Android search engine manipulation trojan dissected

According to Takashi Katsuki, a security researcher with Symantec Asia-Pacific, Android.Adrd is unique in being the first Android operating system trojan whose purpose is search engine manipulation.

Propagation of Adrd and Geinimi, he says, is via pirated software, which allows the author to 'trojanise' the Android device and so deliver malicious content on top of clean content.

"Both threats register themselves to run at boot time. Android.Adrd also registers itself when a phone call is made or network connectivity settings are changed", he says in his latest security blog.

And here's where it gets interesting as Android.Geinimi opens a back door on a device and has more than 20 functions, such as making calls, sending text messages, and stealing sensitive information.

"On the other hand, Android.Adrd is very basic in comparison. When Android.Adrd is running, it receives a collection of strings from a remote server and then repeatedly performs search operations in the background (i.e. not visible to the user)", he says.

Katsuki claims that the search operations of the malware are made through HTTP requests in the following format:

wap.baidu.com/s?word=[ENCODED SEARCH STRING] &vit=uni&from=[ID]

Interestingly, he says, the immediate goal of these requests is to boost the site ranking of a Chinese mobile website via the popular Fas Eastern Baidu traffic union programme.

The HTTP requests result, he adds, in many artificial 'searches' for the terms supplied by the trojan's author(s), so artificially increasing the mobile site's ranking in the Baidu search engine's 'recommended sites' listings for certain search terms.

And so on to the money trail, which is where the hackers behind the trojans generate their revenue.

Android.Adrd, says Katsuki, doesn't beat about the bush, as its primary intent is search engine manipulation/click fraud from a mobile device.

"To make sure the threat is continuously productive, the creators have even gone to the extent of adding routines to identify the connection method being used (WiFi or 3G access)", he says.

The interesting twist here, adds the Symantec researcher, is that fraudulent apps running on mobile devices have an advantage in that they can switch between connection methods - which can help them evade fraudulent click-checking mechanisms.

"In contrast, there currently is no definitive financial motive that can be attributed to Android.Geinimi", he notes.

"Even though Android.Adrd does not appear to be hugely complex, one should bear in mind that it includes an update function that allows the attacker to update and modify functionality or behaviour when required. Given this, please ensure that your mobile device antivirus product is up to date", he concludes.

What’s Hot on Infosecurity Magazine?