NEWS FROM THE LAB - Wednesday, February 16, 2011

Trojan:Android/Adrd.A Posted by Response @ 08:46 GMT

A few days back, Mikko tweeted about a new Android trojan named ADRD (we detect it as as Trojan:Android/Adrd.A).

ADRD was mostly found included in several applications from a third-party application provider in China, with the applications repackaged to contain the trojan. So far, most of the infected applications have been wallpaper-related.

Here is an example of an infected application:

An installed application infected with ADRD may show these permissions:

These permissions enable ADRD to start its routine during phone start up, changing of data connection such as enabling/disabling network data access. Some of its permissions may include access to the SD card, the phone and the Access Point Name(APN) settings.

ADRD's functionality appears to involve contacting a remote host, which may be:

  •  adrd.tax[..].net
  •  adrd.xiax[..].com

and sending the phone's info — specifically, the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI). Data being transmitted is DES encrypted.

The remote host will reply with a list of links, one of which ADRD will randomly select and connect to using its simple internal random generator. When the selected link is contacted, it returns a predefined search string that ADRD processes and runs the search in the background.


1. The ADRD random number generator produces a number pointing to its array of list obtained from the remote host,
let us say http: //59.[...].12.105 /g /g.[...]?w=959a_w1.

2. This link actually contains the search criteria that the ADRD will use,
an example would be:

http://wap.baidu.com/s?word=%e5%[...]e5%89%a7%e7%85%a7 &vit=uni&from=979a

which ADRD will process and run in the background.

Another functionality is the possible downloading of an APK named myupdate.apk, which is saved to /sdcard/uc /folder. This is possibly for its update component.

ADRD's network access may lead to high data usage, which in turn may lead to high data charges. ADRD appears to be distributed only in Chinese markets and may only be specific to Chinese networks, as we've seen it connect to "cmnet", "cmwap" (China Mobile Net), "uniwap", and "uninet" (China Unicom).

Response Post by — Zimry Ong


Updated to add on Feb 11, 2011: Aegislab (who discovered this trojan) have shared some of their samples with us and we did several comparisons to verify these were the same ADRD we had discovered. As it turns out, there are several mostly minor differences between the two sets. Most of the changes are actually fixes of URL handling and improved exception handling on most of its routine. So we are guessing that this trojan has probably been in the wild and fixed at some point.

Since there is not much change in its functionality, we have decided to still detect them as Trojan:Android/Adrd.A. Here are some SHA1s of the Android Application (APK) for reference:


By the way, it may come to your attention that some other AV vendors are classifying ADRD as a Geinimi variant (179e1c69ceaf2a98fdca1817a3f3f1fa28236b13), so hopefully if you are closely following Geinimi or ADRD, you will not get confused. From our point of view, Geinimi and ADRD differ due to the fact that Geinimi can be classified as a a classic Backdoor for its vast command and control commands, whereas ADRD can be classified as a classic Trojan-Clicker.