Inexpensive Android smartphones are taking over the market, and most users look for ways to speed up their devices, usually by freeing up memory. As more and more users demand software that provides a speed bump, more apps pop up, some of them malicious. PC malware that infects smartphones has been around, but now the reverse has happened. It seems mobile devices have become the next malware vector for PCs: malware designed to infect PCs has popped up on the Google Play store. Researchers at Kaspersky discovered Android malware that brands itself as a “cleaner” app meant to free up memory on your Android device, but in reality it infects your device with malware that can also infect your PC when the device is connected.
The researchers found that the attack was well thought out and remarked on “such an extensive feature set” in one app. Here is the list:
- Sending SMS messages
- Enabling Wi-Fi
- Gathering information about the device
- Opening arbitrary links in a browser
- Uploading the SD card’s entire contents
- Uploading an arbitrary file (or folder) to the master’s server
- Uploading all SMS messages
- Deleting all SMS messages
- Uploading all the contacts/photos/coordinates from the device to the master
Once the app is installed and launched, it lists the running processes on your device and restarts them so that it looks like it is doing its job. Then the malicious part comes in. In the background, the app downloads three files (autorun.inf, folder.ico, svchosts.exe) to the root directory of the SD card. It then waits until the smartphone is connected to a Windows computer in USB drive emulation mode, at which point the svchosts.exe file executes automatically. The Windows malware isn’t particularly sophisticated, but it can take control of the microphone and record you. It can then encrypt the audio and send it back to the attacker.
Kaspersky states that “a typical attack victim is the owner of an inexpensive Android smartphone who connects his or her smartphone to a PC from time to time, for example, to change the music files on the device” and who uses an outdated OS version, as AutoRun is disabled in current versions.
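A defender-side check for the delivery method described above, as an added example that is not code from Kaspersky or from the original article: it inspects the root of a mounted SD card or USB volume for an autorun.inf and reports any open/shellexecute entry that points at an executable. The function names and the sample autorun.inf contents are constructed for illustration; only the three file names come from the article.

```python
import os
import tempfile

LAUNCH_KEYS = {"open", "shellexecute"}  # [autorun] keys that start a program
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}

def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def triage_volume(root):
    """Return findings for a mounted volume; an empty list means no autorun.inf."""
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), errors="replace") as fh:
        entries = parse_autorun(fh.read())
    findings = ["autorun.inf present in volume root"]
    for key in sorted(k for k in entries if k in LAUNCH_KEYS):
        # Simplification: the first whitespace-separated token is the program.
        target = (entries[key].split() or [""])[0].strip('"').lstrip("\\/")
        if os.path.splitext(target)[1].lower() in EXEC_EXTS:
            in_root = target.lower() in names
            findings.append(
                f"{key} launches executable {target} (in volume root: {in_root})")
    return findings

def build_sample_volume():
    """Constructed sample: file names from the article, invented contents."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=svchosts.exe\nicon=folder.ico\n")
    for name in ("folder.ico", "svchosts.exe"):
        open(os.path.join(root, name), "wb").close()  # empty placeholder files
    return root

if __name__ == "__main__":
    for finding in triage_volume(build_sample_volume()):
        print(finding)
```

Point `triage_volume` at the mount point of the phone's storage on an analysis machine rather than at the constructed sample.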
Both the Superclean app and its sibling, DroidCleaner, have been removed from the Google Play Store, but it still helps to be vigilant about device security and to download apps only from trusted developers with high download numbers.