Android/ADRD trojan analysis

It seems the Android trojan created some noise last week, so I decided to have a quick look at it. Here is a very preliminary analysis of this sample.

This malware is not backward compatible. It does not install on the Android 2.0 platform: when I tried to install it in an emulator running 2.0, it simply refused to install.

Compatibility test

A quick look at the manifest file shows the receivers and the intent filters.

Receivers and intent filters

You can see that the sample runs silently in the background.

Remote command output

A quick look at the app-state dump also shows all the receivers in action. Another variant used a custom implementation of Base64 encoding to obfuscate its URLs.

Decoding the obfuscated URLS

Creating a simple script that reuses the decoding function from the malware reveals the URLs hidden behind the obfuscation:

instrumented output of the decoded URLs
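The decoding step described above, written out as an added example (this is not the malware's decoder nor the author's script): the custom alphabet is mapped back onto the standard Base64 alphabet and the token is decoded normally, and a small scanner goes one step further by trying every dumped string and keeping the ones that decode to a URL. The alphabet and sample strings below are constructed placeholders; the real table has to be lifted from the sample's own decoding routine.

```python
import base64
import re

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed placeholder alphabet (reversed case blocks, reversed digits).
# It is NOT the table used by the sample; copy the real char[] table out of
# the decompiled decoder and put it here.
CUSTOM = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210+/"


def decode_custom_b64(token: str, alphabet: str = CUSTOM) -> bytes:
    """Translate a custom-alphabet Base64 token to the standard alphabet and decode it."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    std_token = token.translate(str.maketrans(alphabet, STD))
    # Custom encoders frequently drop the '=' padding; restore it before decoding.
    std_token += "=" * (-len(std_token) % 4)
    # validate=True rejects anything that is not a clean Base64 string (binascii.Error).
    return base64.b64decode(std_token, validate=True)


def encode_custom_b64(data: bytes, alphabet: str = CUSTOM) -> str:
    """Inverse of decode_custom_b64; only used here to build the constructed samples."""
    std_token = base64.b64encode(data).decode("ascii").rstrip("=")
    return std_token.translate(str.maketrans(STD, alphabet))


def find_urls(strings, alphabet: str = CUSTOM) -> dict:
    """Try each string as a custom Base64 token; return {token: url} for those that decode to a URL."""
    hits = {}
    for s in strings:
        try:
            plain = decode_custom_b64(s, alphabet).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if re.match(r"^https?://[\w.-]+", plain):
            hits[s] = plain
    return hits


# Constructed sample: strings as one might dump from the app's constant pool.
# The first entry is "http://example.com" encoded with the CUSTOM alphabet above.
SAMPLE_STRINGS = [
    "zSI9xWleO7E5BD8dyTFfB70g",
    "android.intent.action.BOOT_COMPLETED",
    "aHR0cDovL2V4YW1wbGUuY29t",  # standard Base64; not valid under the custom table
]

if __name__ == "__main__":
    for token, url in find_urls(SAMPLE_STRINGS).items():
        print(f"{token} -> {url}")
```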

It looks like the mobile platform is becoming a hot target for the malware community, and we can only see the trend going upward in the coming months.

cheers 🙂

 


4 Responses to “Android/ADRD trojan analysis”

  1. anthony.desnos Says:

    Hello,

    Is it possible to have access to the malware, or a link to the Chinese forum?

  2. Chandra Wangsa Setiadipura Says:

    Hi,
    my name is Chandra, I'm a student from Indonesia.
    Now I'm doing research about Android malware.
    Btw, I'm so interested in your article. 🙂
    I wanna ask something about the tools that you use to monitor the Android malware.
    I saw a 'Remote Command' window in your article.
    What tool is that?
    And how do I get it?
    Thank you very much.

    • Dinesh Venkatesan Says:

      Hi,

      You can invoke the process list command through the Dalvik Debug Monitor (ddms.bat). It is shipped with the default Android SDK.

      Alternatively, you can also use adb to open a shell and execute commands:

      adb shell
      ps -x
