Fake Cleaning Apps in Google Play: an AutoRun Attack and More

Almost exactly one year ago, Google announced the addition of a “new layer to Android security,” a service codenamed Bouncer that was intended to provide automated scanning of the Android Market for potentially malicious software. However, as my colleague Jimmy Shah wrote in a previous blog post, Bouncer has not been enough to keep all the malware out of the market: We saw Android malware (for example, Android/DougaLeaker) distributed in the Google Play Market in 2012. Recently, two malicious applications from the developer Smart.Apps were found using the same official distribution method:

 

Castillo 20130207 DroidCleanerCastillo 20130207 SuperClean

Both applications present themselves as “optimizers” that make Android devices faster and more responsive by cleaning the browser cache, optimizing network settings, clearing unused log files, and so on. When the applications are executed, they display fake user interfaces:

Castillo 20130207 ExecutionCastillo 20130207 Execution2

In the case of DroidCleaner, the graphical user interface is more elaborate; the application displays three different cleaning options that lead to the same fake progress bar:

Castillo 20130207 FakeProgressBar1Castillo 20130207 FakeProgressBar2

Meanwhile, in the background and without user consent, a service establishes a communication with a control server. The commands include common actions performed by other Android malware:

  • Sending device and network information (IMEI, IMSI, phone number) to a remote server
  • Sending and deleting SMS messages (could be used to subscribe the user to premium-rate services)
  • Stealing sensitive personal information (installed applications, pictures, contacts, SMS messages, GPS coordinates)
  • Mapping the contents of the SD card (files and directories) to later upload to the remote server

Other less common functions are also implemented as available commands:

  • Executing shell commands remotely
  • Rebooting the device using the command “reboot” on rooted devices
  • Launching another application installed in the device without user consent
  • Setting call forwarding and changing the ringer mode to silent so the user is not aware that calls are being redirected to another number

One of the most interesting commands in this new Android malware is UsbAutorunAttack, which consists of downloading three files (autorun.inf, folder.ico, and svchost.exe) from a remote server to place in the SD card and infect Windows computers that have the AutoRun feature enabled. This new distribution method may not be as effective because the latest version of Windows has AutoRun disabled by default; yet it is interesting to see Android malware trying to infect Windows computers.

Another interesting command in this threat is CallOut, which aims to initiate the dialer’s pad with a specific phone number. The implementation of this command reminds me of the “Dirty USSD” vulnerability, discovered last year, because this one uses the protocol “tel:,” which can be used with a special USSD code to wipe an Android device. Although we haven’t seen this attack in the wild and the issue has already been fixed for most devices with an OTA software update, due to the fragmentation problem of Android it is possible that your device doesn’t have the latest version of the operating system. To find out if your device is vulnerable, McAfee offers a test page that performs a test with nonmalicious code. If your device is vulnerable, you can download and install the McAfee Dialer Protection app from Google Play.

This threat also executes phishing attacks aimed to steal Android (Google) and Dropbox credentials by showing the following user interface to the user when the commands creds_attack and creds_dropbox are sent by the control server:

Castillo 20130207 Dropbox_Phishing

Castillo 20130207 Android_Phishing

Once the user enters the information and taps “Login,” the stolen credentials are sent to the remote server while the message “Wrong credentials” is displayed.

McAfee Mobile Security detects this mobile threat as Android/Ssucl.A. The Windows threat is detected by McAfee VirusScan/Total Protection as Generic Dropper.p.