Symantec researchers have found what they are calling the first known example of Windows malware specifically designed to infect Android devices. This new Android banking malware leverages vulnerable PCs to install itself on Android mobile devices.
Droidpak is a trojan that exploits the Windows operating system to gain a foothold on the victim's computer. After Droidpak settles in, it contacts a remote command-and-control server, which sends a configuration file back to the infected Windows computer. The configuration file references a website; the infected computer tries to connect to it and, if successful, begins downloading an Android malware file.
If Droidpak succeeds in installing its payload, Android.Fakebank.B shows up on the device as a “Google App Store” application.
Once installed, Android.Fakebank.B looks to see whether any mobile banking apps are installed on the Android device. Symantec said the version of Android.Fakebank.B it studied specifically targeted Korean banking applications. If Android.Fakebank.B finds a banking app it recognises, it attempts to convince the user that the installed banking app is malware that should be removed and replaced by Android.Fakebank.B. If the user agrees and launches Android.Fakebank.B, the malware is in position to steal login credentials, and possibly account information, when the user logs in through what they believe is the genuine banking app.
Symantec mentions that “Android.Fakebank.B also intercepts SMS messages on the compromised device.” Experts suggest turning off USB debugging on Android devices. Most people will never need USB debugging: it is a developer tool, used to side-load Android applications from a computer.
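The chain described above has a visible footprint on the Windows side: a process running from a user-writable directory stages an APK and pushes it to a USB-attached phone. The script below is an added example written for this page, not code from the article or from Symantec, and it assumes that the side-load is performed with the Android Debug Bridge client (`adb.exe`), which the article does not name explicitly, and that process-creation telemetry is available as simple key=value lines (the sample events are constructed). It flags `adb install` invocations whose executable, parent, or APK lives in a user-writable path, while letting a developer's install from the SDK directory through.

```python
import re
from typing import Dict, List, Optional

# Constructed Windows process-creation events in a simplified key=value form.
# Every line below is made up for this example; none is a log from the article,
# from Symantec, or from a real incident. The WS01 pair mirrors the chain the
# article describes: a dropper on the PC stages an APK and pushes it to a
# USB-attached phone with debugging enabled (assumed here to be done via adb.exe).
SAMPLE_EVENTS = [
    'ts=2014-01-22T09:14:03 host=WS01 user=jsmith parent=C:\\Windows\\explorer.exe '
    'image=C:\\Users\\jsmith\\AppData\\Roaming\\updater.exe cmdline="updater.exe /silent"',
    'ts=2014-01-22T09:14:09 host=WS01 user=jsmith '
    'parent=C:\\Users\\jsmith\\AppData\\Roaming\\updater.exe '
    'image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\adb.exe '
    'cmdline="adb.exe install C:\\Users\\jsmith\\AppData\\Local\\Temp\\payload.apk"',
    # Benign developer activity: adb from the SDK path, APK from a project tree.
    'ts=2014-01-22T11:30:41 host=DEV07 user=bchen parent=C:\\Windows\\explorer.exe '
    'image=C:\\Android\\sdk\\platform-tools\\adb.exe '
    'cmdline="adb.exe install -r C:\\Projects\\app\\build\\app-debug.apk"',
    'ts=2014-01-22T11:31:02 host=DEV07 user=bchen '
    'parent=C:\\Android\\sdk\\platform-tools\\adb.exe '
    'image=C:\\Android\\sdk\\platform-tools\\adb.exe cmdline="adb.exe devices"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
APK_RE = re.compile(r'"([^"]*\.apk)"|(\S+\.apk)', re.I)
# Directories an ordinary user can write to; tooling that runs from here deserves a look.
USER_WRITABLE_RE = re.compile(r'\\(?:AppData|Temp|Downloads|ProgramData|Users\\Public)\\', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def apk_from_cmdline(cmdline: str) -> Optional[str]:
    """Pull the (possibly quoted) .apk argument out of a command line, if any."""
    m = APK_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per adb install whose provenance looks unlike developer use."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        image, cmdline, parent = ev.get('image', ''), ev.get('cmdline', ''), ev.get('parent', '')
        # Only adb install commands are of interest; "adb devices" and other tooling are skipped.
        if basename(image) != 'adb.exe' or not re.search(r'\binstall\b', cmdline):
            continue
        apk = apk_from_cmdline(cmdline) or ''
        reasons = []
        if USER_WRITABLE_RE.search(image):
            reasons.append('adb launched from a user-writable directory')
        if USER_WRITABLE_RE.search(apk):
            reasons.append('APK staged in a user-writable directory')
        if USER_WRITABLE_RE.search(parent):
            reasons.append('parent process runs from a user-writable directory')
        if reasons:
            findings.append({'ts': ev.get('ts'), 'host': ev.get('host'), 'user': ev.get('user'),
                             'apk': apk, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']}/{f['user']} sideload of {f['apk']}: " + '; '.join(f['reasons']))
```

The rule deliberately scores provenance rather than the command itself, because `adb install` is routine on a developer workstation; in a fleet where no one develops for Android, the `install` match alone is enough to alert on, and the same telemetry can drive the article's mitigation by confirming that USB debugging is not being used on the devices that connect to those hosts.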
Several things have to go right before the Droidpak/Android.Fakebank.B malware combination can successfully steal banking information, but that was also the case with the first versions of banking malware targeting PCs.