Some in the media (and in my security circle) claim that USB Cleaver is a repackaged hacking tool, which is capable of stealing information from a connected (USB) Windows 2000 and above computer. Let us clarify – USB Cleaver is a “password recovery” tool, not a hacking tool.
There are many PC-based password recovery tools (that are classified as Trojans, which shouldn’t be) available including some I use from Nirsoft (no promotions on this blog please 🙂 ). USB Cleaver isn’t new, as it has been around since May 2012. The developer of the app can also be found on XDA.
Once the app is installed (I installed on a Samsung S3 running 4.1.2), it downloads a ZIP file (2 packets) tools from a remote server (IP: 188.8.131.52) and then unpackages to /mnt/sdcard/usbcleaver/system folder. This app is designed to capture browser passwords from Firefox, Chrome and Internet Explorer, a PC Wi-Fi password, network data (IP addresses), LSA secrets and more. It requires permission to Storage; network communication (full and view) as well as Development tools.
When you connect your Android device via USB (with the app running) to a Windows 2000 and above computer /mnt/sdcard is mounted, but only if Autorun.inf is enabled (older Windows systems require mobile drivers for this app to work). Read more about AutoRun.
The go.bat and payload* will be executed. The app allows the user to select the type of information that would be collected (not harvested). The results of the “password recovery” is saved to /mnt/sdcard/usbcleaver/logs. You can view the captured passwords by clicking “Log files” inside the app. In my opinion, you would use this app if you have lost your credentials and or wanted to explore your Windows-based system.
*Payload dumps systems information; IE passwords; Chrome passwords; Firefox passwords and WiFI passwords
Note: Symantec are classifying the app as a Trojan: com.novaspirit.usbcleaver. I suggest you visit this page, so you can make up your mind as to whether you need to install this app.
Safe surfing folks!