SuperClean Android Malware that can infect your PC (Feb 21, 2013)
Dell SonicWALL Threats Research Team received reports of SuperClean Android Malware that can execute a host of commands once it infects the device, but this Malware has a more sinister purpose that makes it unique. This Malware is one of the first of its kind to have capabilities to infect Windows machine if the infected mobile device is connected to it via USB. The Malware on the phone downloads and drops a different Malware on the Windows machine and infects it, thus effectively converting the phone into a Malware Dropper. Additionally both the Malwares have a huge arsenal of commands which they can receive from the Command & Control (C&C) server and execute.
Infection Cycle
The Malware disguises itself in the form of a ‘useful’ app and has been reported to be present on Google Play in the past with the name ‘Superclean’ made by Smart.Apps. Strangely enough it received good reviews for the time it was available for download. The app claims to clean up the system and make the device run faster, there is an abundance of such cleaner apps on Google Play indicating a cleverly chosen disguise.
In an ideal case the first stage of infection is when the malicious app gets installed on the users mobile device through Google Play. The second stage of infection is when the user connects the infected mobile device to his home/business computer and a new Malware gets dropped on the connected machine thereby infecting it. During installation the following permissions are requested:
- Receive_Boot_Completed
- Internet
- Read_SMS
- Receive_SMS
- Send_SMS
- Write_SMS
- Call_Phone
- Get_Accounts
- Access_Wifi_State
- Change_Wifi_State
- Access_Network_State
- Reboot
- Read_Contacts
- Kill_Background_Processes
- Write_External_Storage
- Read_Phone_State
- Access_Fine_Location
The fact that a simple memory cleaner requires permissions to read contacts, access location and SMS should raise suspicion in the minds of users before granting these permissions. Upon installation the app appears in the App drawer as:
When the app is clicked the user sees the following screen:
This indicates that the memory has been optimized to improve the phones performance but in reality the app just lists the processes which are currently active on the device and simply restarts them. The app then tries to connect to claco.kicks-ass.net and announces the successful installation on a device. The app sends this announcement in the following format:
|NEW_HELLOW| app version + Google account registered to the device + port|/NEW_HELLOW/|
The attacker can now execute a host of commands on the device through this Malware. We found the Malware to be equipped with nearly 25 different commands, few of the more intrusive ones are listed below:
- get_packages – Get a list of installed packages on the device
- wifi – Toggle WiFi on or off
- get_sms – Retrieve and forward all SMS’s on the device to the attacker
- ringer – Set the ringer to ‘normal’ or ‘silent’
- get_pics – Retrieve all pictures on the device and forward to the attacker
- get_contacts – Retrieve all contacts on the device and forward to the attacker
- forward – Enable call forwarding to a number specified by the attacker
- start_track and stop_track – Track the location of the device via GPS
- device – Reboot the device
The command and functionality that distinguishes this Malware from the rest of Android Malwares is usb_autorun_attack. Upon receiving this command the Malware tries to download three files from claco.hopto.org:
These three files are stored on /mnt/sdcard/ of the device. Android users connect their phones to computers for many reasons, primary being transferring media files like photos, music and movies from the phone to the computer and vice versa. When the mobile device is connected to the computer in USB drive emulation mode svchosts.exe is automatically executed on the computer via autorun.inf provided AutoRun feature on the machine is enabled.
The dropped executable svchosts.exe [detected as GAV:MSIL.RCD (Trojan)] is capable of receiving and executing commands from the C&C. Upon execution it drops the following file on the system:
- %WINDOWS%system32svchost.exe (copy of itself)
It makes the following changes to the registry to ensure that it runs each time the machine starts :
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun “%WINDOWS%system32svchost.exe”
It makes the following changes to the registry in order to bypass firewalls:
- HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZonemapProxyBypass=”1″
- HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZonemapIntranetName=”1″
- HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZonemapUNCAsIntranet=”1″
Once executed this Malware announces its presence to the same server and uses almost the same format:
|NEW_HELLOW| username + machine name + port + build |/NEW_HELLOW/|
This Malware, similar to the Android malware that downloaded it, is capable of executing a number of commands on the infected machines. Again we list a few commands from the entire roster of around 36 commands coded into the executable:
- |GET_DRIVES| – Get information about all the drives on the system
- |GET_FILES| – Get specified files from the system
- |_EXE_CUTE_| – Execute a specific command on the system
- |CR_ACCOUNT| – Create a user account on the system
- |SCREEN_CAP| – Take a screenshot of the Desktop
- |FIREFOXDAT| & |CHROMEDATA| – Get user data saved by these browsers on the system
- |RECORD_STR| & |RECORD_STP| – Record from the microphone of the users system
The information collected by both the Malwares is sent to the attacker over FTP to claco.hopto.org. We observed a good chunk of the Windows Malware to have modules from NAudio which is an open source audio library. These modules are useful for the recording functionality of the Malware.
As we saw, both the Malwares involved here have significant capabilities to gather sensitive information about the user through his phone as well as his computer thereby exposing a wealth of information for the attacker.
Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures: