Trojan Horse by Keithwormwood

DualToy trojan hits Windows to reach iOS & Android devices

DualToy: A new trojan is targeting Windows computers to serve malicious applications on Android and iOS devices that the victim connects to the infected system via USB cables.

The trojan is called DualToy and was first detected in January of 2015. In its original form, it could infect only Android devices.

DualToy has since been updated so it can also infect iOS devices. According to security firm Palo Alto Networks, the number of distinct samples of the malware has now reached 8,000.


DualToy is written in C++ and Delphi, and the first thing it does after infecting a computer is download and install the Android Debug Bridge (ADB) and iTunes drivers for Windows.

The trojan assumes that each device connected to the computer belongs to the computer's owner. It therefore takes the corresponding authorization files it has found on the user's computer and uses them to try to bypass the authentication of a mobile device connected via a USB port.

After successfully accessing the device, DualToy communicates with a C&C server, downloads a list of applications, and then installs them on the victim's device.

To avoid complications during the application installation process on Android devices, DualToy also downloads a special script from the C&C server. This script roots the device and gives DualToy the ability to install applications without the need for user interaction.
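The Windows side of the ADB behaviour described above can be hunted for in process-creation logs. The following is an added example, not code from the original article or from Palo Alto Networks; the log format, field names, paths and allowlists are assumptions, and the sample records are constructed.

```python
import ntpath
import re

# Assumptions for this example: where a sanctioned adb.exe lives and which
# parent processes normally start it (hypothetical allowlists, lowercase).
APPROVED_ADB_DIRS = {r"c:\android\sdk\platform-tools"}
APPROVED_PARENTS = {"studio64.exe", "cmd.exe", "powershell.exe"}
# adb subcommands that modify or drive the attached device.
RISKY_VERBS = {"install", "install-multiple", "push", "shell", "root"}
# adb global options that consume the following token as their value.
OPTS_WITH_VALUE = {"-s", "-H", "-P", "-L", "-t"}
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed process-creation records (hypothetical key="value" export format).
SAMPLE_LOG = r'''
image="C:\Android\sdk\platform-tools\adb.exe" parent="C:\Program Files\Android\Android Studio\bin\studio64.exe" cmd="adb.exe install app-debug.apk"
image="C:\Users\Public\tmp\adb.exe" parent="C:\Users\Public\tmp\updater.exe" cmd="adb.exe -s 0123456789ABCDEF install -r pkg.apk"
image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe" cmd="notepad.exe notes.txt"
image="C:\Android\sdk\platform-tools\adb.exe" parent="C:\ProgramData\svc\helper.exe" cmd="adb.exe push file.bin /data/local/tmp/"
'''

def adb_verb(cmd):
    """Return the adb subcommand, skipping global options such as -s SERIAL."""
    tokens = cmd.split()[1:]
    while tokens:
        tok = tokens.pop(0)
        if tok in OPTS_WITH_VALUE:
            tokens = tokens[1:]          # drop the option's value as well
        elif not tok.startswith("-"):
            return tok
    return None

def review(line):
    """Return the reasons a record looks like unsanctioned ADB use ([] if none)."""
    ev = dict(FIELD.findall(line))
    image = ev.get("image", "").lower()
    if ntpath.basename(image) != "adb.exe":
        return []
    reasons = []
    if ntpath.dirname(image) not in APPROVED_ADB_DIRS:
        reasons.append("adb.exe outside approved directory")
    if ntpath.basename(ev.get("parent", "").lower()) not in APPROVED_PARENTS:
        reasons.append("unexpected parent process")
    verb = adb_verb(ev.get("cmd", ""))
    if reasons and verb in RISKY_VERBS:  # risky verbs matter only with another signal
        reasons.append(f"device-changing verb: {verb}")
    return reasons

def flagged(log):
    """Return (record, reasons) for every record that raised at least one reason."""
    return [(l, r) for l in log.strip().splitlines() if (r := review(l))]
```

Matching on the file name alone misses a renamed binary, so pair this with a hash or signer check where the log source provides one.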

For iOS devices, the trojan downloads and runs a script that collects various details of the device, such as the IMEI, IMSI, ICCID, serial number and phone number. The purpose of this function is currently unknown.

On iOS devices, DualToy also collects the Apple ID along with the user's password.

All applications installed by DualToy are used to display ads that generate profits for the trojan's operator.

"Although the ability of this attack can be further limited by additional mechanisms (e.g., by activating the ADB and iOS sandbox), DualToy reminds us again that attackers can use USB to reach mobile devices and how malware can be transmitted across different platforms," said Claud Xiao, security researcher at Palo Alto Networks.


Written by giorgos
