Remember the good old days when malware only threatened the operating system it was infecting? Times have changed: attackers have found a devious way to infect Android devices by first targeting the Windows operating system. The concept is that when an Android device is connected to an infected Windows computer, the Trojan installs mobile banking malware on the connected phone.
This is a new way of spreading malware on Android, as the most commonly used methods are social engineering or fake apps hosted on third-party markets.
Symantec researcher Flora Liu, said in a blog post that “We’ve seen Android malware that attempts to infect Windows systems before. Android.Claco, for instance, downloads a malicious PE [portable executable] file along with an autorun.inf file and places them in the root directory of the SD card. When the compromised mobile device is connected to a computer in USB mode, and if the AutoRun feature is enabled on the computer, Windows will automatically execute the malicious PE file.”
“Interestingly, we recently came across something that works the other way round: a Windows threat that attempts to infect Android devices.”
The latest threat discovered is called Trojan.Droidpak. It drops a malicious DLL (also detected as Trojan.Droidpak) on a Windows computer and registers it as a system service, so that it remains active across reboots.
Once the Trojan is present on a computer, it downloads a configuration file from a remote server, which in turn leads it to download a malicious Android package called AV-cdk.apk. It also downloads the Android Debug Bridge (ADB), the tool needed to execute commands on an Android device that is connected to the PC.
The Trojan then executes the command “adb.exe install AV-cdk.apk” repeatedly, so that whenever an Android device is connected to the infected computer, the AV-cdk.apk file is silently installed on the device.
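The infection chain described above (a DLL running as a Windows service, a dropped copy of adb.exe, and a repeated “adb.exe install” command) is a pattern a defender can look for in process-creation telemetry. The following script is an added example written for this article, not code from Symantec or from the article's author. It runs over a handful of constructed, Sysmon-style process-creation records and flags adb.exe install activity that is (a) launched from a service context, (b) run from a location outside the Android SDK, and (c) repeated in a short burst. The SDK path, the parent-process names and the thresholds are assumptions to tune for your environment; the single developer-driven install in the sample is left alone.

```python
"""Flag Droidpak-style 'adb.exe install' activity in process-creation logs.

Added example (not the article's or Symantec's code). The log records below
are constructed for this example; the timestamps, hosts and paths are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records: time | parent image | image | command line
SAMPLE_LOG = """\
2014-01-22T09:00:01 | C:\\Windows\\System32\\services.exe | C:\\Windows\\System32\\svchost.exe | svchost.exe -k netsvcs
2014-01-22T09:00:05 | C:\\Windows\\System32\\svchost.exe | C:\\ProgramData\\upd\\adb.exe | adb.exe install AV-cdk.apk
2014-01-22T09:00:35 | C:\\Windows\\System32\\svchost.exe | C:\\ProgramData\\upd\\adb.exe | adb.exe install AV-cdk.apk
2014-01-22T09:01:05 | C:\\Windows\\System32\\svchost.exe | C:\\ProgramData\\upd\\adb.exe | adb.exe install AV-cdk.apk
2014-01-22T10:15:00 | C:\\Windows\\explorer.exe | C:\\Users\\dev\\AppData\\Local\\Android\\Sdk\\platform-tools\\adb.exe | adb.exe install app-debug.apk
2014-01-22T10:20:00 | C:\\Windows\\explorer.exe | C:\\Users\\dev\\AppData\\Local\\Android\\Sdk\\platform-tools\\adb.exe | adb.exe devices
"""

# Assumptions for this example: where adb.exe legitimately lives, which parents
# mean "service context" (the article notes the DLL is registered as a service),
# and how many repeats in how short a window count as a burst.
KNOWN_SDK_DIRS = ("\\android\\sdk\\platform-tools\\",)
SERVICE_PARENTS = ("services.exe", "svchost.exe")
REPEAT_THRESHOLD = 3
REPEAT_WINDOW = timedelta(minutes=5)
MIN_INDICATORS = 2  # require two independent indicators before alerting


def parse_line(line: str) -> Dict[str, object]:
    """Split one 'time | parent | image | cmdline' record into fields."""
    ts, parent, image, cmdline = [f.strip() for f in line.split("|", 3)]
    return {"time": datetime.fromisoformat(ts), "parent": parent,
            "image": image, "cmdline": cmdline}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_adb_install(rec: Dict[str, object]) -> bool:
    """True when the image is adb.exe and the command line carries 'install'."""
    return (basename(rec["image"]) == "adb.exe"
            and re.search(r"\binstall\b", rec["cmdline"], re.IGNORECASE) is not None)


def find_suspicious_adb_installs(log_text: str) -> List[Dict[str, object]]:
    """Group adb install events by (image, command line) and score each group."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    groups = defaultdict(list)
    for rec in records:
        if is_adb_install(rec):
            groups[(rec["image"], rec["cmdline"])].append(rec)

    findings = []
    for (image, cmdline), events in groups.items():
        events.sort(key=lambda r: r["time"])
        reasons = []
        if not any(d in image.lower() for d in KNOWN_SDK_DIRS):
            reasons.append("adb.exe outside known SDK directory")
        if any(basename(e["parent"]) in SERVICE_PARENTS for e in events):
            reasons.append("launched from a service context")
        # Sliding window: largest number of identical installs inside REPEAT_WINDOW
        max_burst = max(
            sum(1 for e in events[i:] if e["time"] - start["time"] <= REPEAT_WINDOW)
            for i, start in enumerate(events))
        if max_burst >= REPEAT_THRESHOLD:
            reasons.append(f"repeated {max_burst}x within {REPEAT_WINDOW}")
        if len(reasons) >= MIN_INDICATORS:
            findings.append({"image": image, "apk": cmdline.split()[-1],
                             "count": len(events), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_adb_installs(SAMPLE_LOG):
        print(f"{f['image']} installed {f['apk']} {f['count']}x: {', '.join(f['reasons'])}")
```

The group-then-score structure matters: a developer who runs adb once from an odd directory trips one indicator and stays quiet, while the service-launched, out-of-place, repeating install the article describes trips all three.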
The good news is that this malware has a limitation: it can only infect an Android device that has its “USB Debugging” setting enabled.
USB Debugging is commonly used by Android developers or those who wish to root their device and install a custom firmware.
Symantec has identified the malicious Android file being installed as Android.Fakebank.B, which tricks users into thinking it is an official Google Play application. It even uses the name “Google App Store” and the same icon.
Liu says that the malware targets online bankers in South Korea. “The malicious APK actually looks for certain Korean online banking applications on the compromised device and, if found, prompts users to delete them and install malicious versions. It also intercepts SMS messages received by the user and sends them to a remote server.”
One of the best methods to protect against this malware is to turn off USB Debugging when not needed.