Android Hack-Tool Steals PC Info

Yeh, one of our Security Response Analysts, came across an interesting report on a Chinese forum over the weekend about an Android app that basically turns the device into a hack-tool capable of stealing information from a connected Windows machine.

He managed to find a sample (MD5: 283d16309a5a35a13f8fa4c5e1ae01b1) for further investigation. When executed, the sample (we detect it as Hack-Tool:Android/UsbCleaver.A) installs an app named USBCleaver on the device:

[Screenshot: hacktool_android_usbcleaver_0]

When the app is launched, it directs the user to download a ZIP file from a remote server:

[Screenshot: hacktool_android_usbcleaver_1]

The app then unzips the downloaded file into the /mnt/sdcard/usbcleaver/system folder. The extracted files are essentially utilities used to retrieve specific pieces of information once the device is connected via USB to a Windows machine. Note: most of these files are already covered by older detections.

The following details are grabbed from the connected Windows PC:

 • Browser passwords (Firefox, Chrome and IE)
 • The PC’s Wi-Fi password
 • The PC’s network information

The app gives the user the option of choosing what information they want to retrieve:

[Screenshot: hacktool_android_usbcleaver_2]
[Screenshot: hacktool_android_usbcleaver_3]
[Screenshot: hacktool_android_usbcleaver_4]

To run the utilities, the sample creates an autorun.inf file and a go.bat file in /mnt/sdcard. When the device is plugged into a Windows machine, AutoRun processes autorun.inf, which silently runs go.bat in the background, which in turn runs the selected utilities from the usbcleaver/system folder.

The collected details are stored on the device at /mnt/sdcard/usbcleaver/logs. The app’s user can click the ‘Log Files’ button to view the information retrieved from the PC:

[Screenshot: hacktool_android_usbcleaver_5]

This isn’t the first Android trojan reported this year with PC-infecting capabilities; that ‘distinction’ belongs to the trojan-spy app family we detect as Sscul (listed in our Q1 2013 Mobile Threat Report).

Unlike the Sscul malware, however, which is more focused on remote eavesdropping, USBCleaver seems designed to facilitate a targeted attack by gathering details that would be helpful in a later infiltration attempt.

Fortunately, UsbCleaver’s Windows-infecting routine can be blocked by a simple measure that has been standard security advice for the last couple of years: disabling AutoRun by default (already the default on Windows 7 machines). An additional mitigating factor is that most older Windows systems need mobile device drivers installed manually before this attack can work.
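To make that mitigation checkable, here is an added Python example (not from the original post) that interprets the NoDriveTypeAutoRun policy bitmask Windows uses to decide which drive types get AutoRun, and reads the live value when run on a Windows host. The registry path and value name are the documented ones; the bit-to-drive-type mapping follows GetDriveType() numbering, and 0x91 is the common pre-hardening default the comparison uses. Everything else (function names, the report format) is this example's own.

```python
import sys

# Documented policy location; HKLM takes precedence over HKCU when both exist.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"

# Bit n corresponds to GetDriveType() result n; a set bit DISABLES AutoRun for that type.
DRIVE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,   # USB sticks, and phones exposed as mass storage
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
DEFAULT_MASK = 0x91   # unknown + network + reserved disabled; removable and CD-ROM still allowed
DISABLE_ALL = 0xFF    # the recommended hardened value


def autorun_enabled_types(mask):
    """Drive types on which AutoRun is still permitted under the given mask."""
    return [name for name, bit in DRIVE_BITS.items() if not mask & bit]


def removable_autorun_blocked(mask):
    """True when a USB-attached device cannot trigger autorun.inf processing."""
    return bool(mask & DRIVE_BITS["removable"])


def read_policy_mask():
    """Return the configured mask on Windows, or None when unset or off-platform."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, so imported lazily
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _ = winreg.QueryValueEx(key, POLICY_VALUE)
                return int(value)
        except OSError:
            continue
    return None


def report(mask):
    """One-line verdict for an audit log; an absent value is treated as the default."""
    effective = DEFAULT_MASK if mask is None else mask
    state = "BLOCKED" if removable_autorun_blocked(effective) else "ALLOWED"
    still_on = ", ".join(autorun_enabled_types(effective)) or "none"
    return (f"NoDriveTypeAutoRun=0x{effective:02X}: AutoRun on removable media {state}; "
            f"still enabled for: {still_on}")


if __name__ == "__main__":
    print(report(read_policy_mask()))
```

Setting the value to 0xFF (via Group Policy or the registry) is the "disable AutoRun" advice above expressed as a number; the report treats a missing value as the pre-hardening default so that an unset key is reported as a gap rather than as safe.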

----------
Analysis by – Yeh

Source: Android Hack-Tool Steals PC Info

Written by admin
