Kaspersky Labs identified a new kind of Android malware that does more than infect your mobile phone, as it also infiltrates your Windows PC.
In January, Kaspersky identified two apps on Google Play that pretend to clean your phone’s system: Super Clean and DroidCleaner. If you download the apps, it pretends to do some legit work when it is launched. The app lists running processes on your device and restarts them in the foreground, giving the appearance of a legit app. But the worst of it is what’s going on behind the scenes. While you’re busy thinking that you’re freeing up some space, the app downloads three files: autorun.inf, folder.ico, and svchosts.exe, in your SD card’s root directory.
If you connect your phone to a Windows PC in USB drive emulation mode, the svchosts.exe file (Backdoor.MSIL.Ssucl.a) is automatically executed on your PC. The malware takes control of your PC’s microphone and when it detects sounds, it begins to record audio files, encrypts the data, then sends it to the malware author.
“Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware. At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector. In the current versions of Microsoft Windows, the AutoRun feature is disabled by default for external drives; however, not all users have migrated to modern operating systems. It is those users who use outdated OS versions that are targeted by this attack vector,” Victor Chebyshev, Kaspersky Lab Expert, wrote in a blog post.
Chebyshev also noted that people using low-end Android phones that needs to be connected to a PC in order to transfer files are the ones greatly affected by this kind of malware.
Contributing Editor John Casaretto shares his thoughts on the latest Android malware scare, appearing on this morning’s NewsDesk program with Kristin Feledy:
The malware does not leave your Android device unscathed either, as it sends text messages, enables Wi-Fi, gathers information about the device, opens arbitrary links in a browser, uploads the SD card’s entire contents,uploads an arbitrary file (or folder) to the master’s server, uploads all SMS messages, deletes all SMS messages, and uploads all the contacts/photos/coordinates from the device to the master.
The apps have been removed from Google Play, but what’s concerning is that the apps have good ratings. Though the apps weren’t downloaded by a lot of users, the high ratings makes it that much more difficult to discern malware from legitimate apps.
Quick tips for safe app downloads
Google Play is notorious for harboring malware-laced apps, and it’s getting a bit tricky to dodge these pesky bullets. But it’s still the recommended place to get your official Android apps. If you want to stay clear from these malware-laced apps, remember to:
- Download apps only from trusted developers
- Download apps with high a download count
- Read comments about the app to see if people are generally satisfied with how the app works
Apps with high ratings are also still recommended, but make sure that you check how many people have already downloaded them. If only five people download the app but it has a 5-star rating, better think twice before you download the app – it could be a trap!