Kaspersky Lab Expert
Posted February 01, 12:31 GMT
We have come across PC malware that infects mobile devices before. However, in this case it’s the other way round: an app that runs on a mobile device (a smartphone) is designed to infect PCs.
On January 22, 2013 Kaspersky Lab discovered the following application on Google Play:
The app is obviously quite popular and has a good rating:
This application has a twin brother that has an identical feature list but a different name:
As for the app authors’ imagination, they did not have much to spare for the GUI.
After launching, the application shows all the running services:
At the same time, it restarts them:
This is where the ‘useful’ activity ends – and the interesting part begins.
Among the numerous commands performed at the instruction of the master, the app can execute the following code:
Note the name of the method – Tools.UsbAutoAttack. Here are the details:
This code means that the malware downloads three files from the URL specified at the beginning of the class. The following files are downloaded:
autorun.inf,
folder.ico,
svchosts.exe.
Now, we need to find out where the application saves these files. This can be determined by looking at the DownloadFile method:
It follows from this piece of code that the files will be placed in the root directory of the SD card. Therefore, if the smartphone is connected to the PC in the USB drive emulation mode, the system will automatically execute svchosts.exe file.
Now, it would be curious to find out what’s inside svchosts.exe. We managed to download the file from the cybercriminals’ server. It turns out that svchosts.exe is in fact Backdoor.MSIL.Ssucl.a.
We have observed and detected similar objects starting from the first half of 2012. However, there was no connection to mobile platforms at the time
Overall, Backdoor.MSIL.Ssucl.a is not a particularly sophisticated piece of malware. Its only feature of interest is that it includes the freely-distributed library NAUDIO (http://naudio.codeplex.com).
As the screenshot below shows, the NAUDIO library is the biggest part of the application.
Below, we try to figure out why the cybercriminals decided to use this structure.
First of all, have a look at the constructor of the frmMain form:
As you can see, a “Data Received” event causes the event handler to call the con_DataReceived function.
The function has rather extensive capabilities and is designed to handle a variety of commands sent by the master, but right now we are interested in the way a specific command is handled:
It can be seen in this piece of code that the RECORD_STR command causes the StartRec function to be called:
Next, note BeginMonitoring and BeginRecording.
In the former case, monitoring of the default audio recording device is configured. The value of the recordingDevice variable is set to zero for the purpose.
In the former case, monitoring of the default audio recording device is configured. The value of the recordingDevice variable is set to zero for the purpose:
As soon as the microphone detects sound, the application immediately begins to write audio data to a file using BeginRecording:
The program encrypts files and sends them to the master:
Uploading any file to the master’s FTP
This is where the address to which the app should connect and send files is taken from
Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware. At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector. In the current versions of Microsoft Windows, the AutoRun feature is disabled by default for external drives; however, not all users have migrated to modern operating systems. It is those users who use outdated OS versions that are targeted by this attack vector.
Thus, a typical attack victim is the owner of an inexpensive Android smartphone who connects his or her smartphone to a PC from time to time, for example, to change the music files on the device. Judging by the sales statistics for Android smartphones, I would say that such people are quite numerous. For the attack to be more successful, it only lacks a broader distribution scheme.
It is worth noting that the approach used by the author of these applications is very well thought out. The app includes a vast range of features. For instance, in addition to infecting workstations, the Android version of the bot includes the following features:
- Sending SMS messages
- Enabling Wi-Fi
- Gathering information about the device
- Opening arbitrary links in a browser
- Uploading the SD card’s entire contents
- Uploading an arbitrary file (or folder) to the master’s server
- Uploading all SMS messages
- Deleting all SMS messages
- Uploading all the contacts/photos/coordinates from the device to the master
This is the first time we have seen such an extensive feature set in one mobile application.