Channel: Guard Security Blog » trojan

The Mob attacks PC


Android/Claco.A!tr is a new mobile malware that has been in the news recently for its unique ability to infect PCs.
Although we have seen an attack vector of this kind on the Symbian OS before (SymbOS/CardTrap), this would be the first of its kind on the Android platform.

The malicious packages come under the names SuperClean and DroidCleaner and claim to be applications that can speed up your phone.
On inspecting the code, we find that the "strategy" used to speed up the phone consists mainly of restarting the running applications.

BOTNET CAPABILITIES:

In the background, the application registers the infected device with a C&C server and then listens for commands.
Depending on the command received, the malware can perform functions such as

  • Making phone calls and sending out SMS messages with specifications received by the C&C
  • Stealing Android and Dropbox credentials (ref Fig1 and 2)
  • Uploading directory listings and files to the C&C
  • Uploading SMS records and contact information to the C&C
  • Deleting SMS messages from specific numbers
  • Rebooting the device
  • Toggling the Wifi state
  • Changing the ringer state
  • among others.

(More details can be found in the virus description)

Fig1 : Android Credentials stealing

Fig2: Dropbox credentials stealing

HOW IT INFECTS PCs:

However, the most interesting of these capabilities is the usb_autorun_attack.
When this command is received, the malware downloads the files autorun.inf, folder.ico and svchosts.exe to the external SD card of the phone.
As you will have guessed by now, these are well-known Windows system file names (svchosts.exe being a look-alike of the genuine svchost.exe).

The autorun.inf file is used to transfer the files to the PC when the phone is connected to it in USB mass-storage mode. This method of infection is not very effective on newer versions of Windows, which no longer honour autorun.inf on removable drives, but it would still work on machines running older versions of Windows.

Given the capabilities of the downloaded files, my hypothesis is that the intent of the malware authors was to explore the effectiveness and efficiency of this new attack vector rather than to cause damage.
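A defender-side check for the USB stage described above, added here as an example and not code from the original post or from the malware: it parses an autorun.inf found at the root of a mounted volume (such as the phone's SD card) and flags the two traits this sample relies on, a launch entry naming a look-alike of a Windows binary and an icon that makes the drive pass as a folder. The sample autorun.inf text and the list of genuine binary names are constructed for the example.

```python
import configparser
import os
# Constructed sample modelled on the file names the post reports (not the real file).
SAMPLE_AUTORUN_INF = """[AutoRun]
open=svchosts.exe
icon=folder.ico
"""
# Hypothetical list of genuine Windows binary names a dropper might imitate.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

def parse_autorun(text):
    """Return the [autorun] section as a lowercase {key: value} map, or {} if absent/unparsable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}

def launch_targets(entries):
    """Executables named by open=, shellexecute= or shell\\<verb>\\command= keys."""
    names = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            names.append(os.path.basename((value.split() or [""])[0]).lower())
    return names

def imitates_system_binary(name):
    """Return the genuine name if dropping one character from `name` yields a system binary."""
    for i in range(len(name)):
        candidate = name[:i] + name[i + 1:]
        if candidate in SYSTEM_BINARIES:
            return candidate
    return None

def assess(text):
    """List suspicious traits of an autorun.inf; an empty list means nothing was flagged."""
    entries = parse_autorun(text)
    findings = []
    for target in launch_targets(entries):
        mimic = imitates_system_binary(target)
        if mimic:
            findings.append(f"launch entry runs {target}, a look-alike of {mimic}")
    if entries.get("icon", "").lower().endswith("folder.ico"):
        findings.append("icon=folder.ico disguises the drive as an ordinary folder")
    return findings
```

To check a real volume, read the autorun.inf from its root directory and pass the text to assess(); on patched Windows the file is ignored anyway, so a hit mostly tells you the connected device is carrying a dropper.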

In conclusion:

  • There is a chance that we will see other malware in the future that exploits this attack vector.
  • Exploiting an attack vector like this could be beneficial to an attacker, since it allows complete ownership of a victim's data from BOTH his/her PC and phone. This becomes particularly interesting for intercepting SMS messages used for two-factor authentication. For instance, it could be used to steal tokens and one-time passwords for banks and even services like Gmail (if 2-step verification is activated).
  • And finally, if used by cybercriminals to steal banking credentials, a system of propagation akin to a "reverse Zitmo" could be implemented.

Since news of their malicious behavior was revealed, the applications have been retracted from the Google Play store and the C&C servers are down.

Thanks to Victor Chebyshev and Mila Parkour for the samples.
