Malware descriptions

Mobile attacks!

Users of inexpensive Android smartphones typically look for ways to accelerate their devices, for example, by freeing up memory. Demand for software that makes smartphones work a little faster creates supply, some of which happens to be malicious. In addition to legitimate applications, apps that only pretend to clean up the system have appeared on Google Play.

We have come across PC malware that infects mobile devices before. However, in this case it’s the other way round: an app that runs on a mobile device (a smartphone) is designed to infect PCs.

On January 22, 2013 Kaspersky Lab discovered the following application on Google Play:

The app is obviously quite popular and has a good rating:

This application has a twin brother that has an identical feature list but a different name:

As for the app authors’ imagination, they did not have much to spare for the GUI.

After launching, the application shows all the running services:

At the same time, it restarts them:

This is where the ‘useful’ activity ends – and the interesting part begins.

Among the numerous commands performed at the instruction of the master, the app can execute the following code:

Note the name of the method – Tools.UsbAutoAttack. Here are the details:

This code means that the malware downloads three files from the URL specified at the beginning of the class. The following files are downloaded:


Now, we need to find out where the application saves these files. This can be determined by looking at the DownloadFile method:

It follows from this piece of code that the files will be placed in the root directory of the SD card. Therefore, if the smartphone is connected to the PC in the USB drive emulation mode, the system will automatically execute svchosts.exe file.

Now, it would be curious to find out what’s inside svchosts.exe. We managed to download the file from the cybercriminals’ server. It turns out that svchosts.exe is in fact Backdoor.MSIL.Ssucl.a.

We have observed and detected similar objects starting from the first half of 2012. However, there was no connection to mobile platforms at the time

Overall, Backdoor.MSIL.Ssucl.a is not a particularly sophisticated piece of malware. Its only feature of interest is that it includes the freely-distributed library NAUDIO (

As the screenshot below shows, the NAUDIO library is the biggest part of the application.

Below, we try to figure out why the cybercriminals decided to use this structure.

First of all, have a look at the constructor of the frmMain form:

As you can see, a “Data Received” event causes the event handler to call the con_DataReceived function.

The function has rather extensive capabilities and is designed to handle a variety of commands sent by the master, but right now we are interested in the way a specific command is handled:

It can be seen in this piece of code that the RECORD_STR command causes the StartRec function to be called:

Next, note BeginMonitoring and BeginRecording.

In the former case, monitoring of the default audio recording device is configured. The value of the recordingDevice variable is set to zero for the purpose.

In the former case, monitoring of the default audio recording device is configured. The value of the recordingDevice variable is set to zero for the purpose:

As soon as the microphone detects sound, the application immediately begins to write audio data to a file using BeginRecording:

The program encrypts files and sends them to the master:

Encryption algorithm

Uploading any file to the master’s FTP

This is where the address to which the app should connect and send files is taken from

Generally speaking, saving autorun.inf and a PE file to a flash drive is one of the most unsophisticated ways of distributing malware. At the same time, doing this using a smartphone and then waiting for the smartphone to connect to a PC is a completely new attack vector. In the current versions of Microsoft Windows, the AutoRun feature is disabled by default for external drives; however, not all users have migrated to modern operating systems. It is those users who use outdated OS versions that are targeted by this attack vector.

Thus, a typical attack victim is the owner of an inexpensive Android smartphone who connects his or her smartphone to a PC from time to time, for example, to change the music files on the device. Judging by the sales statistics for Android smartphones, I would say that such people are quite numerous. For the attack to be more successful, it only lacks a broader distribution scheme.

It is worth noting that the approach used by the author of these applications is very well thought out. The app includes a vast range of features. For instance, in addition to infecting workstations, the Android version of the bot includes the following features:

  • Sending SMS messages
  • Enabling Wi-Fi
  • Gathering information about the device
  • Opening arbitrary links in a browser
  • Uploading the SD card’s entire contents
  • Uploading an arbitrary file (or folder) to the master’s server
  • Uploading all SMS messages
  • Deleting all SMS messages
  • Uploading all the contacts/photos/coordinates from the device to the master

This is the first time we have seen such an extensive feature set in one mobile application.

Mobile attacks!

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox