Droidpak: A sneak attack on Android devices via PC malware

Symantec researchers have found what they call the first known example of Windows malware specifically designed to infect Android devices. “We’ve seen Android malware that attempts to infect Windows systems before,” said Flora Lui, author of the Symantec post announcing Droidpak. “Interestingly, we recently came across something that works the other way round: a Windows threat that attempts to infect Android devices.”

Exploits Windows first

Droidpak is a trojan that first compromises the victim’s Windows computer. Once it has a foothold, it contacts a remote command-and-control (C&C) server, which, according to Symantec Security Response, sends a configuration file back to the infected Windows computer similar to the example below:


Notice that the configuration file references a website. The infected computer tries to connect to that site and, if it succeeds, downloads an Android malware file (an APK) similar to the one below:


The infected computer may also download tools from the remote server, such as the Android Debug Bridge (ADB), and use them to install the Android package (APK), or other malware, onto any Android phone or tablet connected to the infected computer by a USB cable.
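As an added example (not code from the article or from Symantec), the following Python script shows one way a defender could spot this stage on the Windows side: it scans process-creation records for an ADB-style `install ... .apk` command line and flags it when the binary runs from a user-writable drop directory or is launched by something other than a developer tool. The record format, the directory and parent-process lists, and the sample events are all constructed for the example, not taken from Droidpak.

```python
"""Added example: flag ADB-style APK sideloading in Windows process-creation
records (fields modelled on Sysmon event 1).  Not from the article or Symantec;
the record format, directory list, parent list and sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# User-writable directories a dropper typically stages tools in (assumption).
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
             "\\programdata\\", "\\users\\public\\")
# Parents from which a developer would normally launch adb (assumption).
DEV_PARENTS = ("studio64.exe", "cmd.exe", "powershell.exe", "explorer.exe", "java.exe")
# An adb install command line: the verb followed by a .apk path.
APK_INSTALL = re.compile(r"\binstall\b.*\.apk\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one 'key=value|key=value' record (constructed format); None if malformed."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if not sep:
            return None
        fields[key.strip().lower()] = value.strip()
    try:
        return ProcEvent(int(fields["pid"]), fields["image"],
                         fields["cmdline"], fields["parentimage"])
    except (KeyError, ValueError):
        return None


def classify(ev: ProcEvent) -> Optional[str]:
    """Reason string when the event looks like malware-driven sideloading, else None."""
    if not APK_INSTALL.search(ev.cmdline):
        return None                      # not an APK install at all
    image = ev.image.lower()
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    reasons = []
    if any(d in image for d in DROP_DIRS):
        reasons.append("installer runs from a drop directory")
    if parent not in DEV_PARENTS:
        reasons.append("unexpected parent process " + parent)
    return "; ".join(reasons) or None    # a normal SDK install yields no reasons


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run classify() over raw records, returning (pid, reason) for each hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            hits.append((ev.pid, reason))
    return hits


# Constructed sample records: a developer install from Android Studio, a
# Droidpak-style install from a temp directory, unrelated noise, and a renamed
# adb copy run from AppData.
SAMPLE_EVENTS = [
    r"pid=3011|image=C:\Android\sdk\platform-tools\adb.exe|cmdline=adb.exe -s emulator-5554 install app-debug.apk|parentimage=C:\Program Files\Android\Android Studio\bin\studio64.exe",
    r"pid=4120|image=C:\Users\alice\AppData\Local\Temp\adb.exe|cmdline=adb.exe install C:\Users\alice\AppData\Local\Temp\update.apk|parentimage=C:\ProgramData\hostsvc.exe",
    r"pid=4125|image=C:\Program Files\Google\Chrome\chrome.exe|cmdline=chrome.exe --type=renderer|parentimage=C:\Program Files\Google\Chrome\chrome.exe",
    r"pid=4133|image=C:\Users\alice\AppData\Roaming\updater.exe|cmdline=updater.exe install C:\Users\alice\AppData\Roaming\bank.apk|parentimage=C:\Windows\System32\cmd.exe",
    "this line is not a record",
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

Run stand-alone it reports the two suspicious installs (pids 4120 and 4133) and ignores the developer's own `adb install` from Android Studio. The heuristic keys on the command line rather than the file name, so a renamed adb.exe is still caught; tune the two lists to your own fleet.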

Success: Android.Fakebank.B installed

Several things have to happen in order for Droidpak to successfully install its payload—Android.Fakebank.B. We will look at those in a bit. First, let’s look at what the malware developers designed Android.Fakebank.B to do once installed as an application on an Android device.

Android.Fakebank.B shows up as an application called “Google App Store,” as shown in the slide below.



Photo: Symantec


Once installed, Android.Fakebank.B checks whether any mobile banking apps are installed on the device. Symantec said the version it studied specifically targeted Korean banking applications. If it finds a banking app it recognizes, it tries to convince the user that the legitimate app is malware that should be removed and replaced with Android.Fakebank.B. If the user agrees and later logs in through what they believe is the correct banking app, the malware is in position to steal the login credentials and possibly account information.

Symantec mentions that, “Android.Fakebank.B also intercepts SMS messages on the compromised device and sends them to the following location.”


Users need to agree

Now it is time to talk about what needs to happen for Droidpak/Android.Fakebank.B to be successful. The user has to have turned on USB debugging, a developer setting that is off by default, and on Android 4.2.2 and later must also have accepted the infected computer’s ADB authorization prompt; once that is done, adb installs the APK with no prompt on the phone. Android.Fakebank.B then still needs the user to agree to remove the real banking app and trust the fake one. This is where social engineering comes into play, and we all know the bad guys are getting good at it.

Symantec, and the other Android experts I talked to, suggest turning off USB debugging on Android devices. USB debugging is a developer setting that lets a computer sideload Android applications over a USB cable with ADB, which is exactly what Droidpak relies on; most people never need it. On Android 4.2.2 and later a computer must also be authorized on the phone (the RSA key fingerprint prompt) before it can use ADB, so declining that prompt when an unfamiliar computer asks is a second line of defense. USB debugging is switched off under Settings > Developer options > USB debugging.
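As an added example, not from the article, this Python script audits an attached device from a trusted computer using two facts the advice above relies on: a device only shows up in `adb devices` at all when USB debugging is on, and on Android 4.2.2 and later the state column says whether this computer has been accepted on the phone’s authorization prompt. The sample `adb devices -l` output is constructed; `main()` shows the real commands and assumes `adb` is on the PATH.

```python
"""Added example, not from the article: audit an attached Android device for
exposure to ADB sideloading.  Parsers work on adb's text output; the sample
output below is constructed.  Assumes adb is on PATH when main() is used.
"""
import subprocess
from typing import List, Tuple

# Constructed `adb devices -l` output: one phone that has authorized this
# computer and one still showing the RSA-key prompt (Android 4.2.2+).
SAMPLE_DEVICES = """List of devices attached
0123456789ABCDEF       device usb:1-1 product:hammerhead model:Nexus_5 device:hammerhead
ZX1G22ABCD             unauthorized usb:1-2
"""


def parse_adb_devices(text: str) -> List[Tuple[str, str]]:
    """Return (serial, state) pairs.  A device only appears here when USB
    debugging is switched on; the state tells whether this host may use it."""
    devices = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) >= 2:
            devices.append((parts[0], parts[1]))
    return devices


def debugging_enabled(setting_output: str) -> bool:
    """Interpret `adb shell settings get global adb_enabled` (Android 4.2+): '1' = on."""
    return setting_output.strip() == "1"


def assess(serial: str, state: str) -> str:
    """One-line verdict per device, from a Droidpak-style attacker's point of view."""
    if state == "device":
        return (f"{serial}: USB debugging on and this computer is authorized; "
                "adb install would succeed without a prompt on the phone. "
                "Turn USB debugging off when not developing.")
    if state == "unauthorized":
        return (f"{serial}: USB debugging on but this computer is not authorized; "
                "the user would have to accept the RSA key prompt first.")
    return f"{serial}: state '{state}', adb cannot install from this host."


def audit(devices_output: str) -> List[str]:
    """Verdicts for every device listed in `adb devices` output."""
    return [assess(serial, state) for serial, state in parse_adb_devices(devices_output)]


def main() -> None:
    out = subprocess.run(["adb", "devices", "-l"],
                         capture_output=True, text=True, check=True).stdout
    for verdict in audit(out):
        print(verdict)
    for serial, _ in parse_adb_devices(out):
        # The settings query only answers on an authorized device; otherwise stdout is empty.
        setting = subprocess.run(
            ["adb", "-s", serial, "shell", "settings", "get", "global", "adb_enabled"],
            capture_output=True, text=True).stdout
        print(serial, "adb_enabled =", debugging_enabled(setting))


if __name__ == "__main__":
    main()
```

A device that is absent from the list, or that shows `unauthorized`, cannot be installed to by the computer the script runs on; a `device` entry means the phone would accept an `adb install` from a Droidpak-infected machine in the same state.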

The Android experts also said they would be remiss not to mention the importance of running antivirus on both computers and Android devices. Now that Droidpak has been unmasked, AV vendors will add detection for it to their products.

Just released AV-Test results

Speaking of antivirus applications for Android, Andreas Marx, CEO of AV-TEST Institute, just sent me the latest Android antivirus app test results. Marx wrote, “30 Android security apps were tested: only two products failed in our latest review against 2,191 malicious apps.”

In the email, Marx included what he considered to be key elements of the latest test:

  • The average malware protection rate was 96 percent (almost 1 percent less than last review).
  • Only four security apps created false positives on our test systems, two of them related to clean Apps from Google Play (Comodo and Panda), two more from 3rd party App stores (AegisLab and AhnLab).
  • Features offered by the free and paid-for security apps differed significantly. Therefore, we recommend a close review of security features like anti-theft, backup and encryption.

The test results will show up on the AV-TEST website today, Feb. 3.

Final thoughts

Several things have to go right before the Droidpak/Android.Fakebank.B combination can steal banking information, but that was also true of the first banking malware targeting PCs; Zeus and Neverquest are now highly successful banking malware.

I would prefer to be wrong, but due to the popularity of mobile devices and the number of banking apps, I’m afraid bad guys are going to make sure malware like Droidpak succeeds.
