Android malware infects Windows PCs with spy bot!

02/27/2013
G DATA Blog

The development of Android malware recently reached a new milestone. Android malware Android.Backdoor.Ssucl.A can use some Android mobile devices to attack Windows PCs as soon as the infected mobile device is connected to the PC via USB cable. It also uses a number of remotely controlled functions to turn the mobile device into a mindless zombie.

Screenshot of Ssucl.A in a third-party market

At the end of January, malware experts found the first versions of Ssucl.A on the Internet. Among other places, the malware was found in the Play Store, Google's official Android app store, as well as in third-party markets.

Screenshot of Ssucl.A

Older Android devices in particular often have serious problems with insufficient memory. Many users of older devices are therefore looking for a solution to this and use different types of optimisation software. The malware authors took advantage of this and disguised their malware as such a program, which only pretended to be useful. In this way, the app infected with Ssucl.A was downloaded at least a thousand times from the Google Play Store alone. In a third-party market, the malware was offered in an app called "SuperClean", a free application for cleaning the system to free up space.

The malware features a wide range of functions

Experts at the G Data SecurityLabs analysed several samples of the malware code, for example, the file with the SHA256 hash value 7b1746778d0196bf01251fd1cf5110a2ef41d707dc7c67734550dbdf3e577bb9.
The analysis of this sample showed that the malware enables the attackers to execute a whole range of functions on the infected device:

  • Make calls to any number.
  • Send SMS to any number.
  • Read all photos/contacts/SMS/device information and upload them to a server specified by the attacker.
  • Upload any files from the mobile device to a server specified by the attacker.
  • Execute any command on the device.
  • Query the network status of the device (Is there a network connection? What is the IP of the device?).
  • Activate or deactivate wireless network traffic.
  • Activate or deactivate call forwarding.
  • Load data onto the device.
  • Display a fake Dropbox login dialogue and also a fake Google login dialogue and then send the data entered there to the attacker.
    If attackers can get hold of the Google account data this has serious consequences for the mobile device’s owner!
  • Record the location of the device.
  • Prepare an attack on Windows computers.


A risk for mobile devices: exploitation of USSD control code

The above-mentioned option to make calls to any number bears more risks than is obvious at first glance. The phone's dial function can be used to execute control codes that are intended for functions such as (de)activating voice mail, prepaid balance enquiries etc. Some devices even allow the attackers to use these codes to restart the device, restore the factory settings or permanently damage the SIM card in the phone. G Data's free USSD Filter, which is available in the Google Play Store, provides protection against this. For more information on this subject, see the G Data USSD info page (German).

How the Android malware infects the PC

As described above, the malware can download files when prompted to do so by the attacker. The analysed malware code downloaded three files to the infected mobile device: autorun.inf, folder.ico and svchosts.exe.

Screenshot of Ssucl.A code UsbAutoRunAttack

The .ico file is an icon that Windows Explorer displays to the user for the "drive" that the device presents. An autorun.inf file specifies which actions are to be executed automatically (in this case the installation of the PC malware) as soon as a data medium (here the infected mobile device) has been made available to the Windows PC.
If the device holding the downloaded files is now connected to a Windows PC via USB cable and the Autorun function is enabled on that PC, Windows mounts the device as an external drive and its autostart function executes the svchosts.exe file downloaded to the device, thereby infecting the Windows PC.


PC infection not possible through all Android mobile devices

Thankfully, however, this does not work with every device. Mobile devices that use the Media Transfer Protocol (MTP for short) no longer expose their internal memory to the PC as an external mass storage device, so attackers cannot use them to transfer this malware via Autorun. Even here, however, there is a risk that a user accidentally executes the Windows malware placed on the device by Ssucl.A when he or she sees the files in Windows Explorer.
Your device manual or the manufacturer's website can often tell you whether your mobile device uses the Media Transfer Protocol. However, manufacturers sometimes describe MTP without mentioning it by its name.

The Windows malware

The PC malware is typical bot-style malware. Once started, it first creates an autostart entry in the registry so that it becomes active again when the PC is restarted. Following that, the malware connects to a C&C server and transfers some general information about the user, for example the user name and computer name; the communication with the server is encrypted with AES. However, the AES key is embedded in plain text in the malware file, so anyone who extracts it can read the traffic "easily". As is typical for a bot, it then waits for a command from the server.
However, what sets this malware apart from other malware is the hard-coded "listening function," which uses a microphone connected to the computer. As soon as the level of noise in the microphone's environment exceeds a certain level, audio recording is started and subsequently uploaded to a server in encrypted form.
In addition to this, the malware also has functions for creating screenshots and stealing user data from popular browsers like Firefox or Chrome.

Cross platform attacks:

In general, the attack on Windows PCs that the authors of Ssucl.A use is nothing new. However, this is the first case in which the Android operating system acts as the infector. In 2005, the malware "Cardtrap" for the Symbian mobile operating system used the same trick to infect Windows machines.

G Data is constantly warning computer users against the risks of an infection through the activated Windows Autorun function. The monthly G Data MII statistics regularly feature Autorun malware and this type of malware has been among the top 10 risks for quite some time! So far, distribution has been mainly limited to data media like CDs, DVDs or USB sticks.
However, with the lasting success of Android mobile devices and the resulting increased appeal for attackers, attackers will now also focus on mobile devices as PC infection vectors. For more details and analyses regarding Android, see the G Data MalwareReport for the second half of 2012.

Tips & Tricks:

  • Use a comprehensive security solution such as G Data MobileSecurity Version 2 for Android for your mobile device and, of course, make sure you also use an anti-malware product to protect your PC, for example, G Data InternetSecurity 2013.
  • Use a charger to charge your phone at a power socket and not on the PC – and do not use somebody else's PC under any circumstances.
  • Only get your apps from trustworthy sources.
  • On the app market, look for user ratings and comments.
  • Google Play also shows the authorisations required by the app. You should check and evaluate these yourself.
  • Deactivate the Autorun function on your PC. For the right instructions for your operating system, see the following Microsoft web page: http://support.microsoft.com/kb/967715/en
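The Microsoft page referenced in the last tip works by setting the NoDriveTypeAutoRun registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (or the same path under HKEY_CURRENT_USER). Reading that value back is easy; knowing what the number means is the part that gets misread. The following Python helper, added here and not part of the article, decodes a value using the bit meanings documented in that KB article and lists the drive types on which AutoRun would still fire. The value name and bit meanings come from KB 967715; the input notations accepted by parse_reg_value and the 0x91 figure labelled as a typical default are my own assumptions.

```python
"""Decode a NoDriveTypeAutoRun policy value (see Microsoft KB 967715) and report
on which drive types AutoRun is still active. Added example, not article code."""

# Bit meanings documented in KB 967715: a set bit disables AutoRun on that drive type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,        # drives whose type cannot be determined
    "removable": 0x04,      # USB sticks, and phones exposed as USB mass storage
    "fixed": 0x08,          # hard disks
    "network": 0x10,        # network shares
    "cdrom": 0x20,          # CD/DVD drives
    "ramdisk": 0x40,        # RAM disks
    "unknown_type": 0x80,   # second "unknown" bit, same effect as 0x01 per the KB
}
DISABLE_ALL = 0xFF          # the value the KB gives for switching AutoRun off everywhere
ASSUMED_DEFAULT = 0x91      # assumption: value commonly found on a stock Windows install


def parse_reg_value(text):
    """Parse the notations an admin meets when reading the value back:
    '0x91' (reg.exe query output), 'dword:000000ff' (.reg export), or plain decimal."""
    t = text.strip().lower()
    if t.startswith("dword:"):
        return int(t[len("dword:"):], 16)
    if t.startswith("0x"):
        return int(t, 16)
    return int(t, 10)


def autorun_disabled_for(value, drive_type):
    """True if the policy value blocks AutoRun on the given drive type."""
    return bool(value & DRIVE_TYPE_BITS[drive_type])


def drive_types_still_autorunning(value):
    """Drive types on which AutoRun would still fire under this policy value."""
    return [name for name, bit in DRIVE_TYPE_BITS.items() if not value & bit]


def assess(value):
    """Return (verdict, list of drive types still subject to AutoRun)."""
    remaining = drive_types_still_autorunning(value)
    if not remaining:
        return "AutoRun disabled on all drive types", remaining
    if "removable" in remaining:
        # The case this article is about: a phone mounted as USB mass storage.
        return "AutoRun still active on removable drives (USB mass storage incl. phones)", remaining
    return "AutoRun still active on some drive types", remaining


if __name__ == "__main__":
    for raw in ("0x91", "dword:000000ff"):
        verdict, remaining = assess(parse_reg_value(raw))
        print(f"{raw}: {verdict} {remaining}")
```

The point of the decoder is the 0x91 case: a value that looks "set" still leaves removable drives, fixed disks, CD-ROMs and RAM disks open to AutoRun, which is exactly the hole a phone presenting itself as mass storage walks through. Only 0xFF closes it for every drive type.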