AegisLab is devoted to protecting the security of mobile users; we have been collecting and analyzing Android packages for two years. Today we found a new Android trojan, which we call "ADRD", that had not been reported by any security vendor before.
In our analysis, the malware writer repackaged (infected) legitimate apps, especially wallpapers, which do not usually appear on the apps panel, so users rarely notice them. This trojan compromises personal data such as the IMEI/IMSI of the device and sends it back to the remote side, then reacts based on the commands received from there. The infected applications request extensive permissions such as RECEIVE_BOOT_COMPLETED and ACCESS_NETWORK_STATE so they can run in the background once the corresponding event occurs. It also schedules an alarm to wake itself up regularly. However, it keeps a somewhat lower profile than the 'Geinimi' trojan found last year: fewer messages/commands are sent and less bandwidth is consumed by this trojan. Users may not notice it even after weeks, but still suffer data leakage and bandwidth consumption.
How it works:
It registers several receivers to intercept events such as boot completion and network connectivity change, then starts a service in the background once the event occurs. The service first connects back to the server over HTTP with a DES-encoded string like:
After decoding, we have:
It sends back the IMEI/IMSI of the phone together with some version numbers of the trojan, so the server can decide the next step. Later the server responds with a list of URLs:
After a few HTTP requests back and forth, it gets a URL to connect to in the background (in the case analyzed): http://wap.baidu.com/s?word=%e7%83%a8%e4%b9%8b%e5%9b%bd%e5%ba%a6&vit=uni&from=961a_w1
The malware writer may benefit from the random links users are made to connect to, while users suffer data disclosure as well as bandwidth consumption (a higher network bill).
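The combination described above (boot/connectivity receivers that start a background service, identifier plus network permissions, and no launcher activity so the app stays off the apps panel) can be checked statically in a decoded AndroidManifest.xml. The following triage script is an added example written for this post, not AegisLab's tooling or code from the trojan; both manifests it runs on are constructed samples, and the indicator heuristics are assumptions chosen to match the behaviour described here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Wake-up triggers the post describes: boot completion and connectivity change.
WAKE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.net.conn.CONNECTIVITY_CHANGE",
}
# Permission set that together enables the beaconing behaviour described:
# device identifiers (IMEI/IMSI), network access and restart after boot.
SENSITIVE_PERMS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed sample: a repackaged wallpaper-style app with the traits above.
# Package and class names are made up for illustration.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <service android:name=".BackgroundService"/>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a launcher activity and no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def analyze_manifest(xml_text):
    """Extract permissions, wake-up receivers, services and launcher presence."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    wake_receivers = []
    for recv in root.iter("receiver"):
        actions = {a.get(NAME) for a in recv.iter("action")}
        hit = actions & WAKE_ACTIONS
        if hit:
            wake_receivers.append((recv.get(NAME), sorted(hit)))
    services = [s.get(NAME) for s in root.iter("service")]
    has_launcher = any(
        c.get(NAME) == "android.intent.category.LAUNCHER"
        for act in root.iter("activity") for c in act.iter("category")
    )
    return {
        "permissions": perms,
        "wake_receivers": wake_receivers,
        "services": services,
        "has_launcher": has_launcher,
    }


def triage(xml_text):
    """Return a list of indicator strings; an empty list means nothing matched."""
    info = analyze_manifest(xml_text)
    indicators = []
    if SENSITIVE_PERMS <= info["permissions"]:
        indicators.append("requests identifier + network + boot permission set")
    if info["wake_receivers"]:
        actions = sorted({a for _, acts in info["wake_receivers"] for a in acts})
        indicators.append("receiver wakes on: " + ", ".join(actions))
    if info["wake_receivers"] and info["services"]:
        indicators.append("wake receiver paired with a background service")
    if not info["has_launcher"]:
        indicators.append("no launcher activity (app is absent from the apps panel)")
    return indicators


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, "->", triage(manifest) or ["no indicators"])
```

None of these indicators is malicious on its own (live wallpapers and sync clients legitimately use boot receivers), so the script is meant to rank repackaged apps for manual review rather than to block them; the useful signal is the full combination together with the absence of a launcher activity.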