New Android Malware Uses PC Microphone to Record Victims

Kaspersky Lab claims it has discovered two apps on Google Play that are designed to infect PCs, not Android devices: Superclean and DroidCleaner from Smart Apps. The catch for infection is that the Android device must be connected to a PC in USB drive emulation mode so that the malware can be automatically installed in older versions of Windows.

According to the report, when the Android device owner runs one of the two apps (looking to speed up the mobile OS), it downloads three files onto the user's installed SD card: autorun.inf, folder.ico and svhosts.exe. Once the device is connected to the PC via USB, Windows will automatically execute the svhosts.exe file.

This file is actually the Backdoor.MSIL.Ssucl.a malware, and most of it is comprised of the freely-distributed NAUDIO library. This library is used to configure and monitor the default audio recording device to that when the microphone detects sound, it will start recording. The audio files are thus sent back to the malware author.


"Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware," said Kaspersky's Victor Chebyshev. "At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector. In the current versions of Microsoft Windows, the AutoRun feature is disabled by default for external drives; however, not all users have migrated to modern operating systems. It is those users who use outdated OS versions that are targeted by this attack vector."

The Android apps are just as devious. Chebyshev said they can send SMS messages, enable Wi-Fi, gather information about the device, open arbitrary links in a browser, upload the SD card's entire contents, and upload an arbitrary file (or folder) to the author's server. The apps can even upload SMS messages, delete all SMS messages, and upload the device's entire contact list, photos and coordinates to the malware author.

"A typical attack victim is the owner of an inexpensive Android smartphone who connects his or her smartphone to a PC from time to time, for example, to change the music files on the device. Judging by the sales statistics for Android smartphones, I would say that such people are quite numerous. For the attack to be more successful, it only lacks a broader distribution scheme," he said.

Chebyshev added that this was the first time Kaspersky had seen such an extensive feature set in one mobile application. Still, what will hackers do with audio captured by the microphone? Are they looking for verbalized passwords, bank account numbers and whatnot? Creepy.


Contact Us for News Tips, Corrections and Feedback

This thread is closed for comments
    Your comment
  • wemakeourfuture
    Thought Google stepped up their game on App approving, guess not.
  • Windows and Android users are proven masochists so they welcome this new malware.
  • So I am assuming the people that run these apps see the permission "This app can access your SMS etc... blah blah" and think that is NORMAL behavior for some type of "cleaning" app? lol... deez people. It is funny to see what the uninformed fall for.