Sync'n'steal: Hackers brew Android-targeting Windows malware

Internet Igors have stitched together the first strain of Windows malware that can hop over and infect Android smartphones and tablets. The Droidpak mobile banking trojan exploits syncing between smartphones and Windows PCs to jump from a compromised PC onto an Android device. The Windows Trojan downloads a malicious .APK …

COMMENTS

This topic is closed for new posts.
  1. Wize

    What ever happened to the old connection options on Android?

    My older phone would ask every time if I wanted to connect if I plugged in to a PC to charge.

    My new one gives me the choice of MTP or PTP. It is a minor annoyance that it no longer has 'mass storage' mode but a major annoyance that it doesn't do a charge only without going into the developer settings and putting the port into debug mode.

    I thought technology was supposed to improve, not go backwards.

    1. Anonymous Coward

      Re: What ever happened to the old connection options on Android?

      Right Click on USB device > Eject Device.

      However if you've altered settings / installed device syncing software, you may not get this option.

      1. Wize

        Re: What ever happened to the old connection options on Android?

        But, by that time, it has already connected to your phone.

        And it is controlled at the PC end. To prevent something writing to your memory card (malware upload or malicious delete all) surely it should be controlled at the phone end?

  2. bigtimehustler

    I can't see this affecting most people; to load an application like that you have to have USB Debugging turned on through the phone's settings and the option to install applications from non signed sources. This is typically only a setup a developer would turn on.

    1. Anonymous Coward

      " the option to install applications from non signed sources. "?

      I guess you mean "installation...other than play store" and by that you may mean anyone that wants to download from, say, Amazon?

      1. Anonymous Coward

        You don't need 'Unknown sources' enabled when using ADB. But you do need to go into the now hidden developer options and enable USB debugging. Since 4.0, when a PC connects via ADB, you must allow the connection on the device also.

        Having just Unknown sources enabled is not enough for this to work. So users of Amazon's store are safe (assuming they have USB debugging disabled).

        Worryingly, I've noticed HTC Desire X's have USB debugging enabled by default.

        1. Argh

          On Android 4.3, there's also a checkbox that's enabled by default when enabling debugging that says "Verify apps via USB. Check installed apps from ADB/ADT for harmful behaviour". I'm not sure how this is checked (uploaded to Google for testing first?), but that may also pick up these apps.

    2. Brian Miller

      Also, the user needs to click yes on the notice, "Do you trust this computer?" Most will probably say yes, but as mentioned, debugging needs to be turned on, and that is now "hidden."

  3. Anonymous Coward

    This article is the answer to the commonly heard statement "why would I get an iOS device, you can't do as much with it".

    1. Anonymous Coward

      Ditto a Windows Phone...

      1. monkeyfish

        Ditto a 3210

    2. NumptyScrub

      quote: "This article is the answer to the commonly heard statement "why would I get an iOS device, you can't do as much with it"."

      At least, it is up until some sod develops malware that does the same thing to iOS (aka poses as iTunes to the mobile device and then uploads whatever codebase it likes). If you can push apps to an iOS device from iTunes, you can pretend to be iTunes and push apps to the device...

      Luckily, only corporate customers and affluent people tend to use a lot of iOS devices coupled with Windows PCs, so hopefully malware writers won't be targeting that particular vector now they've managed a proof-of-concept with Windows->Android :)

    3. HollyHopDrive

      "This article is the answer to the commonly heard statement "why would I get an iOS device, you can't do as much with it".

      Spoken like a true idiot.

      Apart from the fact that this is a bit 'theoretical' as pointed out by the above posters I'm really confused about who is plugging their Android device into a PC to sync it??? Why do you need to do that (other than unless you are a developer doing some DEV). It's by far and away the best 'cloud' O/S there is. Google's stuff is seamless, Dropbox is perfect and if you really need to do some 'file moving' then ES explorer from your phone/tablet is your friend over wifi.

      Android - because you can do much with it but you can also *choose* not to.

      1. Anonymous Coward

        "Spoken like a true idiot. -bla bla bla"

        Spoken like a true aspergers suffering IT shut in that can't see past their own usage of a device.

        If you actually had friends outside of the world of IT professionals you would realise that a lot of them connect their phones up to their PC for transferring photos, music and movies. Very few people use WiFi for that because the setup involved is more than "Plug in, insert CD that came with device" (and it's SLOOOOW compared to USB). Plus the fact that with more than one user in a house on a shared PC that process starts to become a bit complicated to administer. (I'm looking at you Samsung software users) Remember that the majority of Android users are not IT people, they don't know the ins and outs of backups and syncing and aren't willing to learn either.

        Apple - because after you've played with the settings and changed everything you realise that you probably should have just left them alone in the first place.

        1. Anonymous Coward

          « "Spoken like a true idiot. -bla bla bla"

          Spoken like a true [...] »

          From bad to worse, eh compadre?

        2. Anonymous Coward

          What the F

          I've owned 5 Android phones, 2xHTC, 1xSamsung and 2xLG, and I have never had a CD provided with the phone. Do you know what you're talking about, or are you mistakenly thinking everything is like an iPhone? I wouldn't know about iPhones btw; I have never owned one, thus I would not know if they came with a CD or not, but to my knowledge I have never had a CD provided with any phone.

          Now what the F are you talking about a shared PC, holy crap dude get out of the 90s. Most people are buying tablets to replace their PC... have you not read anything in the last 2 years, at all. I personally will always buy a PC as long as they sell them so yes I do backup my phone on my PC but since Ubuntu does a better job at connecting to my phone than Windows does I use Linux for this (add phablet-tools repo) I don't worry. My parents use Ubuntu, my sister uses Ubuntu, my wife and children use Ubuntu. No Windows in my house except my gaming rig, and that system is only used for gaming ... nothing else. So I have no worries about this malware, although since there is a lot of released code for people to review (AOSP) it will be the first platform that proof of concepts get made.

          In the long run security through obscurity does not and will never work... cough cough APPLE cough. Just because this is known does not mean there isn't such a beast hiding in iOS, the fact that Apple can remote kill your phone says that there are huge gaping holes in that OS as well. Having been in the computer security domain (reverse engineer and analyst/researcher) for over 10 years, I can say if it is created by humans it is hackable, period. So get the F off your high horse, dumbass, and think before you post.

          BTW I am currently getting a degree in Software Engineering and believe me when I say that the way universities teach comp-sci it is no wonder why there are so many vulnerabilities... Hey university Professors try to teach debugging it is more important than coding. In my opinion half of the 1st and 2nd year prog courses should be that alone, so many fail out cause they don't know how to debug.

          Also I must say since the conditions are not mentioned in this article make sure if you want to be safe on any platform never unlock/root/jail-break any phone and your chances are greatly reduced.... cough cough alpine cough ;)

      2. Anonymous Coward

        Why? I use simple USB to drag and drop music onto my Android phone, I hate all that bollocks syncing software clogging up my machine. You install Samsung sync software and next thing you have a dozen background processes wasting your time nagging you to do this and that update. God forbid you're half asleep and the bloody software installs some wank search bar into your browsers!

        As a 30-year IT veteran I find simple USB syncing to get my MP3s onto my phone ten times quicker as I get to decide the layout and naming I want for my folders on the device, a subset that mirrors the main MP3 store in the family NAS boxes.

        All that WiFi, Web 2.0, connected world bollocks is pie-in-the-sky marketing cack, most people will find the quickest, easiest and dirtiest way to do something, it may not be the best or the latest snazzy way to do something but it achieves the required end result. The mark of great technology is one that can be adapted and used easily by anyone, and that anyone can easily assimilate into their daily lives without much effort.

    4. Montreal Sean

      Right, iOS devices avoid this problem by only allowing the installation of Apple approved malware.

  4. Elmer Phud

    Internet Igors

    Doeth it come with a thqueaky back-door?

  5. Anonymous Coward

    "a utility that allows the malicious code to execute commands on Android devices connected to an infected computer."

    You could at least put some info on the required circumstances for a successful infection.

    For this to work, the following conditions must be true:

    - the Android device must have the 'Developer options' and 'USB Debugging' enabled (these are hidden in settings by pressing About and tapping 'Build number' 7 times).

    - the host PC must have ADB drivers for the device installed* (usually a separate download from the device manufacturer/Google)

    - the user must confirm the ADB connection (on the device) when the PC connects (4.0+)

    *granted these could be included in the malware, but it'll need admin rights to install them and these can range anywhere from a few MB to 100MB+.

    No end user should have any of this enabled/installed. If they have enabled it, they should perhaps learn what it is they're enabling before they do. These settings are meant for dedicated development devices which it wouldn't matter if one got infected. No "non-test" phone should have these options on, even my personal phone (and I'm an Android dev) doesn't have ADB enabled.
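
A host-side check for the behaviour quoted in the post above (a utility on an infected PC executing commands on a connected Android device), added here as an example that is not part of the original thread: it flags `adb.exe install` of an APK when the binary or its parent process falls outside an allow-list. The event fields, paths, process names and allow-lists are assumptions constructed for the example.

```python
import json
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis box
import shlex

# Assumed allow-lists for this example; adjust to where developers really keep the SDK.
TRUSTED_ADB_DIRS = {r"c:\android\sdk\platform-tools"}
TRUSTED_PARENTS = {"studio64.exe", "cmd.exe", "powershell.exe"}

# Constructed sample: simplified process-creation records, one JSON object per line.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Android\\sdk\\platform-tools\\adb.exe", "CommandLine": "adb.exe install app-debug.apk", "ParentImage": "C:\\Program Files\\Android\\Android Studio\\bin\\studio64.exe"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\adb.exe", "CommandLine": "\"C:\\Users\\alice\\AppData\\Local\\Temp\\adb.exe\" install C:\\Users\\alice\\AppData\\Local\\Temp\\update.apk", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\svc_helper.exe"}
{"Image": "C:\\Android\\sdk\\platform-tools\\adb.exe", "CommandLine": "adb.exe devices", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Android\\sdk\\platform-tools\\adb.exe", "CommandLine": "adb.exe -s emulator-5554 install C:\\build\\game.apk", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}
'''

def adb_install_findings(lines):
    """Return one finding per adb APK install that violates an allow-list."""
    findings = []
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        image = ev["Image"].lower()
        if ntpath.basename(image) != "adb.exe":
            continue
        # posix=False keeps backslashes intact; drop argv[0] and surrounding quotes.
        tokens = shlex.split(ev["CommandLine"], posix=False)[1:]
        args = [t.strip('"').lower() for t in tokens]
        apks = [a for a in args if a.endswith(".apk")]
        if "install" not in args or not apks:
            continue  # e.g. "adb devices": no APK is pushed to the phone
        reasons = []
        if ntpath.dirname(image) not in TRUSTED_ADB_DIRS:
            reasons.append("adb.exe outside trusted SDK directory")
        if ntpath.basename(ev["ParentImage"].lower()) not in TRUSTED_PARENTS:
            reasons.append("unexpected parent process")
        if reasons:
            findings.append({"apk": apks[0], "image": ev["Image"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in adb_install_findings(SAMPLE_EVENTS):
        print(finding["apk"], "->", "; ".join(finding["reasons"]))
```
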

    1. Simon Harris

      Not particularly well hidden on my Sony (Android 4.1.2)

      Settings -> Developer options -> USB debugging all clearly labelled and available within the menus without any tap the build number 7 times malarkey.

      1. Anonymous Coward

        No, HTCs are the same unfortunately. When I talk Android, I talk stock (Google) Android before the manufacturers have had their evil way with it. Sorry I should have been more clear I was talking about stock Android.

  6. Anonymous Coward

    People are overlooking the obvious

    Yes, this particular hack has a list of preconditions that make it fairly unlikely to successfully hit very many Android devices.

    That doesn't mean a future attack won't be more successful, if a bug was found in the basic USB code. And yes, it could possibly target iOS as well if a bug in its USB was found, at least those iOS devices owned by people who don't use Macs (not denying that there is some malware for Macs, just that OS X has proven to be much more difficult to compromise than Windows). The catch with iOS is that most people update frequently, but if you find a hole that's present in the latest version that's not a problem.

    It is relatively easy to own Windows machines, the problem lately has been what to do with them to monetize them. You have to do it quickly, as AV software will soon detect the infection. If you could attack people's phones, since few people worry about having their phone hacked, you could catch a lot of people unaware - especially since the malware can then quietly delete itself from the computer so AV software is unaware it was ever infected. Such an infection may stay under the radar for AV companies for a long time.

    If the strategy was well executed, millions of phones could be infected, and no one would know. Imagine if a practical joker did the attack instead of a thief, and had it make all infected phones ring at exactly the same time. It would be pretty funny if you were in say Times Square surrounded by thousands of people and suddenly 1 out of every 10 phones rang at once...

  7. Irongut

    Who syncs an Android to a PC these days?

    Google back up all your contacts, calendar, etc and updates are OTA now so what is the point? I haven't had the misfortune of trying to sync an Android and PC since the early days of my original Galaxy S.

    I know several Android users who don't even own a computer.

  8. Anonymous Coward

    USB....the article didn't mention USB....

    .....and there's also Bluetooth......

  9. Son 1

    I wonder how they will make my 'balance disappear?' According to my bank a hacker can pay my bills, transfer money between accounts and create a new account under my name. They cannot transfer my money out to another account unless I go to the bank and set such a transfer up. When I go there they check my photo ID and always ask me personal questions to verify my ID.

    So, again, what are they going to do?

    1. Anonymous Coward

      Kinky banking

      > When I go there they check my photo ID and always ask me personal questions to verify my ID.

      What sort of "personal" questions are we talking about here? 8-/
