ANDROIDOS_ADRD.B

This Android OS Trojan uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it conceals itself as a legitimate wallpaper.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

Based on its behavior, the purpose of this Trojan is click fraud which in turn may lead to increased and expensive data charges.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It may be manually installed by a user.

Other Details

This Trojan does the following:

• Conceals itself as a legitimate wallpaper application.
• Gathers the following information from affected device:
  • IMEI
  • IMSI
  • Access Point Name (cmnet, 3gwap, 3gnet, uniwap, uninet)
  • Local Date
• Sends the said information to the following website: http://adrd.{BLOCKED}an.ne/pic.aspx?im={encrypted data}
• Waits for certain reply from the servers. Based on its code, the reply may contain strings to be used to execute a search using http://wap.baidu.com.
• Downloads an updated component from the following site:
  • http://adrd.{BLOCKED}n.net/index.aspx?im=
  The downloaded file is saved as /sdcard/uc/myupdate.apk.
• Re-executes itself during any of the following instances:
  • When the device receives a phone call
  • During phone start-up
  • Whenever a new network connection is started
• Modifies the applications' permission to the following:
  
  

NOTES:

Based on its behavior, the purpose of this Trojan is click fraud which in turn may lead to increased and expensive data charges.