A Windows Trojan, named “DualToy” by Palo Alto Networks, uses a USB connection to load malicious apps onto Android and iOS devices connected to the infected computer.
DualToy was detected for the first time in January 2015 by Palo Alto Networks. Initially, it was thought to infect mainly China-based users but the company discovered that individuals from the US, the UK, Spain, Ireland and Thailand have also been targeted.
Security experts managed to find more than 8,000 different samples of the Trojan. While the first versions were only capable of infecting Android, six months after the threat was first detected, DualToy's authors upgraded it to be able to hit iOS devices as well.
When DualToy infects a Windows computer, it starts showing ads, alters the browser settings and injects processes. Then, once an iOS or Android device is connected to the infected machine via USB, the Trojan starts performing various activities.
DualToy's developers are counting on the fact that a device connected via USB to the infected machine has probably already been authorized, so that they can use the existing pairing records for the attack.
“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms.” – Claud Xiao, Palo Alto Networks researcher, blogged.
The Trojan requires the presence of two applications, the Android Debug Bridge (ADB) and iTunes, in order to compromise Android and iOS devices. If these apps haven't been installed, the malware downloads and installs them.
Abusing both apps, DualToy installs other malicious apps on the devices connected via USB. In the case of Android, the malware downloaded several Chinese-language games from a third-party app store.
On iOS devices, the Trojan collects system information such as the device type, name, model number, version, serial number, IMEI, IMSI, phone number and firmware. All this information is then sent back to its C&C server.
Moreover, DualToy also downloads some “.ipa” files (iOS application archives) onto the Apple devices. One of them asks users for their Apple ID and password, which the Trojan then encrypts and sends to a remote server. This application is called Kuaiyong and comes from a third-party iOS store, similar to ZergHelper, which in February managed to get around Apple's review process and make it onto the official App Store.
Palo Alto Networks found that DualToy is analogous to WireLurker and AceDeceiver, both of which infect iOS devices connected to an already compromised machine.