Bogus cleaning apps on Google Play install backdoor on PCs

Malicious Android apps able to infect and set up a backdoor on PCs running pre-Windows 7 operating systems have been recently spotted by researchers of several security companies.

Both Kaspersky Lab and McAfee spotted two fake “cleaner” apps by the name of “DroidCleaner” and “SuperClean,” offered by a developer named “Smart.Apps” on Google Play.

Once installed, these apps would fake the cleaning up of the Android system (browser cache cleaning, optimizing network settings, and so on), but in the background they would establish communication with a remote C&C server, allowing the crooks behind this attack to do any of the following things:

  • Harvest device and network information, as well as more personal information such as that contained in contacts, SMS messages, installed apps and more
  • Send and delete SMS messages
  • Map the contents of the device’s SD card for future upload to the server
  • Execute shell commands
  • Reboot the device
  • Launching other apps without user consent
  • Set call forwarding and change the ringer mode
  • Enable Wi-Fi
  • Open arbitrary links in a browser
  • Steal passwords for Google and Dropbox accounts by randomly showing fake login interfaces
  • Download three files – autorun.inf, folder.ico, and svchost.exe from the remote server and place them in the root directory of the SD card so that once the device is connected to a PC, the system automatically executes the svchosts.exe file.

Kaspersky researchers analyzed the file in question, and it turns out to be backdoor Backdoor.MSIL.Ssucl.a – an unsophisticated piece of malware that can execute a number of commands sent by the master. Among them is the ability to write audio data as soon as the PC microphone detects sounds, then encrypt and send the data to the server.

The number of Android devices compromised by these apps is rather low, and the apps themselves (as well as their “developer”) have been booted out of Google Play. Still, there might be still undiscovered ones on the market, so be careful.

“Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware. At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector,” Kaspersky researchers pointed out.

“It is worth noting that the approach used by the author of these applications is very well thought out. This is the first time we have seen such an extensive feature set in one mobile application.”

Don't miss