Over the weekend, Yeh, one of our Security Response Analysts, came across some interesting analysis on a Chinese language forum about an Android app that basically turns a mobile device into a hack-tool capable of stealing information from a connected Windows machine.
He managed to find a sample (MD5: 283d16309a5a35a13f8fa4c5e1ae01b1) for further investigation. When executed, the sample (detected as Hack-Tool:Android/UsbCleaver.A) installs an app named USBCleaver on the device.
When the app is launched, it directs the user to download a ZIP file from a remote server.
It then unzips the downloaded file into the /mnt/sdcard/usbcleaver/system folder.
The files saved there are essentially utilities used to retrieve specific pieces of information from a Windows machine once the device is connected to it via USB. Note: most of these files are already covered by older detections.
The following details are grabbed from the connected PC machine:
• Browser passwords (Firefox, Chrome and IE)
• The PC's Wi-Fi password
• The PC's network information
The app gives the user the option of choosing which information they want to retrieve.
To run the utilities, the sample creates an autorun.inf and a go.bat file in /mnt/sdcard. When the device is connected to a Windows computer, Windows processes the autorun.inf and silently runs go.bat in the background, which in turn runs the specified files from the usbcleaver/system folder.
The collected details are stored on the device at /mnt/sdcard/usbcleaver/logs. The app's user can click on the "Log Files" button to view the information retrieved from the PC.
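As an added example (not code from the original post or from the sample), here is a small Python checker a defender could run against an autorun.inf found on a mounted removable or MTP volume: it parses the [autorun] section and reports every directive (open=, shellexecute=, shell\<verb>\command=) that would launch a program on insertion, pointing out when the target is a batch or other script file as with the go.bat described above. The autorun.inf content is constructed for the example and is not the real file.

```python
import re

# Script types an autorun.inf launch directive may point at; the sample described
# above drops a go.bat, so batch files are the main case.
SCRIPT_RE = re.compile(r'[\w\\./:-]*\.(?:bat|cmd|vbs|js|ps1)\b', re.IGNORECASE)
LAUNCH_KEYS = ("open", "shellexecute")  # shell\<verb>\command is handled separately


def parse_autorun(text):
    """Parse the [autorun] section of an autorun.inf into {key: value}, keys lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return (directive, target) for every entry that would launch a program on
    insertion; target is the referenced script if any, else the command's first token."""
    findings = []
    for key, cmd in parse_autorun(text).items():
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch or not cmd:
            continue
        match = SCRIPT_RE.search(cmd)
        target = match.group(0) if match else cmd.split()[0].strip('"')
        findings.append((key, target))
    return findings


# Constructed sample modelled on the behaviour described in the post; not the real file.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=go.bat
shellexecute=go.bat
shell\\open\\command=cmd.exe /c go.bat
label=USB Drive
"""

if __name__ == "__main__":
    for directive, target in assess_autorun(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf: '{directive}=' would launch {target}")
```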
This isn't the first Android trojan reported this year with PC-infecting capabilities, since that "distinction" belongs to the trojan-spy apps family we detect as Sscul (listed in our Q1 2013 Mobile Threat Report).
Unlike the Sscul malware, however, which is more focused on remote eavesdropping, USBCleaver seems to be designed to facilitate a targeted attack by gathering details that would be helpful in a later infiltration attempt.
Fortunately, USBCleaver's Windows-infecting routine can be blocked by a simple measure that has been standard security advice for the last couple of years: disabling Autorun by default (this is already the default on Windows 7 machines). An additional mitigating factor is that most older Windows systems need to have mobile device drivers installed manually before this attack can work.