Android Trojan Practices Click Fraud

HongTouTou malware, hidden in repackaged -- typically pirated -- applications, first surfaced on third-party online software markets in China.

Mathew J. Schwartz, Contributor

February 16, 2011


A new Android Trojan has surfaced in third-party software marketplaces. Dubbed HongTouTou (aka the ADRD Trojan), the malware requests additional permissions from the device user, and appears to surreptitiously search the device for information, as well as click on specific search results.

According to a blog post from Tim Strazzere, a security engineer at smartphone security firm Lookout, which discovered the malware, his company "identified 14 separate instances of the HongTouTou Trojan repackaged in Android apps including RoboDefense (a well known game) and a variety of wallpaper apps."

When an application that includes the HongTouTou Trojan starts up, it dispatches encrypted data to a remote host, which returns a list of search terms. "HongTouTou then emulates the search process using these keywords to create searches in the search engine, crawls the top search results for those keywords, and emulates clicks on specific results," said Strazzere. The goal appears simple: to commit click fraud, albeit at the expense of the device owner's data plan.

The malware also has the ability to execute an Android package file (APK), although it doesn't appear to be doing this, at least so far. "The APK appears to have the ability to monitor SMS conversations and insert content related to specific keywords -- potentially spam -- into the SMS conversation," said Strazzere.

HongTouTou is reminiscent of the Geinimi attack code that recently surfaced. While that malware was first seen bundled with applications available on Chinese app markets, it's since spread to U.S. and European app markets.

When it comes to smartphone applications that may have questionable behavior, 11% of Apple App Store apps can access contacts, and 34% can access location, according to new research from Lookout. Compare that to Android Market, for which only 7.5% of apps can access contacts, and 28% location. "For both markets these percentages have decreased slightly over the last 6 months, which may be driven by an increased level of developer sophistication and a heightened awareness of privacy concerns amongst both users and developers," said Lookout.

But whereas Apple takes a walled garden approach to iOS application security by vetting all applications, Google allows Android devices to work not only with the official application store, Android Market, but also any number of third-party app stores.

Unfortunately, third-party markets pose security risks. For example, Lookout examined two markets that target Chinese customers, and found that 11% of the applications they contained were repackaged -- and thus, likely pirated. Of these applications, nearly 25% had been altered to request more permissions than the original application.

Such alterations often involve fraud -- retooling advertising links to benefit the pirate, not the developer -- or including malware in the application, such as click-fraud software, keystroke loggers, or premium-rate telephone dialing software.
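The permission inflation Lookout describes can be checked by comparing a suspect copy's manifest against the original developer's. The sketch below is an added example, not code from Lookout or the article; it assumes both manifests have already been decoded to text XML (for instance with apktool), and the sample manifests, package name, and the `SENSITIVE` watch list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Permissions flagged for closer review when only the repackaged copy asks for
# them. Illustrative selection for this example, not a list from the article.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest document")
    names = (el.get(NAME) for el in root.iter("uses-permission"))
    return {n.strip() for n in names if n}

def permission_drift(original_xml, candidate_xml):
    """Compare a candidate APK's manifest against the known-good original."""
    added = requested_permissions(candidate_xml) - requested_permissions(original_xml)
    return {
        "added": sorted(added),
        "sensitive_added": sorted(added & SENSITIVE),
        "suspicious": bool(added),
    }

# Constructed sample manifests for a hypothetical wallpaper app.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

if __name__ == "__main__":
    print(permission_drift(ORIGINAL, REPACKAGED))
```

Extra permissions alone do not prove a copy is malicious, but an app that asks for more than the developer's own release did is a cheap signal to prioritise for deeper analysis.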

Unfortunately, Chinese consumers who want their Angry Birds fix have little choice but to use third-party app stores as authorities have been blocking access to Android Market.

"The Android Market is blocked for Chinese customers," said a Lookout spokesperson via email. "We haven't heard or seen anything otherwise."

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
