We’ve seen malware for PCs that infects mobile devices, but it turns out there’s also malware for mobile devices designed to infect PCs. Kaspersky researchers have discovered a new piece of Android malware that masquerades as a “cleaner” app meant to free memory for Google’s operating system but wreaks havoc on your smartphone in the background and on Microsoft’s operating system when it’s connected to a PC.

The security firm says the malware has the most “extensive feature set” it has ever seen in one mobile app. Here’s the list:

  • Sending SMS messages.
  • Enabling Wi-Fi.
  • Gathering information about the device.
  • Opening arbitrary links in a browser.
  • Uploading the SD card’s entire contents.
  • Uploading an arbitrary file (or folder) to the master’s server.
  • Uploading all SMS messages.
  • Deleting all SMS messages.
  • Uploading all the contacts/photos/coordinates from the device to the master.

Once installed and executed on Android, the malicious app lists the running processes on your device and restarts them in the foreground to make it look like it’s doing what it’s designed to do. In the background, however, the app downloads three files (autorun.inf, folder.ico, and svchosts.exe) to the root of your SD card. When the smartphone is connected to a Windows computer in USB drive emulation mode, the svchosts.exe file (Backdoor.MSIL.Ssucl.a) is automatically executed on your PC.

The Windows part of the malware is not particularly sophisticated, but it is capable of taking control of the microphone to record you. It then encrypts all its recordings and sends them back to the attacker. Kaspersky explains how the malware authors are expecting this threat to spread:

Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware. At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector. In the current versions of Microsoft Windows, the AutoRun feature is disabled by default for external drives; however, not all users have migrated to modern operating systems. It is those users who use outdated OS versions that are targeted by this attack vector.

Thus, a typical attack victim is the owner of an inexpensive Android smartphone who connects his or her smartphone to a PC from time to time, for example, to change the music files on the device. Judging by the sales statistics for Android smartphones, I would say that such people are quite numerous. For the attack to be more successful, it only lacks a broader distribution scheme.

The fact this threat was distributed on Google Play is worrying but not unheard of. While I usually recommend sticking to Google Play to avoid the larger majority of Android threats, in this case the best advice is to only download apps with high download numbers and from trusted developers.

In short, this malware threat isn’t one that you will likely be hit with, but it is very interesting to see the way Android malware is evolving. Furthermore, we find it odd that Kaspersky says this is the first time it has seen mobile malware with such an extensive feature set, given that there is much more complex mobile malware out there.

See also – FinFisher malware goes mobile: Infects Android, iPhone, BlackBerry

Image credit: Flavio Takemoto