DroidCleaner: Android malware that infects PCs

04 February 2013

DroidCleaner, an Android app that claims to free up smartphone memory but actually infects connected PCs, has been removed from Google Play but is still available from third-party app stores.

Kaspersky Lab claims that DroidCleaner demonstrates a new attack vector against PCs. While it has come across PC malware that infects connected smartphones, this is the first time it has found malware going from phone to PC.

When it discovered the malware, it was available from the official Google Play app store (Google has since removed it). It’s an app that promises to accelerate Android smartphones by freeing up memory – but it doesn’t. A very basic GUI display 'pretends' this is happening to deceive the user; but, in reality, it first downloads a trojan known to Kaspersky as Backdoor.MSIL.Ssucl.a, and then waits for the user to connect the device to a PC – “for example,” suggests Kaspersky, “to change the music files on the device.”

Transfer from the device to the PC relies on autorun.inf. This is perhaps the least efficient part of the malware, since the latest Windows operating systems have AutoRun disabled by default for external drives. However, Kaspersky suspects that there are enough older versions used by enough ‘unsophisticated’ users to make the malware worthwhile for the attacker. “It is those users who use outdated OS versions that are targeted by this attack vector,” says the company.
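A defender can inspect a phone's storage for this mechanism before it is attached to an older Windows machine. The following is an added example, not code from Kaspersky or the article: it reads autorun.inf from a mounted volume and reports each directive that would launch a program. The function names and the sample volume contents are assumptions made for illustration.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # plus shell\<verb>\command, matched below

def resolve(root, rel):
    """Case-insensitively resolve a Windows-style relative path under root."""
    path = root
    for part in [p for p in rel.replace("\\", "/").split("/") if p not in ("", ".")]:
        names = os.listdir(path) if os.path.isdir(path) else []
        hit = [n for n in names if n.lower() == part.lower()]
        if not hit:
            return None
        path = os.path.join(path, hit[0])
    return path

def launch_entries(text):
    """Yield (key, program) for each launch directive in the [autorun] section."""
    section = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                quoted = value.startswith('"')
                program = value[1:].split('"', 1)[0] if quoted else value.split(" ", 1)[0]
                yield key, program

def audit_volume(root):
    """Return [(key, program, target_present)] for the volume mounted at root."""
    inf = resolve(root, "autorun.inf")
    if inf is None or not os.path.isfile(inf):
        return []
    with open(inf, encoding="utf-8", errors="replace") as fh:
        hits = [(k, prog, resolve(root, prog)) for k, prog in launch_entries(fh.read())]
    return [(k, prog, bool(t) and os.path.isfile(t)) for k, prog, t in hits]

def demo():
    """Audit a constructed sample volume; every name and byte below is made up."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Tools"))
        with open(os.path.join(root, "Tools", "helper.exe"), "wb") as fh:
            fh.write(b"constructed placeholder bytes")
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\n; constructed sample\nopen=tools\\helper.exe /s\n"
                     'icon=tools\\a.ico\nshell\\scan\\command="missing dir\\x.exe" -q\n')
        return audit_volume(root)
```

Any entry returned with `target_present` set to true names a file on the volume that AutoRun would start on a host where the feature is still enabled.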

The trojan includes the NAudio library. Its purpose is to covertly record, encrypt and transmit audio files back to the hacker. The malware is neither new nor sophisticated, but the attack method is both: “using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector,” says Kaspersky. “It is worth noting that the approach used by the author of these applications is very well thought out,” it adds. “For the attack to be more successful, it only lacks a broader distribution scheme.”

Nevertheless, it seems strange that the malware author should go to so much trouble to install audio-recording malware when the same method could be used to install a full-blown RAT. “I don't see a lot of point to that capability for general purpose malware: trawling through lots of miscellaneous sound files from a number of infected machines sounds like a lot of work that in most cases wouldn't pay off significantly,” ESET senior research fellow David Harley told Infosecurity.

He postulates two possibilities. “It might be general Proof of Concept dabbling – just to look at ways of slipping malware through Google Play and onto a Windows machine” – an ‘experiment in heterogenous malware transmission’ he suggests. But he also wonders if “this is a test of functionality intended for a more targeted attack, using a mobile device for access to a desktop/laptop device that might be used for ‘interesting’ audio content – conferencing or Skype conversations, perhaps?”

Kaspersky’s David Emm suspects it may simply be a way of increasing the attacker’s knowledge base. “By recording sound, an attacker broadens the pool of data available to them – e.g., recording meetings, either formal or informal, that take place in a business. Such data might provide the first step in framing a spear-phishing attack on a company.”
