A trojan targeting Windows computers has been secretly sideloading mobile applications onto any iOS or Android device that its victims connect to the infected PC over a USB cable.
The trojan, called DualToy, has been active since January 2015. Originally it could only infect Android devices.
Six months later DualToy gained support for infecting iOS devices, but the number of real-world infections only spiked recently, according to a Palo Alto Networks report, which puts the number of distinct samples detected in the wild at 8,000.
On the technical side, DualToy is written in C++ and Delphi. The first thing it does after infecting a computer is download and install the Android Debug Bridge (ADB) and the Windows iTunes drivers.
These two applications are used by the trojan’s process to interact with any device connected to the PC.
The trojan assumes that any device attached to the computer belongs to the computer's owner. It therefore reuses the pairing/authorization records already present on the PC (the ADB RSA key the phone accepted when the user first allowed USB debugging, and for iOS the lockdown pairing record created when the user tapped "Trust" for that computer) to authenticate to whatever mobile device is connected over USB, so the phone shows no new prompt. Revoking USB debugging authorizations on the Android device, and withdrawing trust from computers that no longer need it, closes this path until the user trusts the PC again.
After successfully accessing the device, DualToy contacts its C&C server, obtains a list of apps to install, downloads them, and installs them on the user's device.
To avoid problems during app installation on Android devices, DualToy also downloads additional code from the C&C server and runs it on the device. This code roots the device, which lets DualToy install apps in the background without any user interaction.
For iOS devices, the trojan downloads and runs code that collects details such as IMEI, IMSI, ICCID, serial number and phone number. The purpose of this operation is currently unknown.
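As an added illustration (not code from the Palo Alto Networks report or from the trojan itself), the following Python script turns the host-side behaviour described above into detection logic and runs it over constructed Sysmon-style process-creation records: an adb.exe that is not the SDK's own copy, a device-writing adb sub-command (install, push, shell, ...) spawned by something other than a shell or developer tool, and a parent process running out of a temp or download directory. The sample events, the allow-list of expected parent processes and the directory heuristics are assumptions made for the example, not indicators taken from the report.

```python
import ntpath

# Constructed Sysmon-style (Event ID 1, process creation) records used to
# exercise the checks below. Sample data, not telemetry from the DualToy report.
SAMPLE_EVENTS = [
    {  # legitimate: Android Studio driving the SDK's own adb
        "Image": r"C:\Users\dev\AppData\Local\Android\Sdk\platform-tools\adb.exe",
        "CommandLine": r"adb install -r build\app-debug.apk",
        "ParentImage": r"C:\Program Files\Android\Android Studio\bin\studio64.exe",
    },
    {  # suspicious: adb dropped in a temp folder, driven by an unknown installer
        "Image": r"C:\Users\alice\AppData\Local\Temp\adb.exe",
        "CommandLine": r"adb.exe install -r C:\Users\alice\AppData\Local\Temp\1.apk",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup_update.exe",
    },
    {  # suspicious: SDK adb, but executing on the device with no shell or dev tool as parent
        "Image": r"C:\Users\dev\AppData\Local\Android\Sdk\platform-tools\adb.exe",
        "CommandLine": "adb shell /data/local/tmp/r",
        "ParentImage": r"C:\ProgramData\svc\host.exe",
    },
    {  # benign: read-only query from an interactive shell
        "Image": r"C:\Users\dev\AppData\Local\Android\Sdk\platform-tools\adb.exe",
        "CommandLine": "adb devices -l",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

# Parents from which a person or a build tool normally drives adb.
# This allow-list is an assumption for the example; tune it per environment.
EXPECTED_PARENTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe",
    "studio64.exe", "java.exe", "gradle.exe", "node.exe", "python.exe", "explorer.exe",
}

# adb sub-commands that write to, or execute on, the attached device.
DEVICE_WRITING_VERBS = {"install", "install-multiple", "push", "shell", "sideload", "root", "remount"}


def adb_verb(command_line):
    """Return the adb sub-command, skipping global options such as -s <serial>."""
    parts = command_line.split()[1:]          # drop the executable token
    i = 0
    while i < len(parts):
        tok = parts[i]
        if tok in ("-s", "-t", "-H", "-P", "-L"):   # global options that take a value
            i += 2
            continue
        if tok.startswith("-"):                      # -d, -e, -a and similar flags
            i += 1
            continue
        return tok
    return ""


def suspicious_reasons(event):
    """Return the reasons an adb process-creation event looks like unattended
    sideloading; an empty list means nothing stood out."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "adb.exe":
        return []
    reasons = []
    image_dir = ntpath.dirname(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    parent_dir = ntpath.dirname(event.get("ParentImage", "")).lower()
    verb = adb_verb(event.get("CommandLine", ""))

    # 1. adb that did not come with the SDK: the trojan brings its own copy.
    if "platform-tools" not in image_dir:
        reasons.append("adb.exe outside an SDK platform-tools directory")
    # 2. Something writing to the device without a shell or dev tool behind it.
    if verb in DEVICE_WRITING_VERBS and parent not in EXPECTED_PARENTS:
        reasons.append(f"adb {verb} spawned by unexpected parent {parent}")
    # 3. Parent running from a typical drop location.
    if "\\temp" in parent_dir or "\\downloads" in parent_dir:
        reasons.append("parent process runs from a temp or download directory")
    return reasons


def scan(events):
    """Map event index -> reasons, for every event that tripped at least one check."""
    hits = {}
    for i, event in enumerate(events):
        reasons = suspicious_reasons(event)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

The checks deliberately key on behaviour rather than on a file hash: a fresh adb.exe in a temp directory driven by an installer, or an adb install/shell with no human-facing parent, is what the PC-side of this sideloading chain looks like regardless of which sample is involved. The iOS path (iTunes drivers plus lockdown pairing records) needs its own rule; the article gives no detail on which Apple component the trojan drives, so it is not modelled here.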