In addition to behaviors found in traditional Windows PC malware, such as process injection, modifying browser settings and displaying advertisements, DualToy also performs the following activities against Android and iOS devices:
>Downloads and installs Android Debug Bridge (ADB) and iTunes drivers for Windows
>Uses existing pairing/authorization records on the infected PC to interact with Android and/or iOS devices over a USB cable
>Downloads Android apps and installs them on any connected Android device in the background; most of these apps are riskware or adware
>Copies native code to a connected Android device and executes it directly, and launches another custom component to obtain root privileges and to download and install more Android apps in the background
>Steals information from connected iOS devices, including IMEI, IMSI, ICCID, serial number and phone number
>Downloads an iOS app and installs it on connected iOS devices in the background; the app asks for an Apple ID and password and sends them to a server without the user's knowledge (just like AceDeceiver)
Several years ago, Android and iOS began requiring user interaction to authorize pairing with another device, precisely to prevent the kind of USB sideloading attack DualToy performs. However, DualToy assumes that any mobile device physically connected to the infected PC belongs to the same owner, which means the pairing has most likely already been authorized; it simply reuses the existing pairing records to interact with the device in the background. Additional mechanisms further limit what this vector can do (USB debugging must be enabled on the Android side, and the iOS app sandbox restricts what an installed app can reach), so the threat is not severe, but DualToy is another reminder of how attackers can use USB sideloading against mobile devices and how malware can spread across platforms.
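A practitioner's first question on a PC suspected of running DualToy is which phones that PC is already trusted by, because those are the devices the malware can reach without triggering a prompt. The following added example, written for this article and not code from the DualToy write-up or from any vendor, inventories the two kinds of trust records the malware reuses: iTunes pairing records (assumed to live at C:\ProgramData\Apple\Lockdown\<UDID>.plist on a stock install) and the ADB host key (assumed at %USERPROFILE%\.android\adbkey and adbkey.pub). The records it writes for the demo are constructed sample data, not real device records.

```python
"""Audit the host-side pairing records that DualToy reuses to reach a phone over USB.

Added example, not code from the original DualToy write-up. It assumes the
default iTunes and Android SDK locations on Windows; pass other directories
to audit() if your install differs.
"""
import plistlib
import re
import tempfile
from pathlib import Path
from typing import List

# Default trust-record locations (assumption: stock iTunes / Android SDK layout).
IOS_LOCKDOWN_DIR = Path(r"C:\ProgramData\Apple\Lockdown")
ADB_KEY_DIR = Path.home() / ".android"

# Pairing records are named <UDID>.plist: classic 40-hex UDIDs or the newer
# 8-16 dashed form. Other plists in the folder are not device records.
UDID_RE = re.compile(r"^([0-9a-f]{40}|[0-9a-f]{8}-[0-9a-f]{16})$", re.I)


def parse_lockdown_record(data: bytes) -> dict:
    """Pull out the fields that decide what a host holding this record can do."""
    rec = plistlib.loads(data)
    return {
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        # HostCertificate/HostPrivateKey let the host complete lockdownd's handshake
        # without the phone showing a new "Trust This Computer?" prompt.
        "has_host_key": "HostPrivateKey" in rec,
        # EscrowBag lets the trusted host reach protected data for sync/backup
        # without the passcode being entered again.
        "has_escrow_bag": "EscrowBag" in rec,
        "wifi_mac": rec.get("WiFiMACAddress"),
    }


def inventory_ios(lockdown_dir: Path) -> List[dict]:
    """List every iOS device this PC is already trusted by."""
    found = []
    for p in sorted(lockdown_dir.glob("*.plist")):
        if not UDID_RE.match(p.stem):
            continue
        info = parse_lockdown_record(p.read_bytes())
        info["udid"] = p.stem
        found.append(info)
    return found


def inventory_adb(adb_dir: Path) -> dict:
    """Report whether an ADB host key exists; its tag is what authorized phones remember."""
    pub = adb_dir / "adbkey.pub"
    result = {
        "private_key_present": (adb_dir / "adbkey").is_file(),
        "public_key_present": pub.is_file(),
        "host_tag": None,
    }
    if pub.is_file():
        # adbkey.pub is "<base64 RSA key> <user@host>"; the same line is what ends
        # up in /data/misc/adb/adb_keys on every phone that ticked "Always allow".
        parts = pub.read_text().split()
        result["host_tag"] = parts[1] if len(parts) > 1 else None
    return result


def audit(lockdown_dir: Path = IOS_LOCKDOWN_DIR, adb_dir: Path = ADB_KEY_DIR) -> dict:
    """Combine both inventories; an infected PC can abuse every record listed here."""
    ios = inventory_ios(lockdown_dir) if lockdown_dir.is_dir() else []
    return {"ios": ios, "adb": inventory_adb(adb_dir)}


def write_sample_records(root: Path) -> None:
    """Constructed sample data so the audit runs offline; not real device records."""
    lockdown = root / "Lockdown"
    lockdown.mkdir()
    record = {
        "HostID": "9F1B2C3D-0000-4000-8000-ABCDEF123456",
        "SystemBUID": "1234ABCD-0000-4000-8000-000000000001",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\n...\n",
        "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\n...\n",
        "EscrowBag": b"\x00" * 16,
        "WiFiMACAddress": "aa:bb:cc:dd:ee:ff",
    }
    (lockdown / "00008030-001A2B3C4D5E6F70.plist").write_bytes(plistlib.dumps(record))
    # Not a device record; must be skipped by the UDID filename check.
    (lockdown / "SystemConfiguration.plist").write_bytes(
        plistlib.dumps({"SystemBUID": record["SystemBUID"]}))
    android = root / ".android"
    android.mkdir()
    (android / "adbkey").write_text("-----BEGIN PRIVATE KEY-----\n...\n")
    (android / "adbkey.pub").write_text("QAAAAHRoaXMgaXMgbm90IGEgcmVhbCBrZXk= bob@dev-laptop\n")


def demo() -> dict:
    """Run the audit against the constructed sample tree in a temp directory."""
    root = Path(tempfile.mkdtemp())
    write_sample_records(root)
    return audit(root / "Lockdown", root / ".android")


if __name__ == "__main__":
    print(demo())
```

Run audit() with no arguments on the PC itself; every UDID it returns is a phone that will accept this host silently, and a present adbkey means any phone that ever ticked "Always allow from this computer" will accept ADB commands from it as well. Deleting the lockdown record and the adbkey pair (and revoking USB debugging authorizations on the phone) closes both paths until the owner re-pairs.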
Almost all DualToy samples are capable of infecting Android devices connected to the compromised Windows PC via USB cable. This functionality is usually implemented in a module named NewPhone.dll, DevApi.dll or app.dll. The module first downloads and sets up an ADB environment. Once this is done, DualToy waits for an Android device to connect via USB. When one connects, it fetches a list of URLs from the C2 server, downloads the apps, and installs them on the Android device in the background via the "adb.exe install" command.
The apps that DualToy downloaded and installed are all games that use Chinese as the default language, and none of them are available in the official Google Play store.
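The install step above leaves a distinctive trace in Windows process-creation telemetry: a freshly downloaded adb.exe, launched by something that is not a development tool, running install or push against files in a download directory. The following added example (not code from the original article) scores adb.exe launches from Sysmon-style process-creation events on exactly those traits. The field names (Image, CommandLine, ParentImage, ProcessId), the trusted-parent and install-directory lists, and the sample events are all assumptions and constructed data to be tuned for your environment.

```python
"""Flag DualToy-style silent ADB sideloading in Windows process-creation telemetry.

Added example, not code from the original write-up. It assumes Sysmon-style
process-creation fields; the allow-lists below are assumptions to tune.
"""
import shlex
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Assumed: processes that legitimately drive adb.exe on a developer workstation.
TRUSTED_PARENTS = {
    "studio64.exe", "idea64.exe", "code.exe", "cmd.exe",
    "powershell.exe", "pwsh.exe", "windowsterminal.exe",
}
# Assumed: directories a legitimately installed adb.exe normally lives in.
TRUSTED_ADB_DIRS = (r"android\sdk\platform-tools", r"android-sdk\platform-tools")
# adb verbs DualToy needs: install apps, push native code, execute it via shell.
SIDELOAD_VERBS = {"install", "install-multiple", "push", "shell"}
# Global adb options that consume the following argument (-s, -t, -H, -P, -L).
VALUE_OPTS = {"-s", "-t", "-h", "-p", "-l"}


def adb_verb(cmdline: str) -> Optional[str]:
    """Return the adb sub-command, skipping global options such as '-s <serial>'."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes literal
    except ValueError:
        return None
    args = argv[1:]
    i = 0
    while i < len(args):
        tok = args[i].strip('"').lower()
        if tok in VALUE_OPTS:
            i += 2
        elif tok.startswith("-"):
            i += 1
        else:
            return tok
    return None


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an adb.exe launch looks like background sideloading (empty if benign)."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "adb.exe":
        return []
    reasons = []
    verb = adb_verb(event["CommandLine"])
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if verb in SIDELOAD_VERBS and parent not in TRUSTED_PARENTS:
        # DualToy drives adb from its own module, so the parent is its dropper or
        # whatever process it injected into, never an IDE or an interactive shell.
        reasons.append(f"adb {verb} launched by untrusted parent {parent}")
    image_dir = str(image.parent).lower()
    if not any(image_dir.endswith(d) for d in TRUSTED_ADB_DIRS):
        # The malware downloads its own ADB copy rather than using an installed SDK.
        reasons.append(f"adb.exe running from unexpected location {image.parent}")
    if verb in ("install", "push") and "\\temp\\" in event["CommandLine"].lower():
        reasons.append(f"adb {verb} sourcing a payload from a temp directory")
    return reasons


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map ProcessId -> reasons for every event that trips at least one check."""
    hits = {}
    for event in events:
        reasons = assess(event)
        if reasons:
            hits[event["ProcessId"]] = reasons
    return hits


# Constructed sample telemetry, not real logs: one developer workflow, one
# DualToy-like chain (download dir -> adb install / push), one benign query.
SAMPLE_EVENTS = [
    {"ProcessId": "4120",
     "Image": r"C:\Users\bob\AppData\Local\Android\Sdk\platform-tools\adb.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Android\Sdk\platform-tools\adb.exe" -s emulator-5554 install app-debug.apk',
     "ParentImage": r"C:\Program Files\Android\Android Studio\bin\studio64.exe"},
    {"ProcessId": "5232",
     "Image": r"C:\Users\bob\AppData\Local\Temp\adb\adb.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\adb\adb.exe" install "C:\Users\bob\AppData\Local\Temp\dl\game1.apk"',
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ProcessId": "5240",
     "Image": r"C:\Users\bob\AppData\Local\Temp\adb\adb.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\adb\adb.exe" push "C:\Users\bob\AppData\Local\Temp\dl\payload" /data/local/tmp/payload',
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ProcessId": "6001",
     "Image": r"C:\Users\bob\AppData\Local\Android\Sdk\platform-tools\adb.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Android\Sdk\platform-tools\adb.exe" devices',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The parent check is the one that carries the most weight: a developer's adb install comes from an IDE or a terminal, while a module loaded into a browser or dropper process has no such ancestry. The location and temp-directory checks are there to catch the case where the malware borrows a legitimately installed adb.exe, or where the parent allow-list is too permissive.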
After successfully connecting to an iOS device, DualToy collects device and system information, encrypts it and sends it to its C2 server. The collected information includes:
Device name, type, version and model number
Device UUID and serial number
Device baseband version, system build version, and firmware version
SIM card’s IMSI and ICCID
In addition to collecting device information, DualToy also tries to download IPA file(s) from the C2 server and install them on the connected iOS device. When the app is launched for the first time, it asks the user to enter his or her Apple ID and password.
DualToy is an example of a threat whose primary motive is generating money through advertising. It can cause real damage, but the target is not the computer user's files. DualToy mainly targets China, the United States, the UK, Thailand, Spain and Ireland.
We also suggest that users avoid connecting their mobile phones to untrusted devices via USB. The popularity and ubiquity of mobile devices ensure that attackers will continue to refine and develop new mobile malware, which means users and organizations will need to protect desktops, laptops and networks as well.