A relatively new Windows Trojan is capable of loading malicious applications onto Android and iOS devices connected to the infected machine via USB.
The threat, dubbed “DualToy” by Palo Alto Networks, has been around since January 2015. While the malware has mainly targeted users in China, the security firm reported that individuals and organizations in the United States, United Kingdom, Thailand, Spain and Ireland were also impacted.
Researchers discovered more than 8,000 unique DualToy samples. Earlier variants were only capable of infecting Android devices, but the Trojan’s developers added iOS capabilities within six months after the threat was first spotted.
On infected Windows PCs, DualToy injects processes, modifies browser settings and displays ads. When an Android or iOS device is connected to the infected PC via USB, the malware starts conducting various activities.
The malware’s developers are counting on the fact that when a user connects a mobile device to the infected computer, that device is likely already authorized, making it easier to use existing pairing records to interact with it in the background.
“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,” Palo Alto Networks researcher Claud Xiao explained in a blog post.
In order to infect Android and iOS devices, the Trojan checks for the presence of the Android Debug Bridge (ADB) and iTunes on the compromised Windows machine. If these applications are not found, the malware downloads and installs them.
ADB and iTunes are used by DualToy to install various applications on Android and iOS devices connected via USB to the infected computer. In the case of Android, several Chinese-language games were downloaded from a third-party app store.
On iOS phones and tablets, the malware collects system information and sends it back to its command and control (C&C) server. The data includes the device’s name, type, version, model number, serial number, IMEI, IMSI, firmware, and phone number.
DualToy also downloads several .ipa files (iOS application archives), including one that asks users to provide their Apple ID and password. The harvested credentials are encrypted and sent to a remote server.
This app, named Kuaiyong, is a third-party iOS app store, similar to ZergHelper, which in February managed to slip through Apple’s review process and made it onto the official App Store.
Palo Alto Networks has compared DualToy to AceDeceiver and WireLurker, both of which target iOS devices when they are connected to an infected computer.