Android Trojan HongTouTou Found in Chinese Alternative App Markets

Two variants of the latest Android malware have been spotted in two alternative Android application markets that primarily target Chinese customers, according to security researchers.

Dubbed "BD.HongTouTou.A" and "BD.HongTouTou.B," the latest Trojan variants are repackaged inside popular Android apps and distributed through alternative app markets and forums, NetQin, a Chinese mobile security service provider said on Feb. 22. The malware has been found in the popular game "RoboDefense" and a number of wallpaper apps, according to NetQin.

Even though these apps have been repackaged with the Trojan and are being distributed in alternative markets, "the original versions available in the official Google Android Market have not been affected," Lookout Security, another mobile security firm, said on Feb. 15 in its initial alert.

The malware requests additional user permissions beyond what the host application legitimately requests, according to Lookout. The additional permissions include receiving notification that the phone has finished rebooting, writing to external storage, obtaining network information, opening network sockets, turning the phone on or off and other settings, as well as changing 3G connection settings, according to Lookout.

When the app hosting HongTouTou starts, it sends encrypted data containing the device's IMEI and IMSI information to a remote host. The malware receives a set of search engine targets and a set of search keywords from the remote host, which it uses to emulate a series of search queries, Lookout said. The malware also simulates looking at the top search results and clicking on specific results. As far as the search engine is concerned, these queries appear to be legitimate searches performed by a mobile user.

 "The virus is also capable of analyzing the user's private information using keywords," NetQin said.

In addition, it has the ability to download an Android package file and install it, although Lookout researchers said they have not yet seen the Trojan attempt to do so. The APK appears to have the ability to monitor SMS conversations and insert specific keywords into the conversation, Lookout researchers wrote.

Lookout security researchers identified 14 instances of HongTouTou repackaged inside Android apps, the company said on its blog. In a recent apps market report, Lookout analyzed two different alternative markets that target Chinese customers and found nearly 11 percent of the redistributed apps that existed on the official Google market were either repackaged or not submitted to the alternative market by the original developer.

In its second App Genome Project report, Lookout analyzed more than 500,000 mobile apps across different device platforms and app markets. While the markets serve a legitimate need for local apps, there is great likelihood of malware or other security vulnerabilities being introduced in these repackaged apps, Lookout found. These apps can hide a number of illegitimate activities, such as ad fraud, piracy or bundling malware, Lookout said.

Of the redistributed apps, nearly a quarter requested more permissions than the original app did, Lookout said. The additional permissions requested by repackaged apps include access to location, contact information, phone state, Internet access and the ability to make phone calls.

In December 2010, Lookout discovered a sophisticated Trojan named "Geinimi" in an alternative app store in China that could compromise a significant amount of personal data on a user's phone and send it to remote servers.