Android malware carries Windows snooping app

Kaspersky is reporting on malware found in the Google Play store that is loaded with more than just Android malware. The trick in this case is to covert the smartphone into a version of a rather traditional vector for PC malware.

The "Superclean" application and its twin "DroidCleaner" offer themselves as phone clean-up applications which will boost your smartphone's performance by clearing out old data. All the "cleaners" apparently do when run is show all the running services and then step through restarting all the applications on the phone. But behind the scenes it is a different story: the app moves on to quietly download three files and save them as "autorun.inf", "folder.ico" and "svchosts.exe" in the root directory of the SD card. Now the phone is ready to infect any PC that it is plugged into when in USB drive emulation mode – if, of course, it still autoruns removable media, and will trigger the running of "svchosts.exe". In current versions of Windows though, autorun is disabled so the attack should only be a threat to users running older unpatched operating system versions.

Kaspersky says that what was found in the svchosts.exe was in fact what it labels Backdoor.MSIL.Ssucl.a. Ssucl.a is "not a particularly sophisticated piece of malware". Using the free NAudio library code, the malware sets itself up to monitor the default audio recording device and then listens in. When it hears audio it automatically records it and then encrypts it and uploads it to an FTP server. It is far from clear what an attacker would have to gain though from thousands of audio snippets from an assortment of un-targeted computer users.

Superclean on the Russian Play Store
Source: Kaspersky The Android app itself offered numerous features for malware masters. For example, it could enable Wi-Fi, gather device information or open arbitrary links in the browser. SMS messages were particularly vulnerable as it could not only send them, but also upload all received SMS messages or delete them. Its information-stealing capabilities included either uploading the contents of the SD card or an arbitrary file or folder to the master server or uploading all the contacts, photos and coordinates on the phone to that server.

Apart from noting that this was one of the more extensive ranges of functionality in a mobile app, Kaspersky was not clear whether this was done after the user had granted permission to the app to carry out these functions, and did not elaborate on any command and control networks used by the "Superclean" or "DroidCleaner" apps.

Both apps have been removed from the Google Play store but may, of course, appear in other less trustworthy app stores. That both apps appeared to have the signature functionality of malware but were not picked up by Google's own defences should though be a concern for Android users.

(djwm)