APK appears to have the ability to monitor SMS conversations and insert content related to specific keywords -- potentially spam -- into the SMS conversation," said Strazzere.

HongTouTou is reminiscent of the Geinimi attack code that recently surfaced. While that malware was first seen bundled with applications available on Chinese app markets, it's since spread to U.S. and European app markets.

Access to sensitive data is not confined to malware. According to new research from Lookout, 11% of Apple App Store apps can access contacts and 34% can access location, versus 7.5% and 28%, respectively, for Android Market apps. "For both markets these percentages have decreased slightly over the last 6 months, which may be driven by an increased level of developer sophistication and a heightened awareness of privacy concerns amongst both users and developers," said Lookout.

But whereas Apple takes a walled-garden approach to iOS application security by vetting every application before it reaches the App Store, Google allows Android devices to install applications not only from the official store, Android Market, but also from any number of third-party app stores.

Unfortunately, third-party markets pose security risks. For example, Lookout examined two markets that target Chinese customers, and found that 11% of the applications they contained were repackaged -- and thus, likely pirated. Of these applications, nearly 25% had been altered to request more permissions than the original application.

Such alterations typically serve fraud -- retooling advertising links so the revenue flows to the pirate rather than the developer -- or add malware to the application, such as click-fraud software, keystroke loggers, or premium-rate dialers.
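The permission inflation Lookout describes is something a defender can check for directly: decode the AndroidManifest.xml of the original app and of the suspected repackaging, then diff the declared permissions and registered components. The script below is an added example written for this article, not Lookout's tooling or anything shipped with the malware. The two manifests are constructed inputs standing in for a legitimate wallpaper app and a trojanized copy; the HIGH_RISK list is an illustrative, hypothetical triage set, not a definitive list of dangerous permissions.

```python
"""Diff the permissions and broadcast receivers declared by an original app's
AndroidManifest.xml against a suspected repackaged copy.

Added example, not Lookout's tooling. Both manifests below are constructed
inputs (a plain wallpaper app and a repackaged copy that was altered to ask
for more permissions than the original).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Hypothetical triage set: permissions a wallpaper or game has little reason
# to need, so their appearance only in the repackaged copy deserves a look.
HIGH_RISK = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES",
}

# Constructed manifest of the legitimate wallpaper app.
ORIGINAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <application android:label="Wallpaper">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed manifest of the repackaged copy: same package name and activity,
# plus extra permissions and a receiver that was not in the original.
REPACKAGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Wallpaper">
        <activity android:name=".MainActivity"/>
        <receiver android:name="com.example.injected.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission")}


def receivers(manifest_xml):
    """Return the set of <receiver android:name=...> class names."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("receiver")}


def package_name(manifest_xml):
    return ET.fromstring(manifest_xml).get("package")


def compare(original_xml, repackaged_xml):
    """Report what the repackaged manifest declares beyond the original."""
    added = permissions(repackaged_xml) - permissions(original_xml)
    return {
        "same_package": package_name(original_xml) == package_name(repackaged_xml),
        "added_permissions": sorted(added),
        "high_risk_added": sorted(added & HIGH_RISK),
        "added_receivers": sorted(receivers(repackaged_xml) - receivers(original_xml)),
    }


if __name__ == "__main__":
    for key, value in compare(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST).items():
        print("%-18s %s" % (key + ":", value))
```

Inside a real APK the manifest is stored as binary XML, so decode it first (for example with apktool, or by dumping the permission list with `aapt dump permissions app.apk`) and feed the decoded text to `compare`. A matching package name with extra permissions or a new boot-time receiver is exactly the pattern the article describes and is a strong signal to pull the sample for dynamic analysis.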

Chinese consumers who want their Angry Birds fix have little choice but to use third-party app stores, as authorities have been blocking access to Android Market.

"The Android Market is blocked for Chinese customers," said a Lookout spokesperson via email. "We haven't heard or seen anything otherwise."
