There’s a new type of Android malware out there that masks itself as a “cleaner” app, but what it’s really doing is infecting both your smartphone and your PC. Kaspersky researchers discovered the “cleaner” apps, called Superclean and DroidCleaner, in the Google Play store, which makes it all the scarier. The apps are supposed to free up memory in Android, but instead they come with an extensive set of harmful features. Here’s a list:
- Sends SMS messages
- Enables WiFi
- Gathers information from the device
- Opens random links in the browser
- Uploads the entire content of your SD card
- Uploads arbitrary files and folders to the master’s server
- Uploads all of your SMS messages
- Deletes all of your SMS messages
- Uploads all of your contacts, photos, and coordinates to the master
Once the “cleaner” app is installed and running, it begins listing processes on your device and restarts them in the foreground to make it appear as if it’s really “cleaning” your device. However, in the background, the app downloads three files (autorun.inf, folder.ico, and svchosts.exe) to the root of your SD card.
When you connect your smartphone to your Windows computer, the svchosts.exe file (Backdoor.MSIL.Ssucl.a) automatically executes on your PC. It then takes control of your microphone and records you. It encrypts those recordings and sends them back to the master.
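As a defensive check for the drop described above, the following added example (not code from this article or from Kaspersky) inspects the root of a mounted SD card or other removable volume for an autorun.inf whose launch entry points at an executable sitting beside it. The function names and the autorun.inf contents in the sample are assumptions; the article does not show the file's contents.

```python
import configparser
import tempfile
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}

def find_entry(root, name):
    """Case-insensitive file lookup in the volume root (FAT ignores case)."""
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None

def check_volume_root(root):
    """Return (kind, detail) findings for an AutoRun dropper in a volume root."""
    inf = find_entry(root, "autorun.inf")
    if inf is None:
        return []
    findings = [("autorun_inf", inf.name)]
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        parser.read_string(inf.read_text(errors="replace"))
    except configparser.Error:
        return findings + [("unparsable", inf.name)]
    for section in (s for s in parser.sections() if s.lower() == "autorun"):
        for key in LAUNCH_KEYS:
            value = (parser.get(section, key, fallback=None) or "").strip()
            if not value:
                continue
            # Program is the quoted string or the first token; keep only the file name.
            prog = value.split('"')[1] if value.startswith('"') else value.split()[0]
            name = prog.replace("\\", "/").rsplit("/", 1)[-1]
            hit = find_entry(root, name) if name else None
            if hit and hit.suffix.lower() in EXEC_EXTS:
                findings.append(("launches_executable", f"{key}={hit.name}"))
    return findings

def demo():
    """Constructed sample: the article's three file names, dummy contents."""
    with tempfile.TemporaryDirectory() as root:
        # Assumed autorun.inf contents; the article does not reproduce them.
        Path(root, "autorun.inf").write_text("[AutoRun]\nopen=svchosts.exe\nicon=folder.ico\n")
        Path(root, "folder.ico").write_bytes(b"\x00")
        Path(root, "svchosts.exe").write_bytes(b"MZ")
        return check_volume_root(root)

if __name__ == "__main__":
    print(demo())
```

Point `check_volume_root` at the card's mount point from a system that does not honour AutoRun, and treat any `launches_executable` finding as a reason to examine the volume before connecting it to a Windows PC.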
Kaspersky released a statement on how the malware creators are expecting this threat to spread:
Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware. At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector. In the current versions of Microsoft Windows, the AutoRun feature is disabled by default for external drives; however, not all users have migrated to modern operating systems. It is those users who use outdated OS versions that are targeted by this attack vector.
Thus, a typical attack victim is the owner of an inexpensive Android smartphone who connects his or her smartphone to a PC from time to time, for example, to change the music files on the device. Judging by the sales statistics for Android smartphones, I would say that such people are quite numerous. For the attack to be more successful, it only lacks a broader distribution scheme.
There’s still no word on how many apps like this one are actually out there, so the best thing to do at the moment is to stick to apps that have a high number of downloads and comments, and to apps from trusted developers.
This is the first time Kaspersky has discovered mobile malware with such an extensive feature set.
Have you been hit by Android malware before?