Lookout and NetQin discover a new Android Trojan that is repackaged in popular Android apps and distributed through app markets and forums serving Chinese-speaking users.
Two variants of the latest Android malware have been spotted in two
alternative Android application markets that primarily target Chinese customers,
according to security researchers.
Dubbed "BD.HongTouTou.A" and "BD.HongTouTou.B," the
latest Trojan variants are repackaged inside popular Android apps and
distributed through alternative app markets and forums, NetQin, a Chinese
mobile security service provider said on Feb. 22. The malware has been found in
the popular game "RoboDefense" and a number of wallpaper apps,
according to NetQin.
Even though these apps have been repackaged with the Trojan and are being distributed
in alternative markets, "the original versions available in the official
Google Android Market have not been affected," Lookout
, another mobile security firm, said on Feb. 15 in its initial
The malware requests additional user permissions beyond what the host
application legitimately requests, according to Lookout. The additional
include receiving notification that the phone has finished
rebooting, writing to external storage, obtaining network information, opening
network sockets, turning the phone on or off and other settings, as well as
changing 3G connection settings, according to Lookout.
When the app hosting HongTouTou starts, it sends encrypted data containing
the device's IMEI and IMSI information to a
remote host. The malware receives a set of search engine targets and a set of
search keywords from the remote host, which it uses to emulate a series of
search queries, Lookout said. The malware also simulates looking at the top
search results and clicking on specific results. As far as the search engine is
concerned, these queries appear to be legitimate searches performed by a mobile
"The virus is also capable of analyzing the user's private
information using keywords," NetQin said.
In addition, it has the ability to download an Android package file and
install it, although Lookout researchers said they have not yet seen the Trojan
attempt to do so. The APK appears to have the ability to monitor SMS
conversations and insert specific keywords into the conversation, Lookout
Lookout security researchers identified 14 instances of HongTouTou
repackaged inside Android apps, the company said on its blog. In a recent apps
market report, Lookout analyzed two different alternative markets that target
Chinese customers and found nearly 11 percent of the redistributed apps that
existed on the official Google market were either repackaged or not submitted
to the alternative market by the original developer.
In its second App Genome Project
report, Lookout analyzed more than 500,000 mobile apps across different device
platforms and app markets. While the markets serve a legitimate need for local
apps, there is great likelihood of malware or other security vulnerabilities
being introduced in these repackaged apps, Lookout found. These apps can hide a
number of illegitimate activities, such as ad fraud, piracy or bundling
malware, Lookout said.
Of the redistributed apps, nearly a quarter requested more permissions than
the original app did, Lookout said. The additional permissions requested by
repackaged apps include access to location, contact information, phone state,
Internet access and the ability to make phone calls.
In December 2010, Lookout discovered a sophisticated Trojan named "Geinimi
in an alternative app store in China
that could compromise a significant amount of personal data on a user's phone
and send it to remote servers.