ANDROIDOS_ADRD.A

 Analysis by: jasperm

 ALIASES:

Trojan:Android/Adrd.A (F-Secure)

 THREAT SUBTYPE:

Information Stealer, Click Fraud, Malicious Downloader

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


This Trojan uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it conceals itself as a legitimate wallpaper application.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This malware conceals itself as a legitimate wallpaper application. It gathers information from affected device. It then sends the said information to a specific website.It also downloads an updated component from a certain URL. Based on its behavior, the purpose of this Trojan is click fraud, which in turn may lead to increased and expensive data charges.

This backdoor may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.

  TECHNICAL DETAILS

File Size:

1,659,365 bytes

File Type:

Other

Memory Resident:

Yes

Initial Samples Received Date:

16 Feb 2011

Payload:

Downloads files, Steals information

Arrival Details

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

It may be manually installed by a user.

Other Details

This backdoor does the following:

  • Conceals itself as a legitimate wallpaper application.
  • Gathers the following information from affected device:
    • IMEI
    • IMSI
    • Access Point Name (cmnet, 3gwap, 3gnet, uniwap, uninet)
    • Local Date
  • Sends the said information to the following website:
    • http://adrd.{BLOCKED}b.com/pic.aspx?im=
  • Waits for certain reply from the servers. Based on its code, the reply may contain strings to be used to execute a search using http://wap.{BLOCKED}u.com.
  • Downloads an updated component from the following site:
    • http://adrd.{BLOCKED}n.net/index.aspx?im=
    The downloaded file is saved as /sdcard/uc/myupdate.apk.
  • Re-executes itself during any of the following instances:
    • When the device receives a phone call
    • During phone start-up
    • Whenever a new network connection is started

NOTES:
This Trojan arrives bundled with legitimate but Trojanized applications. Based on its behavior, its purpose is click fraud, which in turn may lead to increased and expensive data charges.

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.105.00

TMMS Pattern Date:

13 Jun 2011

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

[ Learn More ]

Did this description help? Tell us how we did.