Old Apples, modded Androids, most at risk from Chinese DualToy trojan
A newly-outed trojan is exploiting iOS and Android devices, ripping iCloud credentials abusing the trusted link between phones and PCs, says Palo Alto security researcher Claud Xiao.
The attack appears to have failed in most circumstances, thanks to iOS’ sandboxing security controls, hardened modern Android operating systems, and the overt nature of the attack, and will flunk in all current attacks given the expiration of a certificate.
Xiao (@claud_xiao) says the DualToy malware targets Windows machines that have been authorised to work with iPhones and abuses the Android Debug Bridge facility commonly installed by users who run custom Android ROMs.
Once installed it will phish iOS devices for their Apple usernames and passwords shipping those stolen logins to a remote server, along with IMEI, IMSI, ICCID, and serial and phone numbers.
Android devices are more readily owned.
DualToy will download advertising apps, and attempt to gain root privileges from where it can install more applications.
The presence of Android Debug Bridge on Windows systems could help the malware’s bid to obtain root privileges since phones running custom ROMs are more likely to be rooted.
Several years ago, Android and iOS began requiring user interaction to authorise a device to pair to another device to prevent the kind of side-loading attack used by DualToy,” Xiao says.
“However, DualToy assumes any physically connected mobile devices will belong to the same owner as the infected PC to which they are connected, which means the pairing is likely already authorised.
“DualToy tries to reuse existing pairing records to directly interact with mobile devices in the background.”
The malware is a “reminder” of the threat of USB sideloading and multi-platform attacks.
Chinese apps from third party Android app stores are installed on infected Android devices.
Xiao has provided a sample (password: DualToy) for researchers to study. ®