Early last year I commented on the possible evolution of what the AV industry terms “cross-platform malware”. That is, malware that infects both a mobile platform and a desktop platform such as Windows at the same time. The reason I believed this would happen was that malware authors needed to find novel ways of infecting mobile devices more rapidly, and one way to do that was to infect a Windows machine (Windows being the most used operating system in the world). Another might be to hijack a legitimate Google Android app and exploit wireless and USB synchronisation.
It is this latter route that appeared last month on Google Play (see bootnote), where a legitimate Android cache-cleaning app was hijacked and used to deliver what we in the industry refer to as a “USB Autorun Attack” – this relies on the AutoPlay feature you see when you insert a CD/DVD or connect a device via USB on Windows platforms. What was different about this one was that it delivered an svhosts.exe* file to a Windows machine once the user had connected their Android device via USB (you can have more than one instance of svhosts running services/applications by default on your Windows machine). It is this multiplicity of svhosts instances that is where the Windows problem lies. Why?
Malware authors can inject a backdoor into an svhosts file, which allows cyber criminals to access your Windows machine and download a malicious file to steal your sensitive data or capture keystrokes (a keylogger) as you access your online bank account. This information is normally encrypted and sent to a Command & Control (C&C) server in locations such as Ukraine, Russia or China.
*svhosts doesn’t use .exe to load files; it uses .dll instead.
As for the Android infection path, this was achieved by storing the Autorun and pre-installation files in the root of the SD card. It’s also possible that malware authors could store these files in, say, the “miscellaneous files” folder (or any other non-system Android folder) in device memory if no SD card was present on the Android device. Once you connected your Android device to Windows, svhosts.exe would be executed automatically. This attack vector would not work, though, if the user is running Windows XP/Vista with the Feb 2011 “AutoRun disabled by default” patch. It isn’t known right now just how many users are running XP/Vista without this patch – probably a high percentage, given this patch was not an automatic install! Check out http://support.microsoft.com/kb/971029 on how to download and install this patch.
On a more positive note, Microsoft did fix this issue in Windows 7 and 8 by disabling the AutoRun feature by default. It is also worth noting that Win32/Autorun remains among the most prevalent malware families on Windows platforms to date. I’m sure malware authors will look for workarounds here and with wireless synchronising.
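As an added example (my own, not code from the original post or from any vendor), here is a PowerShell check a Windows administrator can run to confirm the defences described above: that KB971029 is installed on XP/Vista (or that the host is Windows 7 or later, where the fix is built in), that AutoRun is disabled by policy, and that no removable drive currently carries an autorun.inf with a launch directive in its root, which is where the dropper placed it. The registry key, value name and KB number are Microsoft’s; the function names, and the assumption that the Android device shows up as a removable logical disk (USB mass storage mode rather than MTP), are this example’s.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# prompt on the Windows host. Function names are this example's own; the
# registry path, value name and KB number are Microsoft's.

function Test-AutoRunPatch {
    # KB971029 is the Feb 2011 update for XP/Vista that stops AutoPlay from
    # honouring autorun.inf on non-optical media. Windows 7 and later ship
    # with that behaviour, so the hotfix will not be listed there.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $parts = $os.Version.Split('.')
    $major = [int]$parts[0]
    $minor = [int]$parts[1]
    $builtIn = ($major -gt 6) -or ($major -eq 6 -and $minor -ge 1)   # 6.1 = Windows 7
    $hotfix  = Get-HotFix -Id 'KB971029' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OSVersion     = $os.Version
        BuiltInFix    = $builtIn
        KB971029Found = [bool]$hotfix
        Protected     = $builtIn -or [bool]$hotfix
    }
}

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is
    # disabled; 0xFF (255) disables it for every drive type. The machine-wide
    # (HKLM) value takes precedence over the per-user (HKCU) value.
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$subKey"
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        [pscustomobject]@{
            Hive               = $hive
            NoDriveTypeAutoRun = $value
            AllDrivesDisabled  = ($value -eq 0xFF)
        }
    }
}

function Find-RemovableAutorunInf {
    # Enumerate removable drives (DriveType 2: USB sticks, SD cards, and an
    # Android device exposing its storage as a disk) and parse the autorun.inf
    # at the root. Only keys in the [autorun] section that can launch a
    # program (open, shellexecute, shell\<verb>\command) are reported.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $drives) {
        $inf = Join-Path $drive.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $inSection = $false
        foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
            $trimmed = $line.Trim()
            if ($trimmed -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
            if (-not $inSection) { continue }
            if ($trimmed -match '^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$') {
                [pscustomobject]@{
                    Drive  = $drive.DeviceID
                    Key    = $Matches[1]
                    Target = $Matches[2]
                }
            }
        }
    }
}

# Usage
Test-AutoRunPatch | Format-List
Get-AutoRunPolicy | Format-Table -AutoSize
$hits = Find-RemovableAutorunInf
if ($hits) {
    Write-Warning 'autorun.inf with a launch directive found on removable media:'
    $hits | Format-Table -AutoSize
} else {
    'No launching autorun.inf found on removable drives.'
}
```

A device connected in MTP mode is not a logical disk and will not be enumerated by the third function; the attack described in the post depends on the device (or its SD card) being mounted as mass storage. Setting NoDriveTypeAutoRun to 0xFF under HKLM is the policy equivalent of the KB971029 behaviour and works on every Windows version the post mentions.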
Further reading – How to disable the Windows Autorun malware threat
Bootnote: Google uses Bouncer to cloud-scan apps before they are released to the Play Store. Android 4.2 also has a function called ‘Verify apps’ – this is Google’s answer to anti-virus protection – well, not quite. It disallows, or warns users before, installation of potentially malicious Play Store and third-party market apps. This option is checked by default. Note: Recent research from a researcher we know well suggested ‘Verify apps’ only detected 15% of known malware. Given this research, it’s even more important that you also use a mobile security solution to protect your Android device.
Safe surfing folks!