With the recent discovery of Android.Adrd, I found it interesting that a few security companies decided to classify this threat under the same detection name as Android.Geinimi, even though Android.Adrd is a distinct threat in its own right. It is the first Trojan horse for Android whose purpose is search engine manipulation. In today’s blog, I will compare these two threats.
Propagation
Both threats spread through pirated software. Their authors take popular apps, “Trojanize” them by adding the malicious code on top of the clean app, and redistribute the repackaged copies; the user installs what looks like the app they wanted.
Initialization
Both threats register themselves to run at boot time. Android.Adrd additionally registers to be started when a phone call is made or when the network connectivity settings change (on Android this is done with broadcast receivers for those system events), so the Trojan does not depend on the user ever launching the host app.
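A quick way to triage a suspect APK for this behaviour is to decode its manifest (for example with apktool) and list which receivers listen for the boot, call and connectivity broadcasts. The script below is an added example and is not code from the original post or from either Trojan; the manifest it parses is constructed, the class names in it are made up, and the intent actions are the standard Android ones for the events the post describes.

```python
"""Flag Android broadcast receivers that wake an app on boot, call or network events.

Added triage example. SAMPLE_MANIFEST is constructed for illustration (the
receiver/service class names are hypothetical); it is not the manifest of
Android.Adrd or Android.Geinimi.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Standard system broadcasts that let an app start without the user launching it.
# These are the events the post says Android.Adrd hooks (boot, phone calls and
# connectivity changes); NEW_OUTGOING_CALL covers calls placed from the device.
WAKEUP_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "boot",
    "android.intent.action.PHONE_STATE": "phone call",
    "android.intent.action.NEW_OUTGOING_CALL": "phone call",
    "android.net.conn.CONNECTIVITY_CHANGE": "network change",
}

# Constructed sample manifest, as produced by decoding a repackaged app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".svc.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".svc.CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <service android:name=".svc.BaseService"/>
  </application>
</manifest>
"""


def wakeup_receivers(manifest_xml):
    """Map each receiver class name to the wake-up triggers it listens for.

    Returns a dict like {".svc.BootReceiver": ["boot", "network change"]};
    receivers that listen for none of WAKEUP_ACTIONS are omitted.
    """
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name, namespace-qualified
    found = {}
    for receiver in root.iter("receiver"):
        triggers = []
        for action in receiver.iter("action"):
            label = WAKEUP_ACTIONS.get(action.get(name_attr, ""))
            if label and label not in triggers:
                triggers.append(label)
        if triggers:
            found[receiver.get(name_attr)] = triggers
    return found


if __name__ == "__main__":
    for receiver, triggers in wakeup_receivers(SAMPLE_MANIFEST).items():
        print("%s: starts on %s" % (receiver, ", ".join(triggers)))
```

A game that registers for boot, call and connectivity broadcasts is not proof of infection on its own, but in a repackaged copy of a known clean app it is exactly the difference worth diffing against the original manifest.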
Functionality
Android.Geinimi opens a back door on the device. It has over twenty functions, such as making calls, sending SMS messages, and stealing sensitive information. Android.Adrd is far simpler by comparison. While running, it fetches a collection of strings from a remote server and then repeatedly performs searches for them in the background, invisible to the user. Each search is an HTTP request of the following form:
wap.baidu.com/s?word=[ENCODED SEARCH STRING]&vit=uni&from=[ID]
The immediate goal of these requests is to boost the ranking of a Chinese mobile Web site known as 聚焦网 (Focus Online) through Baidu’s Traffic Union program. The requests generate many artificial “searches” for the terms supplied by the Trojan’s author(s), which artificially raises the mobile site’s position in the Baidu search engine’s “Recommended Sites” listings for those terms.
Encryption
Both threats encrypt their communication with DES. Since the client has to carry the symmetric key, an analyst who extracts it from the app can decrypt captured traffic; the encryption hinders casual inspection of the network traffic rather than determined analysis.
The Money Trail
Android.Adrd doesn’t beat about the bush; its primary intent is search engine manipulation/click fraud from a mobile device. To keep the threat continuously productive, its creators have even added routines to identify the connection method in use (WiFi or 3G). The twist is that a fraudulent app on a mobile device can switch between connection methods, and each switch typically gives the device a different source IP address, which helps it evade click-fraud checks that look for many searches arriving from a single address. In contrast, there is currently no definitive financial motive that can be attributed to Android.Geinimi.
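The request format quoted above and the WiFi/3G switching described here suggest a simple network-side detection: group Baidu search requests by the from=[ID] value, flag bursts of background searches, and flag IDs whose traffic arrives over more than one network or source address. The script below is an added example, not code from the original post or from Symantec’s analysis; the log format (time, client IP, interface, URL) and the log lines are constructed, it assumes both the WiFi and 3G paths are logged at the same observation point (a carrier gateway or an enterprise VPN/MDM proxy), and the URL shape is the one the post quotes.

```python
"""Spot Adrd-style background search traffic in a web-proxy log.

Added detection example. SAMPLE_LOG is constructed (ISO time, client IP,
interface, URL per line); the wap.baidu.com request shape is the one the post
describes, but the IDs, addresses and search terms are made up.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed log: the same from=1234 ID issues three searches within seconds on
# WiFi, then reappears on 3G from a different address; 8888 is a lone search.
SAMPLE_LOG = """\
2011-02-15T10:00:01 10.0.0.7 wifi http://wap.baidu.com/s?word=%E8%81%9A%E7%84%A6%E7%BD%91&vit=uni&from=1234
2011-02-15T10:00:03 10.0.0.7 wifi http://wap.baidu.com/s?word=%E6%89%8B%E6%9C%BA%E6%B8%B8%E6%88%8F&vit=uni&from=1234
2011-02-15T10:00:04 10.0.0.9 wifi http://wap.baidu.com/s?word=weather&vit=uni&from=8888
2011-02-15T10:00:05 10.0.0.7 wifi http://wap.baidu.com/s?word=%E5%B0%8F%E8%AF%B4&vit=uni&from=1234
2011-02-15T10:00:40 172.16.5.2 3g http://wap.baidu.com/s?word=%E8%81%9A%E7%84%A6%E7%BD%91&vit=uni&from=1234
2011-02-15T10:00:42 172.16.5.2 3g http://wap.baidu.com/s?word=%E6%89%8B%E6%9C%BA%E6%B8%B8%E6%88%8F&vit=uni&from=1234
2011-02-15T10:00:50 10.0.0.9 wifi http://www.example.com/index.html
"""


def parse_search(url):
    """Return (from_id, decoded search term) for a wap.baidu.com/s?...&vit=uni&from=ID
    request, or None for any other URL. parse_qs percent-decodes the values."""
    u = urlsplit(url)
    if u.netloc != "wap.baidu.com" or u.path != "/s":
        return None
    q = parse_qs(u.query)
    if q.get("vit") != ["uni"] or "from" not in q or "word" not in q:
        return None
    return q["from"][0], q["word"][0]


def analyse(log_text, window_s=60, min_searches=3):
    """Group matching searches by from=ID and report suspicious IDs.

    An ID is reported if it issues min_searches searches within window_s seconds
    (a background burst no human types) or if its traffic arrives over more than
    one network interface (the WiFi/3G switching the post describes).
    """
    searches = defaultdict(list)  # from_id -> [(time, ip, iface, term)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, iface, url = line.split(maxsplit=3)
        hit = parse_search(url)
        if hit:
            from_id, term = hit
            searches[from_id].append((datetime.fromisoformat(ts), ip, iface, term))

    findings = {}
    for from_id, events in searches.items():
        events.sort()
        burst = any(
            (events[i + min_searches - 1][0] - events[i][0]).total_seconds() <= window_s
            for i in range(len(events) - min_searches + 1)
        )
        networks = sorted({e[2] for e in events})
        if burst or len(networks) > 1:
            findings[from_id] = {
                "searches": len(events),
                "burst": burst,
                "networks": networks,
                "client_ips": sorted({e[1] for e in events}),
                "terms": sorted({e[3] for e in events}),
            }
    return findings


if __name__ == "__main__":
    for from_id, info in analyse(SAMPLE_LOG).items():
        print("from=%s: %d searches, burst=%s, networks=%s, ips=%s, terms=%s" % (
            from_id, info["searches"], info["burst"], info["networks"],
            info["client_ips"], info["terms"]))
```

Keying on the Traffic Union ID rather than the client address is deliberate: the address is what changes when the device hops between WiFi and 3G, while the ID is what the fraud needs to keep constant in order to be credited. A legitimate user who searches once (from=8888 above) is not reported, and the thresholds should be tuned against real traffic before the rule goes into production.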
Even though Android.Adrd does not appear to be hugely complex, bear in mind that it includes an update function that lets the attacker change its functionality or behavior whenever required, so what it does today is not necessarily what it will do tomorrow. Given this, please ensure that your mobile device antivirus product is up to date.