
Symantec uncovers malware that uses Windows to infect Android devices

Malware authors shift to targeting Android as its popularity grows
Thu Jan 23 2014, 15:22

SECURITY FIRM Symantec has discovered a form of Windows malware that infects Android devices, as opposed to more established forms that work the other way around.

"We've seen Android malware that attempts to infect Windows systems before," the firm said in a post on its company blog. "Interestingly, we recently came across something that works the other way round: a Windows threat that attempts to infect Android devices."

Symantec said that it's more common to see Android malware that attempts to infect Windows systems. A common piece of malware called "Android.Claco" is an example of this. It downloads a malicious PE file along with an autorun.inf file and places them in the root directory of the SD card. When the compromised mobile device is connected to a computer in USB mode, and if the Autorun feature is enabled on the computer, Windows will automatically execute the malicious PE file.

However, the recently discovered Windows malware that infects Android starts with a Trojan named Trojan.Droidpak. This works by dropping a malicious DLL (Trojan.Droidpak) and registering it as a system service. It then parses the configuration file in order to download a malicious APK to the compromised computer.

Next, it installs an Android Debug Bridge (ADB) command line tool and uses a command to install the malicious APK to any Android devices connected to the compromised computer.

"The installation is attempted repeatedly in order to ensure a mobile device is infected when connected," Symantec explained. "Successful installation also requires the USB debugging Mode is enabled on the Android device.

"However, the malicious APK actually looks for certain Korean online banking applications on the compromised device and, if found, prompts users to delete them and install malicious versions," Symantec added.

The malicious APK is a variant of Android.Fakebank.B and poses as an app from the Google Play store. Android.Fakebank.B also intercepts SMS messages on the compromised device.

Symantec advised users to turn off USB debugging on Android devices when it's not in use to avoid falling victim to this new infection vector.
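
On the Windows side, the behaviour described above (a service-registered DLL repeatedly running an ADB install command) can be hunted for in process-creation logs. The Python below is an added example, not code from Symantec or the original article; the event fields, sample log rows, list of service-host parents and thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Processes that host Windows services. Treating adb launched from them as
# unusual is an assumption of this example, not a detail from Symantec's post.
SERVICE_PARENTS = {"services.exe", "svchost.exe", "rundll32.exe"}
APK_RE = re.compile(r'([^\\/\s"]+\.apk)"?(?:\s|$)', re.I)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def adb_install_target(event):
    """Return the APK file name if the event is an `adb install`, else None."""
    if basename(event["image"]) != "adb.exe":
        return None
    if "install" not in event["cmdline"].lower().split()[1:]:
        return None
    match = APK_RE.search(event["cmdline"])
    return match.group(1).lower() if match else None

def find_repeated_installs(events, min_attempts=3, window=600):
    """Flag (host, apk) pairs pushed repeatedly by a service-hosted parent."""
    attempts = defaultdict(list)
    for e in events:
        apk = adb_install_target(e)
        if apk and basename(e["parent"]) in SERVICE_PARENTS:
            attempts[(e["host"], apk)].append(e["ts"])
    alerts = []
    for key, stamps in attempts.items():
        stamps.sort()
        # Alert when min_attempts installs fall inside `window` seconds.
        if any(stamps[i + min_attempts - 1] - stamps[i] <= window
               for i in range(len(stamps) - min_attempts + 1)):
            alerts.append(key)
    return sorted(alerts)

# Constructed process-creation rows (ts, host, cmdline, parent); all names are made up.
ADB = r"C:\ProgramData\tools\adb.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
STUDIO = r"C:\Program Files\Android\Android Studio\bin\studio64.exe"
PUSH = r"adb.exe install C:\ProgramData\tools\update.apk"
ROWS = ([(t, "dev-01", r"adb.exe install -r C:\src\app-debug.apk", STUDIO) for t in (0, 30, 60)]
        + [(t, "pc-02", PUSH, SVCHOST) for t in (100, 160, 220)]
        + [(400, "pc-02", "adb.exe devices", SVCHOST), (500, "pc-03", PUSH, SVCHOST)])
SAMPLE_EVENTS = [dict(ts=t, host=h, image=ADB, cmdline=c, parent=p) for t, h, c, p in ROWS]
```

Matching on the image name alone misses a renamed adb binary, so this is one signal to use alongside keeping USB debugging switched off.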

"Exercise caution when connecting your mobile device to untrustworthy computers [and] install reputable security software," the firm warned.

It seems that Windows is rapidly going out of style even among malware authors, who apparently are starting to target Android instead. µ

