Browse archive

Latest news

Fighting cybercrime is on the right track

Google set to upgrade its SSL certs

IT security pros have trouble communicating with executives

Zeus variants are back with a vengeance

Facebook phishers target Fan Pages owners

Killer apps: The performance of networked applications

Is it time to professionalize information security?

Google researcher reveals another Windows 0-day

Twitter finally offers 2-factor authentication

DHS employees' info possibly compromised due to system flaw

Teens are into online sharing, but are also more privacy-aware

The dangers of downloading software from unofficial sites

Microsoft decrypts Skype comms to detect malicious links

Review: Logging and Log Management

Hacking charge stations for electric cars

Bogus cleaning apps on Google Play install backdoor on PCs

Posted on 08.02.2013

Malicious Android apps able to infect and set up a backdoor on PCs running pre-Windows 7 operating systems have been recently spotted by researchers of several security companies.

Both Kaspersky Lab and McAfee spotted two fake "cleaner" apps by the name of "DroidCleaner" and "SuperClean," offered by a developer named "Smart.Apps" on Google Play.

Once installed, these apps would fake the cleaning up of the Android system (browser cache cleaning, optimizing network settings, and so on), but in the background they would establish communication with a remote C&C server, allowing the crooks behind this attack to do any of the following things:

Harvest device and network information, as well as more personal information such as that contained in contacts, SMS messages, installed apps and more
Send and delete SMS messages
Map the contents of the device's SD card for future upload to the server
Execute shell commands
Reboot the device
Launching other apps without user consent
Set call forwarding and change the ringer mode
Enable Wi-Fi
Open arbitrary links in a browser
Steal passwords for Google and Dropbox accounts by randomly showing fake login interfaces
Download three files - autorun.inf, folder.ico, and svchost.exe from the remote server and place them in the root directory of the SD card so that once the device is connected to a PC, the system automatically executes the svchosts.exe file.

Kaspersky researchers analyzed the file in question, and it turns out to be backdoor Backdoor.MSIL.Ssucl.a - an unsophisticated piece of malware that can execute a number of commands sent by the master. Among them is the ability to write audio data as soon as the PC microphone detects sounds, then encrypt and send the data to the server.

The number of Android devices compromised by these apps is rather low, and the apps themselves (as well as their "developer") have been booted out of Google Play. Still, there might be still undiscovered ones on the market, so be careful.

"Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware. At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector," Kaspersky researchers pointed out.

"It is worth noting that the approach used by the author of these applications is very well thought out. This is the first time we have seen such an extensive feature set in one mobile application."