Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Windows Malware Attempts to Infect Android Devices

Created: 23 Jan 2014 07:14:03 GMT • Updated: 24 Jan 2014 23:46:26 GMT • Translations available: 日本語, Español
Flora Liu's picture
+3 3 Votes
Login to vote

We’ve seen Android malware that attempts to infect Windows systems before. Android.Claco, for instance, downloads a malicious PE file along with an autorun.inf file and places them in the root directory of the SD card. When the compromised mobile device is connected to a computer in USB mode, and if the AutoRun feature is enabled on the computer, Windows will automatically execute the malicious PE file.

Interestingly, we recently came across something that works the other way round: a Windows threat that attempts to infect Android devices.

The infection starts with a Trojan named Trojan.Droidpak. It drops a malicious DLL (also detected as Trojan.Droidpak) and registers it as a system service. This DLL then downloads a configuration file from the following remote server:

  • http://xia2.dy[REMOVED]s-web.com/iconfig.txt

It then parses the configuration file in order to download a malicious APK to the following location on the compromised computer:

  • %Windir%\CrainingApkConfig\AV-cdk.apk

The DLL may also download necessary tools such as Android Debug Bridge (ADB).

Next, it installs ADB and uses the command shown in Figure 1 to install the malicious APK to any Android devices connected to the compromised computer:

figure1_11.png

Figure 1. Command to install the malicious APK

The installation is attempted repeatedly in order to ensure a mobile device is infected when connected. Successful installation also requires the USB debugging Mode is enabled on the Android device.

The malicious APK is a variant of Android.Fakebank.B and poses as a Google App Store application.

figure2_10.png

Figure 2. Malicious APK posing as Google App Store

However, the malicious APK actually looks for certain Korean online banking applications on the compromised device and, if found, prompts users to delete them and install malicious versions. Android.Fakebank.B also intercepts SMS messages on the compromised device and sends them to the following location:

  • http://www.slmoney.co.kr[REMOVED]

figure3_6.png

Figure 3. Malicious APK code snippet

To avoid falling victim to this new infection vector, Symantec suggests users follow these best practices:

  • Turn off USB debugging on your Android device when you are not using it
  • Exercise caution when connecting your mobile device to untrustworthy computers
  • Install reputable security software, such as Norton Mobile Security
  • Visit the Symantec Mobile Security website for general safety tips