Malware found in the Google Play store does more than the usual damage to an Android device: it adds a twist that turns the smartphone into a carrier for PC malware.
The “Superclean” application and its twin “DroidCleaner” present themselves as phone clean-up applications that will boost your smartphone’s performance by clearing out old data, said researchers at Kaspersky.
All the “cleaners” visibly do when they run is list the running services and then restart each application on the phone. Behind the scenes, however, much more is going on: the app quietly downloads three files and saves them as “autorun.inf,” “folder.ico” and “svchosts.exe” in the root directory of the SD card. The phone is then ready to infect any PC it is plugged into in USB drive emulation mode, where autorun would launch “svchosts.exe”. In current versions of Windows, though, autorun remains disabled, so the attack should only be a threat to users running older, unpatched operating system versions.
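The SD-card layout described above is the classic autorun.inf pairing: an INI-style file in the drive root whose “open” or “shellexecute” key names a program to launch. The following is an added example for defenders, not code from the article or from Kaspersky: it parses an autorun.inf found in a mounted drive root, flags a launch target that is an executable sitting beside it, and decodes the Windows NoDriveTypeAutoRun policy bitmask that controls whether autorun applies to removable drives. The three file names come from the article; the file contents in the demo are constructed and inert, and the helper names are my own.

```python
"""Detect an autorun.inf / executable pairing in a removable drive root, and
decode the Windows NoDriveTypeAutoRun policy value (added example for defenders)."""
import configparser
import tempfile
from pathlib import Path

# File types an autorun.inf launch target should never point at on removable media.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# Keys in the [autorun] section that cause something to be run.
LAUNCH_KEYS = ("open", "shellexecute")

# Bits of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun.
DRIVE_REMOVABLE = 0x04   # USB sticks, SD cards and phones in mass-storage mode
DRIVE_CDROM = 0x20       # optical media
DISABLE_ALL = 0xFF


def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys ({} if absent/unparsable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:          # e.g. no section header at all
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def launch_targets(entries):
    """Programs the file would launch: first token of the 'open' / 'shellexecute' values."""
    targets = []
    for key in LAUNCH_KEYS:
        value = entries.get(key, "")
        if value:
            # The value may carry arguments ('"prog.exe" /q'); the program is the first token.
            raw = value.split()[0].strip('"')
            targets.append(Path(raw.replace("\\", "/")).name)
    return targets


def scan_drive_root(root):
    """Flag an autorun.inf whose launch target is an executable in the same root."""
    root = Path(root)
    inf = root / "autorun.inf"
    findings = []
    if not inf.is_file():
        return findings
    entries = parse_autorun(inf.read_text(errors="replace"))
    for name in launch_targets(entries):
        candidate = root / name
        if candidate.suffix.lower() in EXECUTABLE_SUFFIXES:
            findings.append({
                "target": name,
                "present": candidate.is_file(),     # the payload is actually on the drive
                "icon": entries.get("icon"),        # disguise icon, if any
            })
    return findings


def autorun_disabled_for_removable(no_drive_type_autorun):
    """True when the policy bitmask covers removable drives (0xFF covers every type)."""
    return bool(no_drive_type_autorun & DRIVE_REMOVABLE)


def demo():
    """Constructed sample: the three-file layout named in the article, in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "autorun.inf").write_text("[autorun]\nOPEN=svchosts.exe\nicon=folder.ico\n")
        (root / "svchosts.exe").write_bytes(b"placeholder bytes, not a real program")
        (root / "folder.ico").write_bytes(b"")
        return scan_drive_root(root)


if __name__ == "__main__":
    for finding in demo():
        print("suspicious autorun launch target:", finding)
    print("policy 0x91 disables removable-drive autorun:",
          autorun_disabled_for_removable(0x91))
```

Point `scan_drive_root` at a mounted drive letter or mount point to check real media. On the policy side, `0x91` (the common Windows default) does not cover removable drives, while `0xFF` does; Windows 7 and later, and older versions with the KB971029 update, ignore autorun.inf on USB storage regardless of this value, which is why the article limits the risk to older, unpatched systems.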
Kaspersky researchers said the svchosts.exe file was in fact what the company labels Backdoor.MSIL.Ssucl.a.
Ssucl.a is “not a particularly sophisticated piece of malware”. Using the free NAudio library, it sets itself up to monitor the default audio recording device and then listens in. When it hears audio, it automatically records it, encrypts it and uploads it to an FTP server.
The Android app itself offered numerous features for malware masters: for example, it could enable Wi-Fi, gather device information or open arbitrary links in the browser. SMS messages were particularly exposed, as the app could not only send them but also upload all received messages or delete them. Its information-stealing capabilities included uploading the contents of the SD card, or an arbitrary file or folder, to the master server, or uploading all the contacts, photos and coordinates on the phone to that server.
Google removed both apps from the Play store, but they may appear in other third-party app locations. Both apps had the signature functionality of malware, yet Google’s own defenses did not pick them up.