Symantec researchers have found what they are calling the first known
example of Windows malware specifically designed to infect Android devices. “We’ve
seen Android malware that attempts to infect Windows systems before,” mentioned
Flora Lui, author of the Symantec post announcing Droidpak. “Interestingly, we recently came across something that works the other
way round: a Windows threat that attempts to infect Android devices.”

Exploits Windows first

Droidpak is a trojan designed to exploit the Windows operating system
and gain a foothold on the victim’s computer. After Droidpak settles in, it
contacts a remote command & control server. Then, according to Symantec Security Response, the remote server sends a configuration file back to the infected
Windows computer similar to the example below:

[http://]xia2.dyndns-web.com/iconf[REMOVED]

Notice the configuration file references a website. The infected
computer tries connecting to the website. If successful, an Android malware
file similar to the one below will begin downloading:

%Windir%\CrainingApkConfig\AV-cdk.apk(Android.Fakebank.B)

The remote server may also have the infected computer download tools, such as Android Debug Bridge (ADB),
in order to install the Android Package (APK) or other malware destined for the
target Android device (phone or tablet) connected to the infected computer via
a USB cable.
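As an added illustration (not from the article or from Symantec), here is the kind of detection logic a defender could run over endpoint telemetry for the chain just described: a DNS lookup of the configuration host, an APK dropped under the CrainingApkConfig directory, and an ADB install launched on the Windows host. The `host|event|detail` line format and the sample events are constructed for this example.

```python
import re
from collections import defaultdict

# Indicators taken from the Symantec description quoted in the article.
DROIDPAK_DOMAINS = {"xia2.dyndns-web.com"}
DROP_DIR_RE = re.compile(r"\\CrainingApkConfig\\", re.IGNORECASE)
ADB_INSTALL_RE = re.compile(r"\badb(?:\.exe)?\b.*\binstall\b", re.IGNORECASE)

# Constructed sample telemetry, one event per line: host|event_type|detail
# (the format is an assumption made for this example, not a real EDR export).
SAMPLE_EVENTS = """\
WS01|dns|xia2.dyndns-web.com
WS01|file_create|C:\\Windows\\CrainingApkConfig\\AV-cdk.apk
WS01|process|C:\\Users\\bob\\AppData\\Local\\Temp\\adb.exe install C:\\Windows\\CrainingApkConfig\\AV-cdk.apk
WS02|dns|www.example.com
WS02|process|C:\\Android\\platform-tools\\adb.exe devices
"""

# Stages of the chain in the order the article describes them.
STAGES = ("c2_config", "apk_drop", "adb_install")

def classify(event_type, detail):
    """Map one event to a Droidpak stage, or None if it matches nothing."""
    if event_type == "dns" and detail.lower() in DROIDPAK_DOMAINS:
        return "c2_config"
    if event_type == "file_create" and DROP_DIR_RE.search(detail):
        return "apk_drop"
    if event_type == "process" and ADB_INSTALL_RE.search(detail):
        return "adb_install"
    return None

def analyze(text):
    """Return {host: stages seen, in chain order} for hosts with any hit."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        host, event_type, detail = line.split("|", 2)
        stage = classify(event_type, detail)
        if stage:
            hits[host].add(stage)
    return {h: [s for s in STAGES if s in seen] for h, seen in hits.items()}

def droidpak_chain_hosts(text, min_stages=2):
    """Hosts where enough distinct stages were seen to call it a chain.

    A lone ADB invocation is normal for developers (WS02 above), so a single
    stage only becomes an alert when correlated with another on the same host.
    """
    return sorted(h for h, st in analyze(text).items() if len(st) >= min_stages)
```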

Success: Android.Fakebank.B installed

Several things have to happen in order for Droidpak to successfully
install its payload, Android.Fakebank.B. We will look at
those in a bit. First, let’s look at what the malware developers designed
Android.Fakebank.B to do once installed as an application on an Android device.

Android.Fakebank.B will show up as a “Google App Store” application as
shown in the slide below.


Once installed, Android.Fakebank.B looks to see if there are any mobile
banking apps installed on the Android device. Symantec said the version of Android.Fakebank.B
studied was specifically targeting Korean banking applications. If Android.Fakebank.B
finds a banking app it recognizes, it attempts to make the user believe the
currently installed banking app is malware, should be removed, and replaced by Android.Fakebank.B.
If the user agrees and loads Android.Fakebank.B, the malware is in position to steal
login credentials and possibly account information when the user logs in using
what is thought to be the correct banking app.

Symantec mentions that, “Android.Fakebank.B also intercepts SMS messages
on the compromised device and sends them to the following location.”

http://www.slmoney.co.kr[REMOVED]

Users need to agree

Now it’s time to talk about what needs to happen for Droidpak/Android.Fakebank.B
to be successful. Users must agree to install any program on an Android device.
This is where social engineering comes into play, and we all know the bad guys are getting good at it.

Symantec, and the other Android experts I talked to, suggest turning off USB debugging on Android devices.
Most people will never use USB debugging: it is a developer tool, used to
sideload Android applications from a computer, and that is exactly what makes Droidpak work. This link explains how to
disable USB debugging.

The Android experts also said they would be remiss not to mention
the importance of having AV applications on both computers and Android devices.
With Droidpak unmasked, AV companies will have their products looking for it.

Just released AV-Test results

Speaking of antivirus applications for Android, Andreas Marx, CEO of AV-TEST Institute, just sent me the latest Android
antivirus app test results. Marx wrote, “30 Android security apps were tested:
only two products failed in our latest review against 2,191 malicious apps.”

In the email, Marx included what he considered to be key elements of the
latest test:

  • The average malware protection rate was 96 percent (almost 1 percent less than last review).
  • Only four security apps created false positives on our test systems, two out of them related to clean Apps from Google Play (Comodo and Panda), two more from 3rd party App stores (AegisLab and AhnLab).
  • Features offered by the free and paid-for security apps differed significantly. Therefore, we recommend a close review of security features like anti-theft, backup and encryption.

The test results will show up on the AV-TEST website today, Feb. 3.

Final thoughts

Several things have to go right before the Droidpak/Android.Fakebank.B
malware combination can successfully steal banking information, but that was
also the case with the first versions of banking malware targeting PCs. Now, Zeus and Neverquest are highly
successful banking malware.

I would prefer to be wrong, but due to the popularity of mobile devices
and the number of banking apps, I’m afraid bad guys are going to make sure
malware like Droidpak succeeds.