The malware poses as a reputable utility app under the name "Superclean/DroidCleaner" and is capable of infecting a PC connected over USB.
Once installed, the malware calls home to remote domains and downloads Windows executables and companion files (svchosts.exe, folder.ico, Autorun.inf) to the root of the SD card (/mnt/sdcard); these files are capable of spying on the user's PC.
As the AndroidManifest file shows, the app requests permissions to access and change the Wi-Fi state, manipulate SMS, read contact details, upload the SD card contents and contact remote servers.
The app is started from the main launcher and subsequently restarts the apps running on the smartphone.
The commands available to the malicious app are depicted; the notable one among them is "USB_AUTORUN_ATTACK".
The remote server claco.kic***.net (currently down) is contacted to download the malware to the specified location.
The downloaded files are stored in the root of the SD card, and when the smartphone is connected to a PC, svchosts.exe is triggered.
The harvested information is POSTed, as commanded, to the drop zone "claco.hopto.org/app_data/handle_upload.php", which is declared in Tools.class as shown below. The construction of the HTTP POST request is also shown.
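As an added example, not code from the original write-up, here is a Python check a responder could run against a mounted SD-card or USB volume root to flag the pattern described above: an Autorun.inf whose launch entry points at an executable shipped beside it (the article's svchosts.exe next to Autorun.inf and folder.ico). The directory layout and Autorun.inf contents it builds are constructed for the demonstration.

```python
"""Flag a mounted SD-card/USB volume root carrying the Autorun.inf dropper pattern
from the write-up. Added example, not the author's code; all sample data is constructed."""
import configparser
import os
import tempfile

# File names the write-up reports for this sample. "svchosts.exe" imitates the
# legitimate Windows binary svchost.exe, which is a useful hunting cue.
KNOWN_DROPPER_FILES = {"svchosts.exe", "folder.ico", "autorun.inf"}
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text):
    """Return the [autorun] section (any letter case) as a dict, or {}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return {k.lower(): v for k, v in parser.items(section)}
    return {}

def inspect_volume_root(root):
    """Return human-readable findings for one mounted volume root."""
    findings = []
    names = {n.lower(): n for n in os.listdir(root)}  # case-insensitive lookup
    present = KNOWN_DROPPER_FILES & set(names)
    if present:
        findings.append("known dropper artefacts present: " + ", ".join(sorted(present)))
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), errors="replace") as fh:
            entries = parse_autorun(fh.read())
        for key in LAUNCH_KEYS:
            target = entries.get(key, "").strip()
            exe = target.split()[0].strip('"').lower() if target else ""
            if exe in names:  # launch target actually shipped on the volume
                findings.append(f"Autorun.inf {key}= launches {exe}, which is present on the volume")
    return findings

def build_demo_volume(with_dropper=True):
    """Create a constructed volume root (optionally with the dropped trio); return its path."""
    root = tempfile.mkdtemp(prefix="sdcard_demo_")
    if with_dropper:
        with open(os.path.join(root, "Autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\nopen=svchosts.exe\nicon=folder.ico\naction=Open folder\n")
        for name in ("svchosts.exe", "folder.ico"):
            open(os.path.join(root, name), "wb").close()
    return root
```

Run `inspect_volume_root(build_demo_volume())` to see both findings; against a real mount point pass its path instead.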
- Download applications only from trusted sources such as reputed application markets.
- Be alert for unusual behavior on the part of the mobile phone and make sure up-to-date security software is installed on it.
- Check the permissions an application requests and ensure they match the features it provides.
- Watch for unusual behavior such as unknown applications being installed without user consent, SMS being sent to unknown recipients, or automatic phone calls.
- Scan the device with an updated malware solution.
- Exercise caution when clicking links or visiting websites, whether trusted or untrusted.