A Windows Trojan called DualToy has been discovered that can side load malicious apps onto Android and iOS devices via a USB connection from an infected computer.
Researchers from Palo Alto Networks said DualToy has been in existence since January 2015, and it originally was limited to installing unwanted apps and displaying mobile ads on Android devices. About six months later, the Trojan morphed and began targeting iOS devices by installing a third-party App Store in hopes of nabbing iTunes usernames and passwords.
“When DualToy began to spread in January 2015, it was only capable of infecting Android devices… We observed the first sample of DualToy capable of infecting iOS devices on June 7, 2015. Later in 2016, a new variant appeared,” wrote senior malware researcher Claud Xiao in a technical description of the Trojan.
Researchers said once DualToy infects a Windows machine, it looks for the Android Debug Bridge (ADB) and iTunes, and downloads drivers for both if they’re missing in order to infect mobile devices once connected.
“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,” Xiao wrote.
Researchers say they have observed 8,000 unique samples of the DualToy variant to date, and add they can’t be sure how many mobile devices have been infected by the malware.
Risk of iOS attacks, at the moment, are negligible because the Apple App certificate needed to install the fake App Store installed by DualToy on iOS devices has expired, researchers said.
Palo Alto notes, during the past two years there have been similar cases of Windows and Apple iOS malware designed to attack mobile devices via side-loading techniques.
“This attack vector is increasingly popular with malicious actors… WireLurker installed malicious apps on non-jailbroken iPhones. The HackingTeam’s RCS delivered its spyware from infected PCs and Macs to jailbroken iOS devices and BlackBerry phones,” Xiao said.
So far, DualToy mainly targets Chinese users, but researchers say it has also infected users in the United States, United Kingdom, Thailand, Spain and Ireland.
Xiao said, in order for the Trojan to infect an iOS device the target must have already set up a trusted pairing relationship between the PC and the iPhone or iPad.
Researchers say its unclear how DualToy Trojan gets on Windows machines. But once DualToy is on a PC, it downloads from a command-and-control server a file called adb.exe, which is the standard Android Debug Bridge on Windows clients. But more recent variants of DualToy drop a custom ADB client, tadb.exe, onto a victim’s PC. The malware also downloads two installers AppleMobileDeviceSupport64.msi and AppleApplicationSupport64.msi, part of Apple’s official iTunes for Windows software.
On Android devices, DualToy installs several Chinese language apps that researchers suspect attackers are getting paid per install by game developers. On iOS devices, DualToy installs a fake iOS App Store used to try to trick users into divulging their iTunes username and password.
The use of a fake iOS App Store is not unique. “The app is yet another third party iOS App Store just like ZergHelper. It also has exactly the same behavior as AceDeceiver. When launched for the first time, the app will ask the user to input his or her Apple ID and password,” Xiao wrote.