The development of Android malware recently reached a new milestone. The Android malware Android.Backdoor.Ssucl.A can use some Android mobile devices to attack Windows PCs as soon as the infected device is connected to the PC via USB cable. It also includes a number of remotely controlled functions that turn the mobile device into a mindless zombie.
At the end of January, malware experts found the first versions of Ssucl.A on the Internet. Among other places, the malware was found in the Play Store, Google's official Android app store, as well as in third-party markets.
Older Android devices in particular often suffer from insufficient memory. Many users of older devices therefore look for a remedy and turn to various kinds of optimisation software. The malware authors took advantage of this and disguised their malware as such a program, which only pretended to be useful. In this way, the app infected with Ssucl.A was downloaded at least a thousand times from the Google Play Store alone. In a third-party market, the malware was offered in an app called "SuperClean", a free application for cleaning the system to free up space.
Experts at the G Data SecurityLabs analysed several samples of the malware code, for example, the file with the SHA256 hash value 7b1746778d0196bf01251fd1cf5110a2ef41d707dc7c67734550dbdf3e577bb9.
The analysis of this sample showed that the malware enables the attackers to execute a whole range of functions on the infected device:
The above-mentioned option to make calls to any number carries more risk than is obvious at first glance. The phone's dial function can be used to execute control codes intended for functions such as (de)activating voice mail, prepaid balance enquiries etc. On some devices the attackers can even use these codes to restart the device, restore the factory settings or permanently damage the SIM card in the phone. G Data's free USSD Filter, which is available in the Google Play Store, provides protection against this. For more information on this subject, see the G Data USSD info page (German).
As described above, the malware can download files when instructed to do so by the attacker. The analysed malware code downloaded three files to the infected mobile device: autorun.inf, folder.ico and svchosts.exe.
The .ico file is an icon that Windows Explorer displays to the user for the "drive" that is presented. An autorun.inf file specifies which actions are to be executed automatically (in this case the installation of PC malware) as soon as a data medium (in this case the infected mobile device) is made available to the Windows PC.
If the device with the downloaded files is now connected to a Windows PC via USB cable, and the Autorun function is enabled on that PC, Windows mounts the device as an external drive and its autostart function executes the svchosts.exe file downloaded to the device, thus infecting the Windows PC.
Thankfully, however, this does not work with every device. Mobile devices that use the Media Transfer Protocol (MTP for short) no longer expose their internal memory as an external mass storage device, so the attackers cannot use them to transfer this malware. Even here, however, there is a risk that a user could accidentally execute the Windows malware provided by Ssucl.A when he or she sees the files in Windows Explorer.
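As an added example that is not part of the original G Data post: a small Python check a defender could run against the root of a mounted removable drive to spot the pattern described above, namely an autorun.inf whose open= (or shellexecute=) entry launches an executable, a program name imitating a Windows system binary (svchosts.exe next to the genuine svchost.exe), and a custom icon that makes the drive look like an ordinary folder. The sample autorun.inf content is constructed; the post names only the three dropped files.

```python
import configparser
import re
from pathlib import Path

# Constructed sample: what an autorun.inf dropped next to folder.ico and
# svchosts.exe might contain (assumed content; the post names only the files).
SAMPLE_AUTORUN_INF = """\
[autorun]
icon=folder.ico
open=svchosts.exe
"""

# Extensions that Windows Autorun will launch through open= / shellexecute=
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# Genuine Windows binaries whose names droppers imitate (svchost -> svchosts.exe)
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "explorer", "winlogon", "services")

def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section (keys lower-cased)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:          # not an INI-shaped file at all
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":  # section name is case-insensitive
            return {k.lower(): v.strip() for k, v in parser.items(section)}
    return {}

def assess_autorun(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    entries = parse_autorun(text)
    findings = []
    for key in ("open", "shellexecute"):
        if key not in entries:
            continue
        program = (entries[key].strip('"').split() or [""])[0]  # drop arguments
        stem, ext = Path(program).stem.lower(), Path(program).suffix.lower()
        if ext in EXEC_EXT:
            findings.append(f"{key}= launches executable '{program}'")
        for name in SYSTEM_NAMES:
            if re.fullmatch(name + r"\w{0,2}", stem):
                findings.append(f"'{program}' is named after the Windows binary {name}.exe")
    if findings and "icon" in entries:
        findings.append("custom icon set, drive would look like an ordinary folder")
    return findings

def scan_drive_root(root):
    """Check the autorun.inf at the root of a mounted drive, if one exists."""
    inf = Path(root) / "autorun.inf"
    return assess_autorun(inf.read_text(errors="replace")) if inf.is_file() else []
```

Disabling Autorun on the PC (or using a device that exposes itself via MTP only) removes the automatic execution path; this check only helps spot such a drive before a user double-clicks the files by hand.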
Your device manual or the manufacturer's website can often tell you whether your mobile device uses the Media Transfer Protocol. However, manufacturers sometimes describe MTP without mentioning it by name.
The PC malware is typical bot-style malware. Once started, it first creates an autostart entry in the registry so that it becomes active again when the PC is restarted. It then connects to a C&C server and transfers some general information about the user, for example the user name and computer name; the communication with the server is encrypted with AES. However, the AES key is included in plain text in the malware file, so it can easily be read out. As is typical for a bot, it then waits for a command from the server.
What sets this malware apart from other malware, however, is its hard-coded "listening function", which uses a microphone connected to the computer. As soon as the noise level in the microphone's surroundings exceeds a certain threshold, audio recording is started and the recording is subsequently uploaded to a server in encrypted form.
In addition to this, the malware also has functions for creating screenshots and stealing user data from popular browsers like Firefox or Chrome.
In general, the attack on Windows PCs that the malware authors use in Ssucl.A is nothing new. However, this is the first case in which the Android operating system acts as the infector. In 2005, the malware "Cardtrap" for the Symbian mobile operating system used the same trick to infect Windows machines.
G Data has long been warning computer users about the risks of infection through an activated Windows Autorun function. The monthly G Data MII statistics regularly feature Autorun malware, and this type of malware has been among the top 10 risks for quite some time! So far, distribution has mainly been limited to data media like CDs, DVDs or USB sticks.
However, with the lasting success of Android mobile devices and their resulting appeal to attackers, attackers will now also turn to mobile devices as PC infection vectors. For more details and analyses regarding Android, see the G Data MalwareReport for the second half of 2012.