For the past several years we have seen a rapid rise in the number of devices able to access the Internet, and with it a rise in malware targeting those devices. Among the most targeted are our web-savvy mobile phones. According to our Threat Report for the Fourth Quarter of 2010, malware targeting mobile devices rose by 46% in 2010. Android, which overtook Symbian in popularity in the last quarter of 2010, is becoming the preferred platform for cybercriminals to carry out their malicious intent. In line with this trend, we recently came across malware targeting Android that we call the Android/DRAD bot.
Distribution Mechanism
The malicious code comes bundled inside legitimate applications distributed through third-party app stores. The malware authors download legitimate applications, repackage them to include the Trojan, and upload them again to app stores for users to download. The infected application we analyzed was a wallpaper application called Dandelion.
Application Characteristics
The application requires Android 2.1 or later in order to install and execute.
Here is a screenshot of the application when installed:
The installed application has the following permissions:
As we can see, the application can access contact information, access the Internet, modify or delete SD card contents, and even write access point settings.
The application executes when one of the following conditions is met:
1) Two minutes have passed since the OS booted.
2) Network connectivity changes, i.e. the device lost network connectivity and then re-established it.
3) The call state on the device changes, i.e. a call is received.
A quick look at the AndroidManifest.xml confirms the above conditions.
On Execution
Below is a screenshot of the Trojan when executed:
On execution, the Trojan contacts the following remote hosts:
1) adrd.xiaxiab.com
2) adrd.taxuan.net
and sends the following device information:
IMEI: International Mobile Equipment Identity
IMSI: International Mobile Subscriber Identity
The data transmitted is DES-encrypted with the key “48734154”.
The screenshot below shows the information being transmitted by an infected Android mobile device:
The encoded data transmitted has the form:
Encoded String = IMEI + IMSI + Netway + iversion + oversion
where,
iversion = “6” (hardcoded)
oversion = “adrd.zt.cw.4” (hardcoded)
The server then responds with a list of URLs. The Trojan randomly picks one of these URLs and tries to contact it. In response, the server returns a search string that the Trojan uses to perform web searches in the background, issuing multiple HTTP search requests to that location.
For example:
hxxp://wap.baidu.com/s?word=%e7%83%a9%e5%b9%8a%e5%9a%bd%e7%ba%a7&vit=uni&from=952b
Based on this, we suspect that the malware author intends to use the Trojan for SEO (search engine optimization), i.e. to increase the search ranking of a website. The Trojan is also capable of updating itself: it downloads the update and saves it to the /sdcard/uc folder under the file name myupdate.apk.
During our analysis we found traces of code that checked for the Access Point Names CMNET, CMWAP, UNINET, and UNIWAP, which belong to Chinese mobile network operators. Based on this, we suspect that the Trojan primarily targets Chinese Android users.
Devices infected with ADRD may suffer data disclosure and higher network bandwidth consumption, resulting in high data charges.
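As an added example (not code from the original analysis or from McAfee), the following Python script flags the two network behaviours described above in an HTTP proxy log: beacons to the ADRD remote hosts and bursts of background search requests to the wap.baidu.com search endpoint. The log layout, the burst threshold and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit
C2_HOSTS = {"adrd.xiaxiab.com", "adrd.taxuan.net"}   # hosts from the analysis above
SEARCH_HOST, SEARCH_PATH = "wap.baidu.com", "/s"     # background-search endpoint
# Assumed threshold (not from the write-up): this many searches from one client
# inside the window are treated as bot-driven rather than typed by a person.
BURST_COUNT, BURST_WINDOW = 4, timedelta(minutes=2)
# Assumed proxy log layout: "<ISO-8601 timestamp> <client> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Return (timestamp, client, host, path), or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url = m.groups()
    parts = urlsplit(url)
    return datetime.fromisoformat(ts), client, parts.hostname, parts.path

def detect_adrd(lines):
    """Return sorted (client, reason) alerts: C2 beacons and search bursts."""
    alerts, searches = set(), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host, path = rec
        if host in C2_HOSTS:
            alerts.add((client, "c2-beacon:" + host))
        elif host == SEARCH_HOST and path == SEARCH_PATH:
            searches[client].append(ts)
    for client, stamps in searches.items():
        stamps.sort()   # sliding window over this client's search times
        for i in range(len(stamps) - BURST_COUNT + 1):
            if stamps[i + BURST_COUNT - 1] - stamps[i] <= BURST_WINDOW:
                alerts.add((client, "search-burst"))
                break
    return sorted(alerts)

# Constructed sample log (not captured traffic): 10.0.0.7 beacons, then bursts searches
SAMPLE_LOG = """\
2011-03-01T10:00:00 10.0.0.7 POST http://adrd.xiaxiab.com/
2011-03-01T10:00:10 10.0.0.7 GET http://wap.baidu.com/s?word=%e7%83%a9&vit=uni&from=952b
2011-03-01T10:00:20 10.0.0.7 GET http://wap.baidu.com/s?word=%e5%b9%8a&vit=uni&from=952b
2011-03-01T10:00:31 10.0.0.7 GET http://wap.baidu.com/s?word=%e5%9a%bd&vit=uni&from=952b
2011-03-01T10:00:44 10.0.0.7 GET http://wap.baidu.com/s?word=%e7%ba%a7&vit=uni&from=952b
2011-03-01T10:05:00 10.0.0.9 GET http://wap.baidu.com/s?word=%e5%a4%a9%e6%b0%94
""".splitlines()
```

Running `detect_adrd(SAMPLE_LOG)` reports 10.0.0.7 for both the C2 beacon and the search burst, while the single ordinary search from 10.0.0.9 stays quiet.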
McAfee IPS Coverage
McAfee Network Security Platform (formerly called IntruShield) has released coverage for this bot under the attack signature – HTTP: HongTouTou-ADRD Trojan Detected (0x4840b500). McAfee customers with up-to-date installations are protected against this malware.