Beginning in 2012, NQ Mobile’s Security Research Center began looking out for a possible evolution of cross-platform malware, that is, malware that infects a mobile and a desktop platform at the same time.
Malware authors needed to find novel ways of infecting mobile devices more rapidly. One way to do that was to infect an already established ecosystem such as personal computers. Windows operating systems are the most widely used in the world, so this would be a likely place for a malware author to start. With this in mind, a malware author could hijack a legitimate Google Android app that would then exploit wireless and USB synchronization between the Android device and the PC. These threats have recently been discovered, and the NQ Mobile Security Research Center expects to see more of these types of threats in the near future.
Infection path 1 – AutoRun at USB synchronization between mobile device and PC
The NQ Mobile Security Center was able to identify and confirm a threat that appeared last month on Google Play [1], which uses USB synchronization. The malware hijacked a legitimate Android cache cleaning app. When the mobile device was synchronized with the PC, the malicious app delivered a “USB AutoRun Attack”. Many will recognize AutoPlay as the feature that starts when a CD/DVD is inserted or when a device is connected via USB on Windows platforms.
What is AutoRun? It is a plain text-based configuration file (Autorun.inf) that enables designated files to automatically run when an AutoRun-enabled drive (i.e. USB, flash drive) is inserted into the PC. Therefore, it’s very easy for malware writers to obfuscate their malicious code.
What is the threat? Malware writers will target the Autorun.inf file on Windows-based systems with a worm or Trojan that then attempts to load a rootkit. The malware, which may itself be a worm or Trojan, will try to copy itself to all drives, including removable drives such as flash drives, MP3/MP4 players and mapped network drives. Some worms/Trojans will also attempt to disable Windows-based antivirus software.
The difference in this most recent discovery is that it delivers a svhosts.exe file to a Windows machine once a user connects their Android device via USB. More than one instance of svhosts can be running services/applications by default on a Windows PC. These multiple instances of svhosts running on Windows are where the problem lies: an extra, malicious copy blends in with the legitimate ones.
Malware authors can inject a backdoor into an svhosts file, which allows cyber criminals to access a Windows machine and download a malicious file that steals sensitive data or captures keystrokes (a keylogger) as the user accesses an online bank account or other financial site. This information is normally encrypted and sent to a command & control (C&C) server in locations such as Ukraine, Russia or Brazil.
Did you know? svhosts doesn’t use .exe to load files. It uses .dll instead, which is why this malware may evolve into a self-propagating variant.
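Autorun.inf is an ordinary INI file, so a defender can inspect one before letting Windows act on it. The following PowerShell function is an added example, not code from NQ Mobile or from the malware described above: it parses the text of an Autorun.inf, keeps only the `[autorun]` section, and reports every directive that names a program to launch (`open=`, `shellexecute=` and `shell\<verb>\command=`). The lookalike check and the sample file are constructed for this illustration; the file name `svhosts.exe` is taken from the article, and the check simply flags any name that resembles but is not the genuine `svchost.exe`.

```powershell
# Added example, not NQ Mobile's code. Parses the contents of an Autorun.inf
# and reports every directive that would launch a program on insertion.
function Get-AutorunLaunchDirectives {
    param(
        [Parameter(Mandatory)] [string]$IniText
    )
    $findings = @()
    $section  = ''
    foreach ($raw in ($IniText -split "`r?`n")) {
        $line = $raw.Trim()
        # Skip blank lines and ';' comments; track the current [section]
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }

        $parts = $line -split '=', 2
        if ($parts.Count -ne 2) { continue }
        $key   = $parts[0].Trim().ToLower()
        $value = $parts[1].Trim()

        # open=, shellexecute= and shell\<verb>\command= all name something to run
        if ($key -in @('open', 'shellexecute') -or $key -like 'shell\*\command') {
            $exe  = ($value -split '\s+')[0].Trim('"')
            $name = [System.IO.Path]::GetFileName($exe).ToLower()
            $findings += [pscustomobject]@{
                Directive = $key
                Target    = $exe
                # Constructed check: a name that resembles, but is not, svchost.exe
                Lookalike = ($name -ne 'svchost.exe' -and $name -match '^svc?hosts?\.exe$')
            }
        }
    }
    $findings
}

# Constructed sample modelled on the article's description (not a real capture)
$sample = @"
[autorun]
open=svhosts.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=svhosts.exe /s
"@

Get-AutorunLaunchDirectives -IniText $sample | Format-Table -AutoSize
```

Run against a removable drive with `Get-AutorunLaunchDirectives -IniText (Get-Content E:\autorun.inf -Raw)`; any row at all means the drive would start a program under an AutoRun-enabled Windows, and a `Lookalike` of `True` means the target name imitates a system process.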
Infection path 2 – Android is used to deliver the Windows malware payload
In addition to the root of the SD card, it’s also possible that malware authors could store these files in the “miscellaneous files” folder or any other non-system Android folder in the device’s memory. Once the Android device connects to Windows, svhosts would be automatically executed.
Did you know? Android Jelly Bean now has the ability to apply a permission to read contents of an SD card. This isn’t being enforced by Google right now.
Protecting Windows AutoRun from cross-platform attack
Given the malware threat posed by the Autorun.inf file, NQ Mobile suggests two options ALL users should consider:
Windows XP/Vista
This type of attack will not work if the user is running Windows XP/Vista with the February 2011 “AutoRun disabled by default” patch. It isn’t known right now just how many users are running XP/Vista without this patch, probably a high percentage given that this patch was not an automatic install! See http://support.microsoft.com/kb/971029 on how to download and install this patch.
Windows 7 & 8
Microsoft fixed this issue with Windows 7 and 8, disabling the AutoRun feature by default. It is also worth noting that Win32/AutoRun remains the most prevalent malware family on Windows platforms. Expect malware authors to find work-arounds here and with wireless synchronizing.
Disable the AutoRun functionality in Windows. Here is one simple way to disable AutoRun using a Windows Registry hack:
- Open Notepad and copy/paste the following text. The header line is required for Regedit to accept the file, and the value line is what does the work: it redirects every read of Autorun.inf to a registry key that does not exist, so Windows finds no commands to run.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
  ; Default value: map Autorun.inf lookups to a non-existent registry key
  @="@SYS:DoesNotExist"

- Change the “Save as type” to “All Files” before saving, so Notepad does not append .txt.
- Save as ‘disableautorun.reg’ to your desktop.
- Double-click the file to run it. This will add the data above to the Windows Registry.
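An administrator who prefers to audit or apply this setting from a script rather than a hand-made .reg file can use the following PowerShell function. It is an added example, not NQ Mobile's code: it checks the IniFileMapping redirect described above and, in addition to what the article shows, the documented `NoDriveTypeAutoRun` Explorer policy (0xFF disables AutoRun for every drive type). With `-Apply` it sets whichever of the two is missing. The function name and the combination of the two checks are this example's own choices.

```powershell
# Added example, not NQ Mobile's code. Audits, and with -Apply sets, the two
# registry settings that stop Windows honouring Autorun.inf. Run elevated.
function Test-AutorunHardening {
    param([switch]$Apply)

    $mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $result = [ordered]@{}

    # 1. IniFileMapping redirect: the same change the article's .reg file makes.
    $mapped = (Get-ItemProperty -Path $mapKey -ErrorAction SilentlyContinue).'(default)'
    $result.IniFileMappingRedirect = ($mapped -eq '@SYS:DoesNotExist')
    if ($Apply -and -not $result.IniFileMappingRedirect) {
        New-Item -Path $mapKey -Force | Out-Null
        Set-ItemProperty -Path $mapKey -Name '(default)' -Value '@SYS:DoesNotExist'
        $result.IniFileMappingRedirect = $true
    }

    # 2. NoDriveTypeAutoRun policy: 0xFF (255) disables AutoRun on all drive types.
    $mask = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $result.NoDriveTypeAutoRunAll = ($mask -eq 0xFF)
    if ($Apply -and -not $result.NoDriveTypeAutoRunAll) {
        New-Item -Path $polKey -Force | Out-Null
        Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        $result.NoDriveTypeAutoRunAll = $true
    }

    [pscustomobject]$result
}

# Audit only; add -Apply (from an elevated prompt) to enforce both settings.
Test-AutorunHardening
```

Both values are machine-wide and take effect for new sessions; on Windows 7 and later they are belt-and-braces on top of the default AutoRun restriction, while on an unpatched XP/Vista machine they are what actually closes the path the article describes.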
Did you know? Mobile security apps provide ongoing protection beginning before the download of apps and software. NQ Mobile Security™ detects and quarantines this malware prior to installation of the malicious files on an SD card.
[1] Google Bouncer cloud-scans apps before they are released to the Play Store. Android 4.2 also has a function called ‘Verify Apps’. This disallows or warns users before installation of potentially malicious Play Store and 3rd-party market apps. This option is enabled on Android 4.2 devices by default.
Note: Recent investigation from a respected researcher suggested ‘Verify Apps’ only detected 15% of known malware. Given this research, it’s even more important to also use a mobile security solution to protect an Android device.
As the world’s largest mobile security provider, NQ Mobile believes families should possess the most comprehensive knowledge base on all aspects of mobile security and privacy when using Android, BlackBerry, Symbian, Windows Phone and Apple iOS devices. NQ Mobile aims to inform and educate families on current and future threats and to suggest simple methods for staying safe and avoiding financial loss when using a mobile device.