Both Kaspersky Lab and McAfee spotted two fake "cleaner" apps by the name of "DroidCleaner" and "SuperClean," offered by a developer named "Smart.Apps" on Google Play.
Once installed, these apps would fake the cleaning up of the Android system (browser cache cleaning, optimizing network settings, and so on), but in the background they would establish communication with a remote C&C server, allowing the crooks behind this attack to do any of the following things:
- Harvest device and network information, as well as more personal information such as that contained in contacts, SMS messages, installed apps and more
- Send and delete SMS messages
- Map the contents of the device's SD card for future upload to the server
- Execute shell commands
- Reboot the device
- Launching other apps without user consent
- Set call forwarding and change the ringer mode
- Enable Wi-Fi
- Open arbitrary links in a browser
- Steal passwords for Google and Dropbox accounts by randomly showing fake login interfaces
- Download three files - autorun.inf, folder.ico, and svchost.exe from the remote server and place them in the root directory of the SD card so that once the device is connected to a PC, the system automatically executes the svchosts.exe file.
The number of Android devices compromised by these apps is rather low, and the apps themselves (as well as their "developer") have been booted out of Google Play. Still, there might be still undiscovered ones on the market, so be careful.
"Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware. At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector," Kaspersky researchers pointed out.
"It is worth noting that the approach used by the author of these applications is very well thought out. This is the first time we have seen such an extensive feature set in one mobile application."