Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Windows Trojan Targets Android, iOS Devices via USB Connection

A relatively new Windows Trojan is capable of loading malicious applications onto Android and iOS devices connected to the infected machine via USB.

A relatively new Windows Trojan is capable of loading malicious applications onto Android and iOS devices connected to the infected machine via USB.

The threat, dubbed “DualToy” by Palo Alto Networks, has been around since January 2015. While the malware has mainly targeted users in China, the security firm reported that individuals and organizations in the United States, United Kingdom, Thailand, Spain and Ireland were also impacted.

Researchers discovered more than 8,000 unique DualToy samples. Earlier variants were only capable of infecting Android devices, but the Trojan’s developers added iOS capabilities within six months after the threat was first spotted.

On infected Windows PCs, DualToy injects processes, modifies browser settings and displays ads. When an Android or iOS device is connected to the infected PC via USB, the malware starts conducting various activities.

The malware’s developers are counting on the fact that when a user connects a mobile device to the infected computer, that device is likely already authorized, making it easier to use existing pairing records to interact with it in the background.

“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,” Palo Alto Networks researcher Claud Xiao explained in a blog post.

In order to infect Android and iOS devices, the Trojan checks for the presence of the Android Debug Bridge (ADB) and iTunes on the compromised Windows machine. If these applications are not found, the malware downloads and installs them.

Advertisement. Scroll to continue reading.

ADB and iTunes are used by DualToy to install various applications on Android and iOS devices connected via USB to the infected computer. In the case of Android, several Chinese-language games were downloaded from a third-party app store.

On iOS phones and tablets, the malware collects system information and sends it back to its command and control (C&C) server. The data includes the device’s name, type, version, model number, serial number, IMEI, IMSI, firmware, and phone number.

DualToy also downloads several .ipa files (iOS application archives), including one that asks users to provide their Apple ID and password. The harvested credentials are encrypted and sent to a remote server.

This app, named Kuaiyong, is a third-party iOS app store, similar to ZergHelper, which in February managed to slip through Apple’s review process and made it onto the official App Store.

Palo Alto Networks has compared DualToy to AceDeceiver and WireLurker, both of which target iOS devices when they are connected to an infected computer.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...