Two newly-discovered Android apps found on Google Play were designed to spy on their users, claim security experts at Kaspersky. The apps, SuperClean and DroidCleaner, posed as innocuous Android clean-up utilities; however, each app could quietly copy photos, contacts and other information to a remote server. 

If that weren't enough though, security analysts also found that malware authors were grabbing microphone recordings from Windows PCs paired with infected Android devices. What authors intended to do with the snagged recordings is a mystery, but the effort remains unsettling, nonetheless.

To record and steal audio from a microphone on a Windows PC, unscrupulous app writers had to first devise a method for infecting Windows PCs from Android. The programmers chose to exploit Windows' AutoRun feature, designing their apps to quietly plant a malicious Windows executable and AutoRun config file onto any SD-Card inserted into the infected Android device. When the device was connected to any AutoRun-enabled Windows PC, Windows would automatically run the malicious code, allowing virus unfettered access to the user's computer.

AutoRun has been long been an easily exploitable attack vector for Windows machines -- particularly in office, enterprise and educational settings where users frequently swap PCs and flash drives. This security realization prompted Microsoft to disable AutoRun entirely on PCs running Windows XP, Vista and 7 via a security fix eventually pushed out through Windows Update. With approximately 10 percent of Windows users opting out of Automatic Updates though, a large swath of users is likely to be at risk for such attacks.

Some of the malware's capabilities are highlighted here:

  • Sending SMS messages
  • Enabling Wi-Fi
  • Gathering information about the device
  • Opening arbitrary links in a browser
  • Uploading the SD card’s entire contents
  • Uploading an arbitrary file (or folder) to the master’s server
  • Uploading all SMS messages
  • Deleting all SMS messages
  • Uploading all the contacts/photos/coordinates from the device to the master

"This is the first time we have seen such an extensive feature set in one mobile application." noted Kaspersky Labs expert Victor Chebyshev. 

The malicious apps have since been removed from the Google Play market.