Android/UsbCleaver.A!tr.spy
Analysis
Android/UsbCleaver.A!tr.spy is a piece of malware targeting Android mobile phones.
The application tricks the user into downloading a set of 'tools' it claims to need in order to run. The download actually contains several Windows executables that are run automatically when the phone is connected to a PC and harvest information such as the PC's IP configuration and the credentials stored by Chrome, Firefox, Internet Explorer and the Wi-Fi profiles.
Technical Details
The main application is called "UsbCleaver" (ref Fig1) and comes in the package "com.novaspirit.usbcleaver".
Fig1 : UsbCleaver Application Icon
When the application is launched, the user is asked to download a set of 'tools' that the application claims it needs in order to run (ref Fig2).
Fig2 : Download Request
If the user agrees, a ZIP archive is downloaded from
hxxp://www.novaspir[REMOVED]er.zip
The downloaded archive is saved under
/sdcard/usbcleaver/
The archive is then unzipped and is expected to contain the following files, all of them Windows executables:
- ChromePass.exe
- PasswordFox.exe
- iepv.exe
- WirelessKeyView.exe
Finally, a file called
/sdcard/autorun.inf
is created. Because the phone's storage is exposed to the PC as a removable drive, this file is processed by Windows AutoRun each time the phone is connected; it launches a batch script, /sdcard/go.bat, which collects the following information from the connected PC and leaves the results on the phone's storage:
Note that this step depends on the PC honouring AutoRun for removable media. AutoRun for non-optical drives is disabled by default on Windows 7 and later, and was disabled on Windows XP and Vista by a 2011 update, so on such systems the script only runs if the user launches it manually.
- Computer name and the logged-in user's username
- The computer's IP configuration
- Output of the downloaded executables, which dump the credentials saved by Chrome (ChromePass.exe), Firefox (PasswordFox.exe), Internet Explorer (iepv.exe) and the wireless profiles (WirelessKeyView.exe)
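As an added example (not the malware's own code and not part of any Fortinet product), the following Python script implements the check a responder can run against a mounted phone volume or a copied SD-card image: it parses autorun.inf the way Windows AutoRun reads it, follows the launch entry to the batch file, and looks for the four tool executables named above. The directory layout, file names and placeholder contents it builds are constructed test data modelled on the paths given in this analysis; the verdict labels are this example's own.

```python
"""Triage check for a UsbCleaver-style USB autorun dropper.

Added example for this page; it is not the malware's own code and not part of
any Fortinet product. It walks a directory that stands in for the phone's
storage as a PC would see it and reports the indicators named in the analysis:
an autorun.inf whose [autorun] section launches a batch file, that batch file
itself, and the four credential-dumping executables. The sample layout it
builds is constructed test data with placeholder file contents.
"""
import configparser
import tempfile
from pathlib import Path

# Tool names taken from the analysis above (matched case-insensitively).
TOOLS = {"chromepass.exe", "passwordfox.exe", "iepv.exe", "wirelesskeyview.exe"}
# [autorun] keys that launch a program; icon=, label= and action= alone launch nothing.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(path: Path) -> dict:
    """Return the [autorun] section as a lower-cased dict, or {} if absent/unparsable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(path.read_text(errors="replace"))
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":  # section name is case-insensitive on Windows
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def scan_sdcard(root: Path) -> dict:
    """Look for the autorun chain and the dropped tools under root; return the findings."""
    findings = {"launch_target": None, "batch_present": False,
                "tools_found": [], "verdict": "clean"}
    autorun = root / "autorun.inf"
    if autorun.is_file():
        entries = parse_autorun(autorun)
        for key in LAUNCH_KEYS:
            if key in entries:
                findings["launch_target"] = entries[key]
                break
    if findings["launch_target"]:
        # First token of the command, quotes stripped, resolved relative to the drive root.
        target = findings["launch_target"].split()[0].strip('"')
        findings["batch_present"] = (root / target).is_file()
    for p in root.rglob("*"):
        if p.is_file() and p.name.lower() in TOOLS:
            findings["tools_found"].append(p.relative_to(root).as_posix())
    findings["tools_found"].sort()
    if findings["batch_present"] and findings["tools_found"]:
        findings["verdict"] = "usbcleaver-like"
    elif findings["launch_target"] or findings["tools_found"]:
        findings["verdict"] = "suspicious"
    return findings


def build_sample(base: Path, with_dropper: bool) -> Path:
    """Lay out a constructed storage image (placeholder bytes, not real binaries)."""
    base.mkdir(parents=True, exist_ok=True)
    if with_dropper:
        tools = base / "usbcleaver"
        tools.mkdir()
        for name in ("ChromePass.exe", "PasswordFox.exe", "iepv.exe", "WirelessKeyView.exe"):
            (tools / name).write_bytes(b"MZ placeholder")
        (base / "go.bat").write_text("@echo off\nrem placeholder collector\n")
        (base / "autorun.inf").write_text("[autorun]\nopen=go.bat\naction=Open folder\n")
    else:
        # A benign autorun.inf that only sets an icon and a label launches nothing.
        (base / "autorun.inf").write_text("[AutoRun]\nicon=phone.ico\nlabel=My Phone\n")
        (base / "DCIM").mkdir()
    return base


def demo() -> tuple:
    """Scan a constructed infected image and a constructed benign one; return both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = scan_sdcard(build_sample(Path(tmp) / "infected", True))
        benign = scan_sdcard(build_sample(Path(tmp) / "benign", False))
    return infected, benign


if __name__ == "__main__":
    for label, result in zip(("infected", "benign"), demo()):
        print(label, result)
```

To use it on a real device, point scan_sdcard() at the mount point of the phone's storage (or at an extracted copy of it) instead of the constructed sample; the benign case shows that an autorun.inf carrying only icon= and label= entries is not flagged, which avoids false positives on ordinary media.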
Permissions requested by the application:
- WRITE_EXTERNAL_STORAGE
- INTERNET
- ACCESS_NETWORK_STATE
Certificate information (self-signed: owner and issuer are identical):
- Owner: CN=Donald Hui, OU=Unknown, O=Novaspirit, L=Unknown, ST=Unknown, C=US
- Issuer: CN=Donald Hui, OU=Unknown, O=Novaspirit, L=Unknown, ST=Unknown, C=US
- Serial number: 4fb31495
- Valid from: Wed May 16 04:44:37 CEST 2012 until: Thu Feb 17 03:44:37 CET 2067
Recommended Action
FortiGate Systems
- Check the main screen of the FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Database
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |