Doctored Apps Hide Android HongTouTou Trojan

Two variants of the latest Android malware have been spotted in two alternative Android app markets that primarily target Chinese customers, according to security researchers.

Dubbed “BD.HongTouTou.A” and “BD.HongTouTou.B”, the latest Trojan variants are repackaged inside popular Android apps and distributed through alternative app markets and forums, NetQin, a Chinese mobile security service provider, said. The malware has been found in the popular game RoboDefense and a number of wallpaper apps, according to NetQin.

Original Apps Uncontaminated

It was important to remember that even though these apps had been repackaged with the Trojan and were being distributed in alternative markets, “the original versions available in the official Google Android Market have not been affected”, Lookout Security, another mobile security firm, said on February 15 in its initial alert.

The malware requests additional user permissions beyond what the host application legitimately requests, according to Lookout. The additional permissions include receiving notification that the phone has finished rebooting, writing to external storage, obtaining network information, opening network sockets, turning the phone on or off and changing other settings, as well as changing 3G connection settings.

When the app hosting HongTouTou starts, it sends encrypted data containing the device’s IMEI and IMSI information to a remote host. The malware receives a set of search engine targets and a set of search keywords from the remote host, which it uses to emulate a series of search queries, Lookout said. The malware also simulates looking at the top search results and clicking on specific results. As far as the search engine is concerned, these queries appear to be legitimate searches performed by a mobile user.

“The virus is also capable of analysing the user’s private information using key words,” NetQin said.

It also has the ability to download an Android package file and install it, although Lookout researchers said they have not yet seen the Trojan attempt to do so. The APK appears to have the ability to monitor SMS conversations and insert specific keywords into the conversation, Lookout researchers wrote.

Lookout security researchers identified 14 instances of HongTouTou repackaged inside Android apps, the company said on its blog. In a recent apps market report, Lookout analysed two different alternative markets that target Chinese customers and found nearly 11 percent of the redistributed apps that existed on the official Google market were either repackaged or not submitted to the alternative market by the original developer.

In its second App Genome Project report, Lookout analysed more than 500,000 mobile apps across different device platforms and app markets. While the markets serve a legitimate need for local apps, there was a great likelihood of malware or other security vulnerabilities being introduced in these repackaged apps, Lookout found. These apps could hide a number of illegitimate activities, such as ad fraud, piracy or bundling malware, Lookout said.

Of the redistributed apps, nearly a quarter requested more permissions than the original app did, Lookout said. The additional permissions requested by repackaged apps include access to location, contact information, phone state, Internet access and the ability to make phone calls.
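The permission comparison Lookout describes, both for HongTouTou and for redistributed apps in general, can be checked by diffing the decoded manifest of a candidate build against the developer's original. The following is an added example, not code from Lookout or NetQin; the manifests are constructed samples, and the mapping of the article's permission descriptions to Android permission names in `WATCHLIST` is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the permissions the article describes to Android names.
WATCHLIST = {"android.permission." + n for n in (
    "RECEIVE_BOOT_COMPLETED", "WRITE_EXTERNAL_STORAGE", "ACCESS_NETWORK_STATE",
    "INTERNET", "WRITE_APN_SETTINGS", "WRITE_SETTINGS", "ACCESS_FINE_LOCATION",
    "READ_CONTACTS", "READ_PHONE_STATE", "CALL_PHONE")}

# Constructed sample manifests (decoded text XML), not taken from real apps.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.towergame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.towergame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <application><activity android:name=".Main"/>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""


def manifest_facts(xml_text):
    """Return (package, permissions, components) declared in one manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    comps = {(e.tag, e.get(ANDROID_NS + "name", "")) for e in root.iter()
             if e.tag in ("activity", "service", "receiver", "provider")}
    return root.get("package"), perms - {None}, comps


def permission_drift(original_xml, candidate_xml):
    """Report what a candidate build declares beyond the developer's original."""
    pkg_o, perms_o, comps_o = manifest_facts(original_xml)
    pkg_c, perms_c, comps_c = manifest_facts(candidate_xml)
    added = perms_c - perms_o
    return {"same_package": pkg_o == pkg_c,
            "added_permissions": sorted(added),
            "watchlist_hits": sorted(added & WATCHLIST),
            "added_components": sorted(comps_c - comps_o)}


print(permission_drift(ORIGINAL, REPACKAGED))
```

A build that keeps the original package name while adding permissions and a boot receiver is the pattern worth escalating for manual review; the diff alone does not prove the build is malicious.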

In December 2010, Lookout discovered a sophisticated Trojan named “Geinimi” in an alternative app store in China which could compromise a significant amount of personal data on a user’s phone and send it to remote servers.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
