Kaspersky Lab’s team has found a new type of malware that infects a user’s computer when a smartphone or tablet is connected to it.
Users typically look for ways to accelerate their devices by freeing up memory. They search for applications that make their tablets or smartphones work faster, and install apps that may have malware hidden in them.
PC malware that infects mobile devices has been discovered before. However, in this case, it’s the other way around: an app that runs on a mobile device was designed to infect PCs.
On January 22nd, 2013, Kaspersky Lab discovered the applications “Superclean” and “DroidCleaner” on Google Play. Both were very popular with a respectable rating.
After users download the application and finish the install, the app displays a list of all running processes and restarts the device. Later, in the background, the app downloads three files: autorun.inf, folder.ico, and svchosts.exe. When users connect the infected Android device to any Windows computer with active Autorun or Autoplay functionality for USB devices, the svchosts.exe file is automatically executed on the computer.
The malicious code immediately starts capturing sound from the system’s microphone, encrypts the files, and sends all recorded data to remote servers. The malware is also capable of sending SMS messages, enabling Wi-Fi, gathering information about the device, opening arbitrary links in a browser, uploading the SD card’s content, uploading an arbitrary file to the master’s server, uploading all SMS messages, deleting all SMS messages, or uploading all contacts/photos/coordinates and sensitive information such as passwords or corporate e-mails from the device to the master server.
Before those apps were removed by Google, they were downloaded more than 6,000 times. If you have recently downloaded or run those apps on any of your Android devices, it is strongly recommended that you remove them and scan your computer as soon as possible.
Kaspersky Lab updated this threat in its database on February 1st, so businesses should ensure that their network administrator updates the Kaspersky virus signature database and runs a deep scan to prevent any data loss.
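A defender-side check for the file set described above, as an added example that is not from Kaspersky Lab or the original article: it scans the root of a mounted volume for the three reported file names and for an autorun.inf that launches an executable stored in that root. It assumes the files sit at the storage root (the only place Windows honours autorun.inf); the function names and the sample autorun.inf contents are constructed for illustration.

```python
import tempfile
from pathlib import Path

# File names reported in the article; matched case-insensitively.
REPORTED = {"autorun.inf", "folder.ico", "svchosts.exe"}
LAUNCH_KEYS = {"open", "shellexecute"}  # autorun.inf keys that name a program
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}


def autorun_targets(text):
    """Return program names set by open=/shellexecute= in the [autorun] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            prog = value.replace('"', "").split()  # drop quotes, split off arguments
            if key.lower() in LAUNCH_KEYS and prog:
                # keep only the file name, without any leading path
                targets.append(prog[0].replace("\\", "/").split("/")[-1].lower())
    return targets


def scan_volume_root(root):
    """Inspect the root of a mounted volume and return a list of findings."""
    names = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    findings = [f"reported file present: {n}"
                for n in sorted(REPORTED.intersection(names))]
    inf = names.get("autorun.inf")
    if inf:
        text = inf.read_text(encoding="utf-8", errors="replace")
        for target in autorun_targets(text):
            if Path(target).suffix in EXEC_EXT and target in names:
                findings.append(f"autorun.inf launches {target} from the volume root")
    return findings


def demo():
    """Build a constructed sample volume (empty placeholder files) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed contents; the article does not show the real autorun.inf.
        (root / "autorun.inf").write_text("[autorun]\nopen=svchosts.exe\nicon=folder.ico\n")
        (root / "folder.ico").write_bytes(b"")
        (root / "svchosts.exe").write_bytes(b"")
        return scan_volume_root(root)
```

Point `scan_volume_root` at the mount point or drive letter of the phone’s storage or SD card, on a machine where Autorun is disabled or on a non-Windows host.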