Android Malware That Infiltrates Your PC

Demand for Android-based devices has been rising, typically because of their ease of use, accessibility and cost. Inexpensive Android smartphones have been taking over much of the market since the OS was first introduced, and people who purchase low-cost Android phones look for ways to speed up their devices. This leads them to trust third-party applications on the Play Store. While some of these apps are legitimate, most of them happen to be malicious and only fake the process of cleaning up the system. One such app has recently been discovered and reported by Kaspersky Lab.


The app, Superclean, spreads from your Android smartphone to your PC and can be found on the Play Store. Ironically, it has a rating of 4.5 on the Play Store, which is not bad for malware.


Another app that is identical to Superclean is DroidCleaner.



If you launch these apps, they appear to show you the details of the services running on your smartphone, and then restart them. The interface is unimpressive.



At this moment, the app begins to "jiggy with it" and performs a number of commands, executing the following code:



The name of the method used is Tools.UsbAutoAttack.


Executing the above code downloads three files from a URL. These files are:

autorun.inf
folder.ico
svchosts.exe

To determine where the application saves these files, we will look at the DownloadFile method.


Because of the master application's code, these files are placed in the root directory of the SD card. Hence, when the affected smartphone is connected to a PC via USB cable in USB drive emulation mode, the svchosts.exe file, which is actually Backdoor.MSIL.Ssucl.a, is executed automatically. This file isn't of particular interest; however, it includes a freely distributed library, NAUDIO (http://naudio.codeplex.com), which makes up most of the application.
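An added example, not from the original article or from Kaspersky Lab: a Python check a defender could run against a mounted SD card or USB volume root to list which programs its autorun.inf would launch and whether they sit in that root. The autorun.inf contents are constructed, since the article names the three files but does not show them; the function names are hypothetical.

```python
import os
import tempfile

# Constructed sample: the article names the three files, not the .inf contents.
SAMPLE_AUTORUN = "[autorun]\nopen=svchosts.exe\nicon=folder.ico\n"
LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program

def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    entries, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_target(value):
    """File name of the program in 'a.exe /x' or '"dir\\a b.exe" /x'."""
    if value.startswith('"'):
        program = value[1:].split('"', 1)[0]
    else:
        program = (value.split(None, 1) or [""])[0]
    return program.replace("\\", "/").rsplit("/", 1)[-1].lower()

def audit_volume_root(root):
    """Return [(key, program, present_in_root)] for every launch entry."""
    names = {n.lower(): n for n in os.listdir(root)}  # FAT names ignore case
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            program = launch_target(value)
            findings.append((key, program, program in names))
    return findings

def demo():
    """Build a throwaway directory laid out like the SD card root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("autorun.inf", SAMPLE_AUTORUN), ("folder.ico", ""), ("svchosts.exe", "")):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_volume_root(root)

if __name__ == "__main__":
    print(demo())
```

Any finding whose program is present in the volume root is worth quarantining and inspecting before the device is attached to a Windows machine that still honours autorun.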


Let's learn why this specific command was used for this application. Victor Chebyshev, an expert at Kaspersky Lab, has explained it in detail:


First of all, have a look at the constructor of the frmMain form:

As you can see, a “Data Received” event causes the event handler to call the con_DataReceived function.
The function has rather extensive capabilities and is designed to handle a variety of commands sent by the master, but right now we are interested in the way a specific command is handled:

It can be seen in this piece of code that the RECORD_STR command causes the StartRec function to be called:

Next, note BeginMonitoring and BeginRecording.
In the former case, monitoring of the default audio recording device is configured. The value of the recordingDevice variable is set to zero for the purpose.

As soon as the microphone detects sound, the application immediately begins to write audio data to a file using BeginRecording:

The program encrypts files and sends them to the master:
[Figure: Encryption algorithm]
[Figure: Uploading any file to the master’s FTP]
[Figure: This is where the address to which the app should connect and send files is taken from]

This has to be one of the most unsophisticated ways to spread malware, but doing so via a smartphone is a new attack vector. The autorun feature is disabled by default for external drives in newer versions of Microsoft Windows, so this poses a threat mainly to users of outdated versions of Microsoft Windows. An owner of an inexpensive Android smartphone who regularly connects his/her device to a PC is most prone to such an attack.

According to Victor Chebyshev:
It is worth noting that the approach used by the author of these applications is very well thought out. The app includes a vast range of features. For instance, in addition to infecting workstations, the Android version of the bot includes the following features:
  • Sending SMS messages
  • Enabling Wi-Fi
  • Gathering information about the device
  • Opening arbitrary links in a browser
  • Uploading the SD card’s entire contents
  • Uploading an arbitrary file (or folder) to the master’s server
  • Uploading all SMS messages
  • Deleting all SMS messages
  • Uploading all the contacts/photos/coordinates from the device to the master
This is the first time we have seen such an extensive feature set in one mobile application.

It's better to stay safe than be sorry. Remember that and you shall prevail.

Cheers!

About The Author

This article is written by Sindhia Javed Junejo. She is one of the core members of the RHA team.