SCF Advanced Search

  • Total Posts: 41270
  • Total Topics: 14828
  • Online Today: 810
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Fake Cleaning Apps in Google Play: an AutoRun Attack and More  (Read 3457 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Fake Cleaning Apps in Google Play: an AutoRun Attack and More

Almost exactly one year ago, Google announced the addition of a “new layer to Android security,” a service codenamed Bouncer that was intended to provide automated scanning of the Android Market for potentially malicious software. However, as my colleague Jimmy Shah wrote in a previous blog post, Bouncer has not been enough to keep all the malware out of the market: We saw Android malware (for example, Android/DougaLeaker) distributed in the Google Play Market in 2012. Recently, two malicious applications from the developer Smart.Apps were found using the same official distribution method:

Both applications present themselves as “optimizers” that make Android devices faster and more responsive by cleaning the browser cache, optimizing network settings, clearing unused log files, and so on. When the applications are executed, they display fake user interfaces:

In the case of DroidCleaner, the graphical user interface is more elaborate; the application displays three different cleaning options that lead to the same fake progress bar:

Meanwhile, in the background and without user consent, a service establishes a communication with a control server. The commands include common actions performed by other Android malware:

• Sending device and network information (IMEI, IMSI, phone number) to a remote server

• Sending and deleting SMS messages (could be used to subscribe the user to premium-rate services)

• Stealing sensitive personal information (installed applications, pictures, contacts, SMS messages, GPS coordinates)

• Mapping the contents of the SD card (files and directories) to later upload to the remote server

Other less common functions are also implemented as available commands:

• Executing shell commands remotely

• Rebooting the device using the command “reboot” on rooted devices

• Launching another application installed in the device without user consent

• Setting call forwarding and changing the ringer mode to silent so the user is not aware that calls are being redirected to another number

One of the most interesting commands in this new Android malware is UsbAutorunAttack, which consists of downloading three files (autorun.inf, folder.ico, and svchost.exe) from a remote server to place in the SD card and infect Windows computers that have the AutoRun feature enabled. This new distribution method may not be as effective because the latest version of Windows has AutoRun disabled by default; yet it is interesting to see Android malware trying to infect Windows computers.

Another interesting command in this threat is CallOut, which aims to initiate the dialer’s pad with a specific phone number. The implementation of this command reminds me of the “Dirty USSD” vulnerability, discovered last year, because this one uses the protocol “tel:,” which can be used with a special USSD code to wipe an Android device. Although we haven’t seen this attack in the wild and the issue has already been fixed for most devices with an OTA software update, due to the fragmentation problem of Android it is possible that your device doesn’t have the latest version of the operating system. To find out if your device is vulnerable, McAfee offers a test page that performs a test with nonmalicious code. If your device is vulnerable, you can download and install the McAfee Dialer Protection app from Google Play.

This threat also executes phishing attacks aimed to steal Android (Google) and Dropbox credentials by showing the following user interface to the user when the commands creds_attack and creds_dropbox are sent by the control server:

Once the user enters the information and taps “Login,” the stolen credentials are sent to the remote server while the message “Wrong credentials” is displayed.

McAfee Mobile Security detects this mobile threat as Android/Ssucl.A. The Windows threat is detected by McAfee VirusScan/Total Protection as Generic Dropper.p.

Orginal article: Thursday, February 7, 2013 at 12:01pm by Carlos Castillo
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -


  • SCF VIP Member
  • *****
  • Posts: 3611
  • KARMA: 157
  • Gender: Female
Re: Fake Cleaning Apps in Google Play: an AutoRun Attack and More
« Reply #1 on: 08. February 2013., 18:51:56 »
:( might explain some problems I was having... Not sure, hope Avast did its job. :s

GOOD warning!



~~~ ~~~
Cuisvis hominis est errare, nullius nisi insipientis in errore persevare
All spelling mistakes are my own and may only be distributed under the GNU General Public License! – (© 95-1 by Coredump; 2-013 by DevNullius)
More information about bitcoin, altcoin & crypto in general? GO TO

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist

Samker's Computer Forum -

Re: Fake Cleaning Apps in Google Play: an AutoRun Attack and More
« Reply #1 on: 08. February 2013., 18:51:56 »


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising