We’ve seen Android malware that attempts to infect Windows systems before. Android.Claco, for instance, downloads a malicious PE file along with an autorun.inf file and places them in the root directory of the SD card. When the compromised mobile device is connected to a computer in USB mode, and if the AutoRun feature is enabled on the computer, Windows will automatically execute the malicious PE file.

Interestingly, we recently came across something that works the other way round: a Windows threat that attempts to infect Android devices.

The infection starts with a Trojan named Trojan.Droidpak. It drops a malicious DLL (also detected as Trojan.Droidpak) and registers it as a system service. This DLL then downloads a configuration file from the following remote server:

http://xia2.dy[REMOVED]s-web.com/iconfig.txt

It then parses the configuration file in order to download a malicious APK to the following location on the compromised computer:

%Windir%\CrainingApkConfig\AV-cdk.apk

The DLL may also download necessary tools such as Android Debug Bridge (ADB).

Next, it installs ADB and uses the command shown in Figure 1 to install the malicious APK to any Android devices connected to the compromised computer:

Figure 1. Command to install the malicious APK

The installation is attempted repeatedly in order to ensure a mobile device is infected when connected. Successful installation also requires the USB debugging Mode is enabled on the Android device.

The malicious APK is a variant of Android.Fakebank.B and poses as a Google App Store application.

Figure 2. Malicious APK posing as Google App Store

However, the malicious APK actually looks for certain Korean online banking applications on the compromised device and, if found, prompts users to delete them and install malicious versions. Android.Fakebank.B also intercepts SMS messages on the compromised device and sends them to the following location:

http://www.slmoney.co.kr[REMOVED]

Figure 3. Malicious APK code snippet

To avoid falling victim to this new infection vector, Symantec suggests users follow these best practices: