For the past several years, we have seen a rapid rise of devices that access the Internet. This has also resulted in rise of various malware that target such devices. One of the most targeted of these devices are our web-savvy mobile phones. According to the McAfee Threats Report: Fourth Quarter 2010 malware targeting mobile devices rose by 46 percent in 2010. The Android OS, which overtook Symbian in popularity in the last quarter of 2010, has become the preferred choice for cybercriminals. Much in line with this trend is some recent malware targeting the Android OS that we came across: the Android/DRAD bot.
The malicious application comes bundled in legitimate applications distributed by third-party app stores. The malware authors download the legitimate applications, repackage them to contain the Trojan, and upload them again to app stores for users to download. The infected application that we analyzed was related to a wallpaper application called Dandelion.
The application requires Android 2.1 or later to install and execute.
Here is a screenshot of the application once installed:
The installed application has the following permissions:
The application can access contact info, access the Internet, modify/delete SD card contents, and even write access-point settings.
The application executes when one of these conditions is met.
- Two minutes have passed since the OS started/booted
- Change in network connectivity, for example, the device lost network connectivity and then reestablished it
- Call state on the device is changed, for example, receiving a call
A quick look at the AndroidMainfest.xml confirms these conditions.
Below is the screenshot of the Trojan when executed:
The Trojan on execution contacts the following remote hosts:
and sends the following device info:
- IMEI: International Mobile Equipment Identity
- IMSI: International Mobile Subscriber Identity
The data transmitted is DES encrypted with the key “48734154.”
The next screenshot shows the information being transmitted by an infected Android mobile device:
The encoded data transmitted takes this form:
Encoded String = IMEI + IMSI + Netway + iversion + oversion
iversion = “6” ( Hardcoded)
oversion = “adrd.zt.cw.4” (Hardcoded)
The server then responds with a list of URLs. The Trojan randomly picks one of these URLs and tries to contact it. In response, the server returns a search string that the Trojan uses to perform a web search in the background. It does this by issuing multiple HTTP search requests to the location.
Based on this we suspect that the malware author intends to use the Trojan to perform search engine optimization to increase site rankings for a website. The Trojan can also update itself. It downloads the update and saves it to the /sdcard/uc folder with the filename myupdate.apk.
During our analysis we found traces of code that checked for the Access Point Names CMNET, CMWAP, UNINET, and UNIWAP, which belong to the Chinese Mobile Network. Based on this, we suspect that the Trojan primarily targets Chinese Android mobile users.
User devices infected with Android/DRAD may suffer from data disclosure and higher network bandwidth consumption resulting in high data charges.
McAfee IPS Coverage
McAfee Network Security Platform (formerly called IntruShield) has released coverage for this bot under the attack signature “HTTP: HongTouTou-ADRD Trojan Detected (0x4840b500).” McAfee customers with up-to-date installations are protected against this malware.