In a nod to the increasingly mobile age that we live in, Symantec has uncovered a new Windows OS threat that banks on people plugging their phones into their machines to charge or sync. A trojan named Trojan.Droidpak has the sole purpose of infecting tethered Android devices from the PC.
The Android malware itself is a variant of Android.Fakebank.B, which poses as a Google Play Store application. Symantec researcher Flora Liu said that it looks for certain Korean online banking applications on the compromised device and, if found, prompts users to delete them and install malicious versions. It also intercepts SMS messages on the compromised device and sends them off to the hackers.
“We’ve seen Android malware that attempts to infect Windows systems before,” Liu wrote in a blog. “Android.Claco, for instance, downloads a malicious PE file along with an autorun.inf file and places them in the root directory of the SD card. When the compromised mobile device is connected to a computer in USB mode, and if the AutoRun feature is enabled on the computer, Windows will automatically execute the malicious PE file. Interestingly, we recently came across something that works the other way round.”
She explained that the Droidpak infection starts with dropping a malicious DLL onto a Windows hard drive, and registers it as a system service. This DLL then downloads a configuration file from a remote server and parses it in order to download a malicious APK (the Android application interface). It then goes about installing that malicious APK on any Android devices connected to the compromised computer.
The APK installation is attempted repeatedly in order to ensure a mobile device is infected when connected. There is one obstacle for the malware purveyors: successful installation also requires the USB debugging Mode is enabled on the Android device, Lui said.
The approach makes sense; while there is a growing preponderance of Android malware out there in the wild, there is evidence that not that much of it actually makes its way onto the devices themselves (well, according to Google anyway). Mobile attackers rely on social engineering and bogus apps hosted in third-party app stores to worm their way onto phones, which can be less effective than PC infection techniques. Why not take the easier path, infesting the unsuspecting from a brand-new conduit?
To avoid falling victim to this new infection vector, users should turn off USB debugging on the Android device when they’re not using it, and exercise caution when connecting mobile devices to unknown computers.