Kaspersky Lab claims that DroidCleaner demonstrates a new attack vector against PCs. While it has come across PC malware that infects connected smartphones, this is the first time it has found malware going from phone to PC.
When it discovered the malware, it was available from the official Google Play app store (Google has since removed it). It’s an app that promises to accelerate Android smartphones by freeing up memory – but it doesn’t. A very basic GUI display 'pretends' this is happening to deceive the user; but, in reality, it first downloads a trojan known to Kaspersky as Backdoor.MSIL.Ssucl.a, and then waits for the user to connect the device to a PC – “for example,” suggests Kaspersky, “to change the music files on the device.”
Successful transfer from the device to the PC is via autorun.inf. This is perhaps the least efficient part of the malware since the latest Windows operating systems have AutoRun disabled by default for external drives. However, Kaspersky suspects that there are enough older versions used by enough ‘unsophisticated’ users to make the malware worthwhile for the attacker. “It is those users who use outdated OS versions that are targeted by this attack vector,” says the company.
The trojan includes the NAudio library. Its purpose is to covertly record, encrypt and transmit audio files back to the hacker. The malware is neither new nor sophisticated, but the attack method is both: “using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector,” says Kaspersky. “It is worth noting that the approach used by the author of these applications is very well thought out,” it adds. “For the attack to be more successful, it only lacks a broader distribution scheme.”
Nevertheless, it seems strange that the malware author should go to so much trouble to install audio-recording malware when the same method could be used to install a full blown RAT. “I don't see a lot of point to that capability for general purpose malware: trawling through lots of miscellaneous sound files from a number of infected machines sounds like a lot of work that in most cases wouldn't pay off significantly,” ESET senior research fellow David Harley told Infosecurity.
He postulates two possibilities. “It might be general Proof of Concept dabbling – just to look at ways of slipping malware through Google Play and onto a Windows machine” – an ‘experiment in heterogenous malware transmission’ he suggests. But he also wonders if “this is a test of functionality intended for a more targeted attack, using a mobile device for access to a desktop/laptop device that might be used for ‘interesting’ audio content – conferencing or Skype conversations, perhaps?”
Kaspersky’s David Emm suspects it may simply be a way of increasing the attacker’s knowledge base. “By recording sound, an attacker broadens the pool of data available to them – e.g., recording meetings, either formal or informal, that take place in a business. Such data might provide the first step in framing a spear-phishing attack on a company.”