Doctored Apps Hide Android HongTouTou Trojan

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.,
Android malware

New Android Trojans in repackaged popular apps running wild on Chinese app markets and forums

Two variants of the latest Android malware have been spotted in two alternative Android app markets that primarily target Chinese customers, according to security researchers.

Dubbed “BD.HongTouTou.A” and “BD.HongTouTou.B”, the latest Trojan variants are repackaged inside popular Android apps and distributed through alternative app markets and forums, NetQin, a Chinese mobile security service provider said. The malware has been found in the popular game RoboDefense and a number of wallpaper apps, according to NetQin.

Original Apps Uncontaminated

It was important to remember that even though these apps had been repackaged with the Trojan and were being distributed in alternative markets, “the original versions available in the official Google Android Market have not been affected”, Lookout Security, another mobile security firm, said on February 15 in its initial alert.

The malware requests additional user permissions beyond what the host application legitimately requests, according to Lookout. The additional permissions include receiving notification that the phone has finished rebooting, writing to external storage, obtaining network information, opening network sockets, turning the phone on or off and other settings as well as changing 3G connection settings, according to Lookout.

When the app hosting HongTouTou starts, it sends encrypted data containing the device’s IMEI and IMSI information to a remote host. The malware receives a set of search engine targets and a set of search keywords from the remote host, which it uses to emulate a series of search queries, Lookout said. The malware also simulates looking at the top search results and clicking on specific results. As far as the search engine is concerned, these queries appear to be legitimate searches performed by a mobile user.

“The virus is also capable of analysing the user’s private information using key words,” NetQin said.

It also has the ability to download an Android package file and install it, although Lookout researchers said they have not yet seen the Trojan attempt to do so. The APK appears to have the ability to monitor SMS conversations and insert specific keywords into the conversation, Lookout researchers wrote.

Lookout security researchers identified 14 instances of HongTouTou repackaged inside Android apps, the company said on its blog. In a recent apps market report, Lookout analysed two different alternative markets that target Chinese customers and found nearly 11 percent of the redistributed apps that existed on the official Google market were either repackaged or not submitted to the alternative market by the original developer.

In its second App Genome Project report, the Lookout analysed more than 500,000 mobile apps across different device platforms and app markets. While the markets serve a legitimate need for local apps, there was a great likelihood of malware or other security vulnerabilities being introduced in these repackaged apps, Lookout found. These apps could hide a number of illegitimate activities, such as ad fraud, piracy or bundling malware, Lookout said.

Of the redistributed apps, nearly a quarter requested more permissions than the original app did, Lookout said. The additional permissions requested by repackaged apps include access to location, contact information, phone state, Internet access and the ability to make phone calls.

In December 2010, Lookout discovered a sophisticated Trojan named “Geinimi” in an alternative app store in China which could compromise a significant amount of personal data on a user’s phone and send it to remote servers.