HongTouTou Android Trojan spotted in the wild

A new post-Geinimi Trojan that targets Android devices has been positively identified in the wild. The HongTouTou Trojan (aka ADRD) is apparently repackaged in popular Android apps and distributed via app markets and forums serving Mandarin-speaking users.

According to Tim Strazzere of Lookout Mobile Security, the malware requests additional user permissions and appears to be executing a set of stealth search-related activities in the background – including emulating keyword searches and clicks on specific search results.

”When an app containing HongTouTou starts, it sends encrypted data containing the device IMEI and the IMSI to a remote host. In response, the HongTouTou receives a set of search engine target URIs and a set of search keywords to send as queries,” explained Strazzere.

“HongTouTou then emulates the search process using these keywords to create searches in the search engine, crawls the top search results for those keywords, and emulates clicks on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with User-Agent corresponding to the UCWeb browser.”

Strazzere noted that HongTouTou was also capable of processing commands instructing it to download an APK (Android package file).

“Although we have not yet seen it attempt to install the APK, the APK appears to have the ability to monitor SMS conversations and insert content related to specific keywords (potentially spam) into the SMS conversation,” he confirmed.

So, who is affected?

Well, currently HongTouTou is only being distributed via alternative Chinese app markets and forums.

To download an app from a third-party app store, Android users are required to enable the installation of apps from “unknown sources.”

“While we have seen the HongTouTou Trojan packaged in fourteen separate Android applications including RoboDefense and a variety of wallpaper apps, it is important to remember that even though these apps are repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected,” Strazzere emphasized. 

“[So], only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings… Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.”