Skip to main content

Recently, two applications designed with malicious intent were discovered within the Google Play application store.  The apps were built with a façade of being utility cleaners designed to help optimize Android-powered phones, but in reality, both apps had code built in designed to copy private files, including photos, and submit them to remote servers. 

 

The applications, named SuperClean and DroidClean, did not stop there. Researchers also found that the malware was able to AutoRun on Windows PC devices when the phones were paired, and infect the main computer.  The malware was designed to record audio through the computer’s microphone.

 

AutoRun has often been used as a method of infection, and Microsoft has since sent a security fix out to Windows XP/Vista/7 in order to disable the exploitable element. In some cases, however, the feature might have been re-enabled by the user for convenience or never changed through a backlog of updates.

 

An application such as this has not been seen in the past, and is showing the creative methods through which malware coders are attempting to break through a computer’s security.  With the Android device acting as a Trojan horse for the infection, malicious code has the potential of bypassing established security parameters that typically keep endpoint users safe within their network.

 

While Webroot has already classified the apps, and they have been removed from the Google Play application market, it goes to show that protective steps are necessary on all levels of devices to avoid an infection.  Below, we will highlight the steps you can take to help stay protected from attacks like these.

 

Android Devices:


  • Ensure latest version of Webroot SecureAnywhere is downloaded from official Android app stores.
Webroot SecureAnywhere (PC users)


  • Ensure USB shield is enabled
    • Steps: Open Webroot > Select PC Security Tab > Select Shields > Slide USB Shield to on (green)
    • Advanced users: Ensure USB Shield is Enabledilist]
    • Steps: Open Webroot > Select PC Security Tab > Select Scan > Select Change Scan Settings > Select Heuristics > Select USB > Select desired protection settings
[/list]For all users, we recommend ensuring that AutoRun is disabled on your computer.  Even though Microsoft rolled out updates to disable, it is possible AutoRun could still be enabled.  Finally, always ensure you scan USB and other connected devices for malware before storing data or using on other PCs.

 

Source: SecureList - http://www.securelist.com/en/blog/805/Mobile_attacks

 
Thank you Richard!  Great information.
Thanks Richard for the warning.



I am really scared to learn that some cleaners could do more than are supposed to because I also use on my Android device a cleaner application. Luckily this application seems fine and moreover I have WSA Complete installed ;)



I appreciate your recommendations against such attacks but I would add another one, especially being truly valid for Google Play:



- Before downloading an application please look carefuly how many downloads have been done and what is public popularity (rating) of such application. Trust only these which are popular and have many downloads. Also please read user reviews which can give you some kind of a feeling how good or bad an application is.



Sorry Richard for hijacking your original post.
Well that sucks.

 

Still, I blame Java. :D
Thanks. 

 

Do you have an actual link for instructions on how to disable AutoRun in Windows 7 Pro 64 bit?  I quit looking!

 

Few links even discuss how to disable AutoRun and most discuss Win XP, even if the question was about Win 7.  Microsoft discusses Win XP but the link for Win 7 leads to a page with no information.

 

AutoPlay has been disabled. 
There are some detailed instructions on how to do that in this Microsoft KB article.  There's an automated "Fix-It" method and a manual method.
Thanks.

 

Instructions for Win 7 Home and Win 7 Home Premium can be found by searching Microsoft.

 

The following link appears to have a registry hack for Win 7 Pro (No mention of Win 7 Pro 64 bit, but it may be the same) .

http://windows.microsoft.com/en-US/windows/answers?tId=f74e4d8a-c4ba-4bd3-b521-97596ea39734

 

In Win 7 Pro 64 Bit

AutoPlay can be disabled in Group Policy.  However, AutoRun can't fully be disabled.  The Win 7 help states that if AutoRun is disabled then Windows Vista will prompt the user whether the autorun command is to be run.

 

Thanks for your help.

 
This Android Malware Will Install A Trojan Onto Your PC And Record You Through Your Microphone.

There’s a new type of Android malware out there that is masking itself as a “cleaner” app, but what it’s really doing is infecting both your Smartphone and your PC. Researchers discovered the “cleaner” apps, called Superclean and DroidCleaner, in the Google Play store which makes it all the more scarier. The apps are supposed to free up memory in Android, but instead does an extensive feature set of other harmful things. Here’s a list:

 

Sends SMS messages

Enables WiFi

Gathers information from the device

Opens random links in the browser

Uploads the entire content of your SD card

Uploads arbitrary files and folders to the master server

Uploads all of your SMS messages

Deletes all of your SMS messages

Uploads all of your contacts, photos, and coordinates to the master

 

Once installed and executed on Android, the malicious app lists the running processes on your device and restarts them in the foreground to make it look like it’s doing what it’s designed to do. In the background, however, the app downloads three files (autorun.inf, folder.ico, and svchosts.exe) to the root of your SD card. When the Smartphone is connected to a Windows computer in USB drive emulation mode, the svchosts.exe file (Backdoor. MSIL. Ssucl. a) Is automatically executed on your PC.

 

The Windows part of the malware is not particularly sophisticated, but it is capable of taking control of the microphone to record your. It then encrypts all its recordings and sends them back to the attacker. How the malware authors are expecting this threat to spread:

 

Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware. At the same time, doing this using a Smartphone and then waiting for the Smartphone to connect to a PC is a completely new attack vector. In the current versions of Microsoft Windows, the AutoRun feature is disabled by default for external drives; however, not all users have migrated to modern operating systems. It is those users who use outdated OS versions that are targeted by this attack vector.

 

Thus, a typical attack victim is the owner of an inexpensive Android Smartphone who connects his or her Smartphone to a PC from time to time, for example, to change the music files on the device. Judging by the sales statistics for Android Smartphones, I would say that such people are quite numerous. For the attack to be more successful, it only lacks a broader distribution scheme.

 

The fact this threat was distributed on Google Play is worrying but not unheard of. While I usually recommend sticking to Google Play to avoid the larger majority of Android threats, in this case the best advice is to only download apps with high download numbers and from trusted developers.

In short, this malware threat isn’t one that you will likely be hit with, but it is very interesting to see the way Android malware is evolving.

 

Hi Maurizio.

 

😃
@ wrote:

Well that sucks.

 

Still, I blame Java. :D

Same here.... Sucks how I have to have it for 2 jobs I got 😞 Wish places would stop using java and use standard stuff. 

 

But convincing companies to switch is like trying to get a fat kid out of golden corral.... just aint happenin' 😞 They cling to thier old java crap like I do to cats... but cats are much better to cling to. I think they should cling to a cat instead.

Reply