News  General


Over 8,000 different samples of a trojan being dubbed "DualToy" have been discovered in the wild after being initially identified in Jan 2015.

The unusual aspect to this malware is the mechanism it uses to hit it targets, which can be iOS or Android based.

The way it works is to first infect the Windows PC these devices are connected to via USB, then use the file transfer capabilities to deliver malware to the target, and it is capable of doing this to both Apple and Android devices. However, the good news is it is useless against those who keep everything up to date since it relies on weaknesses which were spotted and fixed several years ago. 

Uses a physical connection

Discovered by researchers at Palo Alto Networks, Claud Xiao said:

When DualToy began to spread in January 2015, it was only capable of infecting Android devices. We observed the first sample of DualToy capable of infecting iOS devices on June 7, 2015. Later in 2016, a new variant appeared.

Once a Windows PC was infected , DualToy looks for both the Android Debug Bridge (ADB) and iTunes, because it can't know at that point whioch kinds of mobile device will be connected to it. Especially worrying is its capability to download drivers for these itself if they are missing, because otherwise the Windows PC won't be able to talk to the device at all. As far as is known, these drivers are the legitimate ones required to deliver any file to the target, not just the payload.

The defense against these attacks is already provided - Apple has revoked the certificate required to install the fake app store, and sandboxedand Google changed the way ADB works by running it in a sandbox and requiring user intervention to transfer data. In the past, both of these would have not been fixed and so the malware was able to perform its infection silently. Users of old devices are warned again about the need to keep up to date.

cannon 700x250

"Replaces ADB"

It is thought the DualToy Trojan get into Windows in the first place via the usual routes - spoofing emails with attachments, fake web downloads or pirated software piggy-backs. It downloads and installs a file called adb.exe, which is part of the Android SDK and in itself wouldn't appear to be out of place. It will overwrite one if already present. To hack iOS devices, it does a similar thing with AppleMobileDeviceSupport64.msi and AppleApplicationSupport64.msi, which are part of the regular iTunes installation system.

Fake iOS App Store

One of the things the malware does to iPhones is to intsall a fake App Store - users are immediately asked for their Apple ID and password. Users then find several apps are automatically installed which could be regular ones,where the malware author is paid per download, or more malicious.

Fake App store installation on iPhones isn't new - ZergHelper also did this, for example. This trojan, heowever, uses AceDeceiver like tactics to install its version of one.

The general advice on both platforms is first, avoid sideloading and second ensure all parts of the system, not just the onboard smartphone software, is always kept up to date.