Kaspersky Lab has discovered the first ever Android malware app that appears to have been designed not to attack the host smartphone but any PCs it is subsequently connected to.
Discovered on Google Play (yes, Play hosts malware despite Google’s attempts to clean it up), targeting Russian-speakers disguised as a memory-killer utility, innocent downloaders will end up with three malware files on any SD card plugged into their smartphones.
Any PC that connects to the phone while in USB emulation mode (which treats attached smartphone drives as external disks) and old enough not to disallow Windows Autorun, will end up being hit with Backdoor.MSIL.Ssucl.a.
It’s a novel route to attack a PC but why engineer malware to do it?
Strangely, the primary purpose of the malware is to record any audio detected by the PC’s microphone, saving this to a file that is then uploaded to a server in an encrypted format.
The malware also takes complete control of the smartphone but that could be a secondary activity.
“Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware,” said a baffled Kaspersky Lab researcher, Victor Chebyshev.
“At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector.
The dependence on Autorun strong suggested that the malware was deliberately looking for victims running versions of Windows prior to 7, a declining population in countries such as the UK and US but still remarkably in former Soviet republics.
Google has removed the two apps associated with the attack from Play but not before it was downloaded by several thousand users.