
New Android Malware Uses PC Microphone to Record Victims

Source: Kaspersky Lab

This Android malware actually infects Windows-based PCs, taking control of the user's microphone.

Kaspersky Lab claims it has discovered two apps on Google Play that are designed to infect PCs, not Android devices: Superclean and DroidCleaner from Smart Apps. The catch for infection is that the Android device must be connected to a PC in USB drive emulation mode so that the malware can be automatically installed in older versions of Windows.

According to the report, when the Android device owner runs one of the two apps (looking to speed up the mobile OS), it downloads three files onto the user's installed SD card: autorun.inf, folder.ico and svhosts.exe. Once the device is connected to the PC via USB, Windows will automatically execute the svhosts.exe file.

This file is actually the Backdoor.MSIL.Ssucl.a malware, and most of it consists of the freely distributed NAudio library. The library is used to configure and monitor the default audio recording device so that when the microphone detects sound, it starts recording. The audio files are then sent back to the malware author.

Clever.

"Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware," said Kaspersky's Victor Chebyshev. "At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector. In the current versions of Microsoft Windows, the AutoRun feature is disabled by default for external drives; however, not all users have migrated to modern operating systems. It is those users who use outdated OS versions that are targeted by this attack vector."

The Android apps are just as devious. Chebyshev said they can send SMS messages, enable Wi-Fi, gather information about the device, open arbitrary links in a browser, upload the SD card's entire contents, and upload an arbitrary file (or folder) to the author's server. The apps can even upload SMS messages, delete all SMS messages, and upload the device's entire contact list, photos and coordinates to the malware author.

"A typical attack victim is the owner of an inexpensive Android smartphone who connects his or her smartphone to a PC from time to time, for example, to change the music files on the device. Judging by the sales statistics for Android smartphones, I would say that such people are quite numerous. For the attack to be more successful, it only lacks a broader distribution scheme," he said.

Chebyshev added that this was the first time Kaspersky had seen such an extensive feature set in one mobile application. Still, what will hackers do with audio captured by the microphone? Are they looking for verbalized passwords, bank account numbers and whatnot? Creepy.
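A defender can check a phone's SD card or any removable volume for the AutoRun drop described in this article before mounting it on an older Windows machine. The sketch below is an added example, not code from Kaspersky or the article: it parses the `[autorun]` section and reports launch entries that point at an executable on the same volume. The `autorun.inf` contents in `demo()` are constructed, since the report gives only the three file names, and the stand-in files are empty.

```python
import os
import tempfile

EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, tolerating junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def scan_volume(root):
    """Return (key, target, exists_on_volume) for each executable launch entry."""
    path = next((os.path.join(root, n) for n in os.listdir(root)
                 if n.lower() == "autorun.inf"), None)
    if path is None or os.path.isdir(path):
        return []  # absent, or a placeholder folder: nothing for AutoRun to read
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if not value or not (key in LAUNCH_KEYS or is_verb):
            continue
        # Take the program path, with or without surrounding quotes.
        target = value.split('"')[1] if value.startswith('"') else value.split()[0]
        if os.path.splitext(target)[1].lower() in EXEC_EXT:
            on_disk = os.path.join(root, target.replace("\\", os.sep))
            findings.append((key, target, os.path.exists(on_disk)))
    return findings

def demo():
    """Constructed volume layout using the three file names from the report."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nicon=folder.ico\nopen=svhosts.exe\n")  # constructed
    for name in ("folder.ico", "svhosts.exe"):
        open(os.path.join(root, name), "wb").close()  # empty stand-ins
    return scan_volume(root)

if __name__ == "__main__":
    print(demo())
```

Run it against the mount point of the device on a system where AutoRun for removable drives is already disabled; a non-empty result means the volume is set up to launch a program on connection.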

 

  • -6 Hide
    wemakeourfuture , February 5, 2013 5:52 PM
    Thought Google stepped up their game on App approving, guess not.
  • 0 Hide
    neodude007 , February 5, 2013 5:58 PM
    So I am assuming the people that run these apps see the permission "This app can access your SMS etc... blah blah" and think that is NORMAL behavior for some type of "cleaning" app? lol... deez people. It is funny to see what the uninformed fall for.
  • 0 Hide
    plasmastorm , February 5, 2013 6:23 PM
    "Windows and Android users are proven masochists so they welcome this new malware"
    yes..... we welcome it in the same way an apple fan welcomes an iphone/pad 's' a week after they buy the normal one lol
  • 7 Hide
    mightymaxio , February 5, 2013 8:01 PM
    Apple gets Malware too you know lol, Twit.TV was just talking how all these anti-virus companies are starting to offer protection for the mac and Ipad because they are big targets as well.
  • 6 Hide
    joytech22 , February 5, 2013 8:04 PM
    wemakeourfuture: Thought Google stepped up their game on App approving, guess not.


    They did, but the fact remains that idiots like to stray away from the safety of the Play Store and download third party markets which are riddled with malware.

    Play store is still somewhat vulnerable, but the rating and review system (As well as reporting apps) generally gives a user an idea before downloading what they are getting into.

    If the user proceeds anyway, its their own fault.
  • 2 Hide
    wemakeourfuture , February 5, 2013 8:36 PM
    joytech22: They did, but the fact remains that idiots like to stray away from the safety of the Play Store and download third party markets which are riddled with malware. Play store is still somewhat vulnerable, but the rating and review system (As well as reporting apps) generally gives a user an idea before downloading what they are getting into. If the user proceeds anyway, its their own fault.


    1. It's on Google Play store not a third party. No one should be surprised if someone downloads something from a third party app store and get malware, fact remains it was reported this was on Google Play.

    2. Ratings and reviews are not a replacement for Google to do their job in scanning, validating, and reviewing their apps. This should never have passed Google's review process to get into their App store. That's bad on them more so than the end user who has the expectation Google has decent screening and would not allow a malware infested app on their App store. Of course things can slip through the cracks, just seems to happen significantly more with Google than Apple and Apple has more apps.

    Conclusion: Google needs to enhance their screening process and cleanup their app store. There's more talk about malware on Google app store than all the other App stores combined (Apple, Windows, Rim, etc.) [of course the latter 2 have significantly less apps than Google but the former has more].
  • 0 Hide
    Anonymous , February 5, 2013 9:05 PM
    thats why i stay away from all this not so smart phone (unless your the hacker then they must love this tech) disaster waiting to happen if you ask me ... surly the people who make this tech knows how easy it to hack but they carry on selling this tech with out a care in the world lol i still say smart phones are more at risk than pc's are now, even more so as people seem to live their lives on them now.
  • 0 Hide
    dalethepcman , February 5, 2013 9:18 PM
    Do the author of this a favor and install this malware on every campus/library PC around and see how quickly he decides to abandon his effort's after receiving millions of sound bytes a day...
  • 2 Hide
    in_the_loop , February 5, 2013 10:37 PM
    Sorry, but this is no fault on Googles side.
    A person that actually is that stupid to just trust an app to put the device in USB-debugging mode and the let it connect to the PC (for what reason???) almost deserves to get infected.
    There are no security solutions for sheer stupidity!
  • 3 Hide
    Kami3k , February 6, 2013 12:10 AM
    stevevnicks: thats why i stay away from all this not so smart phone (unless your the hacker then they must love this tech) disaster waiting to happen if you ask me ... surly the people who make this tech knows how easy it to hack but they carry on selling this tech with out a care in the world lol i still say smart phones are more at risk than pc's are now, even more so as people seem to live their lives on them now.


    Given how poor your comment was typed, I have a feeling a smartphone would outsmart you.
  • 0 Hide
    virtualban , February 6, 2013 6:09 AM
    I don't trust anything with autoplay, mine or other people's.
    I always click on the little plus sign to expand, not doubleclicking. (yes, W7 too, thanks to ClassicShell).
    And when I can, I put a folder named "autorun.inf" and a file named "recycler" on removable drives of family members, and if by any chance I find autorun.inf is no longer a folder but a file instead, I declare the device infected, recover what I can, format, and put the folder again.
    Never had a virus coming from USB, old or new OS. Android devices as Usb drive will not change that.

    That old virus that made the phone behave as a keyboard when attached to the USB, that, on the other hand, I don't know how to counter.
  • 1 Hide
    wemakeourfuture , February 6, 2013 10:30 AM
    virtualban: I don't trust anything with autoplay, mine or other people's. I always click on the little plus sign to expand, not doubleclicking. (yes, W7 too, thanks to ClassicShell). And when I can, I put a folder named "autorun.inf" and a file named "recycler" on removable drives of family members, and if by any chance I find autorun.inf is no longer a folder but a file instead, I declare the device infected, recover what I can, format, and put the folder again. Never had a virus coming from USB, old or new OS. Android devices as Usb drive will not change that. That old virus that made the phone behave as a keyboard when attached to the USB, that, on the other hand, I don't know how to counter.


    Wish more people were like you. Fact is 98% of end users do not know how to use a computer securely and they are the target.