
Android/Hongtoutou.A!tr - Released Feb 15, 2011

Alias/es

ADRD (Aegislab), HongTouTou (lookout)

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Visible Symptoms

Battery drain
Abnormally high bill due to Internet connections.

Detailed Analysis

Android/Hongtoutou.A!tr is a Trojan for Android platforms >= 2.1.
The trojan is packaged with a live wallpaper for Android mobile phones. This is particularly convenient for malware authors because wallpapers are not listed in the phone's application panel, so the victim will have more difficulty detecting that his/her mobile phone is infected.
It retrieves the phone's IMEI and IMSI, posts the information to a remote web site and downloads from that web site a list of URLs to visit.


Technical Details


The malicious Android package contains a classes.dex (standard Android Dalvik bytecode) with the malicious classes located in com.xxx.yyy.
The main part of the trojan is contained within the class MyService and is activated every 13 hours. It retrieves the IMEI and the IMSI of the infected device, and then posts this information to a malicious remote server:
http://[REMOVED]uan.net/index.aspx?im=[ENCRYPTED STRING]
Precisely, the information which is posted consists of the following parameters:
  1. IMSI: infected device's IMSI
  2. IMEI: infected device's IMEI
  3. netway: this integer defines how the mobile connects to the Internet. 1 means WAP, 2 means WIFI.
  4. iversion: internal version of the malware. For example, 6.
These parameters are separated by '&', and the resulting string is encrypted with the DES algorithm in CBC mode.
The encryption key is hard-coded in the malware (see the qzl class). The Initialization Vector (IV) is equal to the key.
The remote website is contacted using a hard-coded mobile agent string: J2ME/UCWEB7.4.0.57
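As an added analyst helper (not part of Fortinet's write-up or the sample's own code), the Go program below decrypts a captured "im=" value with the DES key recovered from the qzl class, using the key as IV as described above, and splits out the four reported fields. The hex encoding of the URL value, PKCS#5 padding (Java's default) and the "name=value" layout of the plaintext are assumptions not stated in the analysis; "KEY-TBD!" is a placeholder for the real key.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"strings"
)

// DecryptReport decrypts a captured "im=" value with the 8-byte DES key from the
// sample's qzl class. Page: DES-CBC with IV == key. Assumed here: hex encoding,
// PKCS#5 padding (Java's default) and "IMSI=..&IMEI=..&netway=..&iversion=..".
func DecryptReport(key []byte, encHex string) (map[string]string, error) {
	ct, err := hex.DecodeString(encHex)
	if err != nil || len(ct) == 0 || len(ct)%8 != 0 {
		return nil, errors.New("im= value is not hex or not whole DES blocks")
	}
	block, err := des.NewCipher(key) // errors unless key is exactly 8 bytes
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, key).CryptBlocks(pt, ct) // IV == key
	n := int(pt[len(pt)-1])
	if n < 1 || n > 8 || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#5 padding: wrong key or different format")
	}
	fields := map[string]string{}
	for _, kv := range strings.Split(string(pt[:len(pt)-n]), "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = v
		}
	}
	return fields, nil
}

// EncryptReport is the inverse; it exists only to build sample traffic offline.
func EncryptReport(key []byte, plain string) (string, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := 8 - len(plain)%8 // PKCS#5: always append 1..8 bytes of value n
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, key).CryptBlocks(ct, pt)
	return hex.EncodeToString(ct), nil
}
```

Run against a real capture, a padding error from DecryptReport usually means the wrong key was extracted or the sample uses a different encoding than assumed here.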

The trojan also contacts another malicious URL:
http://[REMOVED]xiab.com/pic.aspx?im=[ENCRYPTED STRING]
This remote server returns a DES-encrypted list of parameters and URLs to visit. The parameters are separated by hashes (#) or pipes (|). URLs to visit are for example:
http://[REMOVED].105/g/g.ashx?w=963a_w1
http://[REMOVED].105/g/g.ashx?w=979a_w1
When visited, those URLs return a string to search for on wap.baidu.com (Chinese search engine - legitimate):
http://wap.baidu.com/s?word=%e6%88%91%e6%95%85%e6%84%8f&vit=uni&from=780b_w1

The trojan is re-started when the phone reboots (see MyBoolService class).
It also has the ability to update itself. The new update is expected on the SD card at /sdcard/uc/myupdate.apk.
It requests the following permissions to run:
android.permission.ACCESS_WIFI_STATE
android.permission.READ_CONTACTS
android.permission.WRITE_APN_SETTINGS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.ACCESS_NETWORK_STATE
android.permission.READ_PHONE_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.MODIFY_PHONE_STATE
This malware targets Chinese end-users in particular.

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 2494321